ArubaOS and Controllers

Occasional Contributor I
Posts: 6
Registered: 07-08-2009

Management user authentication through RADIUS

I'm trying to enable users to authenticate through RADIUS when accessing mobility controller.

I'm working with an Aruba 2400mc.
The RADIUS server is SteelBelted Radius (later it will be the IAS service on AD).

There is a user configured, and the attribute "Class" is set to "root".

When I go to Diagnostics to test the configuration, everything is OK and I get "authentication successful".

When I try to log in to the web interface of the mobility controller with the same user name, I end up being rejected.

I see this in the logs:

authmgr: <121014> |authmgr| |aaa| Received invalid reply digest from RADIUS server
Sep 4 14:26:55 aaa: <125022> |aaa| Authentication failed for User username, Logged in from 1.2.3.4 port 8370, Connecting to 5.5.5.5 port 4343 connection type HTTPS

When I create a rule as in the user manual:

"Select Server Group to display the Server Group list.
A. Enter the name of the new server group (for example, corp_rad) and click Add.
B. Select the name to configure the server group.
C. Under Servers, click New to add a server to the group.
D. Select a server from the drop-down menu and click Add Server.
E. Under Server Rules, click New to add a server rule.
F. For Condition, select Class from the scrolling list. Select value-of from the drop-down menu. Select Set Role from the drop-down menu.
G. Click Add.
H. Click Apply."

I get an error stating "Please select one of the management roles".

I've tried setting a rule "if attribute == "root" set role "root"", but without success.

So to sum it up: when I test configuration with this user I get authenticated. When I try to access web interface with the same user, I get rejected.

NOTE: I cannot return the attribute "Aruba-User-Role" for now, but this should not be the problem, as the user manual states that user roles can be applied based on the "Class" attribute as well.
NOTE2: "Local authentication mode" is disabled.
Guru Elite
Posts: 20,578
Registered: 03-29-2007

What attribute is being returned

Petar,

I would find out what attribute is being returned when you get those rejects. Turn on logging for authmgr like this:

config t
logging level debug security process authmgr
logging level debug security process aaa

After that, try your authentication, and after it fails, do a "show log security 50" to see what attributes are returned or why there is a failure:

Sep 4 12:16:18 :124011: |authmgr| Test authenticating user cjoseph:****** using server radius-server
Sep 4 12:16:21 :124004: |authmgr| Auth server 'radius-server' response=1
Sep 4 12:16:21 :124019: |authmgr| Test server response: Authentication failed

That would mean that the radius server itself is rejecting it and the rules on the radius server have to be written properly.

If it passes, then it will show you the radius attributes that are sent back to the controller.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: 07-08-2009

Re: Management user authentication through RADIUS

It looks like my RADIUS server isn't returning the attribute value it should. Am I right?

However, what does this mean:

Sep 7 09:03:40 :124056: |authmgr| No server available for AAA client type Management

---

Sep 7 09:02:46 :124011: |authmgr| Test authenticating user username1:****** using server TEST
Sep 7 09:02:46 :124004: |authmgr| User username1 MAC=00:00:00:00:00:00 not found
Sep 7 09:02:46 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/33
Sep 7 09:02:46 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/34
Sep 7 09:02:46 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/35
Sep 7 09:02:46 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/36
Sep 7 09:02:46 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/9
Sep 7 09:02:46 :124004: |authmgr| Auth server 'TEST' response=0
Sep 7 09:02:46 :124019: |authmgr| Test server response: Authentication successful
Sep 7 09:03:40 :125019: |aaa| Checking for Radius Authentication
Sep 7 09:03:40 :125026: |aaa| Radius Authentication is enabled
Sep 7 09:03:40 :124004: |authmgr| RX (sock) message of type 1, len 608
Sep 7 09:03:40 :124004: |authmgr| Select server for method=Management, user=username1, essid=<>, server-group=MGMT-Auth, last_srv <>
Sep 7 09:03:40 :124004: |authmgr| server=TEST, ena=0, ins=1 (1)
Sep 7 09:03:40 :124038: |authmgr| Selected server <> for method=Management; user=username1, essid=<>, domain=<>, server-group=MGMT-Auth
Sep 7 09:03:40 :124056: |authmgr| No server available for AAA client type Management
Sep 7 09:03:40 :124003: |authmgr| Authentication result=AAA Server not available(5), method=Management, server=, user=10.20.30.40
Sep 7 09:03:40 :125027: |aaa| mgmt-auth: username1, failure, , 0
Sep 7 09:03:40 :125059: |aaa| Since user 'username1' authentication is rejected by authentication server, the user will not be given any access.
Sep 7 09:03:40 :125022: |aaa| Authentication failed for User username1, Logged in from 10.20.30.40 port 4184, Connecting to 10.0.0.10 port 4343 connection type HTTPS
Sep 7 09:05:42 :124004: |authmgr| Rx message 14001/5221, length 184 from 127.0.0.1:8235
Sep 7 09:05:50 :124004: |authmgr| Rx message 14001/5221, length 231 from 127.0.0.1:8235
Sep 7 09:05:50 :124011: |authmgr| Test authenticating user username1:****** using server TEST
Sep 7 09:05:50 :124004: |authmgr| User username1 MAC=00:00:00:00:00:00 not found
Sep 7 09:05:50 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/33
Sep 7 09:05:50 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/34
Sep 7 09:05:50 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/35
Sep 7 09:05:50 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/36
Sep 7 09:05:50 :121017: |authmgr| |aaa| rc_avpair_vsa unknown vendor or attribute 800/9
Sep 7 09:05:50 :124004: |authmgr| Auth server 'TEST' response=0
Sep 7 09:05:50 :124019: |authmgr| Test server response: Authentication successful
Guru Elite
Posts: 20,578
Registered: 03-29-2007

yes


yes, you are right


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: 07-08-2009

Re: Management user authentication through RADIUS

I've made some progress, but I'm now having problems with assigning admin roles different from the default one.

Now the user gets authenticated, but the attribute I'm returning is ignored, thus the user is always assigned the "Default Role".

From my RADIUS server I'm returning the attribute Aruba-Admin-Role with value "root". Also on my management server I have a rule saying: "If Attribute Aruba-Admin-Role equals root set role root". However, the user is still assigned the "guest-provisioning" role (which I've set as default).

What am I missing?

This is the debug output:

Sep 23 09:59:54 :125019: |aaa| Checking for Radius Authentication
Sep 23 09:59:54 :125026: |aaa| Radius Authentication is enabled
Sep 23 09:59:54 :124004: |authmgr| RX (sock) message of type 1, len 608
Sep 23 09:59:54 :124004: |authmgr| Select server for method=Management, user=username, essid=<>, server-group=MGMT-Auth, last_srv <>
Sep 23 09:59:54 :124004: |authmgr| server=TEST, ena=1, ins=1 (1)
Sep 23 09:59:54 :124038: |authmgr| Selected server TEST for method=Management; user=username, essid=<>, domain=<>, server-group=MGMT-Auth
Sep 23 09:59:54 :124004: |authmgr| User username MAC=00:00:00:00:00:00 not found
Sep 23 09:59:54 :124003: |authmgr| Authentication result=Authentication Successful(0), method=Management, server=TEST, user=10.11.12.32
Sep 23 09:59:54 :124004: |authmgr| Auth server 'TEST' response=0
Sep 23 09:59:54 :124004: |authmgr| Matching `MGMT-Auth' rules to derive role ...
Sep 23 09:59:54 :124004: |authmgr| rule: set role condition Aruba-Admin-Role equals "root" set-value root
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match Class : SBR-CL DN="USERNAME" AT="0"
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match NAS-IP-Address : 114.111.111.116
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match PW_RADIUS_ID : F
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match Rad-Length : 58
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match PW_RADIUS_CODE : \002
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match PW_RAD_AUTHENTICATOR : P\370\267WAHTP\002\374\302)\015\033I\023
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match Server-Name : TEST
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match Server-Group : MGMT-Auth
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match User-Name : username
Sep 23 09:59:54 :124025: |authmgr| Administrative user 'username' authenticated successfully (role=guest-provisioning, privileged=0
Sep 23 09:59:54 :125027: |aaa| mgmt-auth: username, success, guest-provisioning, 0
Sep 23 09:59:54 :125024: |aaa| Authentication Succeeded for User username, Logged in from 10.11.12.32 port 4785, Connecting to 10.1.1.10 port 4343 connection type HTTPS
Guru Elite
Posts: 20,578
Registered: 03-29-2007

Not sending that attribute


You are not sending that attribute, otherwise it would have matched. Every line that says "Value Pair" is an attribute that was seen. Aruba-Admin-Role is not being sent. You might want to contact Juniper support to ensure that you are sending that attribute correctly.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
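As an added example (not code from the thread or from Aruba), here is a small Python checker that applies the two diagnostics Colin describes: after "logging level debug security process authmgr", it reads the authmgr lines, notes whether each server in the group is enabled (the "ena=0" case behind "No server available"), and compares the server-group role rule against the "Value Pair to match" attributes the RADIUS reply actually carried, which is how the missing Aruba-Admin-Role shows up. The sample log lines are constructed to match the shape of the ones posted above.

```python
import re

# Constructed sample, modelled on the "show log security" output posted in
# this thread after debug logging was enabled (values are made up).
SAMPLE_LOG = """\
Sep 23 09:59:54 :124004: |authmgr| server=TEST, ena=1, ins=1 (1)
Sep 23 09:59:54 :124004: |authmgr| rule: set role condition Aruba-Admin-Role equals "root" set-value root
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match Class : SBR-CL DN="USERNAME" AT="0"
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match NAS-IP-Address : 10.0.0.1
Sep 23 09:59:54 :124004: |authmgr| Value Pair to match User-Name : username
Sep 23 09:59:54 :124025: |authmgr| Administrative user 'username' authenticated successfully (role=guest-provisioning, privileged=0
"""

SERVER = re.compile(r"\|authmgr\| server=(\S+), ena=(\d), ins=(\d)")
RULE = re.compile(r'rule: set role condition (\S+) (\S+)(?: "([^"]*)")? set-value (\S+)')
PAIR = re.compile(r"\|authmgr\| Value Pair to match (\S+) : (.*)$")
ROLE = re.compile(r"authenticated successfully \(role=([^,)]+)")


def parse_security_log(text):
    """Collect server state, role rules, returned attributes and the final role."""
    state = {"servers": {}, "rules": [], "attrs": {}, "role": None}
    for line in text.splitlines():
        if m := SERVER.search(line):
            state["servers"][m.group(1)] = m.group(2) == "1"   # ena=1 means enabled in the group
        elif m := RULE.search(line):
            state["rules"].append({"attr": m.group(1), "op": m.group(2),
                                   "value": m.group(3), "role": m.group(4)})
        elif m := PAIR.search(line):
            state["attrs"][m.group(1)] = m.group(2).strip()   # one attribute seen in the reply
        elif m := ROLE.search(line):
            state["role"] = m.group(1)
    return state


def diagnose(state):
    """Explain why the login could not reach a server or fell back to the default role."""
    findings = []
    for name, enabled in state["servers"].items():
        if not enabled:
            findings.append(f"server {name} is in the group but disabled (ena=0): authmgr will report 'No server available'")
    for rule in state["rules"]:
        seen = state["attrs"].get(rule["attr"])
        if seen is None:
            findings.append(f"rule on {rule['attr']} cannot match: the reply only carried {sorted(state['attrs'])}, so the default role is kept")
        elif rule["op"] == "equals" and seen != rule["value"]:
            findings.append(f"{rule['attr']} came back as {seen!r}, rule expects {rule['value']!r}")
        else:
            findings.append(f"rule on {rule['attr']} matches; expect role {rule['role']}")
    return findings
```

Run `diagnose(parse_security_log(SAMPLE_LOG))` on the constructed sample and the only finding is that the Aruba-Admin-Role rule cannot match because the reply carried only Class, NAS-IP-Address and User-Name.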
