Frequent Contributor II

Auth Server Group vs. RFC 3576

Hey all,

I was asked today by a peer to explain the difference between a dot1x-server-group and an RFC 3576 entry, and I was not able to come up with a cohesive answer. Could anyone please explain the difference?

Thank you,

Ryan

Guru Elite

Re: Auth Server Group vs. RFC 3576

It allows you to separately define your authentication servers and RADIUS CoA servers, which may be different in some use cases. Most of the time you can just put the same servers for both.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Auth Server Group vs. RFC 3576

Thanks for the fast reply, Tim. Could you extrapolate on that and give me a very basic use case?

Thank you,

Ryan

Guru Elite

Re: Auth Server Group vs. RFC 3576

If you had an external device/server (registration server) that needed to bump users from the network via CoA.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Auth Server Group vs. RFC 3576

Great, thanks for that. I found this document that explains everything. I'll post the blurb here:

Configuring an RFC-3576 RADIUS Server

You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)”.

The disconnect and change-of-authorization messages sent from the server to the controller contain information to identify the user for which the message is sent. The controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

user-name: Name of the user to be authenticated
framed-ip-address: User’s IP address
calling-station-id: Phone number of a station that originated a call
accounting-session-id: Unique accounting ID for the user session

If the authentication server sends both supported and unsupported attributes to the controller, the unknown or unsupported attributes are ignored. If no matching user is found, the controller sends a 503: Session Not Found error message back to the RFC 3576 server.
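The exchange that excerpt describes, modelled as an added Python example (not code from this thread, from Aruba, or from the quoted document): a minimal controller-side handler for an RFC 3576 Disconnect-Request that checks the request authenticator against the shared secret, matches the session using only the four identifying attributes listed above, ignores any other attribute, and answers with a Disconnect-ACK or a Disconnect-NAK carrying Error-Cause 503. The shared secret, the session table and the packet contents are constructed for the example; the attribute numbers and packet codes are the standard RADIUS/RFC 3576 values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 3576 packet codes and the attribute types used below (RFC 2865/2866/3576).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 8, 31, 44
ERROR_CAUSE = 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause sent when no session matches

# Constructed sample data: shared secret and the controller's active-session table.
SECRET = b"constructed-shared-secret"
SESSIONS = {
    "sess-1": {"user": "alice", "ip": "10.0.0.5",
               "mac": "00-11-22-33-44-55", "acct": "0000A1B2"},
}

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs; a zero-length or truncated attribute is rejected."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, attrs, secret, request_auth=None):
    """Request authenticator = MD5(header + 16 zero bytes + attrs + secret);
    a response replaces the zeros with the request's authenticator (RFC 3576 s.3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = request_auth if request_auth is not None else bytes(16)
    authenticator = hashlib.md5(header + seed + body + secret).digest()
    return header + authenticator + body

def parse_packet(pkt, secret, request_auth=None):
    """Verify the authenticator and return (code, ident, authenticator, attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    seed = request_auth if request_auth is not None else bytes(16)
    expected = hashlib.md5(pkt[:4] + seed + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or tampered packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def identify_session(attrs, sessions):
    """Match the request to a session using only the supported identifying
    attributes; everything else is ignored. Returns (session_id or None, ignored)."""
    criteria, ignored = {}, []
    for t, v in attrs:
        if t == USER_NAME:
            criteria["user"] = v.decode()
        elif t == FRAMED_IP_ADDRESS:
            criteria["ip"] = str(ipaddress.IPv4Address(v))
        elif t == CALLING_STATION_ID:
            criteria["mac"] = v.decode()
        elif t == ACCT_SESSION_ID:
            criteria["acct"] = v.decode()
        else:
            ignored.append(t)
    if criteria:
        for sid, sess in sessions.items():
            if all(sess.get(k) == val for k, val in criteria.items()):
                return sid, ignored
    return None, ignored

def handle_disconnect(pkt, secret, sessions):
    """Controller side: ACK (and drop the session) or NAK with Error-Cause 503."""
    code, ident, req_auth, attrs = parse_packet(pkt, secret)
    if code != DISCONNECT_REQUEST:
        raise ValueError("not a Disconnect-Request")
    sid, _ignored = identify_session(attrs, sessions)
    if sid is None:
        nak = [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))]
        return build_packet(DISCONNECT_NAK, ident, nak, secret, req_auth), None
    del sessions[sid]
    return build_packet(DISCONNECT_ACK, ident, [], secret, req_auth), sid

def error_cause(response, request, secret):
    """RFC 3576 server side: verify the response, return (code, Error-Cause or None)."""
    code, _, _, attrs = parse_packet(response, secret, request_auth=request[4:20])
    causes = [struct.unpack("!I", v)[0] for t, v in attrs if t == ERROR_CAUSE]
    return code, (causes[0] if causes else None)

if __name__ == "__main__":
    sessions = dict(SESSIONS)
    # Two supported identifiers plus Reply-Message (18), which the controller ignores.
    req = build_packet(DISCONNECT_REQUEST, 7, [(USER_NAME, b"alice"),
          (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.5").packed),
          (18, b"not an identifier")], SECRET)
    resp, sid = handle_disconnect(req, SECRET, sessions)
    print(error_cause(resp, req, SECRET), sid, sessions)   # (41, None) sess-1 {}
    req2 = build_packet(DISCONNECT_REQUEST, 8, [(ACCT_SESSION_ID, b"DEADBEEF")], SECRET)
    resp2, _ = handle_disconnect(req2, SECRET, sessions)
    print(error_cause(resp2, req2, SECRET))                 # (42, 503)
```

The authenticator check is the part worth noticing from a defensive standpoint: a Disconnect-Request is only honoured when it was built with the shared secret configured for that RFC 3576 server entry, which is why the controller keeps that entry (with its own key) separate from the authentication server group.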

 

Super Contributor I

Re: Auth Server Group vs. RFC 3576

There's a trick here. If you use an RFC3576 server to send attributes that change the role/vlan, you should ALSO define the server as an auth server and put it in the auth server group. Use the horribly named "mode" button on that server definition to turn it off. This will allow the RFC3576 responses to run through the server derivation rules, but will prevent auth/acct requests from being sent to the rfc3576 server.


Frequent Contributor II

Re: Auth Server Group vs. RFC 3576

Oh that is good. Thanks for that!
