MVP
Posts: 702
Registered: ‎03-25-2009

CPPM - VIA hitting wrong service

After some internal changes and upgrading to the latest VIA, several of my users started complaining that they could no longer connect.

Investigating this further in Access Tracker showed those authentication events were matching a WLAN dot1x service.

In this WLAN dot1x service we have a 'radius-aruba' condition that it must match the 'aruba-essid-name' of our WLAN.

For VIA we have the same conditions configured, with the exception that we refuse to match any auth request that has the aruba-essid-name of our WLAN.

 

So now, I'm a bit confused... why would VIA send the aruba-essid-name in its authentication request?

More importantly... what would be the best differentiator to only 'capture' VIA authentication requests?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: CPPM - VIA hitting wrong service

If you look at Access Tracker, does it show Aruba-ESSID-Name as being passed under the Input tab?  Also can you give a quick screenshot of your two services (conditions)?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 702
Registered: ‎03-25-2009

Re: CPPM - VIA hitting wrong service

Sorry, I should have phrased my question a bit better.

If VIA is connecting from a client that is connected to a local WLAN, the RADIUS request sends the aruba-essid-name attribute along with the auth request. ClearPass then 'correctly' uses this when deciding what service it matches.

When VIA is launched from a wired connection (or a non-local WLAN), this aruba-essid-name attribute is not sent along with the auth request.

This also means it isn't too important, since outside of the office it all works as intended, but it would be nice if it worked the same even when used from the internal local Aruba WLAN.

I am pretty much just wondering why VIA would send along something like that and, more importantly, how I would be able to avoid it.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 360
Registered: ‎01-14-2010

Re: CPPM - VIA hitting wrong service

Koenv,

 

I have an install with a VIA service that is setup in Clearpass in the following manner:

 

1. Connection, NAD-IP-ADDRESS, BELONGS-TO-GROUP "Aruba-Devices" (custom group I created for the controllers)

2. RADIUS:Aruba, Aruba-AP-Group, EQUALS, default

3. RADIUS:IETF, Service-Type, NOT_EQUALS, Administrative-User (6)

 

It took me a hot minute of playing around to get it to work, but it seems to have been good for the past 2-3 weeks.

 

-Mike

MVP
Posts: 702
Registered: ‎03-25-2009

Re: CPPM - VIA hitting wrong service

Thx boston, that is pretty much how I have it configured, but try connecting VIA from an internal Aruba WLAN.

You will see the actual Aruba-AP-Group in the authentication request and fail to hit that service.

That's my "problem".

Then again, there is no real need to connect from a known local WLAN, so it isn't a huge issue or anything anyway. I'll just tell people to test VIA from outside the office WLAN.

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: CPPM - VIA hitting wrong service

Can you make the conditions such that you put the VIA service above the wireless LAN service?

You can further differentiate this by creating a duplicate RADIUS server entry and server group on the controller for VIA use. Then put a specific NAS-Identifier in the server entry on ArubaOS; include this as part of your condition in the appropriate service.


Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: CPPM - VIA hitting wrong service

Have you tried the VIA service template in 6.2?  It may prove useful

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 702
Registered: ‎03-25-2009

Re: CPPM - VIA hitting wrong service

The problem is that the VIA auth from the LAN is identical to a wireless authentication. Putting it in front would be bad :)

The idea of using a different NAS-ID however does sound like a solution.. thanks.

 

Haven't tried the service template either, will check what that thing builds as template.. thanks again.

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 19,993
Registered: ‎03-29-2007

Re: CPPM - VIA hitting wrong service


koenv wrote:

The problem is that the VIA auth from the LAN is identical to a wireless authentication. Putting it in front would be bad :)

The idea of using a different NAS-ID however does sound like a solution.. thanks.

 

Haven't tried the service template either, will check what that thing builds as template.. thanks again.


Koenv,

 

VIA by default uses PAP for authentication.  Remove PAP and it should not be processed by that rule.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
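The two fixes proposed in the thread (Tony's dedicated NAS-Identifier from a second RADIUS server entry on the controller, and Colin's removal of PAP from the WLAN service) both come down to how ClearPass walks its ordered service list. The following toy model of that categorization is an added example, not code from the thread or from ClearPass: attribute names use the ClearPass Radius:Aruba / Radius:IETF / Connection namespaces, but the ESSID, NAS-Identifier, controller IP and "via-cppm" values are constructed, and the behaviour of NOT_EQUALS on an absent attribute and of a service whose allowed authentication methods exclude the request's method are assumptions stated in the comments.

```python
"""Added example (not from the original thread): a minimal model of ClearPass
service categorization, showing why a VIA login from the corporate WLAN lands
in the wireless 802.1X service and how a dedicated NAS-Identifier or removing
PAP from the WLAN service changes the outcome. All values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    attr: str          # e.g. "Radius:Aruba:Aruba-Essid-Name"
    op: str            # EQUALS, NOT_EQUALS, EXISTS, NOT_EXISTS, BELONGS_TO_GROUP
    value: object = None

    def matches(self, req: dict) -> bool:
        present = self.attr in req
        val = req.get(self.attr)
        if self.op == "EXISTS":
            return present
        if self.op == "NOT_EXISTS":
            return not present
        if self.op == "EQUALS":
            return present and val == self.value
        if self.op == "NOT_EQUALS":
            # Assumption: a negative match succeeds when the attribute is absent,
            # which is how the thread's VIA service behaves from outside the
            # office (no Aruba-Essid-Name in the request).
            return val != self.value
        if self.op == "BELONGS_TO_GROUP":
            return present and val in self.value
        raise ValueError(f"unknown operator {self.op}")


@dataclass
class Service:
    name: str
    rules: list
    auth_methods: set = field(default_factory=lambda: {"PAP", "EAP-PEAP", "EAP-TLS"})
    match_all: bool = True   # ClearPass "Matches ALL" vs "Matches ANY"

    def matches(self, req: dict) -> bool:
        results = [r.matches(req) for r in self.rules]
        return all(results) if self.match_all else any(results)


def categorize(services, req):
    """Return the first service (in order) whose rules match, or None.
    Assumption (models Colin's suggestion): a service whose allowed
    authentication methods exclude the request's method is skipped."""
    for svc in services:
        if req["Authentication:Method"] not in svc.auth_methods:
            continue
        if svc.matches(req):
            return svc.name
    return None


ESSID = "Radius:Aruba:Aruba-Essid-Name"
NAS_ID = "Radius:IETF:NAS-Identifier"
NAD_IP = "Connection:NAD-IP-Address"
WLAN = "corp-wlan"            # constructed ESSID
CONTROLLERS = {"10.0.0.1"}    # constructed "Aruba-Devices" device group


def wlan_dot1x_request():
    # Constructed: an 802.1X user on the corporate WLAN, authenticating with EAP-PEAP.
    return {ESSID: WLAN, NAS_ID: "ctrl-1", NAD_IP: "10.0.0.1",
            "Authentication:Method": "EAP-PEAP"}


def via_request(from_corp_wlan: bool, nas_id: str = "ctrl-1"):
    # Constructed: VIA authenticates with PAP; when the client is on the corporate
    # WLAN the controller also includes the ESSID, exactly as the thread observed.
    req = {NAS_ID: nas_id, NAD_IP: "10.0.0.1", "Authentication:Method": "PAP"}
    if from_corp_wlan:
        req[ESSID] = WLAN
    return req


def original_services():
    # Koen's starting point: WLAN service keys on the ESSID, VIA service excludes it.
    return [
        Service("WLAN dot1x", [Rule(ESSID, "EQUALS", WLAN)]),
        Service("VIA", [Rule(ESSID, "NOT_EQUALS", WLAN)]),
    ]


def nas_id_services():
    # Fix 1: a second RADIUS server entry on the controller, used only by the VIA
    # auth profile, sends NAS-Identifier "via-cppm" (assumed value); the VIA
    # service keys on it and sits above the WLAN service.
    return [
        Service("VIA", [Rule(NAS_ID, "EQUALS", "via-cppm")]),
        Service("WLAN dot1x", [Rule(ESSID, "EQUALS", WLAN)]),
    ]


def no_pap_services():
    # Fix 2: drop PAP from the WLAN service so a PAP (VIA) request is not handled
    # there even when it carries the ESSID. The VIA service then cannot keep the
    # ESSID NOT_EQUALS rule, so it keys on the NAD group (Mike's first rule) instead.
    return [
        Service("WLAN dot1x", [Rule(ESSID, "EQUALS", WLAN)],
                auth_methods={"EAP-PEAP", "EAP-TLS"}),
        Service("VIA", [Rule(NAD_IP, "BELONGS_TO_GROUP", CONTROLLERS)],
                auth_methods={"PAP"}),
    ]


if __name__ == "__main__":
    print(categorize(original_services(), via_request(True)))            # WLAN dot1x (the problem)
    print(categorize(original_services(), via_request(False)))           # VIA
    print(categorize(nas_id_services(), via_request(True, "via-cppm")))  # VIA
    print(categorize(nas_id_services(), wlan_dot1x_request()))           # WLAN dot1x
    print(categorize(no_pap_services(), via_request(True)))              # VIA
    print(categorize(no_pap_services(), wlan_dot1x_request()))           # WLAN dot1x
```

The model makes the point of the thread concrete: a VIA request from the corporate WLAN carries the same Aruba-ESSID-Name as a wireless 802.1X request, so nothing in the RADIUS attributes alone separates them; either the controller has to stamp the VIA request differently (the NAS-Identifier route, which on ArubaOS means a second radius server entry with its own nas-identifier in the server group that the VIA auth profile references, an assumption to verify against your ArubaOS version) or the WLAN service has to refuse the PAP method. Note that with the second approach the VIA service's own ESSID NOT_EQUALS rule would also block the internal request, so it has to be replaced with a condition that holds from inside as well.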
Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: CPPM - VIA hitting wrong service

So you have a couple challenges here.

 

Mainly the VIA provisioning.

I ran into this same issue, and the challenge is that the auth comes in when you are local and it will have the same RADIUS parameters as a standard auth, so unless you use a separate controller from the VIA controller you will have a challenge.

The way I overcame the issue was either:

1. Force VIA provisioning on the internet only so it will trigger a PAP auth

2. Or add a PAP auth to your wired/wireless service (which is what I did)

       A. I also have my service trigger to put my VIA users in my provisioning role that allows CPPM and VIA.

If your VIA is set up correctly it will recognize that you are local and not trigger an auth.

 

[Attached image: screenshot_05 Oct. 31 22.37.gif]

 

 

 

Is there a reason you are triggering your VIA local?

 

 

 

I'm not a VIA expert, so there might be some other options, and I will ping engineering to see what they say. :)

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.