Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC auth via RADIUS - need to set username in return attributes

  • 1.  MAC auth via RADIUS - need to set username in return attributes

    Posted Jan 31, 2012 07:44 AM

    We have a homegrown system that requires users to register their devices' MAC addresses. We use this registration as a sort of NAC and to serve DMCA (copyright) notices. The side benefit is that it also allows us to use MAC auth on our open network.


    Our MAC auth is set to use a RADIUS server to validate the MAC address (the registration server uses FreeRADIUS against a MySQL database). Unfortunately, when a device is MAC authed the user table shows the MAC as the username of the client. I was told by Jon Green? or Ash? that it was possible to override the username by returning the username as a return attribute.


    I finally got around to testing this, unfortunately without luck...


    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:339] Radius authenticate user (10:9a:dd:9e:2a:ba) PAP using server netinfo_radius_test
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1064] Default : setting nas_port_type to wireless
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Add Request: id=20, srv=129.64.x.x, fd=72
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:839] Sending radius request to netinfo_radius_test:129.64.x.x:1812 id:20,len:211 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  NAS-IP-Address: 129.64.x.x 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  NAS-Port-Id: 0 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  NAS-Port-Type: 19 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  User-Name: 10:9a:dd:9e:2a:ba 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:852]  Password: ***** 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Calling-Station-Id: 109ADD9E2ABA 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Called-Station-Id: 000B866184A8 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Service-Type: Login-User 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Aruba-Essid-Name: brandeis_open01 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Aruba-Location-Id: d8:c7:c8:c0:fc:44 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Aruba-AP-Group: Test_APGroup 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:848]  Message-Auth: \037\2474\267\230\317F\326\306\235\214\334X\275\030E 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:60] Find Request: id=20, srv=129.64.x.x, fd=72
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:66]  Current entry: srv=129.64.x.x, fd=72
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:22] Del Request: id=20, srv=129.64.x.x, fd=72
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:972] Authentication Successful
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  User-Name: turner 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RADIUS_ID: \024 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  Rad-Length: 28 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RADIUS_CODE: \002 
    Jan 30 18:47:12 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:989]  PW_RAD_AUTHENTICATOR: \3352V$l\016\331T\2544}/H\275\214# 
    
    (feld-3200-test1) #        show user-table                  
    
    Users
    -----
        IP              MAC            Name              Role               Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy                         Profile       Forward mode  Type
    ----------     ------------       ------             ----               ----------  ----  --------  -------  -------   ---------------                         -------       ------------  ----
    129.64.x.x  10:9a:dd:9e:2a:ba  10:9a:dd:9e:2a:ba  Brandeis-Mac-Auth  00:00:03    MAC             N/A      Wireless  brandeis_open01/d8:c7:c8:8f:c4:51/a-HT  brandeis-mac  tunnel        
    
    User Entries: 1/1

    What am I doing wrong? Should I be setting Full-Name? Or Strip-User-Name?
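
    The exchange in the debug output above, modelled as an added example (not code from the original post or from any Aruba or FreeRADIUS product): the controller sends an Access-Request with the MAC as User-Name, the server answers with an Access-Accept whose only attribute is User-Name "turner", and the controller verifies the Response Authenticator (RFC 2865) before it would adopt that name for the user table. The 28-byte reply this produces is exactly the Rad-Length the log reports (20-byte header plus an 8-byte User-Name TLV). The shared secret and the registration lookup are constructed placeholders.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, CALLING_STATION_ID = 1, 61, 31
SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    """Walk the TLV list back into a dict keyed by attribute type."""
    out, i = {}, 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        out[t] = body[i + 2:i + l]
        i += l
    return out

def build_access_request(mac, ident, req_auth):
    """Controller side: MAC auth puts the MAC in User-Name (User-Password omitted here)."""
    body = encode_attrs([
        (USER_NAME, mac.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", 19)),  # 19 = Wireless-802.11, as in the log
        (CALLING_STATION_ID, mac.replace(":", "").upper().encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_access_accept(ident, req_auth, username, secret=SECRET):
    """Server side: Access-Accept carrying the registered username as a reply User-Name."""
    body = encode_attrs([(USER_NAME, username.encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 section 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def username_from_accept(accept, req_auth, secret=SECRET):
    """Controller side: check the reply is authentic before adopting its User-Name."""
    header, resp_auth, body = accept[:4], accept[4:20], accept[20:]
    if resp_auth != hashlib.md5(header + req_auth + body + secret).digest():
        raise ValueError("bad Response Authenticator: reply not from the configured server")
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCESS_ACCEPT or length != len(accept):
        raise ValueError("not a well-formed Access-Accept")
    return decode_attrs(body)[USER_NAME].decode()
```

    A reply whose attributes were altered in transit fails the authenticator check and is rejected rather than being applied to the user table.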



  • 2.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Feb 01, 2012 02:42 PM

    From our experience with Amigopod and supporting RADIUS MAC authentication, both the username and password are received from the controller as the MAC. Amigopod is set up to authenticate the MAC devices based on this formatting of the Access-Request packet.


    You can modify the delimiter format of the MAC address sent from the controller using the MAC authentication profile.


    Hope this helps


    Cam.



  • 3.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Feb 06, 2012 07:46 AM

    Our MAC auth is working. What I am really trying to do is have the user string modified by the return attribute from RADIUS.


    Right now, if you look in your user table you should see users who have been MAC auth'd with the username as the MAC address. What I want is that once they are authenticated, the real username appears in that spot.


    This was supposedly possible, hoping to find the answer.


    John



  • 4.  RE: MAC auth via RADIUS - need to set username in return attributes
    Best Answer

    EMPLOYEE
    Posted Feb 06, 2012 04:18 PM

    It turns out you're not doing anything wrong - we just didn't implement the feature fully.  This is supported in 802.1X today and does work (it was originally done to support tunneled EAP methods that hide the username in the outer identity exchange), but the feature wasn't extended to support MAC authentication.  I have filed an enhancement bug (63793) to track the issue and get it fixed.


    -Jon



  • 5.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Mar 01, 2012 01:45 PM

    Trying to do the same, any word/timeframe on what release may/will have this enhancement?


    Thanks!



  • 6.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Sep 27, 2012 08:44 AM


    Jon, is there any update on accomplishing what the OP wanted? I need the same, i.e. the actual account username listed in the user-table instead of the MAC address.



  • 7.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Nov 20, 2012 09:49 AM

    I too am now looking for this, or something similar. In my case, the MACs are paired with registered guests. The authentication portion is working, but we'd like to send the User-Name attribute back as the username of the paired account. Is there any custom condition or way to do this? Is this planned?




  • 8.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Mar 08, 2013 02:27 PM

    The enhancement bug that John filed, 63793, is implemented in the 6.2 code train.  We have it working in our lab with 6.2.0.3 code, but it does not work in our production environment with the 6.1.3.7 code.  Our SE has confirmed that it was fixed in 6.2.


    James Nesbitt



  • 9.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Aug 22, 2013 12:09 PM

    Got around to testing this today, and it works! This particular setup is running 6.3.0.1 and using CPPM 6.2 to set up mac_auth_pairs. We now have the sponsor's name show up rather than the MAC (sponsor being the mac_auth_pair).



  • 10.  RE: MAC auth via RADIUS - need to set username in return attributes

    Posted Oct 01, 2013 05:38 PM

    Can you please post a screenshot of the enforcement profile showing how you did this, or exactly what attribute you passed back? I would like to pass back a value that I have stored as an attribute in the endpoints database.


    Thanks.