Occasional Contributor II
Posts: 10
Registered: ‎07-17-2013

Management user authentication through RADIUS

Hi Airheads Community,

I am currently facing an issue at the controller of a customer of mine.
Regarding this old discussion, I tried to troubleshoot the configuration or the behavior.
But I was unable to resolve the issue.
I try to authenticate admin users and Lobby Users via RADIUS.
But I am currently even unable to simply authenticate into the default role and I am not sure where the misconfiguration is.
Do I have to change the configuration of my controller or is there a problem in the configuration of my RADIUS?
I can provide you the output of the debug I have already performed, as it was described in the old discussion.

Aug 8 15:13:37 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :121041:  <DBUG> |authmgr|  User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 15:13:37 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019:  <INFO> |authmgr|  Test server response: Authentication Successful



Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  RX (sock) message of type 1, len 1016
Aug 8 15:11:38 :124546:  <DBUG> |authmgr|  aal_authenticate user:winketa vpnflags:0.
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  unknown user=172.31.29.241, method=Management
Aug 8 15:11:38 :124547:  <DBUG> |authmgr|  aal_authenticate server_group:default.
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=winketa, essid=<>, server-group=KVB_RADIUS_ADMIN, last_srv <>
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|   server=Radius1, ena=1, ins=1 (1)
Aug 8 15:11:38 :124038:  <INFO> |authmgr|  Selected server Radius1 for method=Management; user=winketa,  essid=<>, domain=<>, server-group=RADIUS_ADMIN
Aug 8 15:11:38 :124064:  <NOTI> |authmgr|  Administrative User result=Authentication failed(1), method=Management, username=winketa IP=172.31.29.241 auth server=Radius1
Aug 8 15:11:38 :124003:  <INFO> |authmgr|  Authentication result=Authentication failed(1), method=Management, server=Radius1, user=172.31.29.241
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=1
Aug 8 15:11:38 :125022:  <WARN> |aaa|  Authentication failed for User winketa, Logged in from 172.31.29.241 port 56934, Connecting to 172.31.190.50 port 4343 connection type HTTPS

I tried to log in with the user "winketa" in the AAA diagnostics tool and everything went fine, as you can see in my first authentication attempt. The RADIUS returns a successful authentication.
But if I try to log into the WebGUI using the same credentials, the controller sends some additional information to the RADIUS, like the issuing host's IP address.
I think this is why my RADIUS sends an authentication reject.
But I can't see where I can change this behavior.
Or where my misconfiguration is?
Here I have a screenshot with my current configuration.

[Attached screenshot: AdminLogin.JPG]

I already tried several "Server Rules". I also tried to have no "Server Rules" applied, but nothing changed the current behavior.

Do you guys have any idea how to solve this issue?

I would like to thank you for your support in advance!

Greetings

WiFi_Newbie

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Management user authentication through RADIUS

If I remember right, AAA test server uses PAP by default and the real mgmt authentication uses CHAP. Do you have CHAP enabled on the RADIUS server rule/service that the mgmt requests are hitting?
Occasional Contributor II
Posts: 10
Registered: ‎07-17-2013

Re: Management user authentication through RADIUS

Oh, I see that the link to the old discussion doesn't work as a hyperlink, so I will add it here as plain text just for completeness. Maybe there is something interesting in it for you guys.

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Management-user-authentication-through-RADIUS/td-p/2928

Thanks olino for the quick response.

I retried the test and I saw that on the diagnostics page it says that it is using MSCHAPv2, but you are able to use PAP also.

I tried both mechanisms.

MSCHAPv2

PAP

Here is the output of the AAA logging during the test.

MSCHAPv2

Aug 8 16:29:21 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:21 :121041:  <DBUG> |authmgr|  User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 16:29:21 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=0
Aug 8 16:29:21 :124019:  <INFO> |authmgr|  Test server response: Authentication Successful

PAP

Aug 8 16:29:57 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:57 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=1
Aug 8 16:29:57 :124019:  <INFO> |authmgr|  Test server response: Authentication failed

 

Looks like it is about the response: "0" means allowed and "1" means rejected.
But if I try to log on regularly into the GUI, I am unable to perform a simple MSCHAPv2 request with only the given credentials.
The controller always sends some stuff like the issuing host's IP address and so on.
Maybe someone has a clue?

Greetings

WiFi_Newbie

Guru Elite
Posts: 20,576
Registered: ‎03-29-2007

Re: Management user authentication through RADIUS

What do the logs of the radius server say? The radius server configuration is the other side of the answer.


Colin Joseph
Aruba Customer Engineering
