Occasional Contributor II

Management user authentication through RADIUS

Hi Airheads Community,

I am currently facing an issue with the controller of a customer of mine.
Referring to this old discussion, I tried to troubleshoot the configuration or the behavior,
but I was unable to resolve the issue.
I am trying to authenticate admin users and lobby users via RADIUS.
But I am currently unable even to authenticate into the default role, and I am not sure where the misconfiguration is.
Do I have to change the configuration of my controller, or is there a problem with the configuration of my RADIUS server?
I can provide you with the output of the debug I have already performed, as described in the old discussion.

Aug 8 15:13:37 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 15:13:37 :121041:  <DBUG> |authmgr|  User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 15:13:37 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=0
Aug 8 15:13:37 :124019:  <INFO> |authmgr|  Test server response: Authentication Successful



Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  RX (sock) message of type 1, len 1016
Aug 8 15:11:38 :124546:  <DBUG> |authmgr|  aal_authenticate user:winketa vpnflags:0.
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  unknown user=172.31.29.241, method=Management
Aug 8 15:11:38 :124547:  <DBUG> |authmgr|  aal_authenticate server_group:default.
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=winketa, essid=<>, server-group=KVB_RADIUS_ADMIN, last_srv <>
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|   server=Radius1, ena=1, ins=1 (1)
Aug 8 15:11:38 :124038:  <INFO> |authmgr|  Selected server Radius1 for method=Management; user=winketa,  essid=<>, domain=<>, server-group=RADIUS_ADMIN
Aug 8 15:11:38 :124064:  <NOTI> |authmgr|  Administrative User result=Authentication failed(1), method=Management, username=winketa IP=172.31.29.241 auth server=Radius1
Aug 8 15:11:38 :124003:  <INFO> |authmgr|  Authentication result=Authentication failed(1), method=Management, server=Radius1, user=172.31.29.241
Aug 8 15:11:38 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=1
Aug 8 15:11:38 :125022:  <WARN> |aaa|  Authentication failed for User winketa, Logged in from 172.31.29.241 port 56934, Connecting to 172.31.190.50 port 4343 connection type HTTPS

When I tried to log in with the user "winketa" in the AAA diagnostics tool, everything went fine, as you can see in my first authentication attempt: the RADIUS server returns a successful authentication.
But if I try to log in to the WebGUI using the same credentials, the controller sends some additional information to the RADIUS server, like the issuing host's IP address.
I think this is why my RADIUS server sends an authentication reject.
But I can't see where I can change this behavior,
or where my misconfiguration is.
Here I have a screenshot of my current configuration.

AdminLogin.JPG

I have already tried several "Server Rules", and I also tried having no "Server Rules" applied, but nothing changed the current behavior.

Do you guys have any idea how to solve this issue?

I would like to thank you in advance for your support!

Greetings

WiFi_Newbie

Aruba Employee

Re: Management user authentication through RADIUS

If I remember right, AAA test server uses PAP by default and the real mgmt authentication uses CHAP. Do you have CHAP enabled on the RADIUS server rule/service that the mgmt requests are hitting?
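
Added example, not part of the thread and not ArubaOS code: the reply above turns on which method carries the password. Per RFC 2865, PAP and CHAP put different attributes on the wire and the RADIUS server checks them differently, so the same credentials can pass with one method and be rejected with the other. The secret, authenticator and password are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac
from typing import Optional

def _keystream_blocks(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: b1 = MD5(secret + RA), b(i) = MD5(secret + c(i-1)); c(i) = p(i) XOR b(i)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]   # chaining always uses the ciphertext block
        out += block
    return out

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: build the User-Password attribute value (padded to 16-byte blocks)."""
    size = max(16, -(-len(password) // 16) * 16)
    return _keystream_blocks(password.ljust(size, b"\x00"), secret, request_auth, True)

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the shared secret gives back the cleartext password."""
    return _keystream_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: CHAP-Password = ident byte + MD5(ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def server_check_chap(attr: bytes, stored_cleartext: Optional[bytes], challenge: bytes) -> bool:
    """The server must recompute the digest, so it needs the cleartext password.
    A backend that keeps only a one-way hash (stored_cleartext=None) cannot do this."""
    if stored_cleartext is None:
        return False
    return hmac.compare_digest(chap_response(attr[0], stored_cleartext, challenge), attr)

# Constructed sample values, not taken from the thread.
SECRET = b"shared-secret"
REQ_AUTH = bytes(range(16))          # 16-byte Request Authenticator
PASSWORD = b"correct horse battery"  # 21 bytes, spans two 16-byte blocks

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQ_AUTH)
    print("PAP: server recovers", pap_recover(hidden, SECRET, REQ_AUTH))
    attr = chap_response(7, PASSWORD, REQ_AUTH)   # challenge = Request Authenticator here
    print("CHAP with cleartext store:", server_check_chap(attr, PASSWORD, REQ_AUTH))
    print("CHAP with hash-only store:", server_check_chap(attr, None, REQ_AUTH))
```

On the server side, this is why the policy or service that matches the management requests has to allow the method the controller actually uses, and why the credential backend has to support it.
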
Occasional Contributor II

Re: Management user authentication through RADIUS

Oh, I see that the link to the old discussion doesn't work as a hyperlink, so I will add it here as plain text just for completeness. Maybe there is something interesting in it for you guys.

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Management-user-authentication-through-RADIUS/td-p/2928

Thanks olino for the quick response.

I retried the test and I saw that the diagnostics page says it is using MSCHAPv2, but you are able to use PAP also.

I tried both mechanisms.

MSCHAPv2

PAP

Here is the output of the AAA logging during the test.

MSCHAPv2

Aug 8 16:29:21 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:21 :121041:  <DBUG> |authmgr|  User winketa MAC=00:00:00:00:00:00 not found.
Aug 8 16:29:21 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=0
Aug 8 16:29:21 :124019:  <INFO> |authmgr|  Test server response: Authentication Successful

PAP

Aug 8 16:29:57 :124011:  <INFO> |authmgr|  Test authenticating user winketa:****** using server Radius1
Aug 8 16:29:57 :124004:  <DBUG> |authmgr|  Auth server 'Radius1' response=1
Aug 8 16:29:57 :124019:  <INFO> |authmgr|  Test server response: Authentication failed

 

It looks like response "0" means allowed and "1" means rejected.
But if I try to log on normally to the GUI, I am unable to perform a simple MSCHAPv2 request with only the given credentials.
The controller always sends some stuff like the issuing host's IP address and so on.
Maybe someone has a clue?

Greetings

WiFi_Newbie

Guru Elite

Re: Management user authentication through RADIUS

What do the logs of the radius server say? The radius server configuration is the other side of the answer.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*