Occasional Contributor II

RADIUS request without considering username and password

Hi Airheads,

We're migrating our private APN environment from NPS to ClearPass. The authenticating routers all use the username 'void' for every RADIUS request. The differentiator is the Calling-Station-Id, which is the mobile number of the supplicant. The RADIUS server then responds with a Framed-IP-Address.

I have set up role mapping and enforcement profiles to match a mobile number with a RADIUS response, but I'm stuck at user authentication because, of course, user 'void' doesn't exist.

Can someone please point me in the right direction to skip or replace that check?

*EDIT*

I like to keep it simple, but if there's no way around authenticating the username, these attributes may be used instead:

'%{Radius:IETF:NAS-Identifier}' as user_id,
'%{Radius:IETF:NAS-IP-Address}' as user_password

The authentication source may be local or guest, it doesn't really matter. I'm not sure how to translate this into a custom source filter.

Occasional Contributor II

Re: RADIUS request without considering username and password

The logs point out that a MAC address is searched for in the Calling-Station-Id, which is a mobile phone number in my case. The auth method is CHAP.

2017-03-28 11:13:49,524    [Th 3552 Req 3971458 SessId R000753e3-01-58da294d] INFO RadiusServer.Radius - The attribute 324XXXXXXX does not contain valid MAC Address

2017-03-28 11:13:49,525    [RequestHandler-1-0x7f5c10561700 r=psauto-1489164657-1499386 h=239 r=R000753e3-01-58da294d] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations

Occasional Contributor II

Re: RADIUS request without considering username and password

I've googled some more. 'Void' means that there's a blank username and/or password in the request.

The NAS devices are not managed by us and their configuration cannot be altered, because the Windows NPS server still has to authenticate during the migration to ClearPass.

The NPS connection request policy is very simple:

Conditions: Called-Station-Id + NAS-IP-Address + Calling-Station-Id = Framed-IP-Address x.x.x.x, plus the flag 'accept users without validating credentials'.

Is it possible to replicate this and accept any user on one service only? I will use other RADIUS attributes to assign an enforcement profile.
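As an added illustration (not from this thread, ClearPass or NPS), the Python below models the NPS policy described above: it parses the attributes of an Access-Request, ignores User-Name entirely, and only returns a Framed-IP-Address when the NAS-IP-Address is a known APN router, the Called-Station-Id is the expected APN and the Calling-Station-Id (mobile number) is in a constructed mapping. The NAS address, APN name, mobile number and IP mapping are constructed sample values; with credentials not validated, those checks plus the RADIUS shared secret are the only things standing between a request and an accept.

```python
import ipaddress
import struct

# RADIUS attribute type codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
IP_ATTRS = (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS)

# Constructed policy data standing in for the NPS conditions in the thread.
TRUSTED_NAS = {"10.0.0.5"}                    # APN routers allowed to send requests
CALLED_STATION = "private.apn.example"        # APN name seen as Called-Station-Id
MSISDN_TO_IP = {"32412345678": "10.10.0.21"}  # mobile number -> Framed-IP-Address

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; IP attributes as 4 raw bytes."""
    out = b""
    for t, v in attrs:
        raw = ipaddress.IPv4Address(v).packed if t in IP_ATTRS else v.encode()
        out += struct.pack("!BB", t, len(raw) + 2) + raw
    return out

def decode_attrs(data):
    """Parse TLVs into {type: value}; refuse truncated or undersized attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):  # RFC 2865: minimum length is 3
            raise ValueError("malformed attribute length")
        raw = data[i + 2:i + length]
        attrs[t] = str(ipaddress.IPv4Address(raw)) if t in IP_ATTRS else raw.decode()
        i += length
    return attrs

def evaluate(request):
    """Return Access-Accept attributes, or None for a reject. User-Name is ignored."""
    a = decode_attrs(request)
    if a.get(NAS_IP_ADDRESS) not in TRUSTED_NAS:      # unknown router: reject
        return None
    if a.get(CALLED_STATION_ID) != CALLED_STATION:    # wrong APN: reject
        return None
    ip = MSISDN_TO_IP.get(a.get(CALLING_STATION_ID, ""))
    return None if ip is None else {FRAMED_IP_ADDRESS: ip}

def is_wellformed(data):
    """True when every attribute in the buffer parses cleanly."""
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False
```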