Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role Derivation when using MAC Auth + 802.1x Auth

  • 1.  Role Derivation when using MAC Auth + 802.1x Auth

    Posted Sep 05, 2013 05:33 PM

    Running the 6.2 AOS code, I want to use both MAC and 802.1x authentication so that if the client fails either one then they are placed into a particular role (say 'registration' for example).  If they pass both, then they are placed in another.  They will be authenticating against a separate RADIUS server for MAC and 802.1x but the roles will not be derived from the servers.  Is this possible and what would be the best way of implementing it?



  • 2.  RE: Role Derivation when using MAC Auth + 802.1x Auth

    EMPLOYEE
    Posted Sep 05, 2013 06:19 PM

    @Daniel K wrote:

    Running the 6.2 AOS code, I want to use both MAC and 802.1x authentication so that if the client fails either one then they are placed into a particular role (say 'registration' for example).  If they pass both, then they are placed in another.  They will be authenticating against a separate RADIUS server for MAC and 802.1x but the roles will not be derived from the servers.  Is this possible and what would be the best way of implementing it?


    If your client fails 802.1x authentication, which is required to gain access to the network, the client will not be able to gain access, no matter the circumstance.

     

    In the AAA profile, you can enable l2 failthrough, where if mac authentication is failed, but 802.1x is passed, the client will gain access, but his/her role will be the 802.1x role in the AAA profile.  If a client passes both, the client will gain access and the default mac authentication role will be applied to the client.  If l2 failthrough is disabled in the AAA profile, 802.1x is passed and mac authentication has failed, the client will NOT gain access to the network, period.



  • 3.  RE: Role Derivation when using MAC Auth + 802.1x Auth

    Posted Sep 05, 2013 06:55 PM

    Ah, I was unsure about that.  I still seem to be unable to place a client under the correct conditions to receive the default mac authentication role.  Even with l2 failthrough enabled, they pass mac and 802.1x authentication then receive the 802.1x default role.



  • 4.  RE: Role Derivation when using MAC Auth + 802.1x Auth

    EMPLOYEE
    Posted Sep 05, 2013 07:04 PM

    Turn on client debugging and paste in the log here:

    config t
    logging level debug user
    show log user 50



  • 5.  RE: Role Derivation when using MAC Auth + 802.1x Auth

    Posted Sep 05, 2013 07:21 PM

    Sep 5 18:12:19 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:1 udr_exist:0,default_role:logon,pDefRole:0x0x109933f4

    Sep 5 18:12:19 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:19:e3:d5:8d:ba, pmkid_present:False, pmkid:N/A

    Sep 5 18:12:19 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 10, AP IP: 192.168.0.38, flags : 0

    Sep 5 18:12:19 :522243:  <DBUG> |authmgr|  MAC=00:19:e3:d5:8d:ba Station Updated Update MMS: BSSID=00:0b:86:b4:47:30 ESSID=Test VLAN=33 AP-name=Rap2WG.RAP

    Sep 5 18:12:19 :501095:  <NOTI> |AP Rap2WG.RAP@192.168.0.38 stm|  Assoc request @ 18:12:19.829095: 00:19:e3:d5:8d:ba (SN 3898): AP 192.168.0.38-00:0b:86:b4:47:30-Rap2WG.RAP

    Sep 5 18:12:19 :501065:  <DBUG> |AP Rap2WG.RAP@192.168.0.38 stm|  handle_assoc_req:4241: mcast_encr(0x00000040), ucast_encr(0x00000040)

    Sep 5 18:12:19 :501100:  <NOTI> |AP Rap2WG.RAP@192.168.0.38 stm|  Assoc success @ 18:12:19.841060: 00:19:e3:d5:8d:ba: AP 192.168.0.38-00:0b:86:b4:47:30-Rap2WG.RAP

    Sep 5 18:12:19 :501065:  <DBUG> |AP Rap2WG.RAP@192.168.0.38 stm|  handle_assoc_req:5331 - send response to client

    Sep 5 18:12:20 :522207:  <DBUG> |authmgr|  MS-CHAPV2 authenticate user dannyk

    Sep 5 18:12:20 :522038:  <INFO> |authmgr|  username=dannyk MAC=00:19:e3:d5:8d:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RadiusServer2

    Sep 5 18:12:20 :522044:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba Station authenticate(start): method=802.1x, role=RemoteUser/RemoteUser//logon, VLAN=33/33/33/0/0/0, Derivation=1/0, Value Pair=1

    Sep 5 18:12:20 :522136:  <DBUG> |authmgr|  {L2} RemoteUser from profile "RAP-Wireless".

    Sep 5 18:12:20 :522127:  <DBUG> |authmgr|  {L2} Update role from RemoteUser to RemoteUser for IP=0.0.0.0.

    Sep 5 18:12:20 :522049:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba,IP=N/A User role updated, existing Role=RemoteUser/RemoteUser, new Role=RemoteUser/RemoteUser, reason=Station Authenticated with auth type: 4

    Sep 5 18:12:20 :522159:  <DBUG> |authmgr|  Station authenticate has l2 role :RemoteUser default role logon logon role logon.

    Sep 5 18:12:20 :522161:  <DBUG> |authmgr|  Valid Dot1xct, remote:1, assigned:33, default:33, current:33,termstate:8, wired:0, dot1x enabled:1, psk:0 static:0 bssid=00:0b:86:b4:47:30.

    Sep 5 18:12:20 :522029:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba Station authenticate: method=802.1x, role=RemoteUser/RemoteUser//logon, VLAN=33/33/33/0/0/0, Derivation=1/0, Value Pair=1

    Sep 5 18:12:20 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

    Sep 5 18:12:20 :522053:  <DBUG> |authmgr|  PMK Cache getting updated for 00:19:e3:d5:8d:ba, (def, cur, assigned) = (33, 33, 33) with vlan=0 vlanhow=0 essid=Test role=RemoteUser

    Sep 5 18:12:20 :524037:  <DBUG> |authmgr|  wpa2_tx_eapolkey_mesg1: sending key1 11r (0) xsec(0)

    Sep 5 18:12:20 :524041:  <DBUG> |authmgr|  wpa2_tx_eapolkey_mesg3 :FT mesg3 copied gtk, len=22 data len=46

    Sep 5 18:12:21 :524121:  <DBUG> |authmgr|  Derived VLAN for the user is 33.

    Sep 5 18:12:23 :522233:  <DBUG> |authmgr|  DHCP ACK seen for ac:81:12:3d:53:c4.

    Sep 5 18:12:23 :522211:  <DBUG> |authmgr|  DHCP assigned address and server address updated for ac:81:12:3d:53:c4 10.91.0.1 10.91.0.1.

    Sep 5 18:12:24 :522233:  <DBUG> |authmgr|  DHCP ACK seen for 00:19:e3:d5:8d:ba.

    Sep 5 18:12:24 :522211:  <DBUG> |authmgr|  DHCP assigned address and server address updated for 00:19:e3:d5:8d:ba 10.51.0.17 10.51.0.17.

    Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

    Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

    Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

    Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

    Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

    Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

    Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

    Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

    Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

    Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

    Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

    Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

    Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

    Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

    Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

    Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

    Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

    Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0

    Sep 5 18:12:24 :522143:  <DBUG> |authmgr|  user_miss from RAP:192.168.0.38, (Wireless) user IP:10.33.0.95, VLAN:33, BSSID:00:0b:86:b4:47:30:AP:Rap2WG.RAP.

    Sep 5 18:12:24 :522169:  <DBUG> |authmgr|  Station inherit: IP=10.33.0.95 start bssid:00:0b:86:b4:47:30 essid: Test port:0x0x200d (0x0x200d).

    Sep 5 18:12:24 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2

    Sep 5 18:12:24 :522171:  <DBUG> |authmgr|  station inherit IP=10.33.0.95 bssid:00:0b:86:b4:47:30 essid: Test auth:1 type:802.1x role:RemoteUser port:0x0x200d.

    Sep 5 18:12:24 :522147:  <DBUG> |authmgr|  rap user : Sending SOS_USER_ACTION_ADD to RAP 10.33.0.95: IP=10.33.0.95, Role: RemoteUser, ACL:50, authtype:4.

    Sep 5 18:12:24 :522096:  <DBUG> |authmgr|  00:19:e3:d5:8d:ba: Sending STM new Role ACL : 50, and Vlan info: 33, action : 18, AP IP: 192.168.0.38, flags : 0
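
As an added example (not from this thread and not HPE Aruba code), a small Python parser that runs over a handful of `show log user` lines and answers the question the thread is chasing: which methods succeeded for the client, and which method the controller credited for the role it finally applied. The sample lines are copied from the log posted above, except for one MAC-auth result line, which is constructed here (the posted log contains no MAC-auth result at all) and whose field layout is assumed to mirror the 802.1x result line. Message ids, field names and the `Skip User-Derivation` fields are read straight off the posted lines; their interpretation in the comments is an assumption.

```python
import re

# Constructed sample for this example: lines copied from the `show log user`
# output posted in the thread, plus one constructed MAC-auth result line
# (second line) whose layout is ASSUMED to mirror the 802.1x result line.
SAMPLE_LOG = """\
Sep 5 18:12:19 :522083:  <DBUG> |authmgr|  Skip User-Derivation, mba:1 udr_exist:0,default_role:logon,pDefRole:0x0x109933f4
Sep 5 18:12:19 :522038:  <INFO> |authmgr|  username=0019e3d58dba MAC=00:19:e3:d5:8d:ba IP=0.0.0.0 Authentication result=Authentication Successful method=MAC server=RadiusServer1
Sep 5 18:12:20 :522038:  <INFO> |authmgr|  username=dannyk MAC=00:19:e3:d5:8d:ba IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=RadiusServer2
Sep 5 18:12:20 :522044:  <INFO> |authmgr|  MAC=00:19:e3:d5:8d:ba Station authenticate(start): method=802.1x, role=RemoteUser/RemoteUser//logon, VLAN=33/33/33/0/0/0, Derivation=1/0, Value Pair=1
Sep 5 18:12:20 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=dannyk MAC=00:19:e3:d5:8d:ba IP=10.33.0.95 role=RemoteUser VLAN=33 AP=Rap2WG.RAP SSID=Test AAA profile=RAP-Wireless auth method=802.1x auth server=RadiusServer2
"""

MAC_RE = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"

# "Authentication result=..." lines: one per method the controller tried.
AUTH_RESULT = re.compile(
    r"username=(?P<user>\S+) MAC=" + MAC_RE + r" IP=\S+ "
    r"Authentication result=(?P<result>.+?) method=(?P<method>\S+) server=(?P<server>\S+)"
)
# Final record: the role and VLAN actually applied and the method credited for them.
FINAL_ROLE = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) MAC=" + MAC_RE
    + r" IP=\S+ role=(?P<role>\S+) VLAN=(?P<vlan>\d+).*?"
    r"auth method=(?P<method>\S+) auth server=(?P<server>\S+)"
)
# Profile-level note logged before the client authenticates. Assumed meaning:
# mba:1 = MAC auth enabled on the AAA profile, udr_exist:0 = no user-derivation
# rules configured, default_role = the profile's initial role.
SKIP_UDR = re.compile(
    r"Skip User-Derivation, mba:(?P<mba>\d) udr_exist:(?P<udr>\d),default_role:(?P<default_role>[^,]+)"
)


def parse_events(log: str) -> list[dict]:
    """Turn the raw log into one dict per line we understand; other lines are skipped."""
    events = []
    for line in log.splitlines():
        for kind, pattern in (("result", AUTH_RESULT), ("final", FINAL_ROLE), ("profile", SKIP_UDR)):
            m = pattern.search(line)
            if m:
                event = m.groupdict()
                event["kind"] = kind
                events.append(event)
                break
    return events


def summarize_client(log: str, mac: str) -> dict:
    """Which methods passed or failed for `mac`, and which method the final role came from."""
    mac = mac.lower()
    events = parse_events(log)
    mine = [e for e in events if e.get("mac") == mac]
    passed = sorted({e["method"] for e in mine
                     if e["kind"] == "result" and e["result"] == "Authentication Successful"})
    failed = sorted({e["method"] for e in mine
                     if e["kind"] == "result" and e["result"] != "Authentication Successful"})
    finals = [e for e in mine if e["kind"] == "final"]
    profile = next((e for e in events if e["kind"] == "profile"), None)
    summary = {
        "mac": mac,
        "passed": passed,
        "failed": failed,
        "mac_auth_enabled": bool(profile and profile["mba"] == "1"),
        "udr_present": bool(profile and profile["udr"] == "1"),
        "initial_role": profile["default_role"] if profile else None,
        "role": None, "vlan": None, "role_from": None, "server": None,
    }
    if finals:
        # The controller repeats the final record; the last copy is the one that stands.
        last = finals[-1]
        summary.update(role=last["role"], vlan=int(last["vlan"]),
                       role_from=last["method"], server=last["server"])
    return summary


def dot1x_overrode_mac_role(summary: dict) -> bool:
    """True when both methods passed but the applied role is credited to 802.1x."""
    return ("MAC" in summary["passed"] and "802.1x" in summary["passed"]
            and summary["role_from"] == "802.1x")


if __name__ == "__main__":
    s = summarize_client(SAMPLE_LOG, "00:19:e3:d5:8d:ba")
    for k, v in s.items():
        print(f"{k:>17}: {v}")
    print("802.1x role overrode MAC-auth role:", dot1x_overrode_mac_role(s))
```

Run against the posted log, the summary shows `role_from` as `802.1x` with `initial_role` `logon` and no user-derivation rules, which is the behaviour the original poster observed in reply 3. To check a different client, paste its `show log user` output into the string and pass its MAC.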



  • 6.  RE: Role Derivation when using MAC Auth + 802.1x Auth

    Posted Sep 05, 2013 09:41 PM

    For wireless client authentication: you can't retain user-roles derived during MAC-auth if dot1x-authentication is done.

    User-roles derived during dot1x authentication will override the mac-auth derivation, user-derivation-rules (non-DHCP-option), and initial-role.