Aruba Employee
Posts: 64
Registered: 04-07-2007

Server derivation rules to transform aruba-user-role VSA

I am working on denying access to our "registered" users to our guest portal.

Our mac authentication system returns aruba specific attributes (VSA's) specifically the Aruba-User-Role attribute.

What I want to do is to transform those values in a server group profile

aaa server-group "GUEST-PORTAL-RESTRICT-ACCESS-SG-B"
auth-server NETREG-RADIUS-TEST-B
set role condition Aruba-User-Role equals "UNREGISTERED-ROLE-B" set-value amigopod-guest-role 
set role condition Aruba-User-Role not-equals "UNREGISTERED-ROLE-B" set-value guest_reguser_deny_redirect 
!

Basically this says if you are "unregistered" then set you to the amigopod guest role. If you are anything else, deny access.

However from the logs it looks like Aruba VSA's trump server derivation rules:

Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:860] Sending radius request to NETREG-RADIUS-TEST-B:129.64.102.17:1812 id:9,len:204 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-IP-Address: 129.64.27.175 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-Port-Id: 0 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] NAS-Port-Type: 19 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] User-Name: 70:56:81:bc:ba:d1 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:873] Password: ***** 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Calling-Station-Id: 705681BCBAD1 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Called-Station-Id: 000B8611BA00 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Service-Type: Login-User 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-Essid-Name: brandeis_guest01 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-Location-Id: JT_TestAP 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Aruba-AP-Group: Test_APGroup 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:869] Message-Auth: \272\254\347"\224\214\231p\001\222\315DF\2520\222 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=9, srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:82] Current entry: srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:38] Del Request: id=9, srv=129.64.102.17, fd=74
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:972] Authentication Successful
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] User-Name: turner 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] {Aruba} Aruba-User-Role: ACCESS-ROLE-B 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_ID: \011 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] Rad-Length: 49 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_CODE: \002 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RAD_AUTHENTICATOR: \020\361\272\0\217e\356\022
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:561] Radius Accounting Start: user 70:56:81:bc:ba:d1
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1064] Default : setting nas_port_type to wireless
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:294] create_common_acct: Added VSA Aruba-User-Vlan 700

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
10.202.27.254 70:56:81:bc:ba:d1 70:56:81:bc:ba:d1 ACCESS-ROLE-B 00:00:11 MAC JT_TestAP Wireless brandeis_guest01/d8:c7:c8:32:a7:b2/a-HT brandeis-amigopod-aaa tunnel OS X
User Entries: 1/1

Is this expected? I know it's unusual to transform a VSA, but hey, it doesn't say you can't!

Retired Employee
Posts: 234
Registered: 04-19-2011

Re: Server derivation rules to transform aruba-user-role VSA

Yes. It is expected and here is the Role Derivation Flowchart from the Virtual Branch Networking VRD. 

--
HT
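A way to see the precedence the reply describes, as an added Python example that is not part of the original thread and not Aruba's code: it parses the RADIUS RESPONSE ATTRIBUTES block from the authmgr debug log quoted in the question, evaluates the two server derivation rules from the GUEST-PORTAL-RESTRICT-ACCESS-SG-B server group against those attributes, and shows the returned Aruba-User-Role VSA overriding whatever the rules would have set. The first-match rule evaluation, the handling of an absent attribute for not-equals, the default role name mac-default-role, and the reduced three-level precedence model (VSA, then server derivation rule, then default role) are assumptions made for the example; it also goes one step beyond the thread by showing what happens when the server returns no Aruba-User-Role at all.

```python
import re

# Constructed sample: the RADIUS RESPONSE ATTRIBUTES part of the authmgr debug
# log quoted in the question (attribute values copied from that excerpt).
SAMPLE_LOG = r"""
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:972] Authentication Successful
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:974] RADIUS RESPONSE ATTRIBUTES:
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] User-Name: turner 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] {Aruba} Aruba-User-Role: ACCESS-ROLE-B 
Jul 24 08:48:13 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:989] PW_RADIUS_ID: \011 
Jul 24 08:48:14 :121031: <DBUG> |authmgr| |aaa| [rc_acct.c:561] Radius Accounting Start: user 70:56:81:bc:ba:d1
"""

# One attribute line of the response dump: "[rc_api.c:NNN] {Aruba} Name: value".
ATTR_RE = re.compile(r"\[rc_api\.c:\d+\]\s+(?:\{Aruba\}\s+)?([\w-]+):\s*(.*?)\s*$")


def parse_response_attributes(log_text):
    """Return {attribute: value} for the RADIUS RESPONSE ATTRIBUTES block of an
    authmgr debug log. The block ends at the first line that is not an rc_api.c
    attribute line (in the sample, the rc_acct.c accounting-start line)."""
    attrs = {}
    in_response = False
    for line in log_text.splitlines():
        if "RADIUS RESPONSE ATTRIBUTES:" in line:
            in_response = True
            continue
        if not in_response:
            continue
        match = ATTR_RE.search(line)
        if match is None:
            break
        attrs[match.group(1)] = match.group(2)
    return attrs


class DerivationRule:
    """One 'set role condition <attr> <op> <value> set-value <role>' line.
    Only the two operators used in the question's server group are modelled."""

    def __init__(self, attribute, operator, value, set_role):
        if operator not in ("equals", "not-equals"):
            raise ValueError("unsupported operator: " + operator)
        self.attribute, self.operator = attribute, operator
        self.value, self.set_role = value, set_role

    def matches(self, attrs):
        actual = attrs.get(self.attribute)
        if actual is None:
            # Assumption: a rule cannot fire on an attribute the server did not
            # return, even for not-equals.
            return False
        return (actual == self.value) == (self.operator == "equals")


# The two rules from the GUEST-PORTAL-RESTRICT-ACCESS-SG-B server group.
SERVER_GROUP_RULES = [
    DerivationRule("Aruba-User-Role", "equals", "UNREGISTERED-ROLE-B", "amigopod-guest-role"),
    DerivationRule("Aruba-User-Role", "not-equals", "UNREGISTERED-ROLE-B", "guest_reguser_deny_redirect"),
]


def first_matching_role(rules, attrs):
    """Assumption: server derivation rules are evaluated in order and the first
    match wins. Returns None when no rule fires."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.set_role
    return None


def derive_role(attrs, rules, default_role):
    """Simplified model of the precedence the reply confirms: an Aruba-User-Role
    VSA in the Access-Accept beats any server derivation rule, which in turn
    beats the profile's default role. Other ArubaOS derivation sources are
    deliberately left out. The rule result is reported even when it loses."""
    server_rule_role = first_matching_role(rules, attrs)
    vsa_role = attrs.get("Aruba-User-Role")
    if vsa_role is not None:
        role, source = vsa_role, "Aruba-User-Role VSA"
    elif server_rule_role is not None:
        role, source = server_rule_role, "server derivation rule"
    else:
        role, source = default_role, "default role"
    return {"role": role, "source": source, "server_rule_role": server_rule_role}


if __name__ == "__main__":
    attrs = parse_response_attributes(SAMPLE_LOG)
    # "mac-default-role" is a hypothetical name; the thread does not show the
    # AAA profile's default role.
    print(derive_role(attrs, SERVER_GROUP_RULES, "mac-default-role"))
```

Running it prints a result whose `role` is ACCESS-ROLE-B with source "Aruba-User-Role VSA" while `server_rule_role` is guest_reguser_deny_redirect: the second rule did match, exactly as the poster intended, but the VSA took precedence, which is why the "show user" output lists the client in ACCESS-ROLE-B. Feeding the function a response without any Aruba-User-Role attribute is the only case in this model where the rules (or, with nothing matching, the default role) decide the outcome.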