Security

Occasional Contributor I

Server-derived rule using Filter-Id from FreeRADIUS not working

I'm setting up a wireless lab. I added FreeRADIUS 3.0.15 to my back-end services. I am trying to set up a server-derived rule. The intent is that when guest123, password guest123 authenticates via 802.1X, radius1 (the FreeRADIUS server) returns Filter-Id = labguest, and a rule in the server group containing radius1 sets the user-role to labguest instead.

 

What happens instead is that the user receives the default 802.1X role, "authenticated".

 

Here is the relevant Aruba configuration:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

 

aaa authentication-server radius "radius1"
   host "192.168.18.249"
   key b07f6475f2dcdf6f66ef027b4532fe8b8fb1b5880e755383

 

aaa server-group "lab-emp_srvgrp-ckl54"
 auth-server radius1
 set role condition Filter-Id value-of

 

The following looks good:

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 2.589
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   ,W\332\023\211\277R@c\350\262\333\031\270w\017
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        \263if&\273\027\236y\034:4\270E\372\262\234
           PW_RADIUS_ID        \360
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
           Filter-Id                  labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \202\336
Microsoft  MS-MPPE-Send-Key           \215\270Q\230"\0048\252\301\\377\313b\001\024\360\202u\350\033\217\322Q\025L\365ri\201\340sY\347\011
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               \360
           Rad-Length                 189
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       \347\211\010\362\356\232\017\011\246$\351\314\365\271\370\350

 

The same thing results from the Local1 controller, since both Master1 and Local1 were set up as RADIUS clients at FreeRADIUS.

 

But when guest123/guest123 authenticates via 802.1X, the user-role is "authenticated", when it should be "labguest":

(Local1) #show user mac 44:39:c4:59:e5:64


Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X

...truncated output

 

Just in case this is a FreeRADIUS issue, I also posted the same issue at https://stackoverflow.com/questions/47681051/server-derived-role-based-on-filterid-using-freeradius-not-working

 

Thoughts?
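
An added note and config example for this thread (editor's addition, not text from the posters, Aruba or the FreeRADIUS project). Two things differ between the passing test and the failing client. `aaa test-server mschapv2` sends a plain MS-CHAPv2 Access-Request, which FreeRADIUS handles in its `default` virtual server, so the reply attributes from the `users` file land directly in the Access-Accept; it is also addressed to one server rather than the server-group, so it says nothing about SDR processing. The real client authenticates with EAP-PEAP (`protocol: EAP-PEAP` in the `show user` output): MS-CHAPv2 runs inside the TLS tunnel and is handled by the `inner-tunnel` virtual server, and with the stock FreeRADIUS 3.0.x `peap` settings the inner reply attributes are not copied into the outer Access-Accept. That is exactly the pattern of Filter-Id showing up in an inner reply in the debug log but not in the final Accept on the wire. The fragments below assume the stock 3.0.x layout (`/etc/raddb`, or `/etc/freeradius/3.0` on Debian/Ubuntu) and the flat `users` file as the user store; the `guest123` entry is illustrative. Later 3.0.x releases mark `use_tunneled_reply` deprecated and copy the attributes in the `inner-tunnel` `post-auth` section instead; the comments in your own `sites-available/inner-tunnel` say which form your version expects.

```text
# mods-available/eap  (FreeRADIUS 3.0.x)
# Stock default: the reply built by the "inner-tunnel" virtual server
# (Filter-Id, Aruba-User-Role, Tunnel-*, ...) is dropped and the outer
# Access-Accept carries only EAP-Message / Message-Authenticator / MPPE keys.
peap {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no          # <-- weak setting for this use case
    virtual_server = "inner-tunnel"
}

# Corrected: copy the inner-tunnel reply attributes into the outer Access-Accept.
peap {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# users  (illustrative entry)
# Aruba-User-Role is defined in the stock dictionary.aruba (vendor 14823).
# Returning both attributes lets either controller mechanism fire:
# the VSA directly, or the server-group rule
# "set role condition Filter-Id value-of" on Filter-Id.
guest123    Cleartext-Password := "guest123"
            Filter-Id = "labguest",
            Aruba-User-Role = "labguest"
```

After the change, `radiusd -XC` checks the configuration parses, and a run of `radiusd -X` while the wireless client associates should show `Filter-Id = "labguest"` (and the VSA) listed directly under the final `Sent Access-Accept` line, not only under the inner-tunnel reply. `eapol_test` from the wpa_supplicant package can drive a real PEAP exchange against the server without the controller if you want to separate the two halves of the problem.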

Guru Elite

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Why are you using filter-id with SDR? Just return the Aruba-User-Role VSA directly.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I'm preparing for a certification with a non-disclosure agreement, so I can't tell you exactly what I'm attempting to solve.

 

However, my setup is also ignoring Aruba-User-Role VSA. I believe an Aruba VSA is supposed to be top priority.

 

This works:

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 3.909
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   \207M>\205\367"[\032\204\304\307^\272k\251\317
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        q\267M\203\016\375\324v]\205\261\2678\020\016Y
           PW_RADIUS_ID        \361
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
Aruba      Aruba-User-Role            labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \206\254\177+\233\010n_\265p\275\333R\011(4\215'\264]\003MEq\204\0064B\340\033\326\244U\322
Microsoft  MS-MPPE-Send-Key           \217\032\251\256\032\230_%\373\32687BF\260dn\305\350\235\246\002\341E\355\317\032\021\277\311I!\246'
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               \361
           Rad-Length                 195
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       3\341\3629\237\242\242 b\3631\372\252\021

 

But when guest123/guest123 authenticates, user-role is still "authenticated":

(Master1) #show user mac 44:39:c4:59:e5:64

Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN

Guru Elite

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

That role definitely exists on the controller?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Yes. Here it is:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

Occasional Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I think something may be funky about the exchange with my RADIUS server.

 

I can show you some logs, if you advise which ones to set up prior to authenticating.

Occasional Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I believe I have a broken lab, in some regard. Here's what I've done to continue troubleshooting it.

 

Questions: is the RADIUS server behaving properly, from the logs and packet captures? I do see it sending back the AVP "FilterId","labguest" in one of the packets, but not in the accept packet at the end. Should it be there as well? Can someone please do a simple test with a working setup and compare?

 

I attach resulting logs, and RADIUS traffic screenshots from Wireshark.

 

Other notes:

I did a fresh build -- write erase all and set up just the master, AP, switch, and back-end services.

Added radius1 with the correct host IP and key.

Created ACL "dont-ping-controller".

Created user-role "labguest" designed to allow the user to do everything but ping the controller.

Used wlan wizard to make an 802.1X VAP. There was a checkbox to set up SDR based on Filter-Id, so I used it.

 

Here's the relevant part of the resulting config:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

!

aaa authentication-server radius "radius1"
   host "192.168.18.249"
   key fb11664b1c366e5eca38c6f86a95cd0b34ee938842c55450
!
aaa server-group "Lab-Emp_srvgrp-zud62"
 auth-server radius1
 set role condition filter-id value-of
!

 

I notice the code generated by the wizard referred to "filter-id" rather than "Filter-Id". I changed it at the CLI as follows, but it still didn't help. Since Aruba VSAs are also being ignored, that can't be the sole issue in any case.

 

aaa server-group "Lab-Emp_srvgrp-zud62"
 auth-server radius1
 set role condition Filter-Id value-of

 

***This is bad***

(Master1) # show user mac 44:39:c4:59:e5:64


Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN

 

***This is good***

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 6.301
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   \220\024\274\330\2622FP\351\025c\234\234\256Bv
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        \223.1\222\034n\362E\224\217\307\371\211\237\3527
           PW_RADIUS_ID        E
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
           Service-Type               Framed-User
           Filter-Id                  labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \307\354$s\277c\215\262|\246\312F\216\275\025v\032\305K\212\271J\370+\225#\314*i\324\321\001
Microsoft  MS-MPPE-Send-Key           \3137\217\0117<\001#L\212\177\303\023\356\374("\016d#\017\217+a\022\311\214B\273;\260\256V\004
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               E
           Rad-Length                 195
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       \274\335\332\250~*\2647\253\321\210\370\016aA.
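
For the "is the exchange with RADIUS right?" question above, an added check (editor's example, not Aruba or FreeRADIUS code): it takes the raw bytes of the final Access-Accept from a capture, verifies the Response Authenticator against the shared secret (so a wrong key or a modified reply is caught before any attribute is believed), and lists the two role-bearing attributes the controller can act on, Filter-Id (RFC 2865 type 11) and the Aruba-User-Role VSA (vendor 14823, vendor-type 1). The secret, Request Authenticator and both sample packets are constructed in the script, not taken from the thread's capture; to use it on real traffic, replace `GOOD_ACCEPT` with the Accept bytes from Wireshark and `REQUEST_AUTH` with the authenticator of the matching Access-Request. The VSA-before-Filter-Id ordering in `expected_role` follows the precedence the poster states and is an assumption here.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # RFC 2865 Filter-Id
ATTR_VSA = 26              # RFC 2865 Vendor-Specific
VENDOR_ARUBA = 14823       # Aruba's IANA enterprise number (dictionary.aruba)
ARUBA_USER_ROLE = 1        # Aruba-User-Role vendor-type

# Constructed fixtures (not from the thread's capture).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # Request Authenticator of the matching Access-Request


def attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def aruba_user_role(role):
    """Encode Aruba-User-Role as a Vendor-Specific attribute."""
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(role)) + role.encode()
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_ARUBA) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with a valid Response Authenticator:
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def authenticator_ok(packet, request_auth, secret):
    """Verify the Response Authenticator.  A mismatch means a wrong shared key
    or a modified/forged reply, so its attributes must not be trusted."""
    header, given, body = packet[:4], packet[4:20], packet[20:]
    return given == hashlib.md5(header + request_auth + body + secret).digest()


def role_attributes(packet):
    """Return (code, identifier, {name: value}) for Filter-Id and
    Aruba-User-Role.  Other attributes are skipped; malformed ones are rejected."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    found = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_FILTER_ID:
            found["Filter-Id"] = value.decode("ascii", "replace")
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            spos = 4                       # walk the vendor sub-attributes
            while spos + 2 <= len(value):
                vtype, vlen = value[spos], value[spos + 1]
                if vlen < 2 or spos + vlen > len(value):
                    raise ValueError("malformed VSA at offset %d" % pos)
                if vendor == VENDOR_ARUBA and vtype == ARUBA_USER_ROLE:
                    found["Aruba-User-Role"] = value[spos + 2:spos + vlen].decode("ascii", "replace")
                spos += vlen
        pos += alen
    return code, ident, found


def expected_role(found, default="authenticated"):
    """Role the controller is expected to derive.  Assumed precedence, as the
    poster states it: Aruba-User-Role VSA, then the Filter-Id value-of rule,
    else the AAA profile's default 802.1X role."""
    return found.get("Aruba-User-Role") or found.get("Filter-Id") or default


# Constructed samples: a good Accept, and one reproducing the symptom
# (the role attribute never made it into the final Accept).
GOOD_ACCEPT = build_access_accept(0xF0, REQUEST_AUTH, SECRET,
                                  [attr(ATTR_FILTER_ID, b"labguest"), aruba_user_role("labguest")])
BARE_ACCEPT = build_access_accept(0xF1, REQUEST_AUTH, SECRET, [])


def report(packet, request_auth=REQUEST_AUTH, secret=SECRET):
    """One-line verdict for a captured Accept."""
    if not authenticator_ok(packet, request_auth, secret):
        return "Response Authenticator mismatch: wrong key or tampered reply"
    code, ident, found = role_attributes(packet)
    if code != ACCESS_ACCEPT:
        return "not an Access-Accept (code %d)" % code
    return "id %d: %s -> role %s" % (ident, found or "no role attribute", expected_role(found))


if __name__ == "__main__":
    print(report(GOOD_ACCEPT))
    print(report(BARE_ACCEPT))
```

The authenticator check matters more than it looks: the controller silently discards an Accept whose Response Authenticator fails, and `show user` then shows the default role just as it does when the attribute is merely missing, so confirming the key first removes one whole class of explanation before you go looking at the attribute list.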

Occasional Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I attach Wireshark screenshots and controller logs. Still not working. Can anyone tell if the exchange with RADIUS is right?

Guru Elite

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Please work with Aruba TAC. Troubleshooting is difficult on here.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Have you tested with an actual wireless client?  The SDR rules are applied to the server-group, but the aaa test is done by specifying a server.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294