Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I connect wirelessly to SSID Lab-Emp. It prompts for username and password, does 802.1X authentication based on radius1 which is in the group with the SDR. RADIUS returns Filter-Id labguest and accepts the authentication request. The user is then connected but with the role "authenticated" rather than "labguest". I tried both from the laptop, and from a Samsung phone.


On the other hand, I set up another SSID called Lab-Guest using captive portal and radius1 with the same SDR in the server group. guest123/guest123 does receive the role "labguest" after captive portal (L3) authentication. Just not when authenticating L2/802.1X.


I won't hammer this board, based on Tim's feedback. I'll open a case at TAC, but still check here from time to time. I think someone may have an idea what's going on.


Thanks all!


Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I would like to provide closure:

This turned out to be a FreeRADIUS configuration issue.

Aruba support engineer Akshay Sharma analyzed captured packets and observed:

I would like to inform you that I went through the packet captures and I have attached the screenshots from the same based on what we observed. As seen in the CP-Accept screenshot, we see the Radius Accept for when the user was authenticating with Captive Portal. We see in the accept packet that the server is sending the attribute 'labguest' to the controller for the user role to be assigned. In the case of the Dot1x-Accept screenshot, we do not see any attribute being sent by the server in the accept packet for when the user was authenticating with dot1x authentication. Please check on the server end if we need to enable sending the attribute for MSCHAPv2 along with the PAP protocol, or if there are any specific configurations on the server that are handling the attributes to be sent based on the authentication type.

I then posted to the FreeRADIUS user list, and received this feedback:

“The solution is to move the "files" module to before "eap".  Edit sites-enabled/default.   Look at the "authorize" section.”


SDR and Aruba VSAs now work fully with FreeRADIUS.


The value to the community is that especially for wireless lab and proof of concept use, FreeRADIUS is a viable alternative to more costly or complicated RADIUS solutions.


The configuration I used is:

FreeRADIUS 3.0.15 / Ubuntu 16.04.3 / VMWare Workstation 14

Set up a static IP by editing /etc/network/interfaces. Restart.

Open UDP 1812 and 1813 at the laptop firewall.

Edit users to add usernames, passwords, and returned attributes.

Edit clients.conf to add controller(s).

Update certificates.

Edit sites-enabled/default as explained above.

Start the service via "freeradius -X" to see debug output, or simply "freeradius". If it was already running, then stop it first by "service freeradius stop".
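As an added illustration (not part of the original post or of the FreeRADIUS project's shipped defaults), the three configuration fragments the steps above refer to, written for FreeRADIUS 3.0.x. The only substantive point is the ordering inside `authorize`: the default `eap { ok = return }` block ends the section as soon as EAP claims the request, so a `files` entry listed after it never runs for 802.1X and the reply attributes from `users` are never queued. The username, password and role name are the ones from the thread; the controller address, client name and shared secret are placeholders, and modules not relevant to the fix are left out of the excerpt.

```conf
# --- sites-enabled/default, "authorize" section (excerpt; unrelated modules omitted) ---
# "files" is listed before "eap". Because the eap block returns from the
# section on "ok", anything placed after it is skipped for EAP requests.
authorize {
    filter_username
    preprocess
    chap
    mschap
    suffix
    files          # moved up: reads "users" and queues Filter-Id / Aruba-User-Role
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

# --- users (mods-config/files/authorize on 3.0) ---
# First line: check items. Following lines: reply items, comma-separated,
# no comma on the last one. Filter-Id feeds the controller's server-derived
# rule; Aruba-User-Role comes from the Aruba vendor dictionary FreeRADIUS ships.
guest123    Cleartext-Password := "guest123"
            Filter-Id = "labguest",
            Aruba-User-Role = "labguest"

# --- clients.conf ---
# One "client" block per controller. IP and secret below are placeholders
# and must match what is configured on the controller's RADIUS server entry.
client aruba-controller {
    ipaddr = 192.0.2.10                    # placeholder: controller IP
    secret = CHANGE-ME                     # placeholder: shared secret
    require_message_authenticator = yes
    nas_type = other
}
```

With `freeradius -X` running, a successful 802.1X login should now show the `files` module matching `guest123` on the outer request and the final `Sent Access-Accept` carrying `Filter-Id = "labguest"`; if the Access-Accept is still empty, check that `files` really precedes the `eap` block in the `authorize` section that is actually in use (sites-enabled/default, not a copy left in sites-available).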


Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Thank you, thank you, thank you.  I've been struggling so long trying to figure out why my Aruba-VLAN tag was not working.  Moving files before EAP solved the problem.

Frequent Contributor I

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

“The solution is to move the "files" module to before "eap".  Edit sites-enabled/default.   Look at the "authorize" section.”


This!


Had trouble understanding exactly what to do, but once I found the "authorize" section it was clearer. I had this exact problem yesterday as well. Was setting up a lab with ArubaOS 8 and using Aruba-User-Role. Couldn't for my life understand why it wouldn't work.


Awesome that you took the time to post this follow up, thank you!

/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions