MVP
Posts: 707
Registered: ‎12-01-2010

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

We've gone with:

  1. Build two new VMs and patch to 6.6.2
  2. Restore backup from morning of the upgrade
  3. export guest users database from 6.6.3 system
  4. switch 6.6.3 VMs out and 6.6.2 VMs in
  5. restore guest users database
  6. back in business!

The issue is in the Cisco interpretation of the RFC for RADIUS. Aruba has (I think) correctly interpreted that there is no reason for a "reply-message" attribute to be in the initial auth-request, and so now CPPM rejects requests with the erroneous attribute.

Cisco is claiming that since the response request was made by my SSH client (acceptable from client to NAD, just not from NAD to NAS) they are obliged to pass the attribute up.

We're working with Cisco to get the equipment to conform to the standard (probably have to filter the attribute) and we'll push that configuration out then re-upgrade CPPM.

 

Whew!

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Community Administrator
Posts: 2,254
Registered: ‎12-03-2013

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

Nice explanation and thanks for the update.

 

Now back to the Tacacs discussion @jrwhitehead :-)

CWNA, ACMP, Security +
MVP
Posts: 707
Registered: ‎12-01-2010

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

TAC/Engineering report that they have added an option to toggle enforcement of the RFC in 6.6.4.

I'm still holding Cisco's feet to the fire to fix their request, but deeply appreciate Aruba making allowances for their (Cisco's) failings.

Expect my report on testing in a few days.

 

Thanks TAC!!

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
MVP
Posts: 707
Registered: ‎12-01-2010

Re: Upgraded CPPM 6.6 from patch 2 to 3 - ssh client fails: Malformed RADIUS packet

The final word from Cisco: my our problem, your RADIUS vendor is mistaken, talk to your account rep to request us to care, or words to that effect.

I'll install the Aruba patch and tick the box to let me continue with poorly behaved gear and let you know how it works.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it