MVP
Posts: 702
Registered: ‎03-25-2009

returning HEX radius VSA's?

OK, running into an issue when using ClearPass to log onto Alcatel-Lucent switches.

Alcatel uses RADIUS vendor code 800 (Xylan) to return a few VSAs that are used to authenticate switch mgmt logons.

The kicker is, they need to be returned in hex.

No problem when using IAS/NPS, but I can't seem to return hex values in CPPM.

I need to return values FFFFFFFF and 0007FFB3.

The default type of these VSAs is OctetArray. But I don't have a clue how to go from hex to OctetArray, or even what exactly OctetArray is.

I thought about using Unsigned32, but adding 4294967295 (for the hex FFFFFFFF) isn't allowed: "Value "4294967295" is not a valid unsigned integer".

So, anybody have an idea how to return VSAs as hexadecimal types?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: returning HEX radius VSA's?

EDIT:

Octet-array should take the hex value as is. Have you tried that?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 702
Registered: ‎03-25-2009

Re: returning HEX radius VSA's?

Yes, tried that.

OctetArray value FFFFFFFF gets converted into some other big decimal (?) number: 4646464646464646 when looking at the RADIUS Access-Accept with Wireshark.

Setting the value to hex in NPS does give FFFFFFFF in Wireshark.

Koen (ACMX #351 | ACDX #547 | ACCP)

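The 4646464646464646 reported above is eight bytes of 0x46, the ASCII code for the letter F: the attribute left the server as the text "FFFFFFFF" rather than the four bytes FF FF FF FF. The Python below is an added example, not code from the thread or from ClearPass; it builds the RFC 2865 Vendor-Specific attribute for vendor 800 both ways and classifies what a captured VSA actually carries, so a capture can be checked against what the policy meant to send. Sub-attribute id 33 (Xylan-Acce-Priv-R1 in the exported dictionary) is assumed purely for illustration.

```python
import struct

VENDOR_XYLAN = 800        # Alcatel-Lucent (Xylan) vendor id from the thread
SUB_ATTR_PRIV_R1 = 33     # assumed sub-attribute id, chosen only for illustration


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode an RFC 2865 Vendor-Specific attribute (type 26):
    Type, Length, Vendor-Id (4 bytes), then vendor sub-attribute Type, Length, Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def parse_vsa(attr: bytes):
    """Decode one VSA into (vendor_id, vendor_type, value); raise on malformed input."""
    if len(attr) < 8:
        raise ValueError("attribute too short for a Vendor-Specific attribute")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != 26 or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vtype, vlen = struct.unpack("!BB", attr[6:8])
    if vlen != alen - 6:
        raise ValueError("vendor sub-attribute length mismatch")
    return vendor_id, vtype, attr[8:]


def classify_payload(payload: bytes, intended_hex: str) -> str:
    """Tell the binary value apart from the ASCII text of its hex digits."""
    if payload == bytes.fromhex(intended_hex):
        return "binary"        # e.g. ff ff ff ff: the value the switch expects
    if payload.upper() == intended_hex.upper().encode("ascii"):
        return "ascii-hex"     # e.g. 46 46 46 46 46 46 46 46: the string "FFFFFFFF"
    return "other"


def check_wire_value(attr: bytes, intended_hex: str) -> str:
    """Classify the value inside a captured VSA against the value the policy meant to send."""
    _, _, payload = parse_vsa(attr)
    return classify_payload(payload, intended_hex)


if __name__ == "__main__":
    # Constructed sample: the two values from the thread, encoded both ways.
    for intended in ("FFFFFFFF", "0007FFB3"):
        good = build_vsa(VENDOR_XYLAN, SUB_ATTR_PRIV_R1, bytes.fromhex(intended))
        bad = build_vsa(VENDOR_XYLAN, SUB_ATTR_PRIV_R1, intended.encode("ascii"))
        print(intended, good.hex(), check_wire_value(good, intended))
        print(intended, bad.hex(), check_wire_value(bad, intended))
```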
Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: returning HEX radius VSA's?

I'm not sure if this helps, but here are the settings for CPPM and Alcatel that I have running at a customer site.

1. To enforce a VLAN 1014 for the RADIUS request, send:

RADIUS: IETF:Tunnel-Type = VLAN(13)

RADIUS: IETF:Tunnel-Medium-Type = IEEE-802(6)

Radius:Xylan:Xylan-Auth Group = 1014

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 702
Registered: ‎03-25-2009

Re: returning HEX radius VSA's?

To return VLAN and policy info I'm using user-network-profile (UNP), which is working correctly.

What isn't working is the management logon to the switches with CPPM as backend RADIUS.

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: returning HEX radius VSA's?

I am not sure if CPPM can send that over in hex; hopefully someone here or TAC can tell you for sure.

I have no idea if this will work or if it is supported, but what if you were to export the Xylan dictionary file, then edit it so that your "OctetArray" types were now String? This way the attribute name and number are the same, but CPPM will send over whatever string you put in (FFFFFFFF in this case). I have verified this will work from CPPM's perspective (through Access Tracker), but not whether your switches will interpret it properly.

Before

xlan-b4.jpg

After

xlan-after.jpg

Also, since you're updating the dictionary file, there is a chance it could be overwritten with updates. You may run the question by TAC. If you do, please let us know the result.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 702
Registered: ‎03-25-2009

Re: returning HEX radius VSA's?

Doesn't work, unfortunately.

I do, however, get completely different results from you.

1) I edited the exported XML:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Wed Feb 27 14:33:02 CET 2013" version="6.0"/>
<Dictionaries>
<Vendor vendorEnabled="true" prefix="Xylan" name="Radius:Xylan" id="800">
<RadiusAttributes>
<Attribute profile="in out" type="Unsigned32" name="Xylan-Auth-Group" id="1"/>
<Attribute profile="in out" type="String" name="Xylan-Slot-Port" id="2"/>
<Attribute profile="in out" type="String" name="Xylan-Time-of-Day" id="3"/>
<Attribute profile="in out" type="IPv4Address" name="Xylan-Client-IP-Addr" id="4"/>
<Attribute profile="in out" type="String" name="Xylan-Group-Desc" id="5"/>
<Attribute profile="in out" type="String" name="Xylan-Port-Desc" id="6"/>
<Attribute profile="in out" type="Unsigned32" name="Xylan-Profil-Numb" id="7"/>
<Attribute profile="in out" type="String" name="Xylan-Auth-Group-Protocol" id="8"/>
<Attribute profile="in out" type="String" name="Xylan-Asa-Access" id="9"/>
<Attribute profile="in out" type="String" name="Xylan-Acce-Priv-F-W2" id="42"/>
<Attribute profile="in out" type="String" name="Xylan-Acce-Priv-F-R1" id="39"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-R2" id="34"/>
<Attribute profile="in out" type="Unsigned32" name="Xylan-Access-Priv" id="16">
<ValidValues>
<ValidValue enumOrdinal="1" value="Xylan-Read-Priv"/>
<ValidValue enumOrdinal="2" value="Xylan-Write-Priv"/>
<ValidValue enumOrdinal="3" value="Xylan-Admin-Priv"/>
</ValidValues>
</Attribute>
<Attribute profile="in out" type="String" name="Xylan-Acce-Priv-F-R2" id="40"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-W1" id="35"/>
<Attribute profile="in out" type="String" name="Xylan-Acce-Priv-F-W1" id="41"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-W2" id="36"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-R1" id="33"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-G2" id="38"/>
<Attribute profile="in out" type="OctetArray" name="Xylan-Acce-Priv-G1" id="37"/>
</RadiusAttributes>
</Vendor>
</Dictionaries>
</TipsContents>


2) They do appear as strings:

01.edited-string-vendor-800.png

3) I added the values:

02.enforce_strings.png

 
4) My output does not give the string. The values I do get are also what I get to see with Wireshark.

EDIT: After rebooting CPPM I do get to see the string values fffffff etc. in the Access Tracker output. Wireshark, however, still sees the 'wrong' values.

03.not-my-string.png

I'm guessing it's about time to go bother TAC.

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: returning HEX radius VSA's?

Forgot to mention, I had to restart Policy Manager and the RADIUS service for the dictionary change to reflect in the returned attributes. TAC is probably your best next step.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 23
Registered: ‎12-22-2011

Re: returning HEX radius VSA's?

Hi guys,

Anyone managed to resolve this?

I have a similar issue in that authentication is accepted by ClearPass and the problem lies with the return attribute from ClearPass.

Managed to get it to work with Juniper SBR.

Thank you!

MVP
Posts: 702
Registered: ‎03-25-2009

Re: returning HEX radius VSA's?

FYI, filed a ticket for this issue and got back that this issue will be fixed in CPPM v6.2.

Koen (ACMX #351 | ACDX #547 | ACCP)
