Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller not sending NAS-Identifier

  • 1.  Controller not sending NAS-Identifier

    Posted Apr 12, 2012 11:44 AM

    Hello,

     

    I am configuring controller management access via FreeRADIUS and I am having an issue.

    We have two main groups, let's call them A and B. In RADIUS I check authorization as follows...

        if user is in group A {
            accept
        }

        if user is in group B AND NAS-Identifier = "grpA-controller" {
            accept
        }

    The first group is fine, but group B will fail because the controller does not appear to be sending a NAS-Identifier. I cannot match on NAS-IP-Address either, because the IP that gets sent is from the machine I am SSH-ing from and not the IP of the controller.

     

    Any ideas?

     

    Dave



  • 2.  RE: Controller not sending NAS-Identifier

    Posted Apr 12, 2012 11:47 AM

    I just discovered this:

     

    aaa authentication-server radius <server>

    nas-identifier <string>

     

     

    Isn't aaa authentication-server radius <server> a global configuration item though? It doesn't make sense to me to have all of the controllers send the same NAS-Identifier.



  • 3.  RE: Controller not sending NAS-Identifier

    EMPLOYEE
    Posted Apr 12, 2012 12:47 PM

    Yes, it is global for each server that is defined, even across controllers. If you want to do geographic definition, you should look at the aruba-ap-group RADIUS attribute that is sent with each authentication so that you can do a different rule based on AP group. Do you think that would work?

     

    Please look at the post here: http://community.arubanetworks.com/t5/Amigopod/RADIUS-Auth-failing/m-p/15573/highlight/true#M82 to see if you would be interested in that.

     

    EDIT:  Since you are doing authentication via user groupings, how are your users grouped?



  • 4.  RE: Controller not sending NAS-Identifier

    Posted Apr 12, 2012 01:02 PM

    Hi Colin,

     

    Unfortunately, no. This is just for the network admins to get CLI access from the wired side.

    We have admins and a subgroup of admins. The latter can only access a couple of the local controllers, whereas the first group can access everything. Right now I can't seem to avoid giving the subgroup access on all of the controllers.

    I would also like to avoid creating new roles on the Aruba to manage this, if possible.

    EDIT: I missed the last bit there. To grant access I am checking LDAP to see if they are a member of the admin-L1 or admin-L15 group. L1 should get the subset of controllers.

     

    Dave



  • 5.  RE: Controller not sending NAS-Identifier

    EMPLOYEE
    Posted Apr 12, 2012 01:06 PM

    So the "nas-ip-address" is still the literal address of the controller that actually sent the authentication.  Can you manage the radius permissions that way on Freeradius?

     



  • 6.  RE: Controller not sending NAS-Identifier

    Posted Apr 12, 2012 01:19 PM

    Sure can.

     

    So the way it works in FreeRADIUS is in a few stages.

    1. It will authorize the user,

    2. It will authenticate the user,

    3. Finally you can do post-auth manipulation. All of this happens before RADIUS sends an Access-Accept or Access-Reject.

    In this case, I am working in the post-auth section.

    Since we have multiple types of devices that require different login types (think: Wireless, 802.1X, VPN, switch management), the easiest way to match what I want is via the literal NAS name and login type.

    My configuration looks something like this:

        post-auth {
            # Full admins: accepted on every controller.
            if (LDAP-Group == "admin-L15") {
                update reply {
                    Service-Type := Administrative-User
                }
            }
            # Subgroup: accepted only when the request names controller-b.
            elsif ((LDAP-Group == "admin-L1") && (NAS-Identifier == "controller-b")) {
                update reply {
                    Service-Type := Administrative-User
                }
            }
            else {
                reject
            }
        }

    It's pretty cool, actually.

     

    Dave

     

     



  • 7.  RE: Controller not sending NAS-Identifier

    EMPLOYEE
    Posted Apr 12, 2012 01:23 PM

    Dave,

     

    I knew you could, I meant is that a workable solution to use the NAS-IP for the post auth?  

     



  • 8.  RE: Controller not sending NAS-Identifier

    Posted Apr 12, 2012 01:41 PM

    Oh, my mistake.

     

    It would be perfectly fine to use the NAS-IP, but the RADIUS requests always use the IP of the master controller, even when you are logging into a local via CLI.

     

    Dave



  • 9.  RE: Controller not sending NAS-Identifier

    EMPLOYEE
    Posted Apr 12, 2012 01:44 PM

    That is interesting.  Do you have the nas-ip parameter configured in the Radius definition on the Master controller?  If you do, please remove it and see if that is now populated with the literal address of the controller that you are logging into.

     



  • 10.  RE: Controller not sending NAS-Identifier

    Posted Apr 12, 2012 02:07 PM

    Hi Colin,

     

    Using your direction I got it working. 

     

    On the master, the radius server looked like this:

     

    Auth Port 1812
    Acct Port 1813
    Retransmits 3
    Timeout 5 sec
    NAS ID N/A
    NAS IP N/A
    Source Interface N/A
    Use MD5 Disabled
    Use IP address for calling station ID Disabled
    Mode Enabled

     

     

    None of the above attributes can be changed on the local controllers. What CAN be changed on the locals is:

     

    #ip radius nas-ip A.B.C.D

     

    This apparently overrides any IP that is configured for sending RADIUS on the master.

     

    Thanks for pointing me in the right direction!

     

    Dave
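The policy from post 6 and the fix from post 10, as an added example that is not code from the thread, from FreeRADIUS or from ArubaOS: a minimal RFC 2865 attribute codec builds constructed Access-Requests, and a Python mirror of the post-auth block decides them. It shows that a subgroup rule keyed on NAS-Identifier rejects every login when the controller omits that attribute, that keying on NAS-IP-Address still rejects while the master's address is sent, and that it accepts once the local's own address arrives, which is what `ip radius nas-ip` on the local achieves. The user names, the 192.0.2.x addresses and the LDAP group table are assumptions; the group names admin-L1 and admin-L15 and the NAS-Identifier controller-b come from the thread.

```python
"""Added example: RADIUS Access-Request codec plus the thread's post-auth policy."""
import ipaddress
import os
import struct

# RFC 2865 attribute type numbers used in this example.
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32

# Assumed LDAP group membership (stands in for rlm_ldap's LDAP-Group check).
LDAP_GROUPS = {"alice": {"admin-L15"}, "bob": {"admin-L1"}}

# Assumed controllers the admin-L1 subgroup may manage, by NAS-Identifier and by
# NAS-IP-Address. 192.0.2.11 is a placeholder for local controller-b's address.
L1_ALLOWED_NAS_ID = {"controller-b"}
L1_ALLOWED_NAS_IP = {"192.0.2.11"}


def encode_access_request(attrs, identifier=1, authenticator=None):
    """Build an Access-Request (Code 1) from (type, value) pairs.

    NAS-IP-Address takes a dotted quad; every other value is a UTF-8 string.
    """
    body = b""
    for attr_type, value in attrs:
        raw = ipaddress.IPv4Address(value).packed if attr_type == NAS_IP_ADDRESS else value.encode()
        body += struct.pack("!BB", attr_type, len(raw) + 2) + raw
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def decode_attributes(packet):
    """Return {attribute type: [values]} from a RADIUS packet, validating lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = packet[pos + 2:pos + attr_len]
        value = str(ipaddress.IPv4Address(raw)) if attr_type == NAS_IP_ADDRESS else raw.decode("utf-8", "replace")
        attrs.setdefault(attr_type, []).append(value)
        pos += attr_len
    return attrs


def post_auth(attrs, key=NAS_IDENTIFIER):
    """Mirror of the thread's post-auth block.

    `key` is the attribute that identifies the controller: NAS_IDENTIFIER (post 6)
    or NAS_IP_ADDRESS (post 10). Returns ("accept" | "reject", reply attributes).
    """
    user = attrs.get(USER_NAME, [None])[0]
    groups = LDAP_GROUPS.get(user, set())
    accept = ("accept", {"Service-Type": "Administrative-User"})
    if "admin-L15" in groups:  # full admins: any controller
        return accept
    if "admin-L1" in groups:  # subgroup: only the listed controllers
        allowed = L1_ALLOWED_NAS_ID if key == NAS_IDENTIFIER else L1_ALLOWED_NAS_IP
        if any(v in allowed for v in attrs.get(key, [])):  # absent attribute never matches
            return accept
    return ("reject", {})


def scenarios():
    """Constructed requests reproducing the thread's cases; returns {name: decision}."""
    master, local_b = "192.0.2.1", "192.0.2.11"  # assumed addresses

    def decide(attrs, key=NAS_IDENTIFIER):
        return post_auth(decode_attributes(encode_access_request(attrs)), key)[0]

    return {
        # admin-L15 is accepted wherever the request comes from
        "l15_any": decide([(USER_NAME, "alice"), (NAS_IP_ADDRESS, master)]),
        # post 1: the controller omits NAS-Identifier, so the admin-L1 rule cannot match
        "l1_no_nas_id": decide([(USER_NAME, "bob"), (NAS_IP_ADDRESS, master)]),
        # had the controller sent NAS-Identifier, post 6's policy works as written
        "l1_with_nas_id": decide([(USER_NAME, "bob"), (NAS_IP_ADDRESS, master),
                                  (NAS_IDENTIFIER, "controller-b")]),
        # post 8: keying on NAS-IP-Address while the master's address is still sent
        "l1_nas_ip_master": decide([(USER_NAME, "bob"), (NAS_IP_ADDRESS, master)], NAS_IP_ADDRESS),
        # post 10: after `ip radius nas-ip 192.0.2.11` on the local, its own address arrives
        "l1_nas_ip_local": decide([(USER_NAME, "bob"), (NAS_IP_ADDRESS, local_b)], NAS_IP_ADDRESS),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(name, decision)
```

The decoder doubles as the check to run when a NAS attribute seems to be missing: feed it the bytes of a captured Access-Request, and if type 32 (NAS-Identifier) is absent from the returned dictionary, no server-side rule keyed on NAS-Identifier can match, whatever the server is.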



  • 11.  RE: Controller not sending NAS-Identifier

    Posted Feb 27, 2018 10:08 AM

    Hi guys!

     

    I am facing a problem similar to this one, but I am using Windows Server 2012.

    My virtual controller sends the NAS IP to my server but the NAS-Identifier goes empty.

    I am using version 6.5.4.4 and it is an IAP-215.

    Is the only solution to use the NAS IP?

    Thanks for the help.

     

    Best Regards