Wireless Access

Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Controller not sending NAS-Identifier

Hello,

 

I am configuring controller management access via FreeRADIUS and I am having an issue.

 

We have two main groups, let's call them A and B. In RADIUS I check authorization as follows...

 

if user is in group A {
    accept
}

if user is in group B AND NAS-Identifier = "grpA-controller" {
    accept
}

 

The first group is fine, but group B will fail because the controller does not appear to be sending a NAS-Identifier. I cannot match on NAS-IP-Address either, because the IP that gets sent is from the machine I am SSH-ing from and not the IP of the controller.

 

Any ideas?

 

Dave

Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Re: Controller not sending NAS-Identifier

I just discovered this:

 

aaa authentication-server radius <server>

nas-identifier <string>

 

 

Isn't aaa authentication-server radius <server> a global configuration item though? It doesn't make sense to me to have all of the controllers send the same NAS-Identifier.

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Controller not sending NAS-Identifier

Yes it is global for each server that is defined, even across controllers.  If you want to do geographic definition, you should look at the aruba-ap-group radius attribute that is sent with each authentication so that you can do a different rule based on ap-group.  Do you think that would work?

 

Please look at the post here: http://community.arubanetworks.com/t5/Amigopod/RADIUS-Auth-failing/m-p/15573/highlight/true#M82 to see if you would be interested in that.

 

EDIT:  Since you are doing authentication via user groupings, how are your users grouped?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Re: Controller not sending NAS-Identifier

Hi Colin,

 

Unfortunately, no. This is just for the network admins to get CLI access from the wired side. 

 

We have admins and a subgroup of admins. The latter can only access a couple of the local controllers, whereas the first group can access everything. Right now I can't seem to avoid giving the subgroup access on all of the controllers.

 

I would also like to avoid creating new roles on the aruba to manage this, if possible.

 

EDIT: I missed the last bit there. To grant access I am checking LDAP to see if they are a member of the admin-L1 or admin-L15 group. L1 should get the subset of controllers.

 

Dave

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Controller not sending NAS-Identifier

So the "nas-ip-address" is still the literal address of the controller that actually sent the authentication.  Can you manage the radius permissions that way on Freeradius?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Re: Controller not sending NAS-Identifier

Sure can.

 

So the way it works in FreeRadius is in a few stages.

 

1. It will authorize the user,

 

2. It will authenticate the user,

 

3. Finally you can do post-auth manipulation. All of this happens before RADIUS sends an Access-Accept, or Access-Reject.

 

In this case, I am working in the post-auth section.

 

Since we have multiple types of devices that require different login types (think: Wireless, 802.1x, VPN, switch management), the easiest way to match what I want is via the literal nas name and login-type. 

 

My configuration looks something like this:

 

post-auth {
    # Full admins: administrative access on every controller
    if (LDAP-Group == "admin-L15") {
        update reply {
            Service-Type := Administrative-User
        }
    }
    # Subgroup: administrative access only when the request comes from controller-b
    elsif ((LDAP-Group == "admin-L1") && (NAS-Identifier == "controller-b")) {
        update reply {
            Service-Type := Administrative-User
        }
    }
    # Everyone else gets an Access-Reject
    else {
        reject
    }
}

 

It's pretty cool actually.

 

Dave


Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Controller not sending NAS-Identifier

Dave,

 

I knew you could, I meant is that a workable solution to use the NAS-IP for the post auth?  

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Re: Controller not sending NAS-Identifier

Oh, my mistake.

 

It would be perfectly fine to use the NAS-IP, but the RADIUS requests always use the IP of the master controller, even when you are logging into a local via CLI.

 

Dave

Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Controller not sending NAS-Identifier

That is interesting.  Do you have the nas-ip parameter configured in the Radius definition on the Master controller?  If you do, please remove it and see if that is now populated with the literal address of the controller that you are logging into.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 36
Registered: ‎02-08-2011

Re: Controller not sending NAS-Identifier

Hi Colin,

 

Using your direction I got it working. 

 

On the master, the radius server looked like this:

 

Auth Port 1812
Acct Port 1813
Retransmits 3
Timeout 5 sec
NAS ID N/A
NAS IP N/A
Source Interface N/A
Use MD5 Disabled
Use IP address for calling station ID Disabled
Mode Enabled

 

 

None of the above attributes can be changed on the local controllers. What CAN be changed on the locals is:

 

#ip radius nas-ip A.B.C.D

 

This apparently overrides any IP that is configured for sending RADIUS on the master.

 

Thanks for pointing me in the right direction!

 

Dave
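The post-auth policy from earlier in the thread and the per-local nas-ip fix above, modelled together as an added example (this is not the thread's own configuration and not FreeRADIUS itself): the policy is keyed on NAS-IP-Address, and build_request models what a local controller puts in that attribute with and without the override. All addresses and group names are constructed placeholders.

```python
# Added example, not from the thread: a model of the FreeRADIUS post-auth
# policy keyed on NAS-IP-Address rather than NAS-Identifier, plus a model of
# what the controllers put in that attribute. All addresses and group names
# are constructed placeholders.
from __future__ import annotations

MASTER_IP = "10.0.0.1"                      # constructed: master controller
# constructed: the local controllers the admin-L1 subgroup may administer
L1_ALLOWED_NAS_IPS = {"10.0.1.1", "10.0.1.2"}
ADMIN_REPLY = {"Service-Type": "Administrative-User"}


def build_request(groups: list[str], nas_ip_override: str | None) -> dict:
    """Model a local controller's Access-Request for a CLI login.

    Without 'ip radius nas-ip' on the local, the request carries the
    master's address (the behaviour described in the thread); with it,
    NAS-IP-Address is the override, i.e. the local's own address.
    """
    return {
        "User-Name": "dave",                        # constructed
        "LDAP-Group": list(groups),                 # result of the LDAP lookup
        "NAS-IP-Address": nas_ip_override or MASTER_IP,
    }


def post_auth(request: dict) -> tuple[str, dict]:
    """Return (unlang result, reply attributes) as post-auth would."""
    groups = set(request.get("LDAP-Group", []))
    nas_ip = request.get("NAS-IP-Address")
    if "admin-L15" in groups:                 # full admins: every controller
        return "accept", dict(ADMIN_REPLY)
    if "admin-L1" in groups and nas_ip in L1_ALLOWED_NAS_IPS:
        return "accept", dict(ADMIN_REPLY)    # subgroup: only its own locals
    return "reject", {}                       # everyone else: Access-Reject


if __name__ == "__main__":
    # Same L1 admin, same allowed local, without and with the nas-ip override:
    # the first login is rejected because the request carries the master's IP.
    for override in (None, "10.0.1.1"):
        print(override, post_auth(build_request(["admin-L1"], override)))
```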
