Wireless Access

Super Contributor II

Uniquely identifying auth requests from l2tp/ipsec clients

Hi,

I'm  looking at using one of our Aruba controllers to provide an l2tp/ipsec service for network staff  who need to have unfettered access to our network from outside our network. Back end auth is against our RADIUS service and I'm generating a specific Filter-Id radius attribute to indicate that they're l2tp/ipsec users. A successful auth then places them in a specific role and away they go. 

 

My concern, however, is whether I've set up the correct Filter-Id attribute value. The RADIUS server copes with EAP and MSCHAPv2 auths from all over the place and may well see Service-Type=Login-User from other devices.

 

Looking at the the RADIUS Access-Request packet sent by the controller, I've got

 

NAS-IP-Address -- <ip address of controller>

NAS-Port = 0

Nas-Port-Type - Wireless-802.11

User-name - me

Calling station id - 000000000000

Called-Station-Id - mac address of client

Framed-ip address - ip address of client machine

MS-CHap stuff

Service-Type - Login-User

Aruba-Location-Id - "N/A"

Aruba-AP-Group - "default"

Message-Authenticator - <stuff>

 

At the moment I'm checking for my username, the Aruba-Location-Id, the Aruba-AP-Group and the Service-Type, but I'm not entirely convinced that the combination of those 3 uniquely identifies an auth request associated with an l2tp/ipsec connection.

 

Any way of really, really identifying the auth request as being associated with an l2tp/ipsec connect request? Can I add an attribute at the controller end to say this is an l2tp/ipsec auth request?

 

Rgds

Alex

 

Guru Elite

Re: Uniquely identifying auth requests from l2tp/ipsec clients

NAS-Port-Type should be VPN or Virtual for VPN authentication.

********************************************

Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Super Contributor II

Re: Uniquely identifying auth requests from l2tp/ipsec clients

Would be good if it was, but it's set to Wireless-802.11.

 

We've got a whole batch of RAPs out there as well.

 

Rgds

Alex

 

Guru Elite

Re: Uniquely identifying auth requests from l2tp/ipsec clients

If you have RAPs along with VPN clients, I suggest you open a support case so that you do not break anything with your RAPs.

 

If you are running ArubaOS 6.x, in Security > Authentication > L3 Authentication there are different ways to handle authentication depending on whether it is a RAP or an incoming VPN connection.

Super Contributor II

Re: Uniquely identifying auth requests from l2tp/ipsec clients

Sounds like a good idea. FWIW, once I've authenticated over an l2tp/ipsec connection and have a look at the clients that are logged on, I can see that my auth type is VPN,

 

and yes, we're running ArubaOS 6.1.3.7.

 

Rgds

Alex

 

Guru Elite

Re: Uniquely identifying auth requests from l2tp/ipsec clients

All right.

 

Your 802.1X clients have a server group. In Configuration > Security > Authentication > L3 Authentication > VPN, THAT has a server group.

 

You could create a new server that is the exact duplicate of your 802.1X server, except you add a parameter in the NAS-ID, like VPN. Create a new server group, and add that server to it. Replace the server group in Configuration > Security > Authentication > L3 Authentication > VPN with that new server group. On your RADIUS server, the NAS ID of VPN will let you know that it is an incoming VPN connection.

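The suggestion above (tag the VPN server group's RADIUS server with its own NAS-ID, then key on NAS-Identifier server-side) can be checked against the weaker heuristic from the opening post. The following Python is an added example, not code from the thread or from Aruba: it models decoded Access-Request attributes as a dict and shows why Service-Type + Aruba-Location-Id + Aruba-AP-Group is ambiguous while NAS-Identifier is not. The NAS-Identifier value "VPN", the role name "l2tp-ipsec-users", the IP addresses and both sample requests are assumptions constructed for the example.

```python
"""Classify Aruba controller RADIUS Access-Requests as VPN or not.

Added example (not from the original thread). Attribute names follow
RFC 2865 and the Aruba vendor dictionary; attribute values are modelled as
already-decoded strings/ints, as a RADIUS server policy would see them.
"""

# Assumption: the NAS-ID configured on the duplicated RADIUS server entry
# that only the L3 Authentication > VPN server group points at.
VPN_NAS_IDENTIFIER = "VPN"

# Assumption: name of the controller user role for l2tp/ipsec staff.
VPN_ROLE_FILTER_ID = "l2tp-ipsec-users"


def weak_match(attrs):
    """The heuristic from the opening post: three attribute values that
    happen to be present on VPN requests but are not reserved for them."""
    return (attrs.get("Service-Type") == "Login-User"
            and attrs.get("Aruba-Location-Id") == "N/A"
            and attrs.get("Aruba-AP-Group") == "default")


def is_vpn_request(attrs):
    """True only when the controller itself tagged the request as VPN.

    NAS-Identifier is set per RADIUS server entry on the controller, so a
    request can only carry "VPN" if it was sent through the entry that the
    VPN server group uses. Nothing else in the request is trusted for this.
    """
    return attrs.get("NAS-Identifier") == VPN_NAS_IDENTIFIER


def reply_attributes(attrs):
    """Build the Access-Accept reply attributes for an authenticated user.

    Returns a dict with Filter-Id set to the VPN role only for requests
    positively identified as VPN; otherwise an empty dict, so the user
    falls through to whatever role the controller derives on its own.
    """
    if is_vpn_request(attrs):
        return {"Filter-Id": VPN_ROLE_FILTER_ID}
    return {}


def classify(attrs):
    """Human-readable verdict for a request, useful when auditing logs."""
    if is_vpn_request(attrs):
        return "vpn"
    if weak_match(attrs):
        return "ambiguous"   # looks like a VPN request, but not tagged
    return "other"


# --- constructed sample requests (not captured packets) -------------------

# What the controller would send once the VPN server entry carries NAS-ID.
VPN_REQUEST = {
    "User-Name": "me",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Port": 0,
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "000000000000",
    "Service-Type": "Login-User",
    "Aruba-Location-Id": "N/A",
    "Aruba-AP-Group": "default",
    "NAS-Identifier": VPN_NAS_IDENTIFIER,
}

# A request from some other path on the same controller that happens to
# carry the same three values but was not sent via the VPN server entry.
OTHER_REQUEST = {
    "User-Name": "me",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Port": 0,
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "001122334455",
    "Service-Type": "Login-User",
    "Aruba-Location-Id": "N/A",
    "Aruba-AP-Group": "default",
    "NAS-Identifier": "controller-1",
}


if __name__ == "__main__":
    for name, req in (("VPN_REQUEST", VPN_REQUEST), ("OTHER_REQUEST", OTHER_REQUEST)):
        print(f"{name}: weak_match={weak_match(req)} "
              f"classify={classify(req)} reply={reply_attributes(req)}")
```

Running it shows both constructed requests satisfy `weak_match`, but only the one carrying the VPN NAS-Identifier gets the Filter-Id reply; the other is reported as "ambiguous" rather than silently placed in the VPN role. On a real server the same check goes into the policy that emits Filter-Id, in whatever policy language that server uses.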
Super Contributor II

Re: Uniquely identifying auth requests from l2tp/ipsec clients

Just read your message again. Already set up the right stuff in the layer 3 auth. There are 3 profiles there: default, default-cap and default-rap. I've pointed default at our RADIUS servers and left the default-rap alone, so they're still running OK.

 

Rgds

Alex
