Wireless Access

Contributor I

role doesn't apply after passed stateful-802.1x

Hi all,

I have a problem with the WLAN controller and a third-party AP. I connected the AP to an Aruba interface and configured it as an untrusted port, then connected a PC with 802.1x authentication. After the authentication passed, the Aruba controller didn't apply the role from the RADIUS response; it got the default role from the stateful-dot1x configuration.

interface gigabitethernet 1/3
description "GE1/3"
trusted vlan 1-4092
switchport mode trunk

aaa authentication-server radius "IAS"
   host "172.20.43.131"
   key xxxxxx

aaa server-group "3th_AP"
 auth-server IAS
 set role condition Reply-Message contains "pidgroup" set-value pidgroup

aaa authentication stateful-dot1x
   default-role "authenticated"
   server-group "3th_AP"
   enable

UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IDENTIFIER_ID:
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IP_ADDRESS
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  USERNAME
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLING_STATION_ID
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLED_STATION_ID
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP_MESSAGE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding to the Radius Server(172.20.43.131) len:0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:24:a8:88:4b:8e/sport:32769/dport:1812
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP MESSAGE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius Response to AP:172.20.43.11 len:0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:11/smac:00:0c:29:b0:48:5c/sport:1812/dport:32769
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IDENTIFIER_ID:
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IP_ADDRESS
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  USERNAME
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLING_STATION_ID
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLED_STATION_ID
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP_MESSAGE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding to the Radius Server(172.20.43.131) len:0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:24:a8:88:4b:8e/sport:32769/dport:1812
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP MESSAGE
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|   {L2} Authenticating Server is IAS
Jun 25 03:13:08 :199802:  <ERRS> |authmgr|  user.c, derive_role2:5623: {38:e7:d8:e7:6a:dc-??} Missing server group in attribute list, auth=Stateful-802.1x, utype=L2
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Adding user: 1090e3b4 (38:e7:d8:e7:6a:dc:0.0.0.0:pid2) to ap group: ap group id: 0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 17, msglen = 188
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  MM: mac=38:e7:d8:e7:6a:dc, state=3, name=pid2, role=authenticated, dev_type=, ip=0.0.0.0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius Response to AP:172.20.43.11 len:0
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:2/smac:00:0c:29:b0:48:5c/sport:1812/dport:32769
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 21, msglen = 128
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  MAC: 38:e7:d8:e7:6a:dc, No L2 auth configured, L2 Deauthenticate skipped for station.
Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Create ipuser 0x0x1095b374 for user 0x0x1090e3b4
Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Called ip_user_new() for ip 10.20.20.254
Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  sta_add_l3: mac 38:e7:d8:e7:6a:dc ip 10.20.20.254
Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Adding user: 1090e3b4 (38:e7:d8:e7:6a:dc:10.20.20.254:pid2) to ap group: ap group id: 0

Has anyone had this issue before?

Thanks in advance.

Retired Employee

Re: role doesn't apply after passed stateful-802.1x

Are you setting the filter-id on the RADIUS server as  "pidgroup"? 

--
HT
Contributor I

Re: role doesn't apply after passed stateful-802.1x

Hi hthakker,

I used the Reply-Message attribute on the RADIUS server, not the filter-id.

Any idea?

Retired Employee

Re: role doesn't apply after passed stateful-802.1x


aakmit wrote:

Hi hthakker,

I used the Reply-Message attribute on the RADIUS server, not the filter-id.

Any idea?


aakmit, 
You should be seeing a message like the following in the user-debug logs. 

Jun 27 07:13:41 :522017:  <INFO> |authmgr|  MAC=e8:99:c4:4e:39:53 IP=10.163.207.102 Derived role 'reply-authenticated' from server rules: server-group=radius, authentication=802.1x

Following is my configuration:

aaa server-group "radius"
auth-server hthakker
set role condition Reply-Message contains "reply123" set-value reply-authenticated

Can you check if the RADIUS server is sending out Reply-Message in the Access-Accept message?

You can get a packet capture on the RADIUS server and filter with "radius".

Attribute Value Pairs inside the Access-Accept packet:

AVP: l=10  t=Reply-Message(18): reply123

--
HT
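An added triage helper, not from this thread or from Aruba, that reads authmgr lines like the ones quoted above and reports, per client MAC, whether the role came from a server-group rule (the INFO line hthakker shows) or fell back to the default role after the "Missing server group" error from the first post, and which Reply-Message values the server returned. The sample lines are constructed from the thread's own log excerpts.

```python
import re

# Constructed sample, shaped like the authmgr lines quoted in this thread
# (MACs, role names and server-group names are the ones the posts show).
SAMPLE_LOG = """\
Jun 25 03:13:08 :199802:  <ERRS> |authmgr|  user.c, derive_role2:5623: {38:e7:d8:e7:6a:dc-??} Missing server group in attribute list, auth=Stateful-802.1x, utype=L2
Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  MM: mac=38:e7:d8:e7:6a:dc, state=3, name=pid2, role=authenticated, dev_type=, ip=0.0.0.0
Jun 27 07:13:41 :522017:  <INFO> |authmgr|  MAC=e8:99:c4:4e:39:53 IP=10.163.207.102 Derived role 'reply-authenticated' from server rules: server-group=radius, authentication=802.1x
Jun 28 06:03:37  authmgr[1565]: <121031> <DBUG> |authmgr| |aaa| [rc_api.c:989]  Reply-Message: pidgroup
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# ERRS line: derivation ran with no server group, so server rules were never evaluated.
MISSING_SG = re.compile(r"\{" + MAC + r"-[^}]*\} Missing server group in attribute list, auth=(?P<auth>[^,\s]+)")
# INFO line a working setup logs: the role came from a server-group rule.
DERIVED = re.compile(r"MAC=" + MAC + r" .*Derived role '(?P<role>[^']+)' from server rules: server-group=(?P<sg>[^,\s]+)")
# MM line: the role the station actually ended up with.
FINAL_ROLE = re.compile(r"MM: mac=" + MAC + r",.*?role=(?P<role>[^,]*),")
# What the RADIUS server sent back (the 'show log all | include Reply' line).
REPLY_MSG = re.compile(r"Reply-Message:\s*(?P<msg>\S+)")

def triage(log_text):
    """Per-MAC summary of role derivation, plus every Reply-Message value seen."""
    stations, reply_messages = {}, []
    for line in log_text.splitlines():
        if m := MISSING_SG.search(line):
            stations.setdefault(m["mac"], {}).update(server_rules_skipped=True, auth=m["auth"])
        elif m := DERIVED.search(line):
            stations.setdefault(m["mac"], {}).update(role=m["role"], source="server-rules", server_group=m["sg"])
        elif m := FINAL_ROLE.search(line):
            st = stations.setdefault(m["mac"], {})
            st.setdefault("role", m["role"])        # keep a server-rules role if already recorded
            st.setdefault("source", "default-role")
        elif m := REPLY_MSG.search(line):
            reply_messages.append(m["msg"])
    return stations, reply_messages

def findings(stations, reply_messages):
    """Flag stations that fell back to the default role even though the server replied."""
    out = []
    for mac, st in sorted(stations.items()):
        if st.get("server_rules_skipped"):
            out.append(f"{mac}: server rules skipped ({st['auth']}); got role '{st.get('role')}' "
                       f"via {st.get('source')}: check the server-group binding of the auth profile")
        else:
            out.append(f"{mac}: role '{st.get('role')}' via {st.get('source')}")
    if reply_messages:
        out.append("Reply-Message values seen: " + ", ".join(reply_messages))
    return out
```

Feed it the text of "show log all" (or the user-debug lines) and print the result of findings(*triage(text)).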
Retired Employee

Re: role doesn't apply after passed stateful-802.1x

aakmit,

If you do not have the capability to get a packet capture on the RADIUS server, you can check if the server is responding with the Reply message on the controller itself.

(master) (config) #logging level debugging security subcat aaa
(master) (config) #logging level debugging security process authmgr

(master) # aaa test-server mschapv2 <radius-server> <username> <password>

(master) #show log all | include Reply
Jun 27 09:42:32 authmgr[1579]: <121031> <DBUG> |authmgr| |aaa| [rc_api.c:989] Reply-Message: reply123

Also, can you post the output of the following command?

show aaa authentication wired

Thanks,

--
HT
Contributor I

Re: role doesn't apply after passed stateful-802.1x

Hi hthakker,

Thanks for your answer. I captured packets on the RADIUS server and I saw the Reply-Message in the returned attribute list of the RADIUS packet.

radius-capture.png

Then I tested with the aaa test-server command and got the result below.

Jun 28 06:03:37  authmgr[1565]: <121031> <DBUG> |authmgr| |aaa| [rc_api.c:989]  Reply-Message: pidgroup

So I'm pretty sure the RADIUS server returns the attribute correctly, but I don't know why the server rule doesn't apply to the user.

(WLAN) #show aaa authentication wired

Wired Authentication Profile
----------------------------
Parameter    Value
---------    -----
AAA Profile  wire-authen

(WLAN) #show aaa profile wire-authen

AAA Profile "wire-authen"
-------------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     N/A
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
RADIUS Accounting Server Group      N/A
RADIUS Interim Accounting           Disabled
XML API server                      N/A
RFC 3576 server                     N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
(WLAN) #

Thanks in advance.

Retired Employee

Re: role doesn't apply after passed stateful-802.1x

aakmit,

Try using the following configuration instead of "stateful-dot1x":

aaa authentication-server radius "IAS"
   host "172.20.43.131"
   key xxxxxx

aaa server-group "3th_AP"
 auth-server IAS
 set role condition Reply-Message contains "pidgroup" set-value pidgroup

aaa profile "3th_AP-aaa"
authentication-dot1x "3th_AP-dot1x_prof"
dot1x-default-role "authenticated"
dot1x-server-group "3th_AP"
!

aaa authentication dot1x "3th_AP-dot1x_prof"
!

 

Apply the "aaa profile" under the Virtual AP profile if the client is connected through an SSID, or apply it to the wired interface if the client traffic is coming through an untrusted wired interface:

aaa authentication wired
profile "3th_AP-aaa"
!

Hope it helps!

--
HT