Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

server-derived role from VSA RADIUS

  • 1.  server-derived role from VSA RADIUS

    Posted Aug 17, 2014 11:13 AM

    Hi,

    I have reached kind of a dead end with this. I have a simple working solution with 802.1X authentication and FreeRADIUS, simply authenticating users defined in the RADIUS users file with a password. After successful auth the default role 'authenticated' is applied.

    ... but I can't get role derivation from the Aruba VSA Aruba-User-Role. I have configured another role 'authenticated-vsa' on the controller, and on RADIUS in the 'users' file I have bob Cleartext-Password := "bob123" and Aruba-User-Role := "authenticated-vsa"

    As I checked the FreeRADIUS configuration, the dictionary.aruba file with the definitions is already included. I have also read that there is no need for an explicit server derivation rule on the controller to apply the VSA attribute.

    Can anybody give me a hint?

    UPDATE: see the FreeRADIUS debug below; it seems RADIUS is sending the VSA Aruba-User-Role, so the problem is on the controller side. I have tried with or without server rules, no change.


    [eap] EAP Identity
    [eap] processing type md5
    rlm_eap_md5: Issuing Challenge
    ++[eap] returns handled
    Sending Access-Challenge of id 105 to 172.16.0.254 port 59329
            Aruba-User-Role := "authenticated-vsa"
            EAP-Message = 0x010300160410b5302d12e3b0bc39b6a55d1963ba5815
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x52e1d8da52e2dc053abe7d46171537b4


    [peap] Got tunneled reply code 2
            Aruba-User-Role := "authenticated-vsa"
            MS-MPPE-Encryption-Policy = 0x00000002
            MS-MPPE-Encryption-Types = 0x00000004
            MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
            MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "bob"

    [peap] Got tunneled reply RADIUS code 2
            Aruba-User-Role := "authenticated-vsa"
            MS-MPPE-Encryption-Policy = 0x00000002
            MS-MPPE-Encryption-Types = 0x00000004
            MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
            MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "bob"
    [peap] Tunneled authentication was successful.
    [peap] SUCCESS



  • 2.  RE: server-derived role from VSA RADIUS

    Posted Aug 17, 2014 04:09 PM
    Hi Seba,

    Have you verified the logs at the controller? Do you have a role named "authenticated-vsa" at the controller side?

    Regards,


  • 3.  RE: server-derived role from VSA RADIUS

    Posted Aug 17, 2014 06:46 PM

    Hi Maro!

    Yep, there is an 'authenticated-vsa' role on the controller, but after looking into the controller logs (don't know if I chose the right ones) I began to wonder about using some packet sniffer, because to my eyes there is nothing incoming VSA-related in the controller logs...

    See below the output with 'logging level debugging security process authmgr' enabled:


    |authmgr| |aaa| [rc_api.c:146] Radius authenticate raw using server MY-RADIUS
    |authmgr| |aaa| [rc_request.c:52] Add Request: id=203, srv=172.16.0.200, fd=63
    |authmgr| |aaa| [rc_server.c:1576] Sending radius request to MY-RADIUS:172.16.0.200:1812 id:203,len:259
    |authmgr| |aaa| [rc_server.c:1586]  User-Name: bob
    |authmgr| |aaa| [rc_server.c:1586]  NAS-IP-Address: 172.16.0.254
    |authmgr| |aaa| [rc_server.c:1586]  NAS-Port-Id: 0
    |authmgr| |aaa| [rc_server.c:1586]  NAS-Identifier: 172.16.0.254
    |authmgr| |aaa| [rc_server.c:1586]  NAS-Port-Type: 19
    |authmgr| |aaa| [rc_server.c:1586]  Calling-Station-Id:
    |authmgr| |aaa| [rc_server.c:1586]  Called-Station-Id:
    |authmgr| |aaa| [rc_server.c:1586]  Service-Type: Login-User
    |authmgr| |aaa| [rc_server.c:1586]  Framed-MTU: 1100
    |authmgr| |aaa| [rc_server.c:1586]  EAP-Message: \002\012
    |authmgr| |aaa| [rc_server.c:1586]  State: \244n@\366\243dY2\257+o\012\36332E
    |authmgr| |aaa| [rc_server.c:1586]  Aruba-Essid-Name: Galaxy
    |authmgr| |aaa| [rc_server.c:1586]  Aruba-Location-Id: IAP225-c6:e5:3a
    |authmgr| |aaa| [rc_server.c:1586]  Aruba-AP-Group: TEST-group
    |authmgr| |aaa| [rc_server.c:1586]  Aruba-Device-Type: Win 7
    |authmgr| |aaa| [rc_server.c:1586]  Message-Auth: \332\017(6k\302\320\213\231\202*5\235\032\376\005
    |authmgr| |aaa| [rc_request.c:76] Find Request: id=203, srv=172.16.0.200, fd=63
    |authmgr| |aaa| [rc_request.c:82]  Current entry: srv=172.16.0.200, fd=63
    |authmgr| |aaa| [rc_request.c:37] Del Request: id=203, srv=172.16.0.200, fd=63
    |authmgr| |aaa| [rc_api.c:1139] Authentication Successful
    |authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
    |authmgr| |aaa| [rc_api.c:1156]  {Microsoft} MS-MPPE-Recv-Key: \221\026\<cut>
    |authmgr| |aaa| [rc_api.c:1156]  {Microsoft} MS-MPPE-Send-Key: \236\013\<cut>
    |authmgr| |aaa| [rc_api.c:1156]  EAP-Message: \003\012
    |authmgr| |aaa| [rc_api.c:1156]  Message-Auth: \\250\241\2254\200\017\243\364\273\3507z\314/\256
    |authmgr| |aaa| [rc_api.c:1156]  User-Name: bob
    |authmgr| |aaa| [rc_api.c:1156]  PW_RADIUS_ID: \313
    |authmgr| |aaa| [rc_api.c:1156]  Rad-Length: 167
    |authmgr| |aaa| [rc_api.c:1156]  PW_RADIUS_CODE: \002
    |authmgr| |aaa| [rc_api.c:1156]  PW_RAD_AUTHENTICATOR: 5\235\212\226\217+\246: \262&J\330\233_T
    |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=MY-RADIUS, user=
    |authmgr|  Auth server 'MY-RADIUS' response=0
    |authmgr|  Setting authserver 'MY-RADIUS' for user 0.0.0.0, client 802.1x.
    |authmgr|  {L2} Authenticating Server is MY-RADIUS.
    |authmgr|  get_traffic_prio_from_role_name: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)
    |authmgr|  user_download: |TC-PROF|: Role (authenticated)  Traffic Prio(15)
    |authmgr|  Create ipuser 172.16.0.10 for user
    |authmgr|  Called ip_user_new() for ip 172.16.0.10.
    |authmgr|  sta_add_l3: mac
    |authmgr|  get_traffic_prio_from_role_name: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)
    |authmgr|  user_download: |TC-PROF|: Role (authenticated)  Traffic Prio(15)
    |authmgr|  Enforcing L2 check for mac
    |authmgr|  download-L3: ip=172.16.0.10 acl=60/0 role=authenticated, Ubwm=0, Dbwm=0 tunl=0x0x1000c, PA=0, HA=1, RO=0, VPN=0, MAC



  • 4.  RE: server-derived role from VSA RADIUS

    Posted Aug 17, 2014 08:08 PM

    The VSA is not configured properly, or it is not being sent. You would see it in the debug message. Try sending a standard RADIUS attribute, like Filter-Id, to see if you see it appear.
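As an added example (not code from this thread or from Aruba), a small Python check that does what the last reply suggests: it reads FreeRADIUS -X output and the controller's authmgr debug and reports whether Aruba-User-Role appears in the PEAP inner (tunneled) reply, in the outer Access-Accept the controller actually receives, and in the controller's decoded response attributes, alongside the role it finally installed. The log excerpts are constructed from the lines quoted above; the NAS only ever sees the outer packet, so an attribute present only in the tunneled reply has not reached the controller.

```python
import re
# Constructed excerpts modelled on the FreeRADIUS -X and ArubaOS authmgr debug quoted in this thread.
FREERADIUS_DEBUG = """\
[peap] Got tunneled reply RADIUS code 2
        Aruba-User-Role := "authenticated-vsa"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 203 to 172.16.0.254 port 59329
        MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
        EAP-Message = 0x03090004
        User-Name = "bob"
"""
CONTROLLER_DEBUG = r"""|authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
|authmgr| |aaa| [rc_api.c:1156]  {Microsoft} MS-MPPE-Recv-Key: \221\026\<cut>
|authmgr| |aaa| [rc_api.c:1156]  EAP-Message: \003\012
|authmgr| |aaa| [rc_api.c:1156]  User-Name: bob
|authmgr|  download-L3: ip=172.16.0.10 acl=60/0 role=authenticated, Ubwm=0
"""
VSA = "Aruba-User-Role"

def freeradius_reply_sections(debug):
    """Attribute names under each reply: 'inner' (PEAP tunnel) and 'outer' (sent to the NAS)."""
    sections, current = {}, None
    for line in debug.splitlines():
        if line.startswith("[peap] Got tunneled reply"):
            current = "inner"
        elif line.startswith("Sending Access-"):
            current = "outer"
        elif current and line.startswith(" "):  # indented attribute line
            sections.setdefault(current, []).append(line.split()[0])
        else:
            current = None  # any other line ends the attribute list
    return sections

def controller_response_attrs(debug):
    """Attribute names the controller decoded from the Access-Accept it received."""
    attrs, in_block = [], False
    for line in debug.splitlines():
        if "RADIUS RESPONSE ATTRIBUTES" in line:
            in_block = True
        elif in_block and (m := re.search(r"rc_api\.c:1156\]\s+(?:\{[^}]*\}\s+)?([\w-]+):", line)):
            attrs.append(m.group(1))
        else:
            in_block = False
    return attrs

def vsa_path(fr_debug, ctl_debug):
    """(in inner reply, in outer reply, seen by controller, role applied) for the VSA."""
    s = freeradius_reply_sections(fr_debug)
    role = re.search(r"download-L3:.*?\brole=([^,\s]+)", ctl_debug)
    return (VSA in s.get("inner", []), VSA in s.get("outer", []),
            VSA in controller_response_attrs(ctl_debug), role.group(1) if role else None)
```

On the constructed excerpts vsa_path() returns (True, False, False, "authenticated"): the VSA is in the tunneled reply only, the controller never decoded it, and the default role was installed.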