Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

role doesn't apply after passed stateful-802.1x

  • 1.  role doesn't apply after passed stateful-802.1x

    Posted Jun 25, 2012 03:17 AM

     

     

    Hi all,

       I have some problem about WLAN controller and 3th party AP. I connected AP to Aruba interface and config it as untrusted port then I connected PC with 802.1x authentication after passed authentication Aruba controller didn’t apply role from radius response its got the default role from stateful-dot1x configuration.

     

    interface gigabitethernet  1/3        
    description "GE1/3"       
    trusted vlan 1-4092      
    switchport mode trunk

     

    aaa authentication-server radius "IAS"

       host "172.20.43.131"

       key xxxxxx

     

    aaa server-group "3th_AP"

     auth-server IAS

     set role condition Reply-Message contains "pidgroup" set-value pidgroup

     

    aaa authentication stateful-dot1x                

       default-role "authenticated"                  

       server-group "3th_AP"                         

       enable       

     

     

     

    UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IDENTIFIER_ID:

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IP_ADDRESS

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  USERNAME

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLING_STATION_ID

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLED_STATION_ID

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP_MESSAGE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding to the Radius Server(172.20.43.131) len:0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:24:a8:88:4b:8e/sport:32769/dport:1812

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP MESSAGE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius Response to AP:172.20.43.11 len:0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:11/smac:00:0c:29:b0:48:5c/sport:1812/dport:32769

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IDENTIFIER_ID:

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  NAS_IP_ADDRESS

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  USERNAME

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLING_STATION_ID

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  CALLED_STATION_ID

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP_MESSAGE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  UNKNOWN ATTRIBUTE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding to the Radius Server(172.20.43.131) len:0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:1/smac:00:24:a8:88:4b:8e/sport:32769/dport:1812

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Received Valid Radius Reponse

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  EAP MESSAGE

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|   {L2} Authenticating Server is IAS

    Jun 25 03:13:08 :199802:  <ERRS> |authmgr|  user.c, derive_role2:5623: {38:e7:d8:e7:6a:dc-??} Missing server group in attribute list, auth=Stateful-802.1x, utype=L2

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Adding user: 1090e3b4 (38:e7:d8:e7:6a:dc:0.0.0.0:pid2) to ap group: ap group id: 0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 17, msglen = 188

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  MM: mac=38:e7:d8:e7:6a:dc, state=3, name=pid2, role=authenticated, dev_type=, ip=0.0.0.0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius Response to AP:172.20.43.11 len:0

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Forwarding the Radius packet after stateful dot1x processing code:2/smac:00:0c:29:b0:48:5c/sport:1812/dport:32769

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  Tx message to Sibyte. Opcode = 21, msglen = 128

    Jun 25 03:13:08 :124004:  <DBUG> |authmgr|  MAC: 38:e7:d8:e7:6a:dc, No L2 auth configured, L2 Deauthenticate skipped for station.

    Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Create ipuser 0x0x1095b374 for user 0x0x1090e3b4

    Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Called ip_user_new() for ip 10.20.20.254

    Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  sta_add_l3: mac 38:e7:d8:e7:6a:dc ip 10.20.20.254

    Jun 25 03:13:10 :124004:  <DBUG> |authmgr|  Adding user: 1090e3b4 (38:e7:d8:e7:6a:dc:10.20.20.254:pid2) to ap group: ap group id: 0

     

    have anyone get this issue before?

    thanks in advance



  • 2.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 25, 2012 11:34 AM

    Are you setting the filter-id on the RADIUS server as  "pidgroup"? 



  • 3.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 26, 2012 09:19 AM

    Hi hthakker,

     

       I used Reply-message attribute on radius server not the fillter-id.

     

    anyidea?



  • 4.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 27, 2012 11:44 AM

    @aakmit wrote:

    Hi hthakker,

     

       I used Reply-message attribute on radius server not the fillter-id.

     

    anyidea?


    aakmit, 
    You should be seeing a message like the following in the user-debug logs. 

    Jun 27 07:13:41 :522017:  <INFO> |authmgr|  MAC=e8:99:c4:4e:39:53 IP=10.163.207.102 Derived role 'reply-authenticated' from server rules: server-group=radius, authentication=802.1x

     

     

    Following is my configuration 

    aaa server-group "radius"

    auth-server hthakker
    set role condition Reply-Message contains "reply123" set-value reply-authenticated

     

    Can you check if the the RADIUS server is sending out Reply-message in the Access-Accept message. 

     

    You can get packet capture on the RADIUS server and filter with "radius". 

    Attribute Value Pairs inside the Access-Accept packet 

     

    AVP: l=10  t=Reply-Message(18): reply123

     



  • 5.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 27, 2012 02:11 PM

    aakmit, 

     

    If you do not have the capability to get packet capture on the RADIUS server, you can check if the server is responding with the Reply message on the controller itself.

     

    (master) (config) #logging level debugging security subcat aaa
    (master) (config) #logging level debugging security process authmgr

     

    (master) # aaa test-server mschapv2 <radius-server> <username> <password>

     

    (master) #show log all | include Reply
    Jun 27 09:42:32 authmgr[1579]: <121031> <DBUG> |authmgr| |aaa| [rc_api.c:989] Reply-Message: reply123

     

     

    Also, 

    Can you post the output of the following command? 

     

    show aaa authentication wired

     

    Thanks,

    --

    HT

     



  • 6.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 28, 2012 03:15 AM

    Hi hthakker,

     

    thanks for your answer. I captured packet on radius server and i saw the Reply-message return attribute list in the radius packet.

     

    radius-capture.png

     

    Then i tested with aaa test-server command i got the resault like below.

    Jun 28 06:03:37  authmgr[1565]: <121031> <DBUG> |authmgr| |aaa| [rc_api.c:989]  Reply-Message: pidgroup

     

     So, I'm pretty sure the radius return attribute correctly but i don't know while server rule doesn't apply to user.

     

    (WLAN) #show aaa authentication wired

    Wired Authentication Profile

     ----------------------------

    Parameter    Value

     ---------    -----

    AAA Profile  wire-authen

     

    (WLAN) #show aaa profile wire-authen

    AAA Profile "wire-authen"

    -------------------------

    Parameter                           Value

    ---------                           -----

    Initial role                        logon

    MAC Authentication Profile          N/A

    MAC Authentication Default Role     guest

    MAC Authentication Server Group     N/A

    802.1X Authentication Profile       N/A

    802.1X Authentication Default Role  guest

    802.1X Authentication Server Group  N/A

    L2 Authentication Fail Through      Disabled

    RADIUS Accounting Server Group      N/A

    RADIUS Interim Accounting           Disabled

    XML API server                      N/A

    RFC 3576 server                     N/A

    User derivation rules               N/A

    Wired to Wireless Roaming           Enabled

    SIP authentication role             N/A

    Device Type Classification          Enabled

     Enforce DHCP                        Disabled

    (WLAN) #

     

    thanks in advance.

     

     



  • 7.  RE: role doesn't apply after passed stateful-802.1x

    Posted Jun 28, 2012 06:46 PM

    aakmit, 

     

    Try using the following configuration instead of "stateful-dot1x" 

     

    aaa authentication-server radius "IAS"

       host "172.20.43.131"

       key xxxxxx

     

    aaa server-group "3th_AP"

     auth-server IAS

     set role condition Reply-Message contains "pidgroup" set-value pidgroup

     

     

    aaa profile "3th_AP-aaa"
    authentication-dot1x "3th_AP-dot1x_prof"
    dot1x-default-role "authenticated"
    dot1x-server-group "3th_AP"
    !

     

    aaa authentication dot1x "3th_AP-dot1x_prof"
    !

     

    Apply the "aaa profile" under the Virtual AP profile if the client is connected through an SSID of apply to the wired interface if the client traffic is coming through an untrusted wired interface 

     

     

    aaa authentication wired 

    profile "3th_AP-aaa"

    !

     

    Hope it helps ! 

     

    --

    HT