Wired Intelligent Edge


Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

  • 1.  Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    Posted May 17, 2022 01:02 PM

    Hello,

     

    I'm having issues with Windows NPS, and I get the output below in the event log when attempting to log in via RADIUS to an Aruba 6000 series switch after failing to authenticate. I believe I need to configure a vendor-specific attribute (VSA), but I couldn't find any clear documentation on configuring it in NPS. I've seen some videos where the VSA is applied to the Network Policy, but the reason code and the particular conditions I have lead me to believe I need to configure a VSA on the Connection Request Policy.

     

    User:
        Security ID:                    NULL SID
        Account Name:                   User1
        Account Domain:                 -
        Fully Qualified Account Name:   -
    Client Machine:
        Security ID:                    NULL SID
        Account Name:                   -
        Fully Qualified Account Name:   -
        Called Station Identifier:      -
        Calling Station Identifier:     192.168.X.X
    NAS:
        NAS IPv4 Address:               -
        NAS IPv6 Address:               -
        NAS Identifier:                 sshd
        NAS Port-Type:                  Virtual
        NAS Port:                       15263
    RADIUS Client:
        Client Friendly Name:           "Friendly Name"
        Client IP Address:              192.168.X.X
    Authentication Details:
        Connection Request Policy Name: -
        Network Policy Name:            -
        Authentication Provider:        -
        Authentication Server:          "Authentication Server"
        Authentication Type:            -
        EAP Type:                       -
        Account Session Identifier:     -
        Logging Results:                Accounting information was written to the local log file.
        Reason Code:                    49
        Reason:                         The RADIUS request did not match any configured connection request policy (CRP).


    Thank you in advance if anyone has any information regarding my issue.



    ------------------------------
    Austin
    ------------------------------


  • 2.  RE: Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    EMPLOYEE
    Posted May 18, 2022 01:38 PM
    Austin --

    The error code you are referencing (49) means the NPS server couldn't figure out how to process the RADIUS request. This is in your connection request policy setup on the NPS server.
    If this is for 802.1X authentication, the server needs to recognize the NAS-Port-Type as Ethernet and the Service-Type as Login-User or Framed-User.
    MAC auth would require NAS-Port-Type Ethernet and Service-Type Call-Check.
    For user authentication to the CLI you would need NAS-Port-Type Virtual and Service-Type NAS-Prompt-User.

    If all you are doing is accept/reject, there is no need for a VSA. If you are passing back enforcement information, then NPS uses the Filter-ID VSA, which you would need to intercept as a local role on the switch.

    ------------------------------
    Travis Thompson
    ------------------------------



  • 3.  RE: Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    Posted May 19, 2022 09:58 AM

    So, I understand from the reason code that the request isn't matching the connection request policy (CRP). But what I don't understand is how the request can't be processed, as the only condition I'm using for the CRP is NAS IPv4 Address matching the management subnet for all my switches. I have HP 2530s and Aruba 2540s in my network that are also hitting that CRP. I've changed out the conditions for the different things you recommended with no luck; I get the same reason code of 49. I may have been listing them under the wrong setting, but I tried variations of using them as conditions and/or settings within the CRP. I'm not sure what else I would need to add to the CRP for the ArubaOS-CX switches to be able to process the RADIUS requests. I've looked through the documentation, and the only thing that seems relevant and that I might be missing is attached, but that seems to come back to VSAs.

     

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00110027en_us&docLocale=en_US




    ------------------------------
    Austin
    ------------------------------



  • 4.  RE: Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    EMPLOYEE
    Posted May 20, 2022 12:16 PM
    Austin -- 

    It won't matter what VSAs you are sending back until the RADIUS server can determine which connection request policy to use.
    The one difference between AOS-S (2540, etc.) and AOS-CX is that for a CX switch login request we only send NAS-Port-Type = Virtual. We do not send the Service-Type or MS-RAS-Vendor attributes. It's possible your connection request policy for the other switches is triggering off one of those two attributes.

    Just set this up in the lab for a super simple administrative allow, hopefully the screen shots will help.

    [Screenshot: Overview of the connection request profile]

    [Screenshot: Define the NAS Port type]

    [Screenshot: Allow PAP logins]

    [Screenshot: Return the "Administrator" service type for full switch access]


    ------------------------------
    Travis Thompson
    ------------------------------



  • 5.  RE: Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    Posted May 20, 2022 12:41 PM
    Travis, Thank you! The screen shots really helped and I was able to authenticate via radius.

    ------------------------------
    Austin
    ------------------------------



  • 6.  RE: Issue with Radius (Windows NPS) and Aruba 6000 Series Switches

    EMPLOYEE
    Posted 4 days ago
    CX switches by default do not send NAS-IP-Address; we need the RADIUS server group configuration below. It is supported from the 8.1060/9.1020 releases onwards.

    (config)# aaa radius-attribute group <radius-server-group-name>

    shobana-vsf(config-radius-attr)# nas-ip-addr ?
      request-type  Configure the request-type.
      service-type  Configure the service-type RADIUS attribute.
    shobana-vsf(config-radius-attr)# nas-ip-addr request-type ?
      accounting      Include the attribute in accounting-request packets.
      authentication  Include the attribute in access-request packets.
      both            Include the attribute in access-request and
                      accounting-request packets.
    shobana-vsf(config-radius-attr)# nas-ip-addr request-type both
    shobana-vsf(config-radius-attr)# nas-ip-addr service-type ?
      user-management  Include the attribute for management users RADIUS
                       access-request packets.
    shobana-vsf(config-radius-attr)# nas-ip-addr service-type user-management

    ------------------------------
    Shobana
    Aruba
    ------------------------------
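The three employee replies above (the attribute-to-policy mapping in reply 2, the "CX sends only NAS-Port-Type=Virtual" point in reply 4, and the missing NAS-IP-Address in reply 6) can be checked offline with a small RADIUS model. The following is an added example written for this page, not code from the thread, Aruba or Microsoft. It builds an RFC 2865 Access-Request with PAP password hiding, parses it back, and runs a toy version of NPS connection request policy selection over it. Assumptions: the AOS-CX attribute set is copied from the poster's event log (NAS-Identifier=sshd, NAS-Port-Type=Virtual, NAS-Port, Calling-Station-Id, no Service-Type, no NAS-IP-Address by default); the AOS-S set is a guess based on reply 4 and the poster's working subnet CRP; the shared secret, addresses, user name and policy names are constructed; and the "first matching policy wins, a condition on an absent attribute fails" rule is a simplification of NPS, not its actual matching engine.

```python
"""Added example (not from the thread): a minimal RFC 2865 Access-Request
encoder/decoder plus a toy model of how NPS picks a connection request policy
(CRP). All packets, addresses and the shared secret are constructed here."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute types used below.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 31, 32, 61
# Enumeration values named in the replies (RFC 2865 sections 5.6 and 5.41).
SERVICE_NAS_PROMPT_USER, PORT_TYPE_VIRTUAL, PORT_TYPE_ETHERNET = 7, 5, 15

def u32(value):
    return struct.pack("!I", value)

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n bytes, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def encode_access_request(identifier, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def decode(packet):
    """Parse header and TLV attributes, rejecting inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}

def cx_cli_login(user, password, secret, ra, nas_ip=None):
    """Attribute set taken from the poster's event log for an AOS-CX SSH login (no
    Service-Type). NAS-IP-Address only appears once `nas-ip-addr` is configured (nas_ip);
    the Calling-Station-Id value is a placeholder for the redacted 192.168.X.X."""
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password.encode(), secret, ra)),
             (NAS_IDENTIFIER, b"sshd"), (NAS_PORT_TYPE, u32(PORT_TYPE_VIRTUAL)),
             (NAS_PORT, u32(15263)), (CALLING_STATION_ID, b"192.168.1.50")]
    if nas_ip:
        attrs.append((NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed))
    return attrs

def aos_s_cli_login(user, password, secret, ra, nas_ip="192.168.10.20"):
    """Assumed AOS-S set: per reply 4 it also carries Service-Type, and NAS-IP-Address
    must be present for the poster's subnet CRP to have matched those switches."""
    return [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password.encode(), secret, ra)),
            (NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed),
            (NAS_PORT_TYPE, u32(PORT_TYPE_VIRTUAL)), (SERVICE_TYPE, u32(SERVICE_NAS_PROMPT_USER))]

def in_subnet(cidr):
    return lambda v: ipaddress.ip_address(v) in ipaddress.ip_network(cidr)

def equals(value):
    return lambda v: struct.unpack("!I", v)[0] == value

def crp_matches(policy, attrs):
    """All conditions must hold; a condition on an attribute the request never
    carried cannot match, which is the AOS-CX trap in this thread."""
    for attr_type, predicate in policy["conditions"]:
        if not any(predicate(v) for t, v in attrs if t == attr_type):
            return False
    return True

def select_crp(policies, attrs):
    """First CRP in processing order that matches; None is reason code 49 territory."""
    return next((p["name"] for p in policies if crp_matches(p, attrs)), None)

# Toy policies: the poster's original subnet CRP, reply 2's CLI mapping, and
# reply 4's NAS-Port-Type-only CRP for CX (ordered last because it is the broadest).
MGMT_SUBNET_CRP = {"name": "switch-mgmt-subnet", "conditions": [(NAS_IP_ADDRESS, in_subnet("192.168.10.0/24"))]}
CLI_CRP = {"name": "cli-login", "conditions": [(NAS_PORT_TYPE, equals(PORT_TYPE_VIRTUAL)),
                                               (SERVICE_TYPE, equals(SERVICE_NAS_PROMPT_USER))]}
CX_CLI_CRP = {"name": "cx-cli-login", "conditions": [(NAS_PORT_TYPE, equals(PORT_TYPE_VIRTUAL))]}

def demo():
    secret, ra = b"dummy-shared-secret", os.urandom(16)
    cx = decode(encode_access_request(7, ra, cx_cli_login("User1", "Pa55w0rd", secret, ra)))["attrs"]
    original = [MGMT_SUBNET_CRP, CLI_CRP]
    return {
        "aos_s_original": select_crp(original, aos_s_cli_login("User1", "Pa55w0rd", secret, ra)),
        "cx_original": select_crp(original, cx),  # None: the thread's reason code 49
        "cx_port_type_crp": select_crp(original + [CX_CLI_CRP], cx),  # reply 4's fix
        "cx_nas_ip_addr": select_crp(original, cx_cli_login("User1", "Pa55w0rd", secret, ra, "192.168.10.31")),  # reply 6's fix
    }

if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name}: {chosen}")
```

Two practitioner notes. First, a CRP keyed only on NAS-Port-Type=Virtual is broad, so keep it after the more specific policies (or combine it with a NAS IPv4 condition once `nas-ip-addr` is enabled on the CX side), otherwise it will also catch the AOS-S logins. Second, the CLI login the screenshots enable is PAP, and the User-Password hiding above is only an MD5/XOR stream keyed by the shared secret and the request authenticator (RFC 2865 5.2), so the path between switch and NPS should be a trusted management network or an encrypted transport, not a general-purpose VLAN.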