Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Amigopod ignoring radius VSA's?

  • 1.  Amigopod ignoring radius VSA's?

    MVP
    Posted Feb 16, 2012 07:17 AM

    Trying to get Amigopod to accept and then use the radius attributes I've configured on the radius server to then create a mac account in its internal db so the user doesn't have to log on again afterwards.

     

    Amigopod is set up with the radius server as an external RADIUS authentication server (type proxy). The authorization method is set to "use attributes from proxy radius server".

    On the radius server (windows NPS) I've added the Aruba Aruba-User-Role VSA as "guest-cp" to the users network policy.

     

    On the Amigopod a radius user role has been created: guest-cp.

    In this guest-cp user role a standard radius attribute Tmp-String-0 has been added, which has the following conditional expression that should create a mac account in the amigopod internal db.

    return ($a=GetAttr('Calling-Station-Id')) && NwaDynamicLoad('NwaCreateUser') && NwaCreateUser(array('creator_accept_terms'=>1, 'role_id'=>6, 'username'=>$a, 'password'=>$a, 'visitor_name'=>$user['username'], 'modify_expire_time'=>'september', 'do_expire'=>4, 'auto_update_account'=>1)) && 0;

     

    Now when I logon with a ad/radius user I can see the Aruba-User-Role attribute being returned. The user authenticates and is allowed through but no mac account is created.

     

    When I log on with an internal db user which has its role set to the same guest-cp the mac account is created.

     

    So, why isn't my user-role being accepted to create the mac account?

     



  • 2.  RE: Amigopod ignoring radius VSA's?

    Posted Feb 16, 2012 07:37 AM
    I believe an updated version of the auto Mac account tech note has been published to the support.arubanetworks.com website. The update includes a revised conditional expression that better caters for proxy authentication.


  • 3.  RE: Amigopod ignoring radius VSA's?

    MVP
    Posted Feb 16, 2012 09:39 AM

    Same problem with the new document.

     

    A test shows the radius server actually sending back the aruba-user-role and the reply-message VSA's I configured but amigopod seems to ignore them.

     

    Sending Access-Request of id 183 to 127.0.0.1 port 1812 
            User-Name = "mylogon" 
            User-Password = "●●●●●●●●" 
            NAS-Identifier = "amigopod.mydomain.local" 
            NAS-IP-Address = 127.0.0.1 
            NAS-Port = 1812 
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=183, length=128 
            Aruba-User-Role = "guest-cp" 
            Framed-Protocol = PPP 
            Reply-Message = "guest-cp" 
            Service-Type = Framed-User 
            Class = 0xa2d309ba0000013700010200ac1000c400000000314aa86d004b0d4a01ccd58794f3b4c40000000000000d97 
            MS-Link-Utilization-Threshold = 50 
            MS-Link-Drop-Time-Limit = 120

    I can in fact see the Aruba-user-role VSA being applied in the controller. It's just that it won't trigger the mac account creation.

     

     

    Feb 16 15:35:19 :522038:  <INFO> |authmgr|  username=mylogon MAC=00:18:de:a5:cd:57 IP=192.168.10.231 Authentication result=Authentication Successful method=Web server=amigopod
    Feb 16 15:35:19 :522016:  <INFO> |authmgr|  MAC=00:18:de:a5:cd:57 IP=?? Derived role 'guest-cp' from Aruba VSA
    Feb 16 15:35:19 :522049:  <INFO> |authmgr|  MAC=00:18:de:a5:cd:57,IP=192.168.10.231 User role updated, existing Role=guest-logon-amigo/guest-logon-amigo, new Role=guest-logon-amigo/guest-cp, reason=User authenticated with auth type:1role derivation:7 l3 assigned role:None
    Feb 16 15:35:19 :522050:  <INFO> |authmgr|  MAC=00:18:de:a5:cd:57,IP=192.168.10.231 User data downloaded to datapath, new Role=guest-cp/73, bw Contract=0/0,reason=Download driven by user role setting
    Feb 16 15:35:19 :522008:  <NOTI> |authmgr|  User Authentication Successful: username=mylogon MAC=00:18:de:a5:cd:57 IP=192.168.10.231 role=guest-cp VLAN=4001 AP=tech SSID=amigo AAA profile=aaa-amigo auth method=Web auth server=amigopod
    Feb 16 15:35:19 :522038:  <INFO> |authmgr|  username=mylogon MAC=00:18:de:a5:cd:57 IP=192.168.10.231 Authentication result=Authentication Successful method=radius-accounting server=amigopod

     

    So what am I missing? How do I get amigopod to run the radius role I'm sending it?

     

     

    PS, you might want to clearly add a version number on your documents. I had no idea I was using an old version. The date that is mentioned on the docs was identical (March 2011).

    Also, the new document has some typos in the Annotated Expression. I count at least 2 closing brackets that are missing)



  • 4.  RE: Amigopod ignoring radius VSA's?

    MVP
    Posted Feb 27, 2012 03:41 AM

    Could somebody confirm what I'm trying to do is/should actually be possible? Using AmigoPod's internal database with a fail through to an external radius server (amigopod as a radius proxy), then use radius VSA's returned by that external radius server to

    1) automatically create a mac account for the device of that user

    2) have different mac accounts (duration, role, ...) depending on which radius VSA was returned by that external radius server?

     

    Support says this is not possible and has redirected me to using ldap/ad instead of the external radius. Which I prefer to not use whenever possible.



  • 5.  RE: Amigopod ignoring radius VSA's?
    Best Answer

    Posted Feb 27, 2012 09:26 AM

    I think it should be possible, but it's not something I've done or heard of anyone else doing either. Typically, when an account is created or fails to be created, there are some messages in the application log on the Amigopod server. Are you seeing any?



  • 6.  RE: Amigopod ignoring radius VSA's?

    MVP
    Posted Feb 27, 2012 12:09 PM

    Nothing really strikes out.

    Anyway, got it working through ldap now so I'll try and tackle this when everything else is working.



  • 7.  RE: Amigopod ignoring radius VSA's?
    Best Answer

    EMPLOYEE
    Posted Mar 01, 2012 03:17 PM

    Glad you found a work around.  This can be done using RADIUS however.  It comes with a caveat that none of the original RADIUS attributes will be passed back to the controller.

     

    You need to select "Use PHP code to assign a user role". If you click the Help link from the RADIUS Proxy edit page you should be able to find an example. In your case it would look something like:

     

    // $user holds the attributes the proxied RADIUS server replied with
    if (stripos($user['Aruba-User-Role'],'guest-cp') !== false) return 4;   // role 4: MAC caching role
    if (stripos($user['Aruba-User-Role'],'Role 2') !== false) return 5;     // role 5: second MAC caching role
    return 2;                                                                 // default Guest role

     

    In this scenario, the 4 and 5 would be two new roles you created that contain the MAC Caching code.  I showed two as an example, you may be fine with 1.  The final '2' is the default Guest role, and again here for example only.

     

    Any attributes replied by your server will be available in the $user object.

     

    There is a tech note on the Amigopod section of the Aruba support site that has a more advanced MAC Cache statement.
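The snippet in the answer above does a case-insensitive substring match, which also fires for any longer role name that happens to contain 'guest-cp', and it reads `$user['Aruba-User-Role']` without checking that the proxied reply carried the VSA at all. The following is an added example, not code from the thread or from Aruba's tech note, in the style of Amigopod's "Use PHP code to assign a user role" option. It assumes the same `$user` array of reply attributes the answer describes and reuses the role IDs from the post (4 and 5 for the MAC-caching roles, 2 for the default Guest role); the `$roleMap` table, the `assignRole()` helper and the sample replies are constructed for illustration.

```php
<?php
// Added example: exact-match role assignment for an Amigopod RADIUS proxy.
// Role IDs 4, 5 and 2 are the ones used in the post above; the lookup table,
// the helper function and the sample replies below are constructed here.

// Whole-value table: lower-cased VSA value => Amigopod role ID.
// Matching the complete value (rather than stripos() substrings) means a role
// such as 'guest-cp-noexpire' does not silently fall into the 'guest-cp' bucket.
$roleMap = array(
    'guest-cp' => 4,   // assumed: role 4 contains the MAC-caching expression
    'role 2'   => 5,   // assumed: second MAC-caching role from the post
);
$defaultRole = 2;      // default Guest role, as in the post

function assignRole(array $user, array $roleMap, $defaultRole)
{
    // Reply without the VSA (for example a non-Aruba NPS policy): fall back
    // to the default role instead of reading an undefined index.
    if (!isset($user['Aruba-User-Role'])) {
        return $defaultRole;
    }
    // A reply may carry the attribute more than once; accept a scalar or a
    // list and use the first value present in the table.
    $values = is_array($user['Aruba-User-Role'])
        ? $user['Aruba-User-Role']
        : array($user['Aruba-User-Role']);
    foreach ($values as $v) {
        $key = strtolower(trim((string) $v));
        if (array_key_exists($key, $roleMap)) {
            return $roleMap[$key];
        }
    }
    // VSA present but not one we map: default role, never a MAC-caching role.
    return $defaultRole;
}

// Constructed sample replies (not captured traffic), one per edge case.
$samples = array(
    array('User-Name' => 'mylogon', 'Aruba-User-Role' => 'guest-cp'),          // plain match
    array('User-Name' => 'bob',     'Aruba-User-Role' => ' GUEST-CP '),        // padding and case
    array('User-Name' => 'carol',   'Aruba-User-Role' => 'guest-cp-noexpire'), // substring only
    array('User-Name' => 'dave'),                                               // VSA absent
    array('User-Name' => 'erin',    'Aruba-User-Role' => array('staff', 'Role 2')), // multi-valued
);
foreach ($samples as $s) {
    printf("%-8s -> role %d\n", $s['User-Name'], assignRole($s, $roleMap, $defaultRole));
}

// Inside the Amigopod role-assignment field the table and the helper sit in the
// snippet itself and the last line becomes:
//   return assignRole($user, $roleMap, $defaultRole);
```

The table is the place to review when a new role is added on the NPS side: an unmapped value lands in the default Guest role, so a misspelt VSA (the thread's "quest-cp" versus "guest-cp") shows up as a user who authenticates but never gets a MAC account, which is exactly the symptom the original post describes and worth checking in the Amigopod application log first.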



  • 8.  RE: Amigopod ignoring radius VSA's?

    MVP
    Posted Mar 01, 2012 04:17 PM

    Thanks, will try that tomorrow. Would love to get ldap/ad out of my config altogether. :)