Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

  • 1.  Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 06, 2015 02:04 PM

    We want to use Windows Server 2012 NPS RADIUS for both read-write management access and read-only management access, and we have configured an Aruba 3200 controller to point to the RADIUS server and Windows Active Directory groups for differentiating administrative access from non-administrative or read-only access.

    I log in with my normal account (dbell) with PuTTY (SSH) and I get limited > access. I can then log in with my privileged AD account (dbell-pr) and gain admin privileged access. On the web GUI I log in with dbell-pr and get admin access, and if I log in with my normal dbell account I still get privileged access (admin). Do you have any ideas on how to eliminate administrative access through the web GUI for my normal non-privileged account? We are using 14823 as directed by the limited documentation we have found. We are currently using a 1 for the vendor assigned attribute number, and it works to limit access through PuTTY to read-only, but does nothing to limit read-write access on the web GUI. Am I missing something here?

     



  • 2.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 06, 2015 02:14 PM
    You should make sure that on the Aruba controller the default role for administrative access is set to "no access". That way, only someone who has the administrative VSA of root will get root.


  • 3.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:17 AM

    Doing this will completely lock you out of managing the controller.



  • 4.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:19 AM
    No. If local authentication is enabled you can still log in using your root credential.


  • 5.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:20 AM

    No, you are wrong. Try it.



  • 6.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:27 AM
    If "no access" is enabled, local authentication will not work unless the RADIUS server is not responding, at which point local access will work again.


  • 7.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 08:33 AM

    @pmonardo wrote:
    if "no access" is enabled, local authentication will not work unless the radius server is not responding at which point local access will work again.

    pmonardo,

     

    "No Access" means do not allow access to anyone who does not send an Administrative Role in the Aruba VSA during authentication, which means that people who simply pass authentication in RADIUS cannot access the controller.

     

    If you uncheck "Allow Local Authentication", local users cannot authenticate while RADIUS is still responding.

     

    Combining both means only a user who authenticates successfully via RADIUS and for whom a VSA is sent will be able to access the controller when the RADIUS server is reachable. If the RADIUS server is not reachable, local admin accounts will work with both of these options enabled.

     

     

    I just want to make it clear those two options are different things.

     

     



  • 8.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:39 AM
    Yes my mistake. Thanks for clearing that up Cjoseph. I was thinking about "Allow local authentication".


  • 9.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 14, 2015 08:40 AM

    We finally have RADIUS working the way we anticipated it would. Most of our issues were with the Windows NPS server. We created two policies: one with the Aruba Vendor Specific Attributes, using a 3 (#show aaa radius-attributes) to return Administrative access. The read-only that had eluded us was configured with the help of Aruba Technical Support: we created a standard policy to match the string "readonly".

    On the Aruba 3200 controller under MANAGEMENT > ADMINISTRATION we (as was wisely pointed out here) checked Allow Local Authentication to retain administrative access when RADIUS is not available. We pointed to our previously configured RADIUS server group and then added a server rule. The rule used the attribute "class" to match our Windows Server 2012 policy that we had created with the "class" attribute, with the operation "equals", our operand "readonly", type "string", action "set role" and value "network-operations".

    I also had to go back after looking at "show loginsessions" on the controller and seeing that my administrative role had changed due to changing the Default role in the configuration for management to read-only. I changed this back to root and then my role for administrative access worked again.

    So now we have a Windows AD group whose members have only read-only access and another Windows AD group that has read-write access. This is to satisfy our two teams, one being a security team that needs read-only and another team that has read-write access for network operations. I really appreciate the help here and I understand that sometimes the solutions need a little bit of teamwork to resolve.



  • 10.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:52 AM

    I disconnected from the network and have a controllable controller once again.

    Still do not have a solution for read-only access for network auditors.  Will have to point them at AMP I guess?



  • 11.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 09:01 AM

    dbell6809,

     

    For your network auditors you would return the attribute of "read-only" to give them read only access from radius.  Your returned attribute has to match an administrative role exactly for users to gain access:

    [screenshot: roles.png]

     

    If you had to disconnect from the network, you have "allow local authentication" unchecked.  You will need to correctly be sending back that radius attribute from the document as either "root" or "read-only" to give users access when "no access" is enabled.  If you have anything besides "no access" enabled, any user who simply passes radius authentication has access to your controller and that is not a good thing.



  • 12.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 09:05 AM
    We are trying to get that to work but have not found the correct VSA attribute to return read-only for the Web GUI. Our configuration works correctly for PuTTY or SSH access but not the GUI.

    Thanks

    --

    *Dennis Bell*
    *Senior Network Engineer*
    *Stinger Ghaffarian Technologies (SGT)*
    *Contractor to U.S. Geological Survey (USGS)*
    *Earth Resources Observation and Science Center (EROS)*
    *47914 252nd Street*
    *Sioux Falls, SD 57198-0001*
    *(605)594-6809*


  • 13.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 09:16 AM

    Did you read the document from the post that I linked to here?  http://community.arubanetworks.com/t5/Monitoring-Management-Location/Management-Authentication-using-Windows-2008-as-a-Radius-Server/ta-p/174672

     

    There is an attached document that details how to do this.

     



  • 14.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 09:22 AM

    The same administrative rights should work on both GUI and SSH.

     



  • 15.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 09:29 AM
    You certainly would think so. They however do not. Like I said, PuTTY works fine but the GUI allows full administrative access using the non-privileged user account. I would have expected PuTTY to work the same way. I guess I should go back in with PuTTY and, even though I have a pound prompt, I may not be able to make changes.

    Thanks



  • 16.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 09:33 AM
    Type show loginsessions to see what role admin users get.


  • 17.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 09:43 AM
    So in the first example you see me logged in with my normal non-privileged account. Then I logged in with my pr account and connected, and I could run the command; "sh loginsessions" shows that with my non-privileged account I am also logged in as root, but if you look you will see that with dbell I have the greater-than sign and can't make changes, exactly the way it is supposed to work, although it is displaying it incorrectly. Thanks

    login as: dbell
    dbell@152.61.213.8's password:



    Legacy database exported to /flash/config/legacy_db.udb. Please save to
    external server and delete it.


    WARNING: This controller has RAP whitelist data
    stored in pre-6.3 format, which is consuming excess flash space. You will
    need this data if you ever need to downgrade the software to pre-6.3
    release. If you have backed up your flash already, you may delete the
    pre-6.3 data by running the command 'local-userdb-ap del all'

    (Aruba_Dev) >?
    enable      Turn on Privileged commands
    exit        Exit this session. Any unsaved changes are lost.
    help        Help on CLI command line processing and a
                description of the interactive help system
    logout      Exit this session. Any unsaved changes are lost.
    ping        Send ICMP echo packets to the specified ip address.
    tracepath   Trace path to the specified IPv6 address.
    traceroute  Trace route to the specified ip address.

    (Aruba_Dev) >sh loginsessions

    login as: dbell-pr
    dbell-pr@152.61.213.8's password:
    Last login: Tue Jul 7 07:30:15 2015 from 152.61.42.6



    Legacy database exported to /flash/config/legacy_db.udb. Please save to
    external server and delete it.


    WARNING: This controller has RAP whitelist data
    stored in pre-6.3 format, which is consuming excess flash space. You will
    need this data if you ever need to downgrade the software to pre-6.3
    release. If you have backed up your flash already, you may delete the
    pre-6.3 data by running the command 'local-userdb-ap del all'

    (Aruba_Dev) #show loginsessions

    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   dbell      root       152.61.42.6      00:00:45   00:08:01
    2   dbell-pr   root       152.61.42.6      00:00:00   00:00:05
    3   dbell      root       152.61.42.6      00:02:09   00:03:22

    (Aruba_Dev) #



  • 18.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 09:45 AM

    In the NPS server Event Viewer, see which attribute is being sent for each authentication.

     



  • 19.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 10:39 AM
    Waiting for logs. How would I capture the Aruba end in the Aruba logs? Here is my current logging:

    LOGGING LEVELS
    --------------
    Facility Level
    -------- -----
    arm warnings
    network warnings
    security warnings
    system warnings
    user warnings
    wireless warnings



  • 20.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 11:38 AM
    Network Policy Server granted access to a user.
     
    User:
    Security ID:GS\dbell
    Account Name:dbell
    Account Domain:GS
    Fully Qualified Account Name:/Dennis C Bell
     
    Client Machine:
    Security ID:NULL SID
    Account Name:-
    Fully Qualified Account Name:-
    OS-Version:-
    Called Station Identifier:000B866DC3C4
    Calling Station Identifier:My workstation
     
    NAS:
    NAS IPv4 Address:152.61.213.9
    NAS IPv6 Address:-
    NAS Identifier:-
    NAS Port-Type:Virtual
    NAS Port:0
     
    RADIUS Client:
    Client Friendly Name:A-CTRL-Aruba-DEV
    Client IP Address:192.168.0.1
     
    Authentication Details:
    Connection Request Policy Name:Extreme Switch RO or RW
    Network Policy Name:Aruba Wireless RO Access
    Authentication Provider:Windows
    Authentication Server:MY RADIUS server.gs.doi.net
    Authentication Type:MS-CHAPv2
    EAP Type:-
    Account Session Identifier:-
    Logging Results:Accounting information was written to the local log file.
     
    Quarantine Information:
    Result:Full Access


  • 21.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 11:44 AM

    It does not say specifically what attribute it sent back.

     

    Turn on radius debugging:

     

    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa
    

    Authenticate, then type "show log security 50" to see what attributes are sent back.

     



  • 22.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 11:52 AM
    Jul 7 09:49:24 :124004: |authmgr| Select server for method=Management, user=dbell, essid=<>, server-group=RADIUS-Admin-auth, last_srv <>
    Jul 7 09:49:24 :124004: |authmgr| server=IGSKMNCNVS091, ena=1, ins=1 (1)
    Jul 7 09:49:24 :124038: |authmgr| Selected server IGSKMNCNVS091 for method=Management; user=dbell, essid=<>, domain=<>, server-group=RADIUS-Admin-auth
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_api.c:972] Radius authenticate user dbell MS-CHAPv2 using server IGSKMNCNVS091
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_api.c:1283] :L2 User lookup failed, skipping Aruba-Port-ID
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_request.c:52] Add Request: id=32, srv=152.61.192.225, fd=82
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1576] Sending radius request to IGSKMNCNVS091:152.61.192.225:1812 id:32,len:222
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-IP-Address: 152.61.213.9
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-Port-Id: 0
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-Port-Type: 5
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] User-Name: dbell
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Service-Type: Administrative-User
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Calling-Station-Id: 152.61.42.6
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Called-Station-Id: 000B866DC3C4
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Framed-IP-Address: 152.61.42.6
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Vendor-Specific: \204\220YqW\273\354D\240\365x\241\017={\025
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Vendor-Specific:
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Essid-Name:
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Location-Id: N/A
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-AP-Group: N/A
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Device-Type:
    Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Message-Auth: %\2447\276\213~cl\037&\276z
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:76] Find Request: id=32, srv=152.61.192.225, fd=82
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:82] Current entry: srv=152.61.192.225, fd=82
    Jul 7 09:49:25 :121041: |authmgr| User dbell MAC=00:00:00:00:00:00 not found.
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:37] Del Request: id=32, srv=152.61.192.225, fd=82
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1139] Authentication Successful
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Aruba} Aruba-User-Role:
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Framed-Protocol: PPP
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Service-Type: Framed-User
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Class: \313\301\012\266
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-MPPE-Recv-Key: \200i)#\373gu.\3355\363U\306\373uphW%\257hx\335:@ \345\205I\257\020\245\035\026\264
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-MPPE-Send-Key: \200jy\274\214\025\260\002\200>\014\343\270kzGH}\360\215\216\272b\250\363\2753p\011&49*\261
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-CHAP2-Success: EEDD138311144709217664E5020A48DE520BD
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-CHAP-Domain:
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RADIUS_ID:
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Rad-Length: 236
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RADIUS_CODE: \002
    Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RAD_AUTHENTICATOR: \250\364V\037\353\231\3626?\223\351M/\210\321\247
    Jul 7 09:49:25 :124066: |authmgr| Administrative User result=Authentication Successful(0), method=Management, username=dbell IP=152.61.42.6 auth server=IGSKMNCNVS091
    Jul 7 09:49:25 :124003: |authmgr| Authentication result=Authentication Successful(0), method=Management, server=IGSKMNCNVS091, user=152.61.42.6
    Jul 7 09:49:25 :124004: |authmgr| Auth server 'IGSKMNCNVS091' response=0
    Jul 7 09:49:25 :124004: |authmgr| server_cbh (462)(DEC) : os_auths 0, s IGSKMNCNVS091 type 2 inservice 1 markedD 0 sg_name RADIUS-Admin-auth
    Jul 7 09:49:25 :124446: |authmgr| mschap2: found chap2 success attribute
    Jul 7 09:49:25 :124025: |authmgr| Administrative user 'dbell' authenticated successfully (role=root, privileged=0)
    Jul 7 09:49:33 :124004: |authmgr| Auth GSM: Num dev_id_cache entries aged = 0
    Jul 7 09:49:33 :121031: |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

    (Aruba_Dev) #



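The debug output above is the evidence the thread turns on: the reply carries an empty Aruba-User-Role, no Aruba-Admin-Role, and the login still ends in role=root. As an added example (not code from the thread or from HPE Aruba), the script below audits authmgr lines of this shape, captured with the `logging level debugging security process authmgr` / `subcat aaa` commands from the previous reply, and flags every management login whose role did not come from an Aruba-Admin-Role in the RADIUS reply. The regexes are written against the line formats visible in the two logs posted in this thread; the sample log is constructed from abridged copies of them.

```python
"""
Audit ArubaOS authmgr debug lines for management logins whose admin role was
not set by an Aruba-Admin-Role VSA in the RADIUS Access-Accept.

Added example, not from the forum thread or HPE Aruba. Line formats follow the
`show log security` output posted in the thread; SAMPLE_LOG is constructed.
"""
import re

RESPONSE_START = re.compile(r"RADIUS RESPONSE ATTRIBUTES")
ADMIN_ROLE_RE = re.compile(r"\{Aruba\}\s+Aruba-Admin-Role:\s*(\S*)")
USER_ROLE_RE = re.compile(r"\{Aruba\}\s+Aruba-User-Role:\s*(\S*)")
SUCCESS_RE = re.compile(
    r"Administrative user '([^']+)' authenticated successfully\s+"
    r"\(role=([^,]+), privileged=(\d)\)"
)

# Constructed sample: first block abridged from the original poster's log
# (wrong VSA, role from the management default), second from the best answer
# (Aruba-Admin-Role returned, role read-only).
SAMPLE_LOG = """\
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Aruba} Aruba-User-Role:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Service-Type: Framed-User
Jul 7 09:49:25 :124025: |authmgr| Administrative user 'dbell' authenticated successfully (role=root, privileged=0)
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1177] RADIUS RESPONSE ATTRIBUTES:
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  {Aruba} Aruba-Admin-Role: read-only
Jul 7 11:36:15 :124025:  <NOTI> |authmgr|  Administrative user 'employee' authenticated successfully  (role=read-only, privileged=0)
"""


def audit_mgmt_auth(lines):
    """Return one finding per successful management login found in `lines`."""
    findings = []
    admin_role = user_role = None
    for line in lines:
        if RESPONSE_START.search(line):
            admin_role = user_role = None       # a new reply starts; forget the last one
            continue
        m = ADMIN_ROLE_RE.search(line)
        if m:
            admin_role = m.group(1)
        m = USER_ROLE_RE.search(line)
        if m:
            user_role = m.group(1)              # may be "" as in the thread's log
        m = SUCCESS_RE.search(line)
        if not m:
            continue
        user, role, priv = m.group(1), m.group(2), int(m.group(3))
        if admin_role is None:
            # No Aruba-Admin-Role in the reply: the role is the management
            # default role, so every account passing RADIUS gets it.
            verdict = "DEFAULT-ROLE"
        elif admin_role != role:
            # Role differs from the VSA; a server-derivation rule (for example
            # on the Class attribute) may have overridden it. Worth a look.
            verdict = "MISMATCH"
        else:
            verdict = "OK"
        findings.append({
            "user": user,
            "role": role,
            "privileged": priv,
            "admin_role_returned": admin_role,
            "wrong_vsa": user_role is not None,  # Aruba-User-Role in a mgmt reply
            "verdict": verdict,
        })
        admin_role = user_role = None
    return findings


def root_by_default(findings):
    """Users who reached root without any Aruba-Admin-Role in the reply."""
    return [f["user"] for f in findings
            if f["verdict"] == "DEFAULT-ROLE" and f["role"] == "root"]


if __name__ == "__main__":
    results = audit_mgmt_auth(SAMPLE_LOG.splitlines())
    for f in results:
        print("%-10s role=%-10s vsa=%-10s wrong_vsa=%-5s %s"
              % (f["user"], f["role"], f["admin_role_returned"],
                 f["wrong_vsa"], f["verdict"]))
    print("root by default:", root_by_default(results))
```

Run it against `show log security 200` output saved to a file; any `DEFAULT-ROLE` finding with `role=root` means the management default role is handing out root to every RADIUS-authenticated account, which is exactly the condition the thread warns about.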

  • 23.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access
    Best Answer

    EMPLOYEE
    Posted Jul 07, 2015 12:46 PM

    You are sending back an Aruba-User-Role attribute instead of an Aruba Administrative Role attribute.  

     

    Create a separate remote access policy and put it on the top of your policies.  The condition Must have type of Virtual or VPN so it can be differentiated from Wireless Users.  Virtual or VPN is used for administrative access:

    [screenshot: vpn.png]

    You then Add your Vendor Specific Attribute with Aruba's VSA Number or Vendor Code:

    [screenshot: vsa.png]

    You click on Configure Attribute to configure what you are sending back. The Vendor Assigned Attribute of 4 is Aruba's VSA for Aruba-Admin-Role:

    (Aruba7005-US) #show aaa radius-attributes | include Aruba-Admin-Role
    Aruba-Admin-Role                  4      String       Aruba      14823
    

    So, I configure it with the number 4 and put in the "read-only" string that I want to send back:

    [screenshot: vsa2.png]

     

    When I login, this is what is seen on the controller to validate who I am, my role and how I got that role:

     

     

    (Aruba7640-US) #whoami
    user employee - role read-only
    (Aruba7640-US) #show loginsessions 
    
    Session Table
    -------------
    ID  User Name  User Role  Connection From  Idle Time  Session Time
    --  ---------  ---------  ---------------  ---------  ------------
    1   employee   read-only  192.168.1.84     00:00:00   00:01:36
    2   admin      root       192.168.1.84     00:01:44   00:01:49
    3   admin      root       192.168.1.84     00:03:08   00:03:30
    
    
    
    Jul 7 11:36:15 :124038:  <INFO> |authmgr|  Selected server NPS for method=Management; user=employee,  essid=<>, domain=<>, server-group=NPS
    Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  aal_authenticate (851)(INC) : os_auths 1, s NPS type 2 inservice 1 markedD 0 sg_name NPS
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:471] Radius authenticate user (employee) PAP using server NPS
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1319] :L2 User lookup failed, skipping Aruba-Port-ID
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:53] Add Request: id=9, srv=192.168.1.25, fd=82
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1740] Sending radius request to NPS:192.168.1.25:1812 id:9,len:162 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-IP-Address: 192.168.1.3 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Id: 0 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Type: 5 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  User-Name: employee 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1756]  Password: ***** 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Service-Type: Administrative-User 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Calling-Station-Id: 192.168.1.84 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Called-Station-Id: 000B86B8B5F8 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Framed-IP-Address: 192.168.1.84 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Essid-Name:  
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Location-Id: N/A 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-AP-Group: N/A 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Device-Type:  
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Message-Auth: \327\324\2531\315R\275\265\367u\024uImM\272 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:77] Find Request: id=9, srv=192.168.1.25, fd=82
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:83]  Current entry: srv=192.168.1.25, fd=82
    Jul 7 11:36:15 :121041:  <DBUG> |authmgr|  User employee MAC=00:00:00:00:00:00 not found.
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:38] Del Request: id=9, srv=192.168.1.25, fd=82
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1175] Authentication Successful
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1177] RADIUS RESPONSE ATTRIBUTES:
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  {Aruba} Aruba-Admin-Role: read-only 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Framed-Protocol: PPP 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Service-Type: Framed-User 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Class: \246\217\010\315 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_ID: \011 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Rad-Length: 95 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_CODE: \002 
    Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RAD_AUTHENTICATOR: \032GL\3508X\240\337\214OQ\022\247\335\311@ 
    Jul 7 11:36:15 :124066:  <INFO> |authmgr|  Administrative User result=Authentication Successful(0), method=Management, username=employee IP=192.168.1.84 auth server=NPS
    Jul 7 11:36:15 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=Management, server=NPS, user=192.168.1.84 
    Jul 7 11:36:15 :124607:  <DBUG> |authmgr|  server_cbh(): response=0 from Auth server 'NPS for client:9 proto:1 eap-type:0'.
    Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  server_cbh (392)(DEC) : os_auths 0, s NPS type 2 inservice 1 markedD 0 sg_name NPS
    Jul 7 11:36:15 :124612:  <DBUG> |authmgr|  AuthSurv_onAuthSucc(authsurv:0): Entered, proto:1 eap-type:0x0 for username:'employee' auth-server:'NPS'.
    Jul 7 11:36:15 :124025:  <NOTI> |authmgr|  Administrative user 'employee' authenticated successfully  (role=read-only, privileged=0)
    Jul 7 11:36:17 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries
    
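Replies 7, 11 and this one describe three moving parts: the Aruba VSA that NPS returns (vendor 14823, vendor-type 4 for Aruba-Admin-Role, vendor-type 1 for Aruba-User-Role), the rule that the returned value must exactly match a configured administrative role, and the management default role ("no access" denies anyone without a matching VSA; anything else is granted to every account that merely passes RADIUS). The script below is an added example, not code from the thread or from HPE Aruba: it encodes and decodes the RADIUS Vendor-Specific attribute on the wire (RFC 2865 section 5.26), and models the controller's decision with those rules so you can see why a policy returning vendor-type 1 limits nothing. The admin role set is the three roles named in the thread, and `management_role` is a simplified model of the described behaviour, not ArubaOS source.

```python
"""
Encode/decode the Aruba RADIUS VSA for management login and model the
controller's admin-role decision.

Added example, not from the forum thread or HPE Aruba. Vendor id and
vendor-type numbers come from the `show aaa radius-attributes` output in the
thread; the decision logic is a model of the behaviour the replies describe.
"""
import struct

ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1      # role for wireless/wired clients; ignored for management login
ARUBA_ADMIN_ROLE = 4     # role for management (GUI and SSH) login
RADIUS_VSA_TYPE = 26     # RFC 2865 Vendor-Specific attribute

# Administrative roles named in the thread (assumed to be the configured set).
ADMIN_ROLES = {"root", "read-only", "network-operations"}


def encode_aruba_vsa(vendor_type: int, value: str) -> bytes:
    """One Aruba string VSA wrapped in a RADIUS type-26 attribute."""
    data = value.encode()
    sub_attr = struct.pack("!BB", vendor_type, 2 + len(data)) + data   # vendor-type, vendor-length, value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub_attr                # vendor-id then sub-attribute
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body    # type 26, length, body


def decode_attrs(blob: bytes) -> list:
    """Walk a RADIUS attribute list and return [(name, value)], naming Aruba VSAs."""
    names = {ARUBA_USER_ROLE: "Aruba-User-Role", ARUBA_ADMIN_ROLE: "Aruba-Admin-Role"}
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        payload = blob[i + 2:i + alen]
        if atype == RADIUS_VSA_TYPE and len(payload) >= 6:
            vendor = struct.unpack("!I", payload[:4])[0]
            j = 4
            while j + 2 <= len(payload):
                vtype, vlen = payload[j], payload[j + 1]
                if vlen < 2 or j + vlen > len(payload):
                    raise ValueError("malformed vendor sub-attribute")
                value = payload[j + 2:j + vlen].decode(errors="replace")
                if vendor == ARUBA_VENDOR_ID and vtype in names:
                    out.append((names[vtype], value))
                else:
                    out.append(("Vendor-%d-Attr-%d" % (vendor, vtype), value))
                j += vlen
        else:
            out.append(("Attr-%d" % atype, payload))
        i += alen
    return out


def management_role(reply_attrs: list, default_role: str):
    """
    Model of the decision the thread describes. An Aruba-Admin-Role that exactly
    matches a configured admin role is used; any other value is rejected. With no
    Aruba-Admin-Role in the reply the management default role applies, and a
    default of "no access" denies. Returns the role, or None for deny.
    Aruba-User-Role is ignored on purpose: that is the attribute the original
    poster's NPS policy returned, and it limited nothing.
    """
    for name, value in reply_attrs:
        if name == "Aruba-Admin-Role":
            return value if value in ADMIN_ROLES else None
    return None if default_role == "no access" else default_role


if __name__ == "__main__":
    wrong = decode_attrs(encode_aruba_vsa(ARUBA_USER_ROLE, "readonly"))      # what the OP sent
    right = decode_attrs(encode_aruba_vsa(ARUBA_ADMIN_ROLE, "read-only"))    # what the best answer sends
    for label, attrs in (("vendor-type 1", wrong), ("vendor-type 4", right)):
        for default in ("root", "no access"):
            print("%s default=%-9s -> %s" % (label, default, management_role(attrs, default)))
```

The four printed combinations reproduce the thread: with the default role left at root, a reply carrying only Aruba-User-Role still yields root; with the default at "no access" the same reply is denied; and Aruba-Admin-Role "read-only" yields read-only regardless of the default. The decoder also rejects a length byte that overruns the buffer, which is the check you want before trusting any attribute parsed off the wire.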


  • 24.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 08:21 AM

    @dbell6809 wrote:

    Doing this will completely lock you out of managing the controller.


    Nope.  Local management accounts will still work, if they were working before.  Local accounts already have attributes assigned so they always work.



  • 25.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 08:23 AM

    You are wrong. I am locked out completely!!!!!



  • 26.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 08:26 AM

    Dbell6809,

     

    If you do not allow local accounts to authenticate while RADIUS is working, and you are NOT sending back an administrative role in the VSA, you would not be able to access your controller, no.



  • 27.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    EMPLOYEE
    Posted Jul 07, 2015 08:44 AM

    Dbell,

     

    If you are completely locked out, please look at the document in the post here: http://community.arubanetworks.com/t5/Monitoring-Management-Location/Management-Authentication-using-Windows-2008-as-a-Radius-Server/ta-p/174672

     

    The post is for Airwave.  The controller just requires the attribute "root" instead of "Admin" on page 18 for it to work.

     



  • 28.  RE: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

    Posted Jul 07, 2015 09:03 AM

    Thanks! I did get in by disconnecting the network cable briefly and logging in from the console port. My issues were due to the fact that I do not have RADIUS administrative rights anymore.
