Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

So in the first example you see me logged in with my normal non-privileged
account. Then I logged in with my pr account, connected and could run
the command, and sh loginsessions shows that with my non-privileged
account I am also logged in as root. But if you look you will see that with
dbell I have the greater-than sign and can't make changes, exactly the way
it is supposed to work, although it is displaying it incorrectly. Thanks

login as: dbell
dbell@152.61.213.8's password:



Legacy database exported to /flash/config/legacy_db.udb. Please save to
external server and delete it.


WARNING: This controller has RAP whitelist data
stored in pre-6.3 format, which is consuming excess flash space. You will
need this data if you ever need to downgrade the software to pre-6.3
release. If you have backed up your flash already, you may delete the
pre-6.3 data by running the command 'local-userdb-ap del all'

(Aruba_Dev) >?
enable Turn on Privileged commands
exit Exit this session. Any unsaved changes are lost.
help Help on CLI command line processing and a
Description of the interactive help system
logout Exit this session. Any unsaved changes are lost.
ping Send ICMP echo packets to the specified ip address.
tracepath Trace path to the specified IPv6 address.
traceroute Trace route to the specified ip address.

(Aruba_Dev) >sh loginsessions

login as: dbell-pr
dbell-pr@152.61.213.8's password:
Last login: Tue Jul 7 07:30:15 2015 from 152.61.42.6



Legacy database exported to /flash/config/legacy_db.udb. Please save to
external server and delete it.


WARNING: This controller has RAP whitelist data
stored in pre-6.3 format, which is consuming excess flash space. You will
need this data if you ever need to downgrade the software to pre-6.3
release. If you have backed up your flash already, you may delete the
pre-6.3 data by running the command 'local-userdb-ap del all'

(Aruba_Dev) #show loginsessions

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   dbell      root       152.61.42.6      00:00:45   00:08:01
2   dbell-pr   root       152.61.42.6      00:00:00   00:00:05
3   dbell      root       152.61.42.6      00:02:09   00:03:22

(Aruba_Dev) #

--

*Dennis Bell*
*Senior Network Engineer*
*Stinger Ghaffarian Technologies (SGT)*
*Contractor to U.S. Geological Survey (USGS)*
*Earth Resources Observation and Science Center (EROS)*
*47914 252nd Street*
*Sioux Falls, SD 57198-0001*
*(605)594-6809*
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

In the NPS server Event Viewer, see which attribute is being sent for each authentication.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Waiting for logs. How would I capture the Aruba end in the Aruba logs?
Here is my current logging:

LOGGING LEVELS
--------------
Facility  Level
--------  -----
arm       warnings
network   warnings
security  warnings
system    warnings
user      warnings
wireless  warnings

Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Network Policy Server granted access to a user.
 
User:
Security ID:GS\dbell
Account Name:dbell
Account Domain:GS
Fully Qualified Account Name:/Dennis C Bell
 
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
OS-Version:-
Called Station Identifier:000B866DC3C4
Calling Station Identifier:My workstation
 
NAS:
NAS IPv4 Address:152.61.213.9
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:0
 
RADIUS Client:
Client Friendly Name:A-CTRL-Aruba-DEV
Client IP Address:192.168.0.1
 
Authentication Details:
Connection Request Policy Name:Extreme Switch RO or RW
Network Policy Name:Aruba Wireless RO Access
Authentication Provider:Windows
Authentication Server:MY RADIUS server.gs.doi.net
Authentication Type:MS-CHAPv2
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
 
Quarantine Information:
Result:Full Access
Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

It does not say specifically what attribute it sent back.

 

Turn on RADIUS debugging:

 

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

Authenticate, then type "show log security 50" to see what attributes are sent back.

 


Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

Jul 7 09:49:24 :124004: |authmgr| Select server for method=Management, user=dbell, essid=<>, server-group=RADIUS-Admin-auth, last_srv <>
Jul 7 09:49:24 :124004: |authmgr| server=IGSKMNCNVS091, ena=1, ins=1 (1)
Jul 7 09:49:24 :124038: |authmgr| Selected server IGSKMNCNVS091 for method=Management; user=dbell, essid=<>, domain=<>, server-group=RADIUS-Admin-auth
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_api.c:972] Radius authenticate user dbell MS-CHAPv2 using server IGSKMNCNVS091
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_api.c:1283] :L2 User lookup failed, skipping Aruba-Port-ID
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_request.c:52] Add Request: id=32, srv=152.61.192.225, fd=82
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1576] Sending radius request to IGSKMNCNVS091:152.61.192.225:1812 id:32,len:222
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-IP-Address: 152.61.213.9
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-Port-Id: 0
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] NAS-Port-Type: 5
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] User-Name: dbell
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Service-Type: Administrative-User
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Calling-Station-Id: 152.61.42.6
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Called-Station-Id: 000B866DC3C4
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Framed-IP-Address: 152.61.42.6
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Vendor-Specific: \204\220YqW\273\354D\240\365x\241\017={\025
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Vendor-Specific:
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Essid-Name:
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Location-Id: N/A
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-AP-Group: N/A
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Aruba-Device-Type:
Jul 7 09:49:24 :121031: |authmgr| |aaa| [rc_server.c:1586] Message-Auth: %\2447\276\213~cl\037&\276z
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:76] Find Request: id=32, srv=152.61.192.225, fd=82
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:82] Current entry: srv=152.61.192.225, fd=82
Jul 7 09:49:25 :121041: |authmgr| User dbell MAC=00:00:00:00:00:00 not found.
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_request.c:37] Del Request: id=32, srv=152.61.192.225, fd=82
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1139] Authentication Successful
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Aruba} Aruba-User-Role:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Framed-Protocol: PPP
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Service-Type: Framed-User
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Class: \313\301\012\266
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-MPPE-Recv-Key: \200i)#\373gu.\3355\363U\306\373uphW%\257hx\335:@ \345\205I\257\020\245\035\026\264
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-MPPE-Send-Key: \200jy\274\214\025\260\002\200>\014\343\270kzGH}\360\215\216\272b\250\363\2753p\011&49*\261
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-CHAP2-Success: EEDD138311144709217664E5020A48DE520BD
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Microsoft} MS-CHAP-Domain:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RADIUS_ID:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Rad-Length: 236
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RADIUS_CODE: \002
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] PW_RAD_AUTHENTICATOR: \250\364V\037\353\231\3626?\223\351M/\210\321\247
Jul 7 09:49:25 :124066: |authmgr| Administrative User result=Authentication Successful(0), method=Management, username=dbell IP=152.61.42.6 auth server=IGSKMNCNVS091
Jul 7 09:49:25 :124003: |authmgr| Authentication result=Authentication Successful(0), method=Management, server=IGSKMNCNVS091, user=152.61.42.6
Jul 7 09:49:25 :124004: |authmgr| Auth server 'IGSKMNCNVS091' response=0
Jul 7 09:49:25 :124004: |authmgr| server_cbh (462)(DEC) : os_auths 0, s IGSKMNCNVS091 type 2 inservice 1 markedD 0 sg_name RADIUS-Admin-auth
Jul 7 09:49:25 :124446: |authmgr| mschap2: found chap2 success attribute
Jul 7 09:49:25 :124025: |authmgr| Administrative user 'dbell' authenticated successfully (role=root, privileged=0)
Jul 7 09:49:33 :124004: |authmgr| Auth GSM: Num dev_id_cache entries aged = 0
Jul 7 09:49:33 :121031: |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

(Aruba_Dev) #


Guru Elite

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

You are sending back an Aruba-User-Role attribute instead of an Aruba Administrative Role attribute.  

 

Create a separate remote access policy and put it at the top of your policies. The condition must have a type of Virtual or VPN so it can be differentiated from wireless users. Virtual or VPN is used for administrative access:

[image: vpn.png]

You then add your Vendor Specific Attribute with Aruba's VSA number or vendor code:

[image: vsa.png]

You click on Configure Attribute to configure what you are sending back. The vendor-assigned attribute 4 is Aruba's VSA for Aruba-Admin-Role:

(Aruba7005-US) #show aaa radius-attributes | include Aruba-Admin-Role
Aruba-Admin-Role                  4      String       Aruba      14823

So, I configure it with the number 4 and put in the "read-only" string that I want to send back:

[image: vsa2.png]

 

When I login, this is what is seen on the controller to validate who I am, my role and how I got that role:

 

 

(Aruba7640-US) #    whoami
user employee - role read-only 
(Aruba7640-US) #show loginsessions 

Session Table
-------------
ID  User Name  User Role  Connection From  Idle Time  Session Time
--  ---------  ---------  ---------------  ---------  ------------
1   employee   read-only  192.168.1.84     00:00:00   00:01:36
2   admin      root       192.168.1.84     00:01:44   00:01:49
3   admin      root       192.168.1.84     00:03:08   00:03:30


Jul 7 11:36:15 :124038:  <INFO> |authmgr|  Selected server NPS for method=Management; user=employee,  essid=<>, domain=<>, server-group=NPS
Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  aal_authenticate (851)(INC) : os_auths 1, s NPS type 2 inservice 1 markedD 0 sg_name NPS
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:471] Radius authenticate user (employee) PAP using server NPS
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1319] :L2 User lookup failed, skipping Aruba-Port-ID
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:53] Add Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1740] Sending radius request to NPS:192.168.1.25:1812 id:9,len:162 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-IP-Address: 192.168.1.3 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Id: 0 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  NAS-Port-Type: 5 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  User-Name: employee 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1756]  Password: ***** 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Service-Type: Administrative-User 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Calling-Station-Id: 192.168.1.84 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Called-Station-Id: 000B86B8B5F8 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Framed-IP-Address: 192.168.1.84 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Essid-Name:  
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Location-Id: N/A 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-AP-Group: N/A 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Aruba-Device-Type:  
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1752]  Message-Auth: \327\324\2531\315R\275\265\367u\024uImM\272 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:77] Find Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:83]  Current entry: srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121041:  <DBUG> |authmgr|  User employee MAC=00:00:00:00:00:00 not found.
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:38] Del Request: id=9, srv=192.168.1.25, fd=82
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1175] Authentication Successful
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1177] RADIUS RESPONSE ATTRIBUTES:
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  {Aruba} Aruba-Admin-Role: read-only 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Framed-Protocol: PPP 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Service-Type: Framed-User 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Class: \246\217\010\315 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_ID: \011 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Rad-Length: 95 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RADIUS_CODE: \002 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  PW_RAD_AUTHENTICATOR: \032GL\3508X\240\337\214OQ\022\247\335\311@ 
Jul 7 11:36:15 :124066:  <INFO> |authmgr|  Administrative User result=Authentication Successful(0), method=Management, username=employee IP=192.168.1.84 auth server=NPS
Jul 7 11:36:15 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=Management, server=NPS, user=192.168.1.84 
Jul 7 11:36:15 :124607:  <DBUG> |authmgr|  server_cbh(): response=0 from Auth server 'NPS for client:9 proto:1 eap-type:0'.
Jul 7 11:36:15 :124004:  <DBUG> |authmgr|  server_cbh (392)(DEC) : os_auths 0, s NPS type 2 inservice 1 markedD 0 sg_name NPS
Jul 7 11:36:15 :124612:  <DBUG> |authmgr|  AuthSurv_onAuthSucc(authsurv:0): Entered, proto:1 eap-type:0x0 for username:'employee' auth-server:'NPS'.
Jul 7 11:36:15 :124025:  <NOTI> |authmgr|  Administrative user 'employee' authenticated successfully  (role=read-only, privileged=0)
Jul 7 11:36:17 :121031:  <DBUG> |authmgr| |aaa| [rc_sequence.c:115] seq_num_timeout_handler: Freed 0 entries

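The two debug captures in this thread differ in exactly one reply attribute: the first controller received {Aruba} Aruba-User-Role and ended up with role=root, the second received {Aruba} Aruba-Admin-Role: read-only and got role=read-only. The following script is an added example, my own code rather than the poster's or Aruba's, that automates that comparison over "show log security" style output: it pulls the RADIUS RESPONSE ATTRIBUTES block and the final "Administrative user ... authenticated successfully (role=..., privileged=...)" line out of authmgr debug text and flags a management login whose reply carried Aruba-User-Role but no Aruba-Admin-Role. The sample log text is constructed from the captures above, and the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpts modelled on the two authmgr debug captures in this thread:
# the first returned Aruba-User-Role (the wrong attribute for management logins),
# the second returned Aruba-Admin-Role.
USER_ROLE_LOG = """\
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1139] Authentication Successful
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] {Aruba} Aruba-User-Role:
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Framed-Protocol: PPP
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Service-Type: Framed-User
Jul 7 09:49:25 :121031: |authmgr| |aaa| [rc_api.c:1156] Rad-Length: 236
Jul 7 09:49:25 :124025: |authmgr| Administrative user 'dbell' authenticated successfully (role=root, privileged=0)
"""

ADMIN_ROLE_LOG = """\
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1177] RADIUS RESPONSE ATTRIBUTES:
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  {Aruba} Aruba-Admin-Role: read-only 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Framed-Protocol: PPP 
Jul 7 11:36:15 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1192]  Rad-Length: 95 
Jul 7 11:36:15 :124025:  <NOTI> |authmgr|  Administrative user 'employee' authenticated successfully  (role=read-only, privileged=0)
"""

# One reply attribute per rc_api.c line: optional {Vendor} tag, then "Name: value".
ATTR_RE = re.compile(
    r"\[rc_api\.c:\d+\]\s+(?:\{(?P<vendor>\w+)\}\s+)?(?P<name>[A-Za-z0-9_-]+):\s*(?P<value>.*?)\s*$"
)
# The authmgr summary line that states the role the controller actually assigned.
RESULT_RE = re.compile(
    r"Administrative user '(?P<user>[^']+)' authenticated successfully\s+"
    r"\(role=(?P<role>[^,]+), privileged=(?P<priv>\d)\)"
)


def parse_reply_attributes(lines: List[str]) -> Dict[str, str]:
    """Collect the attributes dumped after 'RADIUS RESPONSE ATTRIBUTES:'."""
    attrs: Dict[str, str] = {}
    in_reply = False
    for line in lines:
        if "RADIUS RESPONSE ATTRIBUTES:" in line:
            in_reply = True
            continue
        if not in_reply:
            continue
        m = ATTR_RE.search(line)
        if not m:
            break  # first non-attribute line ends the reply dump
        attrs[m["name"]] = m["value"]
    return attrs


def audit_management_login(log_text: str) -> Dict[str, Optional[str]]:
    """Summarise one management login and say which attribute decided its role."""
    lines = log_text.splitlines()
    attrs = parse_reply_attributes(lines)
    result = None
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            result = m
    report: Dict[str, Optional[str]] = {
        "user": result["user"] if result else None,
        "role": result["role"] if result else None,
        "privileged": result["priv"] if result else None,
        "admin_role_vsa": attrs.get("Aruba-Admin-Role"),
        "user_role_vsa": attrs.get("Aruba-User-Role"),
    }
    if attrs.get("Aruba-Admin-Role"):
        report["finding"] = "ok: management role assigned from Aruba-Admin-Role VSA"
    elif "Aruba-User-Role" in attrs:
        report["finding"] = ("misconfigured: Aruba-User-Role returned instead of "
                             "Aruba-Admin-Role; the management role fell back to the default role")
    else:
        report["finding"] = ("no Aruba-Admin-Role VSA in reply; the role comes from "
                             "server rules or the default role")
    return report


if __name__ == "__main__":
    for label, text in (("user-role reply", USER_ROLE_LOG), ("admin-role reply", ADMIN_ROLE_LOG)):
        print(label, audit_management_login(text))
```

Run it on a saved "show log security 50" capture and compare the "role" field against the "admin_role_vsa" field: a root role with no Aruba-Admin-Role in the reply is the default-role fallback this thread ran into, not a role the RADIUS server granted.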
Occasional Contributor II

Re: Aruba WLAN controller RADIUS VSA for non-administrative (read-only) access

We finally have RADIUS working the way we anticipated it would. Most of our issues were with the Windows NPS server. We created two policies: one with the Aruba Vendor Specific Attributes, using a 3 (#show aaa radius-attributes) to return administrative access. The read-only access that had eluded us was configured with the help of Aruba Technical Support: we created a standard policy to match the string readonly. On the Aruba 3200 controller under MANAGEMENT > ADMINISTRATION we checked Allow Local Authentication (as was wisely pointed out here) to retain administrative access when RADIUS is not available. We pointed to our previously configured RADIUS server group and then added a server rule. The rule used the attribute "class" to match our Windows Server 2012 policy that we had created with the "class" attribute, with the operation "equals", our operand "readonly", type "string", action "set role" and value "network-operations". I also had to go back after looking at "show loginsessions" on the controller and seeing that my administrative role had changed because I had changed the default role in the management configuration to read-only. I changed this back to root and then my role for administrative access worked again. So now we have one Windows AD group whose members have only read-only access and another Windows AD group that has read-write access. This satisfies our two teams, a security team that needs read-only access and another team that needs read-write access for network operations. I really appreciate the help here, and I understand that sometimes the solutions need a little bit of teamwork to resolve.
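The thread ends with two ways of reaching a read-only management role: an Aruba Vendor-Specific Attribute in the Access-Accept (vendor 14823, vendor-type 4, Aruba-Admin-Role, as shown by "show aaa radius-attributes"), or a standard Class attribute matched by a controller server rule ("class" equals "readonly", set role "network-operations"). The script below is an added example, my own code and not the poster's or Aruba's, that builds and parses those attributes on the wire per RFC 2865 (attribute 26 for Vendor-Specific, 25 for Class) and then applies a simplified, assumed model of the decision described in the post: an Aruba-Admin-Role VSA wins, otherwise a matching Class server rule, otherwise the management default role. The precedence order and the function names are my assumptions; the controller's actual evaluation logic is not documented on this page.

```python
import struct
from typing import List, Optional, Sequence, Tuple

VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
CLASS_ATTR = 25           # RFC 2865 Class attribute type
ARUBA_VENDOR_ID = 14823   # vendor code from the thread's "show aaa radius-attributes" output
ARUBA_ADMIN_ROLE = 4      # Aruba-Admin-Role vendor-type, from the same output

# (type, vendor_id or None, vendor_type or None, value)
Attr = Tuple[int, Optional[int], Optional[int], bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode a plain RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:  # Length is one byte and counts the 2-byte header
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26):
    outer header, 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (vendor header)
        raise ValueError("VSA value too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(buf: bytes) -> List[Attr]:
    """Walk a concatenated attribute list, unpacking VSAs into their vendor fields.
    Raises ValueError on truncated or inconsistent lengths rather than guessing."""
    out: List[Attr] = []
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        value = buf[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for vendor header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len != len(value) - 4:
                raise ValueError("vendor length does not match attribute length")
            out.append((attr_type, vendor_id, vendor_type, value[6:]))
        else:
            out.append((attr_type, None, None, value))
        i += length
    return out


def resolve_admin_role(attrs: Sequence[Attr],
                       server_rules: Sequence[Tuple[str, str]],
                       default_role: str) -> str:
    """Simplified, assumed model of the role decision described in the thread.
    server_rules is a list of (class_value, role) pairs, i.e. 'class equals X -> set role Y'."""
    for attr_type, vendor_id, vendor_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC and vendor_id == ARUBA_VENDOR_ID \
                and vendor_type == ARUBA_ADMIN_ROLE and value:
            return value.decode("ascii", errors="replace")
    for attr_type, _, _, value in attrs:
        if attr_type == CLASS_ATTR:
            text = value.decode("ascii", errors="replace")
            for class_value, role in server_rules:
                if text == class_value:
                    return role
    return default_role


if __name__ == "__main__":
    rules = [("readonly", "network-operations")]  # the server rule from the post
    vsa_reply = encode_vsa(ARUBA_VENDOR_ID, ARUBA_ADMIN_ROLE, b"read-only")
    print(vsa_reply.hex(), "->", resolve_admin_role(decode_attrs(vsa_reply), rules, "root"))
    class_reply = encode_attr(CLASS_ATTR, b"readonly")
    print(class_reply.hex(), "->", resolve_admin_role(decode_attrs(class_reply), rules, "root"))
    print("empty reply ->", resolve_admin_role([], rules, "root"))
```

The third case is the one the post warns about: with neither attribute in the reply the role is whatever the management default role is set to, so a default of root turns a misconfigured NPS policy into full access, and a default of read-only (as the post found) silently demotes the administrators.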
