Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Auth Server Group vs. RFC 3576

  • 1.  Auth Server Group vs. RFC 3576

    Posted Jul 28, 2014 02:53 PM

    Hey all,
    I was asked today by a peer to explain the difference between a dot1x-server-group and an RFC 3576 entry, and I was not able to come up with a cohesive answer. Could anyone please explain the difference?
    Thank you,
    Ryan



  • 2.  RE: Auth Server Group vs. RFC 3576

    EMPLOYEE
    Posted Jul 28, 2014 02:56 PM
    It allows you to separately define your authentication servers and RADIUS CoA servers which may be different in some use cases. Most of the time you can just put the same servers for both.


  • 3.  RE: Auth Server Group vs. RFC 3576

    Posted Jul 28, 2014 02:58 PM

    Thanks for the fast reply, Tim. Could you extrapolate on that and give me a very basic use case?
    Thank you,
    Ryan



  • 4.  RE: Auth Server Group vs. RFC 3576

    EMPLOYEE
    Posted Jul 28, 2014 03:00 PM
    If you had an external device/server (registration server) that needed to bump users from the network via CoA.


  • 5.  RE: Auth Server Group vs. RFC 3576

    Posted Jul 28, 2014 03:06 PM

    Great, thanks for that. I found this document that explains everything. I'll post the blurb here:
    Configuring an RFC-3576 RADIUS Server
    You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)”.

    The disconnect and change-of-authorization messages sent from the server to the controller contain information to identify the user for which the message is sent. The controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

     user-name: Name of the user to be authenticated
     framed-ip-address: User's IP address
     calling-station-id: Phone number of a station that originated a call
     accounting-session-id: Unique accounting ID for the user session

    If the authentication server sends both supported and unsupported attributes to the controller, the unknown or unsupported attributes are ignored. If no matching user is found the controller sends a 503: Session Not Found error message back to the RFC 3576 server.
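As an added illustration (not from the thread or the Aruba documentation quoted above), the following Python sketch models the controller-side handling the passage describes: it authenticates an incoming RFC 3576 Disconnect-Request against the shared secret, matches a session only on the four supported identifying attributes while ignoring anything else, and answers with Disconnect-ACK or a Disconnect-NAK carrying Error-Cause 503. The shared secret, session table and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RADIUS packet codes defined by RFC 3576 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types the controller matches a session on, per the quoted docs
IDENT_ATTRS = {1: "user-name", 8: "framed-ip-address",
               31: "calling-station-id", 44: "accounting-session-id"}
ERROR_CAUSE, SESSION_NOT_FOUND = 101, 503  # Error-Cause attribute, "Session Not Found" value

def radius_packet(code, ident, attrs, secret, request_auth=None):
    """Serialize a packet. A request's authenticator is MD5(header + 16 zero octets +
    attributes + secret); a response hashes the request's authenticator instead."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + seed + body + secret).digest() + body

def decode_attrs(body):
    """Yield (type, value) pairs; unknown types are yielded too so the caller can skip them."""
    while len(body) >= 2:
        t, length = body[0], body[1]
        if length < 2 or length > len(body):
            break  # malformed TLV: stop parsing rather than loop or over-read
        val, body = body[2:length], body[length:]
        yield t, (str(IPv4Address(val)) if t == 8 and len(val) == 4 else val.decode(errors="replace"))

def handle_disconnect(packet, secret, sessions):
    """Controller side: authenticate the Disconnect-Request, look up the session using only
    the supported identifying attributes, answer ACK or NAK; None means silently discard."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, body = packet[4:20], packet[20:length]
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, auth):  # wrong shared secret or tampered packet
        return None
    keys = {IDENT_ATTRS[t]: v for t, v in decode_attrs(body) if t in IDENT_ATTRS}
    if keys and any(all(s.get(k) == v for k, v in keys.items()) for s in sessions):
        return radius_packet(DISCONNECT_ACK, ident, [], secret, auth)
    nak = [(ERROR_CAUSE, struct.pack("!I", SESSION_NOT_FOUND))]
    return radius_packet(DISCONNECT_NAK, ident, nak, secret, auth)

# Constructed sample data, not taken from the thread
SECRET = b"constructed-shared-secret"
SESSIONS = [{"user-name": "ryan", "framed-ip-address": "10.1.2.3", "accounting-session-id": "ABC123"}]
```

A request that names an unknown attribute alongside a known one still matches on the known one; a request carrying only unknown attributes, or none that match a live session, gets the 503 NAK.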


  • 6.  RE: Auth Server Group vs. RFC 3576

    Posted Jul 28, 2014 05:01 PM
    There's a trick here.  If you use an RFC3576 server to send attributes that change the role/vlan, you should ALSO define the server as an auth server and put it in the auth server group.  Use the horribly named "mode" button on that server definition to turn it off.  This will allow the RFC3576 responses to run through the server derivation rules, but will prevent auth/acct requests from being sent to the rfc3576 server.


  • 7.  RE: Auth Server Group vs. RFC 3576

    Posted Jul 28, 2014 05:11 PM

    Oh that is good. Thanks for that!