Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Bad or Unknown response from RADIUS server message

  • 1.  Bad or Unknown response from RADIUS server message

    Posted Mar 14, 2013 08:01 AM

    Hi all,

     

    Got a problem with an Aruba mobility controller (model 800) running 5.0.4.11 firmware talking to either OSC Radiator or FreeRADIUS 2.2 RADIUS servers.

     

    I've configured the controller to offload PEAP and only perform MSCHAPv2 auths against the RADIUS server.

    Initially I used the OSC Radiator RADIUS product but kept getting a "Bad or unknown response from server" when I tried

     

    aaa test-server mschapv2 ……….

     

    Particularly annoying, as I was 100% convinced that the config was set up correctly.

     

    I then installed FreeRADIUS 2.2 on the same server listening on ports 1814 and 1815, tried the aaa test-server…. and everything worked... for a week or so, and then it stopped again. Nothing has changed on the RADIUS server and nothing has changed on the Aruba controller. The RADIUS server is my OS X Lion home server and runs 24x7; I fired up the FreeRADIUS server from a CLI. The Aruba box sits right next to it on the same switch, which also drives a couple of AP-125s.

     

     

    FreeRADIUS accepts the auth requests and generates an Access-Accept packet that it sends back to the controller, but the controller still complains.

     

    Logs below are from both the FreeRADIUS server and the controller, along with the FreeRADIUS config.

     

    Quick summary is that the Aruba box is saying

     

    Received invalid reply digest from RADIUS server

     

    I'd double-checked the secret keys on both the server and the 800 and they were the same. I've also checked that the clocks are in sync on both devices. The logs below on the controller say

     

     

    The keys are the same, as the RADIUS server is accepting the request from the Aruba box.

     

    What's annoying is that things were working and then just stopped. It would be one thing if it never worked, but the test function did, and so did connections from an iPhone, iPad, and MacBook. In fact I'd just logged on with my iPad and it worked, and then tried from my iPhone and it failed... and stayed failed.

     

    Any help appreciated

     

    Rgds

    Alex

     

     

    FreeRADIUS client config

     

    client 192.168.1.199 {
            # "no" means the server will not demand an HMAC-MD5 Message-Authenticator
            # on Access-Requests, so a wrong shared secret is not detected on requests
            # that carry no User-Password (MS-CHAP)
            require_message_authenticator = no
            secret = "something"
            shortname = "arubamaster"
    }

     

     

    FreeRADIUS logs

     

    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    ++[digest] returns noop
    [suffix] Looking up realm "sharaz.info" for User-Name = "alex@sharaz.info"
    [suffix] No such realm "sharaz.info"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = MSCHAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
    [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
    [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
    [mschap] OD username_string = alex@sharaz.info, OD shortUserName=alexsharaz (length = 10) 
    [mschap]        stepbuf server challenge:       
    [mschap]        stepbuf peer challenge:         
    [mschap]        stepbuf p24:            
    [mschap] dsDoDirNodeAuth returns stepbuff: S=72372312161EAD008AB7940F46CC1582C24EFBE7 good"<C3>??qg<D4>B<D3> <BB>a8<D4>^? (len=40) 
    ++[mschap] returns ok
    Login OK: [alex@sharaz.info/<via Auth-Type = MSCHAP>] (from client arubamaster port 0 cli 000000000000)
    # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 1 to 192.168.1.199 port 32822
            MS-CHAP2-Success = 0x00533d37323337323331323136314541443030384142373934304634364343313538324332344546424537
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 1 with timestamp +104
    Ready to process requests.

     

    On the controller I did

     

    conf t 

    logging level debugging security process authmgr

     

    aaa test-server ………

     

    and then

     

    show logging security all

     

    which gave:

    Mar 14 11:30:26 :124011:  <INFO> |authmgr|  Test authenticating user alex@sharaz.info:****** using server Cotw-radius
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:704] Radius authenticate user alex@sharaz.info MS-CHAPv2 using server Cotw-radius
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:903] L2 User lookup failed, setting nas_port_type to wireless
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:938] :L2 User lookup failed, skipping Aruba-Port-ID
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:703] Opened socket 53 (client=0.0.0.0) for server Cotw-radius
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Add Request: id=1, srv=192.168.1.77, fd=53
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:768] Sending radius request to Cotw-radius:192.168.1.77:1814 id:1,len:202 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  NAS-IP-Address: 192.168.1.199 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  NAS-Port-Id: 0 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  NAS-Port-Type: 19 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  User-Name: alex@sharaz.info 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Calling-Station-Id: 000000000000 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Called-Station-Id: 000B86524A20 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Vendor-Specific: Y3T\264\307OW\366\177\360^\274\272|\257h 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Vendor-Specific:  
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Service-Type: Login-User 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Aruba-Essid-Name:  
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Aruba-Location-Id: N/A 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:777]  Aruba-AP-Group: N/A 
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:60] Find Request: id=1, srv=192.168.1.77, fd=53
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:66]  Current entry: srv=192.168.1.77, fd=53
    Mar 14 11:30:26 :121014:  <ERRS> |authmgr| |aaa| Received invalid reply digest from RADIUS server
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:22] Del Request: id=1, srv=192.168.1.77, fd=53
    Mar 14 11:30:26 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:850] Bad or unknown response from AAA server
    Mar 14 11:30:26 :124004:  <DBUG> |authmgr|  Auth server 'Cotw-radius' response=4
    Mar 14 11:30:26 :124019:  <INFO> |authmgr|  Test server response: Bad or unknown response from AAA server

     

    (cotw-800-1) # 

     



  • 2.  RE: Bad or Unknown response from RADIUS server message

    Posted Mar 14, 2013 08:19 AM

    Sigh!

     

    Just found the unencrypt command and had a look at my config to triple-check the shared keys used. The key defined for RADIUS server Cotw-radius was shown as being "*****", which seems to be the clear text password and not what it really should have been.

     

    Really don't know why,

     

    but it's fixed now.

    Rgds

    Alex
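
The two posts together describe the classic shared-secret mismatch signature: FreeRADIUS logs "Login OK" and sends an Access-Accept, yet the controller reports "Received invalid reply digest". The following Python models both halves of that exchange. It is an added example written for this thread, not code from the original posts, from Aruba or from FreeRADIUS; the packet builder, the `scenario()` helper and the constructed user name and secrets are assumptions for illustration. It shows why the server could not notice the bad secret: an MS-CHAPv2 Access-Request carries no User-Password to decrypt, and with `require_message_authenticator = no` (as in the posted client stanza) there is no HMAC over the request either, so the secret is first exercised when the server computes the RFC 2865 Response Authenticator on its reply, and only the NAS can detect the mismatch. With the Message-Authenticator (RFC 3579) required, the server would instead discard the request and the NAS would see a timeout, which points at the secret much sooner.

```python
"""Model of the RADIUS reply-digest check that produced
'Received invalid reply digest' on the Aruba controller.
Constructed example for this thread; not code from Aruba or FreeRADIUS."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 section 3.2


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type / Length / Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_request(ident: int, username: str, secret: bytes, include_ma: bool) -> bytes:
    """NAS side. With include_ma=False (the posted config) nothing in the
    request depends on the secret, so the server cannot check it."""
    req_auth = os.urandom(16)  # Request Authenticator: random, not secret-derived
    attrs = attr(ATTR_USER_NAME, username.encode())
    if not include_ma:
        return packet(ACCESS_REQUEST, ident, req_auth, attrs)
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    zeroed = packet(ACCESS_REQUEST, ident, req_auth,
                    attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, req_auth, attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side. False when the attribute is absent or does not verify;
    RFC 3579 says such a request is silently discarded."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False  # malformed; stop rather than loop forever
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + ReplyAttributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the check behind 'Received invalid reply digest from RADIUS server'."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def scenario(nas_secret: bytes, server_secret: bytes, require_ma: bool) -> dict:
    """Play one 'aaa test-server' style exchange and report what each side concludes."""
    request = build_request(1, "alex@sharaz.info", nas_secret, include_ma=require_ma)
    if require_ma and not verify_message_authenticator(request, server_secret):
        # Server never answers; the NAS only sees retransmits and a timeout.
        return {"server": "discarded: bad Message-Authenticator", "nas": "timeout"}
    reply = build_reply(ACCESS_ACCEPT, request, server_secret)
    nas_ok = verify_reply(reply, request, nas_secret)
    return {"server": "Access-Accept", "nas": "ok" if nas_ok else "invalid reply digest"}


if __name__ == "__main__":
    # Secrets are constructed; "something" mirrors the posted client stanza.
    print(scenario(b"something", b"something", require_ma=False))     # both sides happy
    print(scenario(b"something", b"wrong-secret", require_ma=False))  # the thread's symptom
    print(scenario(b"something", b"wrong-secret", require_ma=True))   # server drops, NAS times out
```

The second scenario reproduces the thread exactly: the server reports success and sends an Access-Accept, and only the controller's digest check fails. The practical checks that follow from this are the ones Alex eventually did (compare the secret on both ends in the clear, since a mis-pasted or masked value will pass every other test), plus setting `require_message_authenticator = yes` for this client so that a secret mismatch is caught and logged on the server instead of surfacing as a mysterious bad reply on the NAS. Requiring the Message-Authenticator on Access-Request over UDP is also the mitigation for the 2024 BlastRADIUS forgery issue, so it is worth turning on regardless.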