Security

Contributor I

MAC TAL with RADIUS and client Whitelist

Hi,

 

We have several controllers where users are connected as wired. Users arrive on the controller on a specific VLAN, then the controller applies an AAA profile using MAC TAL (transparent autologin) authentication. If it is the first time the client MAC is connected, the RADIUS assigns a particular role in order to redirect this client to an external captive portal; then, when the client is registered, the RADIUS changes the role and the client can reach the internet.

 

Next time when this client tries to connect, it will be assigned the permitted role directly without being redirected to the captive portal.

 

The role assigned has a bandwidth contract and the client can reach the internet during 4 hours with this BW contract; after this time, the RADIUS will change the role to a limited role, where clients can reach the internet but with a more restricted BW contract.

 

What we need to achieve is to avoid RADIUS authentication and accounting for some MAC addresses. We need to assign a fully permitted role for these clients, without any restriction in time and bandwidth.

 

The problem here is that all the clients arrive at the controller in the same VLAN and fall in the same AAA profile, which is pointing to the RADIUS. I have tried to configure user-derivation rules, but it is not working, because the RADIUS sends the role attribute as a VSA, and if a role is assigned with this method it takes preference over other role assignment methods.

 

I see in the debugs that the controller matches the MAC address and assigns the role configured in the derivation rule, but in the last step the RADIUS overwrites this config and assigns the role with limited access.

No matter if I try to configure the user derivation rules and apply them in the AAA profile as user derivation rules, or if I do it in the AAA server group.

 

The question is: is there any way to avoid the RADIUS authentication and accounting for a particular MAC address? Any kind of whitelist or exception? Can we configure the controller to use RADIUS for all the clients except some particular MAC addresses, so that these MAC addresses fall in a particular role forever?

 

Thanks in advance for your help!

Contributor I

Re: MAC TAL with RADIUS and client Whitelist

Hi,

 

I have found a way to achieve what we need.

 

We can use DHCP fingerprinting in order to overwrite the user role. We just need to identify the DHCP fingerprint of the device. The more reliable options are 12, 55, 60, and 81.

 

https://www.arubanetworks.com/vrd/AOSDHCPFPAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

 

Once the DHCP fingerprint is identified, we need to create a user derivation rule matching this DHCP option.

 

aaa derivation-rules user TEST
  set role condition dhcp-option equals "DHCP fingerprint" set-value USER-ROLE

 

Apply this rule to the AAA profile, and when the client connects the role will be assigned by the RADIUS, but in the last step the controller will match the derivation rule and will assign the new role.

 

I'm performing more testing because I'm not sure if the controller changes the role in the authentication phase or needs to wait for the device to renew the IP address.

 

I hope this helps someone in the same scenario.

 

Regards
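The answer above relies on the controller matching DHCP option values. To make concrete what a "DHCP fingerprint" actually is, here is an added example (not code from the thread or from Aruba) that parses the options area of a DHCP Discover and extracts the options the poster names as the most reliable ones (12, 55, 60). The sample packet is constructed inline; the hex TLV strings it produces (option code, length, value) are one common way such fingerprints are written, but the exact string format a given controller expects must be taken from the Aruba application note linked in the post, so treat that encoding as an assumption. From a defender's standpoint, remember that every one of these options is supplied by the client itself, so a derivation rule keyed on them is a convenience for known devices, not an authentication control; anyone who can set DHCP options can produce the same fingerprint, which is why the original RADIUS role assignment should remain the default for unknown clients.

```python
from typing import Dict, Optional

# RFC 2131: 236-byte fixed BOOTP header, then the magic cookie, then TLV options.
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_VENDOR_CLASS = 12, 53, 55, 60


def build_sample_discover() -> bytes:
    """Constructed sample DHCP Discover (not a real capture)."""
    header = bytearray(236)
    header[0] = 1                                   # op = BOOTREQUEST
    header[1] = 1                                   # htype = Ethernet
    header[2] = 6                                   # hlen
    header[4:8] = b"\x12\x34\x56\x78"               # xid (arbitrary)
    header[28:34] = bytes.fromhex("001122334455")   # chaddr (constructed MAC)
    options = (
        bytes([OPT_MSG_TYPE, 1, 1])                         # message type: Discover
        + bytes([OPT_PARAM_REQ, 6, 1, 3, 6, 15, 119, 252])  # parameter request list
        + bytes([OPT_VENDOR_CLASS, 8]) + b"MSFT 5.0"        # vendor class identifier
        + bytes([OPT_HOSTNAME, 6]) + b"labpc1"              # host name
        + bytes([OPT_END])
    )
    return bytes(header) + DHCP_MAGIC + options


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV options area; concatenate repeated codes per RFC 3396."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:       # length claims more bytes than remain
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def option_tlv_hex(opts: Dict[int, bytes], code: int) -> Optional[str]:
    """Hex of code+length+value; assumed fingerprint encoding, see lead-in."""
    value = opts.get(code)
    if value is None:
        return None
    return (bytes([code, len(value)]) + value).hex().upper()


def fingerprint(packet: bytes) -> dict:
    """Summarise the client-supplied options a derivation rule could match."""
    opts = parse_dhcp_options(packet)
    return {
        "param_request_list": list(opts.get(OPT_PARAM_REQ, b"")),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "option55_hex": option_tlv_hex(opts, OPT_PARAM_REQ),
        "option60_hex": option_tlv_hex(opts, OPT_VENDOR_CLASS),
    }


if __name__ == "__main__":
    for key, val in fingerprint(build_sample_discover()).items():
        print(f"{key}: {val}")
```

Run it against the constructed packet and it reports the parameter request list `[1, 3, 6, 15, 119, 252]`, vendor class `MSFT 5.0`, and the hex TLVs for options 55 and 60; in a real deployment you would capture the device's Discover (for example with the controller's own DHCP debugging from the linked app note) and feed those bytes to `fingerprint` instead. Because the parser refuses packets without the magic cookie and options whose length field overruns the buffer, it also illustrates the truncation checks a controller must perform before trusting client-supplied option data.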
