Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC authentication

  • 1.  MAC authentication

    Posted Feb 01, 2012 07:17 AM

    Hi all.

    I am new to posting on this forum though I've viewed it many times.  I have searched for the answer but cannot find anything that helps me.

    I have an Alcatel connected to the Eth1 port on a RAP.  It works.

    The problem is that this port is trusted and because of that if someone connects a laptop to the Eth1 they get a DHCP IP on our voice network which is ultimately a back door into our network.

    I have begun to investigate MAC authentication on the Wired port as a “Basic” security fix.  I wanted to allow only MACs that begin 00:80:9f:**:**:** to become authorised.

    I’ve created a wired profile that’s “trusted” and a wired port profile.  There is no AAA profile attached.

    Is it possible that you could tell me the steps I’d need to carry out in order to create MAC-authentication and apply it to my wired port profile?  I would want the default role to be deny but despite going on a course, looking in manuals and reading this forum I am struggling for answers.

    Thanks in advance.



  • 2.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 01, 2012 07:25 AM

    What version of ArubaOS are you running?



  • 3.  RE: MAC authentication

    Posted Feb 01, 2012 07:34 AM

    5.0.3.3, but with the upgrade taking place this weekend.



  • 4.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 01, 2012 07:40 AM

    In the ArubaOS 5.0 user guide  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=3848, in Chapter 17, entitled "MAC-Based Authentication" it tells you how to do it, step-by-step.

    In general you need to:

    create a mac authentication server group that has the internal database
    create a mac authentication profile and assign the server group to it
    create an AAA profile and assign the mac authentication profile to it
    In the AAA profile, configure the mac authentication default role to be your "success" role.
    In the same AAA profile, make the initial role a role that blocks all traffic
    add a mac address, as a username and password in the internal database in the format that you created the mac authentication profile.
    make that wired port untrusted and assign the AAA profile that you created to it.



  • 5.  RE: MAC authentication

    Posted Feb 01, 2012 12:31 PM

    Colin - I'm so close I can smell it..

    I followed your guide as the link in your previous post was not working. Everything looks pretty good, however, once the phone goes through its boot sequence, it gets an IP, downloads config, attempts to connect and comes back "Bad TFTP"

    Now, looking at the Debug below it appears to Authenticate as set up on the Internal DB, but it appears to drop it into guest:- Authenticated MAC guest 

    (Aruba-Master) (config) #  show log user all | include 00:80:9f:5f:2b:56
    Feb 1 16:56:42 :522026:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User miss: ingress=0x1191, VLAN=800
    Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  Deleting RAP Wired User (tunnel) 00:80:9f:5f:2b:56/10.150.50.238 from STM stats tree
    Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  Adding RAP Wired User (tunnel) 00:80:9f:5f:2b:56 to STM stats tree
    Feb 1 16:56:42 :522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Authenticated MAC guest   ")

    I cannot find anywhere in my  config where I point to Guest.   Any ideas?  (Thanks)



  • 6.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 01, 2012 12:34 PM

    Where your mac user is in the internal database change the role to something other than guest.


  • 7.  RE: MAC authentication

    Posted Feb 01, 2012 12:54 PM

    It is, I've created a VOIP-Wired-Auth - with Allowall...

    I've got a call out.  It's probably a check box somewhere.  I'll keep you posted.



  • 8.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 01, 2012 09:04 PM

    What is the ROLE of the mac addresses in the internal database, I mean..?



  • 9.  RE: MAC authentication

    Posted Feb 02, 2012 04:52 AM

    Okay,  I had created a new USER ROLE and added ALLOW ALL firewall policy to the user.

    00:80:9f:5f:2b:56           ********  Wired-VOIP-Auth                              Yes                      Active                0.0.0.0    admin

    user-role Wired-VOIP-Auth
     session-acl allowall ap-group rap-ap-ethvoip

    aaa profile "Voip-AAA-Mauth"
       initial-role "denied-personal-device"
       authentication-mac "VOIP-MAC"
       mac-default-role "Wired-VOIP-Auth"
       mac-server-group "Internal-voip-mac"
       dot1x-default-role "Wired-VOIP-Auth"

    ap wired-ap-profile "voip-sec-connection"
       wired-ap-enable
       switchport access vlan 800

    ap wired-port-profile "voip-connection_sec-connection"
       wired-ap-profile "voip-sec-connection"
       enet-link-profile "voip-connection"
       aaa-profile "Voip-AAA-Mauth"

    ap-group "RAP-AP-EthVoip"
       virtual-ap "Corp-VAP"
       enet1-port-profile "voip-connection_sec-connection"



  • 10.  RE: MAC authentication

    Posted Feb 02, 2012 05:04 AM

    I would be very interested in the outcome of this, as I am trying to set up something similar.



  • 11.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 05:19 AM

    That looks about right.  Is it working?



  • 12.  RE: MAC authentication

    Posted Feb 02, 2012 05:43 AM

    No..  I am running back through the config and checking everything through again.  Yesterday, when I ran the >logging level debugging I saw the VOIP set trying to connect, and now today it doesn't even get that far.  I'll give you an update. Later



  • 13.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 05:53 AM

    What role does the authenticated device end up in?


  • 14.  RE: MAC authentication

    Posted Feb 02, 2012 06:38 AM

    No..  I am running back through the config and checking everything through again. I have changed the entry in the Internal DB to point at the RAP-profile ROLE.  Now, when I do that the phone gets virtually all the way and comes back with bad TFTP.

    ((That's why I created my own User-Role with an Allow All FW policy)) 

    When the Int. DB is set to  RAP-Profile I get the following Debug:-

    522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Send mobility delete message, flags=0x0
    522015:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Remove Bridge Entry
    522004:  <DBUG> |authmgr|  Deleting RAP Wired User (tunnel) 00:80:9f:5f:2b:56/10.150.50.238 from STM stats tree
    522005:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User entry deleted: reason=unknown
    522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 Send Station delete message to mobility
    522004:  <DBUG> |authmgr|  00:80:9f:5f:2b:56: station datapath entry deleted
    522004:  <DBUG> |authmgr|  Deleting RAP Wired User (0) 00:80:9f:5f:2b:56 from STM stats tree
    522026:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User miss: ingress=0x10bd, VLAN=800
    522006:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 User entry added: reason=Sibtye
    522004:  <DBUG> |authmgr|  Adding RAP Wired User (tunnel) 00:80:9f:5f:2b:56 to STM stats tree
    522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238:  MAC auth start: entry-type=L3, bssid=00:00:00:00:00:00, essid= sg=Internal-voip-mac
    522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Unauthenticated  voice   ")
    522038:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Authentication result=Authentication Successful method=MAC server=Internal
    522004:  <DBUG> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238: MAC auth success: entry-type=L3, bssid=00:00:00:00:00:00
    522017:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Derived role 'RAP-Role' from server rules: server-group=Internal-voip-mac, authentication=MAC
    522008:  <NOTI> |authmgr|  User authenticated: Name=00:80:9f:5f:2b:56 MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 method=MAC server=Internal role=RAP-Role
    522004:  <DBUG> |authmgr|  {10.150.50.238} autTable ("00:80:9f:5f:2b:56 Authenticated MAC RAP-Role ")]

    Which looks fine to me, (But as stated before not the phone)

    If I change the internal DB to point to my new ROLE (As shown in the earlier config snapshot) the phone doesn't even attempt to authenticate.  I never see it in the Debug logging and the set continues to re-boot.
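An added example, not from the thread or from Aruba, that does in code what Colin keeps asking in this exchange: it parses authmgr lines like the ones above into the auth result and final role for each MAC, records whether a server rule (rather than the AAA profile's mac-default-role) chose that role, and flags a device that landed in an unexpected role or whose MAC is outside the 00:80:9f OUI the original poster wants to allow. The sample lines are constructed from the debug output in this post; the expected-role and OUI arguments are the caller's choice.

```python
import re

# Constructed sample: three authmgr lines modelled on the debug output pasted
# in this thread (MAC, IP and role values taken from the post; not a live capture).
SAMPLE_LOG = """\
522038:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Authentication result=Authentication Successful method=MAC server=Internal
522017:  <INFO> |authmgr|  MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 Derived role 'RAP-Role' from server rules: server-group=Internal-voip-mac, authentication=MAC
522008:  <NOTI> |authmgr|  User authenticated: Name=00:80:9f:5f:2b:56 MAC=00:80:9f:5f:2b:56 IP=10.150.50.238 method=MAC server=Internal role=RAP-Role
"""

MAC_RE = re.compile(r"MAC=([0-9a-f:]{17})", re.I)
RESULT_RE = re.compile(r"Authentication result=(.+?) method=(\S+) server=(\S+)")
DERIVED_RE = re.compile(r"Derived role '([^']+)' from server rules: server-group=([^,]+)")
AUTHED_RE = re.compile(r"User authenticated: .* role=(\S+)")


def parse_authmgr(log_text):
    """Collect, per MAC, the auth result, where the role came from and the final role."""
    entries = {}
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower()
        e = entries.setdefault(mac, {"result": None, "method": None, "server": None,
                                     "role_source": None, "final_role": None})
        r = RESULT_RE.search(line)
        if r:
            e["result"], e["method"], e["server"] = r.groups()
        d = DERIVED_RE.search(line)
        if d:
            # A server-rule derivation ("set role condition Role value-of" in this thread)
            # wins over the AAA profile's mac-default-role, which is what the poster hit.
            e["final_role"], e["role_source"] = d.group(1), "server rules:" + d.group(2)
        a = AUTHED_RE.search(line)
        if a:
            e["final_role"] = a.group(1)
    return entries


def audit(entries, expected_role, allowed_oui):
    """Flag MACs outside the allowed OUI prefix or authenticated into an unexpected role."""
    findings = []
    for mac, e in entries.items():
        if not mac.startswith(allowed_oui.lower()):
            findings.append(f"{mac}: OUI not in allowed prefix {allowed_oui}")
        if e["result"] == "Authentication Successful" and e["final_role"] != expected_role:
            findings.append(f"{mac}: authenticated into {e['final_role']} "
                            f"(via {e['role_source']}), expected {expected_role}")
    return findings
```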


  • 15.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 06:40 AM

    Looks like it is ending up in the RAP role.  Does the RAP-role have any ACLs?

    type "show rights RAP-role" to see.



  • 16.  RE: MAC authentication

    Posted Feb 02, 2012 06:52 AM

    Colin when I type "show rights RAP-role"  it comes back with "Unknown Role RAP-Role"

    If I do "Show rights"  I get this:-

    Name                    ACL  Bandwidth                  ACL List
    ----                    ---  ---------                  --------
    Corp-Access-Role            50   Up: No Limit,Dn: No Limit  allowall/,tftp-acl/voip-rap/voip-rap,tftp-acl/
    RAP-Role                        54   Up: No Limit,Dn: No Limit  Rap-policy/



  • 17.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 06:55 AM

    It is case sensitive.  It looks like you have an acl, "rap policy" attached to that.  Re-run the command with the correct case.



  • 18.  RE: MAC authentication

    Posted Feb 02, 2012 07:09 AM

    (Aruba-Master) (config) #exit
    (Aruba-Master) #show rights RAP-Role

    Derived Role = 'RAP-Role'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 54/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name        Location
    --------  ----        --------
    1         Rap-policy

    Rap-policy
    ----------
    Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
    --------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
    1         any     any             svc-papi  permit                           Low
    2         any     any             svc-gre   permit                           Low
    3         any     any             svc-l2tp  permit                           Low
    4         any     mswitch      svc-tftp  permit                           Low
    5         any     mswitch      svc-ftp   permit                           Low

    Expired Policies (due to time constraints) = 0

    You appear to be onto something.   I assume that I need another entry in the RAP Policy to enable svc-tftp to our PBX.  My question is where do I do that?  I have set up a destination within Firewall pointing to our PBX but I'm not sure how to add that to my policy. (And how high up in that policy it should sit)



  • 19.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 07:13 AM

    According to the debug, you are getting the role from a server rule in the "internal-voip-mac" server group.  What rule do you have in that server group that is putting your phone in the Rap-role?



  • 20.  RE: MAC authentication

    Posted Feb 02, 2012 07:44 AM

    aaa server-group "Internal-voip-mac"
       allow-fail-through
     auth-server Internal
     set role condition Role value-of



  • 21.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 02, 2012 07:50 AM

    Okay. So your device is being assigned to the role in the internal database of the Mac address entry. The server rule "set role condition.." is shorthand for assign the role next to the Mac address in the internal database. Modify the Mac address role in the internal database to be something like "authenticated", unplug the phone, then plug it in again.

    Fail through is not needed. It is for when you are using multiple servers; it does not apply here, so feel free to uncheck that.


  • 22.  RE: MAC authentication

    Posted Feb 03, 2012 03:09 AM

    I'm going to leave it now, until after the weekend.  I seem to have taken one step forward and two back with this.  If I do the debug, I now no longer see it trying to connect at all, yet the phone is cycling through its boot sequence. A Wireshark sniff shows it doing its TFTP to get code and config, but then the set just restarts.


  • 23.  RE: MAC authentication

    EMPLOYEE
    Posted Feb 03, 2012 03:11 AM

    You need to trigger the mac auth by unplugging, then plugging in the cable.  Then you will see the mac authentication.  Please open a support case so that they can look over and fix your configuration.



  • 24.  RE: MAC authentication

    Posted Feb 06, 2012 07:53 AM

    You may also need to issue an "aaa user delete A.B.C.D" as the controller will cache the auth. Do a show user-table ip A.B.C.D and see if they are there.