Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS request without considering username and password

  • 1.  RADIUS request without considering username and password

    Posted Mar 28, 2017 04:22 AM

    Hi Airheads,


    We're migrating our private APN environment from NPS to ClearPass. The authenticating routers all use the username 'void' for every RADIUS request. The differentiator is the Calling-Station-Id, which is the mobile number of the supplicant. The RADIUS server then responds with a Framed-IP-Address.

    I have set up role mapping and enforcement profiles to match a mobile number with a RADIUS response, but I'm stuck at user authentication because of course user 'void' doesn't exist.

     

    Can someone please point me in the right direction to skip or alternate that check please?

     

    *EDIT*

    I like to keep it simple, but if there's no way around authenticating the username, these attributes may be used instead:

     

    '%{Radius:IETF:NAS-Identifier}' as user_id,
    '%{Radius:IETF:NAS-IP-Address}' as user_password

     

    Authentication source may be local or guest, doesn't really matter. I'm not sure how to translate this in a custom source filter.



  • 2.  RE: RADIUS request without considering username and password

    Posted Mar 28, 2017 05:18 AM

    The logs point out that a MAC address is searched for in the Calling-Station-Id, which is a mobile phone number in my case. Auth method is CHAP.

     

    2017-03-28 11:13:49,524    [Th 3552 Req 3971458 SessId R000753e3-01-58da294d] INFO RadiusServer.Radius - The attribute 324XXXXXXX does not contain valid MAC Address


    2017-03-28 11:13:49,525    [RequestHandler-1-0x7f5c10561700 r=psauto-1489164657-1499386 h=239 r=R000753e3-01-58da294d] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations



  • 3.  RE: RADIUS request without considering username and password

    Posted Mar 29, 2017 06:16 AM

    I've googled some more. Void means that there's a blank username and/or password in the request.

     

    The NAS devices are not managed by us and the configuration cannot be altered because the Windows NPS-server still has to authenticate during migration to Clearpass.

     

    The NPS connection request policy is very simple:

    Conditions: called station ID + NAS IP address + Calling station ID = Framed IP address x.x.x.x. And flag 'accept users without validating credentials'.


    Is it possible to replicate it and accept any user on one service only? I will use other radius attributes to assign an enforcement profile.
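The NPS policy described in the last post (match NAS-IP-Address, Called-Station-Id and Calling-Station-Id, never look at the credentials, answer with a Framed-IP-Address) can be written out as a small RADIUS (RFC 2865) decision function, which makes clear what such a service must and must not check. The following is an added example, not code from the thread, from ClearPass or from NPS: the allowed NAS address, the APN name, the MSISDN-to-IP table, the shared secret and the sample Access-Request are all constructed here for illustration.

```python
"""Toy RADIUS policy: accept on NAS-IP + Called-Station-Id + Calling-Station-Id,
ignore User-Name/CHAP, and hand back a Framed-IP-Address (RFC 2865 framing)."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 3, 4, 8
CALLED_STATION_ID, CALLING_STATION_ID, CHAP_CHALLENGE = 30, 31, 60
IP_ATTRS = {NAS_IP_ADDRESS, FRAMED_IP_ADDRESS}

# Constructed policy data (assumed for this example, not from the thread):
# the APN router allowed to ask, the APN it serves, and the MSISDN -> IP table.
ALLOWED_NAS = {"192.0.2.10"}
APN = "corp.private.apn"
IP_POOL = {"32412345678": "10.20.0.5", "32487654321": "10.20.0.6"}


def encode_attrs(attrs):
    """attrs: list of (type, value); IP-typed attributes take dotted strings."""
    out = b""
    for t, v in attrs:
        if t in IP_ATTRS:
            v = ipaddress.IPv4Address(v).packed
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_request(ident, attrs, authenticator=None):
    body = encode_attrs(attrs)
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_packet(data):
    """Return (code, identifier, authenticator, {type: first raw value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    authenticator, pos, attrs = data[4:20], 20, {}
    while pos < length:
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, data[pos + 2:pos + alen])
        pos += alen
    return code, ident, authenticator, attrs


def text(attrs, t):
    v = attrs.get(t)
    if v is None:
        return None
    return str(ipaddress.IPv4Address(v)) if t in IP_ATTRS else v.decode("utf-8", "replace")


def decide(request, secret):
    """Policy for one Access-Request: returns (response bytes, framed IP or None)."""
    code, ident, auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    reject = build_response(ACCESS_REJECT, ident, auth, [], secret)
    # The NPS conditions: NAS-IP-Address + Called-Station-Id + Calling-Station-Id.
    # User-Name ('void') and CHAP-Password are deliberately never examined.
    if text(attrs, NAS_IP_ADDRESS) not in ALLOWED_NAS or text(attrs, CALLED_STATION_ID) != APN:
        return reject, None
    calling = text(attrs, CALLING_STATION_ID) or ""
    # Calling-Station-Id carries an MSISDN here, not a MAC: validate as digits, never MAC-parse.
    if not calling.isdigit() or calling not in IP_POOL:
        return reject, None
    framed = IP_POOL[calling]
    return build_response(ACCESS_ACCEPT, ident, auth, [(FRAMED_IP_ADDRESS, framed)], secret), framed


def verify_response(response, request, secret):
    """What the NAS does: check the Response Authenticator against its own request."""
    _, _, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def sample_request(calling="32412345678", nas_ip="192.0.2.10", apn=APN):
    """Constructed Access-Request shaped like the routers' in the thread: User-Name
    'void', CHAP attributes that carry no useful credential, MSISDN in Calling-Station-Id."""
    challenge = os.urandom(16)
    chap = b"\x01" + hashlib.md5(b"\x01" + b"" + challenge).digest()  # CHAP ident + MD5
    return build_request(7, [(USER_NAME, "void"), (CHAP_PASSWORD, chap), (CHAP_CHALLENGE, challenge),
                             (NAS_IP_ADDRESS, nas_ip), (CALLED_STATION_ID, apn),
                             (CALLING_STATION_ID, calling)])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for msisdn in ("32412345678", "32499999999", "aa-bb-cc-dd-ee-ff"):
        resp, framed = decide(sample_request(msisdn), secret)
        print(msisdn, "->", {2: "Access-Accept", 3: "Access-Reject"}[resp[0]], framed)
```

Two points the code makes explicit. First, because the credential is never checked, the only things standing between a client and an IP assignment for an arbitrary MSISDN are the NAS source restriction and the shared secret, so the service that replicates this policy should be bound to exactly those NAS devices and nothing else. Second, the Calling-Station-Id is treated as a plain digit string and never run through a MAC parser, which is the mismatch the log lines in post 2 complain about.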