Occasional Contributor II

Server-derived rule using Filter-Id from FreeRADIUS not working

I'm setting up a wireless lab. I added FreeRADIUS 3.0.15 to my back-end services. I am trying to set up a server-derived rule. The intent is that when guest123, password guest123 authenticates via 802.1X, radius1 (the FreeRADIUS server) returns Filter-Id = labguest, and a rule in the server group containing radius1 sets the user-role to labguest instead.

 

What happens instead is that the user receives the default 802.1X role, "authenticated".

 

Here is the relevant Aruba configuration:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

 

aaa authentication-server radius "radius1"
   host "192.168.18.249"
   key b07f6475f2dcdf6f66ef027b4532fe8b8fb1b5880e755383

 

aaa server-group "lab-emp_srvgrp-ckl54"
 auth-server radius1
 set role condition Filter-Id value-of

 

The following looks good:

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 2.589
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   ,W\332\023\211\277R@c\350\262\333\031\270w\017
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        \263if&\273\027\236y\034:4\270E\372\262\234
           PW_RADIUS_ID        \360
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
           Filter-Id                  labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \202\336
Microsoft  MS-MPPE-Send-Key           \215\270Q\230"\0048\252\301\\377\313b\001\024\360\202u\350\033\217\322Q\025L\365ri\201\340sY\347\011
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               \360
           Rad-Length                 189
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       \347\211\010\362\356\232\017\011\246$\351\314\365\271\370\350

 

The same thing results from the Local1 controller, since both Master1 and Local1 were set up as RADIUS clients at FreeRADIUS.

 

But when guest123/guest123 authenticates via 802.1X, the user-role is "authenticated", when it should be "labguest":

(Local1) #show user mac 44:39:c4:59:e5:64


Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X

...truncated output

 

Just in case this is a FreeRADIUS issue, I also posted the same issue at https://stackoverflow.com/questions/47681051/server-derived-role-based-on-filterid-using-freeradius-not-working

 

Thoughts?


Accepted Solutions
Moderator

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Please work with Aruba TAC. Troubleshooting is difficult on here.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I would like to provide closure:

This turned out to be a FreeRADIUS configuration issue.

Aruba support engineer Akshay Sharma analyzed captured packets and observed:

I would like to inform you that I went through the packet captures and I have attached the screenshots from the same based on what we observed. As seen in the CP-Accept screenshot, we see the Radius Accept for when the user was authenticating with Captive Portal. We see in the accept packet that the server is sending the attribute 'labguest' to the controller for the user role to be assigned. In the case of the Dot1x-Accept screenshot, we do not see any attribute being sent by the server in the accept packet for when the user was authenticating with dot1x authentication. Please check on the server end if we need to enable sending the attribute for MSCHAPv2 along with the PAP protocol, or if there are any specific configurations on the server that are handling the attributes to be sent based on the authentication type.

I then posted to the FreeRADIUS user list, and received this feedback:

“The solution is to move the "files" module to before "eap".  Edit sites-enabled/default.   Look at the "authorize" section.”

 

SDR and Aruba VSAs now work fully with FreeRADIUS.

 

The value to the community is that especially for wireless lab and proof of concept use, FreeRADIUS is a viable alternative to more costly or complicated RADIUS solutions.

 

The configuration I used is:

FreeRADIUS 3.0.15 / Ubuntu 16.04.3 / VMWare Workstation 14

Set up a static IP by editing /etc/network/interfaces. Restart.

Open UDP 1812 and 1813 at the laptop firewall.

Edit users to add usernames, passwords, and returned attributes.

Edit clients.conf to add controller(s).

Update certificates.

Edit sites-enabled/default as explained above.

Start the service via "freeradius -X" to see debug output, or simply "freeradius". If it was already running, then stop it first by "service freeradius stop".
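As an added illustration (not the thread author's configuration and not FreeRADIUS project code), here is a small Python check for the ordering fix described above: it extracts the top-level module order of the `authorize` section from a sites-enabled/default-style file and reports whether `files` is listed before `eap`. The two embedded site fragments are constructed samples modelled on the 3.0.x layout; the `ok = return` inside the `eap` block is what makes everything listed after it, including `files` and the reply items from the users file, get skipped once `eap` has claimed an EAP request.

```python
import re

# unlang keywords that may open a block at the top level of "authorize" but are not modules
KEYWORDS = {"if", "elsif", "else", "update", "switch", "case", "redundant", "group"}

# Constructed sample of the shipped 3.0.x ordering: eap returns before files runs.
BROKEN_SITE = """
server default {
    authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return      # EAP request handled here: the rest of authorize is skipped
        }
        files                # reply items from the users file never get added for EAP
        -sql
        expiration
        logintime
        pap
    }
    authenticate {
        eap
    }
}
"""

# Constructed sample with the fix from the FreeRADIUS list: files ahead of eap.
FIXED_SITE = """
server default {
    authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        files                # users-file entries (passwords, Filter-Id, VSAs) are read first
        eap {
            ok = return
        }
        -sql
        expiration
        logintime
        pap
    }
    authenticate {
        eap
    }
}
"""


def authorize_module_order(site_text: str) -> list:
    """Return the top-level module names of the authorize { } section, in file order.

    A module with a sub-block, such as "eap { ok = return }", is counted once under its
    own name and the block contents are ignored. Comments (#) are stripped first.
    """
    modules = []
    inside = False
    depth = 0
    for raw in site_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not inside:
            if re.match(r"^authorize\s*\{$", line):
                inside, depth = True, 1
            continue
        if depth == 1 and not line.startswith("}"):
            m = re.match(r"^-?([A-Za-z_][\w.-]*)", line)   # "-sql" means "optional module sql"
            if m and m.group(1) not in KEYWORDS:
                modules.append(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return modules


def files_before_eap(site_text: str) -> bool:
    """True when "files" precedes "eap", so users-file reply attributes are added for EAP."""
    order = authorize_module_order(site_text)
    if "files" not in order or "eap" not in order:
        return False
    return order.index("files") < order.index("eap")


if __name__ == "__main__":
    for label, text in (("shipped", BROKEN_SITE), ("fixed", FIXED_SITE)):
        print(label, authorize_module_order(text), "files before eap:", files_before_eap(text))
```

Run it against your own sites-enabled/default by reading the file into a string and passing it to `files_before_eap`; the check only looks at the `authorize` section of the first virtual server in the text.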

 

 

 



All Replies
Moderator

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Why are you using filter-id with SDR? Just return the Aruba-User-Role VSA directly.


Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I'm preparing for a certification with a non-disclosure agreement, so I can't tell you exactly what I'm attempting to solve.

 

However, my setup is also ignoring Aruba-User-Role VSA. I believe an Aruba VSA is supposed to be top priority.

 

This works:

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 3.909
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   \207M>\205\367"[\032\204\304\307^\272k\251\317
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        q\267M\203\016\375\324v]\205\261\2678\020\016Y
           PW_RADIUS_ID        \361
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
Aruba      Aruba-User-Role            labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \206\254\177+\233\010n_\265p\275\333R\011(4\215'\264]\003MEq\204\0064B\340\033\326\244U\322
Microsoft  MS-MPPE-Send-Key           \217\032\251\256\032\230_%\373\32687BF\260dn\305\350\235\246\002\341E\355\317\032\021\277\311I!\246'
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               \361
           Rad-Length                 195
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       3\341\3629\237\242\242 b\3631\372\252\021

 

But when guest123/guest123 authenticates, user-role is still "authenticated":

(Master1) #show user mac 44:39:c4:59:e5:64

Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN

Moderator

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

That role definitely exists on the controller?


Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Yes. Here it is:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I think something may be funky about the exchange with my RADIUS server.

 

I can show you some logs, if you advise which ones to set up prior to authenticating.

Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I believe I have a broken lab, in some regard. Here's what I've done to continue troubleshooting it.

 

Questions: is the RADIUS server behaving properly, from the logs and packet captures? I do see it sending back the AVP "FilterId","labguest" in one of the packets, but not in the accept packet at the end. Should it be there as well? Can someone please do a simple test with a working setup and compare?

 

I attach resulting logs, and RADIUS traffic screenshots from Wireshark.

 

Other notes:

I did a fresh build -- write erase all and set up just the master, AP, switch, and back-end services.

Added radius1 with the correct host IP and key.

Created ACL "dont-ping-controller".

Created user-role "labguest" designed to allow the user to do everything but ping the controller.

Used wlan wizard to make an 802.1X VAP. There was a checkbox to set up SDR based on Filter-Id, so I used it.

 

Here's the relevant part of the resulting config:

user-role labguest
 access-list session global-sacl
 access-list session apprf-labguest-sacl
 access-list session dont-ping-controller
 access-list session allowall
 access-list session v6-allowall

!

aaa authentication-server radius "radius1"
   host "192.168.18.249"
   key fb11664b1c366e5eca38c6f86a95cd0b34ee938842c55450
!
aaa server-group "Lab-Emp_srvgrp-zud62"
 auth-server radius1
 set role condition filter-id value-of
!

 

I notice the code generated by the wizard referred to "filter-id" rather than "Filter-Id". I changed it at the CLI as follows, but it still didn't help. Since Aruba VSAs are also being ignored, that can't be the sole issue in any case.

 

aaa server-group "Lab-Emp_srvgrp-zud62"
 auth-server radius1
 set role condition Filter-Id value-of

 

***This is bad***

(Master1) # show user mac 44:39:c4:59:e5:64


Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN

 

***This is good***

(Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

Authentication Successful
Processing time (ms) : 6.301
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Id         0
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
           Calling-Station-Id  0.0.0.0
           Called-Station-Id   000B86BE91F0
Microsoft  MS-CHAP-Challenge   \220\024\274\330\2622FP\351\025c\234\234\256Bv
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Aruba      Aruba-Location-Id   N/A
Aruba      Aruba-AP-Group      N/A
Aruba      Aruba-Device-Type
           Message-Auth        \223.1\222\034n\362E\224\217\307\371\211\237\3527
           PW_RADIUS_ID        E
           Rad-Length          199
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
           Service-Type               Framed-User
           Filter-Id                  labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           \307\354$s\277c\215\262|\246\312F\216\275\025v\032\305K\212\271J\370+\225#\314*i\324\321\001
Microsoft  MS-MPPE-Send-Key           \3137\217\0117<\001#L\212\177\303\023\356\374("\016d#\017\217+a\022\311\214B\273;\260\256V\004
Microsoft  MS-MPPE-Encryption-Policy
Microsoft  MS-MPPE-Encryption-Types
           PW_RADIUS_ID               E
           Rad-Length                 195
           PW_RADIUS_CODE             \002
           PW_RAD_AUTHENTICATOR       \274\335\332\250~*\2647\253\321\210\370\016aA.

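To check what the question above asks about, namely which attributes the final Access-Accept actually carries, here is an added Python decoder (not from this thread, Aruba or FreeRADIUS) for the RADIUS header and attribute TLVs, including Vendor-Specific attributes, with the Aruba vendor id 14823 and Aruba-User-Role (vendor type 1) resolved by name. The three packets it builds are constructed samples mirroring the cases in this thread: an Accept carrying Filter-Id, one carrying the Aruba-User-Role VSA, and one carrying no role attribute at all. `derive_role` models the precedence the thread assumes (Aruba VSA first, then the rule's Filter-Id, then the default 802.1X role); that ordering is an assumption of this example, not something the thread confirms.

```python
import struct

# RADIUS codes and attribute types from RFC 2865; IANA vendor ids (Aruba 14823, Microsoft 311).
# Aruba-User-Role is vendor type 1 in the Aruba dictionary.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
MICROSOFT_VENDOR_ID = 311
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User"}
ARUBA_VSA_NAMES = {1: "Aruba-User-Role", 2: "Aruba-User-Vlan"}

# Constructed authenticator for the samples; a real Access-Accept carries the MD5-based
# Response Authenticator that the controller verifies against the shared secret.
AUTHENTICATOR = bytes(range(16))


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value, Length covering all three fields."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute holding one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def radius_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Prepend the 20-byte header: Code, Identifier, Length, Authenticator."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius(packet: bytes) -> dict:
    """Decode code, identifier and a list of (name, value) pairs; every length field is
    checked against its enclosing structure so malformed input raises instead of misparsing."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        value = packet[pos + 2 : pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_FILTER_ID:
            attrs.append(("Filter-Id", value.decode("utf-8", "replace")))
        elif attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            svc = struct.unpack("!I", value)[0]
            attrs.append(("Service-Type", SERVICE_TYPES.get(svc, str(svc))))
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError(f"bad sub-attribute length in VSA from vendor {vendor_id}")
            vvalue = value[6 : 4 + vlen]
            if vendor_id == ARUBA_VENDOR_ID:
                name = ARUBA_VSA_NAMES.get(vtype, f"Aruba-VSA-{vtype}")
                attrs.append((name, vvalue.decode("utf-8", "replace")))
            else:
                attrs.append((f"Vendor-{vendor_id}-Type-{vtype}", vvalue.hex()))
        else:
            attrs.append((f"Attribute-{attr_type}", value.hex()))
    return {"code": CODES.get(code, str(code)), "identifier": identifier, "attributes": attrs}


def derive_role(attributes, default_role="authenticated", rule_attr="Filter-Id") -> str:
    """Assumed precedence (not confirmed by the thread): Aruba-User-Role VSA, then the
    server-derived rule's value-of on rule_attr, then the 802.1X default role."""
    values = dict(attributes)
    if "Aruba-User-Role" in values:
        return values["Aruba-User-Role"]
    return values.get(rule_attr, default_role)


# Constructed sample Access-Accepts mirroring the three situations in the thread.
def accept_with_filter_id() -> bytes:
    """Like the aaa test-server output: Service-Type and Filter-Id present, plus an MPPE key."""
    return radius_packet(ACCESS_ACCEPT, 0xF0, AUTHENTICATOR,
                         attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 2))
                         + attribute(ATTR_FILTER_ID, b"labguest")
                         + vsa(MICROSOFT_VENDOR_ID, 16, bytes(18)))  # MS-MPPE-Send-Key placeholder


def accept_with_vsa() -> bytes:
    """The moderator's suggestion: carry the role in the Aruba-User-Role VSA."""
    return radius_packet(ACCESS_ACCEPT, 0xF1, AUTHENTICATOR, vsa(ARUBA_VENDOR_ID, 1, b"labguest"))


def accept_without_role() -> bytes:
    """An Accept with no role attribute at all: the user lands in the default role."""
    return radius_packet(ACCESS_ACCEPT, 0xF2, AUTHENTICATOR, b"")


if __name__ == "__main__":
    for pkt in (accept_with_filter_id(), accept_with_vsa(), accept_without_role()):
        decoded = parse_radius(pkt)
        print(decoded["code"], decoded["attributes"], "->", derive_role(decoded["attributes"]))
```

To inspect a real exchange, export the UDP payload of the Access-Accept from Wireshark as raw bytes and pass it to `parse_radius`; if Filter-Id or Aruba-User-Role is missing from that packet, the controller had nothing to derive a role from, whatever the Access-Challenge packets earlier in the EAP exchange contained.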
Occasional Contributor II

Re: Server-derived rule using Filter-Id from FreeRADIUS not working

I attach Wireshark screenshots and controller logs. Still not working. Can anyone tell if the exchange with RADIUS is right?


Re: Server-derived rule using Filter-Id from FreeRADIUS not working

Have you tested with an actual wireless client?  The SDR rules are applied to the server-group, but the aaa test is done by specifying a server.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294