Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Server-derived rule using Filter-Id from FreeRADIUS not working

  • 1.  Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 13, 2017 11:28 AM

    I'm setting up a wireless lab. I added FreeRADIUS 3.0.15 to my back-end services. I am trying to set up a server-derived rule. The intent is that when guest123, password guest123 authenticates via 802.1X, radius1 (the FreeRADIUS server) returns Filter-Id = labguest, and a rule in the server group containing radius1 sets the user-role to labguest instead.

     

    What happens instead is that the user receives the default 802.1X role, "authenticated".

     

    Here is the relevant Aruba configuration:

    user-role labguest
     access-list session global-sacl
     access-list session apprf-labguest-sacl
     access-list session dont-ping-controller
     access-list session allowall
     access-list session v6-allowall

     

    aaa authentication-server radius "radius1"
       host "192.168.18.249"
       key b07f6475f2dcdf6f66ef027b4532fe8b8fb1b5880e755383

     

    aaa server-group "lab-emp_srvgrp-ckl54"
     auth-server radius1
     set role condition Filter-Id value-of

     

    The following looks good:

    (Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

    Authentication Successful
    Processing time (ms) : 2.589
    Attribute value pairs in request
    --------------------------------
    Vendor     Attribute           Value
    ------     ---------           -----
               NAS-IP-Address      192.168.18.254
               NAS-Port-Id         0
               NAS-Port-Type       Wireless-IEEE802.11
               User-Name           guest123
               Service-Type        Login-User
               Calling-Station-Id  0.0.0.0
               Called-Station-Id   000B86BE91F0
    Microsoft  MS-CHAP-Challenge   ,W\332\023\211\277R@c\350\262\333\031\270w\017
    Microsoft  MS-CHAP2-Response
    Aruba      Aruba-Essid-Name
    Aruba      Aruba-Location-Id   N/A
    Aruba      Aruba-AP-Group      N/A
    Aruba      Aruba-Device-Type
               Message-Auth        \263if&\273\027\236y\034:4\270E\372\262\234
               PW_RADIUS_ID        \360
               Rad-Length          199
    Attribute value pairs in response
    ---------------------------------
    Vendor     Attribute                  Value
    ------     ---------                  -----
               Filter-Id                  labguest
    Microsoft  MS-CHAP2-Success
    Microsoft  MS-MPPE-Recv-Key           \202\336
    Microsoft  MS-MPPE-Send-Key           \215\270Q\230"\0048\252\301\\377\313b\001\024\360\202u\350\033\217\322Q\025L\365ri\201\340sY\347\011
    Microsoft  MS-MPPE-Encryption-Policy
    Microsoft  MS-MPPE-Encryption-Types
               PW_RADIUS_ID               \360
               Rad-Length                 189
               PW_RADIUS_CODE             \002
               PW_RAD_AUTHENTICATOR       \347\211\010\362\356\232\017\011\246$\351\314\365\271\370\350

     

    The same thing results from the Local1 controller, since both Master1 and Local1 were set up as RADIUS clients at FreeRADIUS.

     

    But when guest123/guest123 authenticates via 802.1X, the user-role is "authenticated", when it should be "labguest":

    (Local1) #show user mac 44:39:c4:59:e5:64


    Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
    Authentication Servers: dot1x authserver: radius1, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_DOT1X

    ...truncated output

     

    Just in case this is a FreeRADIUS issue, I also posted the same issue at https://stackoverflow.com/questions/47681051/server-derived-role-based-on-filterid-using-freeradius-not-working

     

    Thoughts?
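The controller's verbose listing in the post above is the quickest place to confirm which response attribute actually carries the role, so here is a small parser for that listing. This is an added example written for this thread, not ArubaOS code or the poster's output: SAMPLE_OUTPUT is constructed in the shape of the listing above with the binary MS-CHAP values replaced by placeholders, and parse_test_server, role_attributes and ROLE_ATTRIBUTES are names chosen here. It returns the request and response attribute lists separately and picks out Filter-Id or Aruba-User-Role from the response, the two attributes this thread derives the role from.

```python
"""Parse ArubaOS 'aaa test-server ... verbose' output and report which
response attributes a user role could be derived from.

Added example for this thread; not ArubaOS code and not the poster's output.
SAMPLE_OUTPUT is constructed in the shape of the thread's listing, with the
binary MS-CHAP values shortened to placeholders.
"""

# The two role-bearing attributes discussed in this thread.
ROLE_ATTRIBUTES = ("Aruba-User-Role", "Filter-Id")

# Constructed sample (abbreviated); standard attributes have a blank vendor column.
SAMPLE_OUTPUT = """\
Authentication Successful
Processing time (ms) : 2.589
Attribute value pairs in request
--------------------------------
Vendor     Attribute           Value
------     ---------           -----
           NAS-IP-Address      192.168.18.254
           NAS-Port-Type       Wireless-IEEE802.11
           User-Name           guest123
           Service-Type        Login-User
Microsoft  MS-CHAP-Challenge   <16 bytes>
Microsoft  MS-CHAP2-Response
Aruba      Aruba-Essid-Name
Attribute value pairs in response
---------------------------------
Vendor     Attribute                  Value
------     ---------                  -----
           Filter-Id                  labguest
Microsoft  MS-CHAP2-Success
Microsoft  MS-MPPE-Recv-Key           <34 bytes>
           PW_RADIUS_CODE             \\002
"""


def parse_test_server(text):
    """Return {'success': bool, 'request': [...], 'response': [...]}.

    Each list holds (vendor, attribute, value) tuples; vendor is '' for
    standard RADIUS attributes and value is '' when the controller printed
    none (it omits binary values it cannot render).
    """
    result = {"success": None, "request": [], "response": []}
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("Authentication "):
            result["success"] = stripped == "Authentication Successful"
            continue
        if stripped.startswith("Attribute value pairs in "):
            section = stripped.rsplit(" ", 1)[1]      # 'request' or 'response'
            continue
        if section is None or stripped.startswith(("-", "Vendor ")):
            continue                                  # preamble and table rulers
        # Standard attributes are printed with an empty vendor column, so the
        # raw line starts with whitespace; vendor-specific ones start with the vendor.
        if raw[0].isspace():
            vendor, rest = "", stripped
        else:
            vendor, _, rest = stripped.partition(" ")
            rest = rest.strip()
        attribute, _, value = rest.partition(" ")
        result[section].append((vendor, attribute, value.strip()))
    return result


def role_attributes(text):
    """(attribute, value) pairs in the response that a server-derived rule or
    the Aruba-User-Role VSA could act on; empty if the server returned none."""
    parsed = parse_test_server(text)
    return [(a, v) for _, a, v in parsed["response"] if a in ROLE_ATTRIBUTES]
```

Run it over the saved output of `aaa test-server ... verbose`; an empty list from role_attributes means the server accepted the user without returning anything a server-derived rule could match. Keep in mind the caveat raised later in this thread: `aaa test-server` talks to a named server, not to the server group, so a positive result here confirms what the RADIUS server returns on that path but does not exercise the server-group rule itself.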



  • 2.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    EMPLOYEE
    Posted Dec 13, 2017 11:29 AM
    Why are you using filter-id with SDR? Just return the Aruba-User-Role VSA directly.


  • 3.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 13, 2017 02:14 PM

    I'm preparing for a certification with a non-disclosure agreement, so I can't tell you exactly what I'm attempting to solve.

     

    However, my setup is also ignoring the Aruba-User-Role VSA. I believe an Aruba VSA is supposed to be top priority.

     

    This works:

    (Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

    Authentication Successful
    Processing time (ms) : 3.909
    Attribute value pairs in request
    --------------------------------
    Vendor     Attribute           Value
    ------     ---------           -----
               NAS-IP-Address      192.168.18.254
               NAS-Port-Id         0
               NAS-Port-Type       Wireless-IEEE802.11
               User-Name           guest123
               Service-Type        Login-User
               Calling-Station-Id  0.0.0.0
               Called-Station-Id   000B86BE91F0
    Microsoft  MS-CHAP-Challenge   \207M>\205\367"[\032\204\304\307^\272k\251\317
    Microsoft  MS-CHAP2-Response
    Aruba      Aruba-Essid-Name
    Aruba      Aruba-Location-Id   N/A
    Aruba      Aruba-AP-Group      N/A
    Aruba      Aruba-Device-Type
               Message-Auth        q\267M\203\016\375\324v]\205\261\2678\020\016Y
               PW_RADIUS_ID        \361
               Rad-Length          199
    Attribute value pairs in response
    ---------------------------------
    Vendor     Attribute                  Value
    ------     ---------                  -----
    Aruba      Aruba-User-Role            labguest
    Microsoft  MS-CHAP2-Success
    Microsoft  MS-MPPE-Recv-Key           \206\254\177+\233\010n_\265p\275\333R\011(4\215'\264]\003MEq\204\0064B\340\033\326\244U\322
    Microsoft  MS-MPPE-Send-Key           \217\032\251\256\032\230_%\373\32687BF\260dn\305\350\235\246\002\341E\355\317\032\021\277\311I!\246'
    Microsoft  MS-MPPE-Encryption-Policy
    Microsoft  MS-MPPE-Encryption-Types
               PW_RADIUS_ID               \361
               Rad-Length                 195
               PW_RADIUS_CODE             \002
               PW_RAD_AUTHENTICATOR       3\341\3629\237\242\242 b\3631\372\252\021

     

    But when guest123/guest123 authenticates, user-role is still "authenticated":

    (Master1) #show user mac 44:39:c4:59:e5:64

    Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
    Authentication Servers: dot1x authserver: radius1, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_DOT1X
    VLAN Derivation: Default VLAN



  • 4.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    EMPLOYEE
    Posted Dec 13, 2017 02:19 PM
    That role definitely exists on the controller?


  • 5.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 13, 2017 02:21 PM

    Yes. Here it is:

    user-role labguest
     access-list session global-sacl
     access-list session apprf-labguest-sacl
     access-list session dont-ping-controller
     access-list session allowall
     access-list session v6-allowall



  • 6.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 14, 2017 07:38 AM

    I think something may be funky about the exchange with my RADIUS server.

     

    I can show you some logs, if you advise which ones to set up prior to authenticating.



  • 7.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 15, 2017 11:26 AM

    I believe I have a broken lab, in some regard. Here's what I've done to continue troubleshooting it.

     

    Questions: is the RADIUS server behaving properly, from the logs and packet captures? I do see it sending back the AVP "FilterId","labguest" in one of the packets, but not in the accept packet at the end. Should it be there as well? Can someone please do a simple test with a working setup and compare?

     

    I attach resulting logs, and RADIUS traffic screenshots from Wireshark.

     

    Other notes:

    I did a fresh build -- write erase all and set up just the master, AP, switch, and back-end services.

    Added radius1 with the correct host IP and key.

    Created ACL "dont-ping-controller".

    Created user-role "labguest" designed to allow the user to do everything but ping the controller.

    Used wlan wizard to make an 802.1X VAP. There was a checkbox to set up SDR based on Filter-Id, so I used it.

     

    Here's the relevant part of the resulting config:

    user-role labguest
     access-list session global-sacl
     access-list session apprf-labguest-sacl
     access-list session dont-ping-controller
     access-list session allowall
     access-list session v6-allowall

    !

    aaa authentication-server radius "radius1"
       host "192.168.18.249"
       key fb11664b1c366e5eca38c6f86a95cd0b34ee938842c55450
    !
    aaa server-group "Lab-Emp_srvgrp-zud62"
     auth-server radius1
     set role condition filter-id value-of
    !

     

    I notice the code generated by the wizard referred to "filter-id" rather than "Filter-Id". I changed it at the CLI as follows, but it still didn't help. Since Aruba VSAs are also being ignored, that can't be the sole issue in any case.

     

    aaa server-group "Lab-Emp_srvgrp-zud62"
     auth-server radius1
     set role condition Filter-Id value-of

     

    ***This is bad***

    (Master1) # show user mac 44:39:c4:59:e5:64


    Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
    Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
    Authentication Servers: dot1x authserver: radius1, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_DOT1X
    VLAN Derivation: Default VLAN

     

    ***This is good***

    (Master1) #aaa test-server mschapv2 radius1 guest123 guest123 verbose

    Authentication Successful
    Processing time (ms) : 6.301
    Attribute value pairs in request
    --------------------------------
    Vendor     Attribute           Value
    ------     ---------           -----
               NAS-IP-Address      192.168.18.254
               NAS-Port-Id         0
               NAS-Port-Type       Wireless-IEEE802.11
               User-Name           guest123
               Service-Type        Login-User
               Calling-Station-Id  0.0.0.0
               Called-Station-Id   000B86BE91F0
    Microsoft  MS-CHAP-Challenge   \220\024\274\330\2622FP\351\025c\234\234\256Bv
    Microsoft  MS-CHAP2-Response
    Aruba      Aruba-Essid-Name
    Aruba      Aruba-Location-Id   N/A
    Aruba      Aruba-AP-Group      N/A
    Aruba      Aruba-Device-Type
               Message-Auth        \223.1\222\034n\362E\224\217\307\371\211\237\3527
               PW_RADIUS_ID        E
               Rad-Length          199
    Attribute value pairs in response
    ---------------------------------
    Vendor     Attribute                  Value
    ------     ---------                  -----
               Service-Type               Framed-User
               Filter-Id                  labguest
    Microsoft  MS-CHAP2-Success
    Microsoft  MS-MPPE-Recv-Key           \307\354$s\277c\215\262|\246\312F\216\275\025v\032\305K\212\271J\370+\225#\314*i\324\321\001
    Microsoft  MS-MPPE-Send-Key           \3137\217\0117<\001#L\212\177\303\023\356\374("\016d#\017\217+a\022\311\214B\273;\260\256V\004
    Microsoft  MS-MPPE-Encryption-Policy
    Microsoft  MS-MPPE-Encryption-Types
               PW_RADIUS_ID               E
               Rad-Length                 195
               PW_RADIUS_CODE             \002
               PW_RAD_AUTHENTICATOR       \274\335\332\250~*\2647\253\321\210\370\016aA.

    Attachment: logs - SDR.txt (63 KB)


  • 8.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 15, 2017 03:09 PM

    I attach Wireshark screenshots and controller logs. Still not working. Can anyone tell if the exchange with RADIUS is right?

    Attachment: logs - SDR.txt (63 KB)


  • 9.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working
    Best Answer

    EMPLOYEE
    Posted Dec 15, 2017 06:17 PM
    Please work with Aruba TAC. Troubleshooting is difficult on here.


  • 10.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    EMPLOYEE
    Posted Dec 16, 2017 11:11 AM

    Have you tested with an actual wireless client?  The SDR rules are applied to the server-group, but the aaa test is done by specifying a server.



  • 11.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Dec 18, 2017 07:36 AM

    I connect wirelessly to SSID Lab-Emp. It prompts for username and password, then does 802.1X authentication based on radius1, which is in the group with the SDR. RADIUS returns Filter-Id labguest and accepts the authentication request. The user is then connected, but with the role "authenticated" rather than "labguest". I tried both from the laptop and from a Samsung phone.

     

    On the other hand, I set up another SSID called Lab-Guest using captive portal and radius1 with the same SDR in the server group. guest123/guest123 does receive the role "labguest" after captive portal (L3) authentication. Just not when authenticating L2/802.1X.

     

    I won't hammer this board, based on Tim's feedback. I'll open a case at TAC, but still check here from time to time. I think someone may have an idea what's going on.

     

    Thanks all!



  • 12.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working
    Best Answer

    Posted Jan 11, 2018 12:39 PM

    I would like to provide closure:

    This turned out to be a FreeRADIUS configuration issue.

    Aruba support engineer Akshay Sharma analyzed captured packets and observed:

    I would like to inform you that I went through the packet captures and I have attached the screenshots from the same based on what we observed. As seen in the CP-Accept screenshot, we see the Radius Accept for when the user was authenticating with Captive Portal. We see in the accept packet that the server is sending the attribute 'labguest' to the controller for the user role to be assigned. In the case of the Dot1x-Accept screenshot, we do not see any attribute being sent by the server in the accept packet for when the user was authenticating with dot1x authentication. Please check on the server end if we need to enable sending the attribute for MSCHAPv2 along with the PAP protocol, or if there are any specific configurations on the server that are handling the attributes to be sent based on the authentication type.

    I then posted to the FreeRADIUS user list, and received this feedback:

    “The solution is to move the "files" module to before "eap".  Edit sites-enabled/default.   Look at the "authorize" section.”

     

    SDR and Aruba VSAs now work fully with FreeRADIUS.

     

    The value to the community is that especially for wireless lab and proof of concept use, FreeRADIUS is a viable alternative to more costly or complicated RADIUS solutions.

     

    The configuration I used is:

    FreeRADIUS 3.0.15 / Ubuntu 16.04.3 / VMWare Workstation 14

    Set up a static IP by editing /etc/network/interfaces. Restart.

    Open UDP 1812 and 1813 at the laptop firewall.

    Edit users to add usernames, passwords, and returned attributes.

    Edit clients.conf to add controller(s).

    Update certificates.

    Edit sites-enabled/default as explained above.

    Start the service via "freeradius -X" to see debug output, or simply "freeradius". If it was already running, then stop it first by "service freeradius stop".




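The "files before eap" fix from the closing post, as a check a practitioner can run on their own sites-enabled/default before testing a client. This is an added example written for this thread, not FreeRADIUS project code and not the poster's configuration: SAMPLE_DEFAULT is a constructed, abbreviated authorize section modelled on the stock 3.0 default virtual server, and authorize_calls, authorize_modules, files_before_eap and move_files_before_eap are names chosen here. The parser understands the pieces of unlang that appear in that section (a module call with a block such as `eap { ok = return }`, optional `-sql` style calls, `#` comments, nested braces), reports the call order, and can rewrite the text so that files precedes eap.

```python
"""Check, and if needed fix, the order of the 'files' and 'eap' calls in the
'authorize' section of a FreeRADIUS virtual-server file such as
raddb/sites-enabled/default.

Added example for this thread; not FreeRADIUS project code and not the
poster's file. SAMPLE_DEFAULT below is constructed and abbreviated.
"""
import re

# Unlang keywords that open blocks or are return codes; they are not module calls.
UNLANG_KEYWORDS = {
    "update", "if", "elsif", "else", "switch", "case", "foreach", "group",
    "redundant", "load-balance", "redundant-load-balance", "return", "break",
    "ok", "fail", "reject", "noop", "handled", "updated", "invalid",
    "userlock", "notfound",
}

# Constructed sample: 'files' listed after the 'eap' block, the order the
# thread's poster had before the fix.
SAMPLE_DEFAULT = """\
server default {
    authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
            updated = return
        }
        -sql
        files    # users file: Cleartext-Password, Filter-Id, Aruba-User-Role, ...
        expiration
        logintime
        pap
    }
}
"""


def _code(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def authorize_calls(config_text):
    """Return [(module, first_line, last_line)] for every top-level module
    call in the first 'authorize { ... }' block, in order.  A block such as
    'eap { ok = return }' counts as one call spanning its lines; an optional
    '-sql' call is reported as 'sql'.  Line numbers index splitlines()."""
    calls, in_authorize, depth, current = [], False, 0, None
    for i, raw in enumerate(config_text.splitlines()):
        line = _code(raw)
        if not line:
            continue
        if not in_authorize:
            if re.match(r"^authorize\s*\{$", line):
                in_authorize, depth = True, 1
            continue
        if depth == 1 and not line.startswith("}"):
            current = (line.split()[0], i)            # a statement starts here
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break                                     # end of the authorize block
        if depth == 1 and current is not None:        # the statement is complete
            name, start = current
            if name not in UNLANG_KEYWORDS:
                calls.append((name.lstrip("-"), start, i))
            current = None
    return calls


def authorize_modules(config_text):
    """Just the module names, in call order."""
    return [name for name, _, _ in authorize_calls(config_text)]


def files_before_eap(config_text):
    """True if 'files' is called before 'eap' in authorize, False if after,
    None if either module is absent from the section."""
    mods = authorize_modules(config_text)
    if "files" not in mods or "eap" not in mods:
        return None
    return mods.index("files") < mods.index("eap")


def move_files_before_eap(config_text):
    """Return config_text with the 'files' call moved to just before the 'eap'
    call in authorize (the fix from the FreeRADIUS list); unchanged if the
    order is already right or either module is missing."""
    first = {}
    for name, start, end in authorize_calls(config_text):
        first.setdefault(name, (start, end))          # first occurrence wins
    if "files" not in first or "eap" not in first:
        return config_text
    f_start, f_end = first["files"]
    e_start, _ = first["eap"]
    if f_start < e_start:
        return config_text
    lines = config_text.splitlines(keepends=True)
    moved = lines[f_start:f_end + 1]
    if not moved[-1].endswith("\n"):                  # 'files' was the last line
        moved[-1] += "\n"
    del lines[f_start:f_end + 1]
    lines[e_start:e_start] = moved                    # e_start < f_start, still valid
    return "".join(lines)
```

Feed it the real file (on Ubuntu's packaged FreeRADIUS 3.0 that is typically /etc/freeradius/3.0/sites-enabled/default), compare authorize_modules() before and after, write the result back, and restart with `freeradius -X` as the post describes to confirm the Access-Accept now carries the attribute. Only the first authorize block in the text is inspected; sites-enabled/inner-tunnel is a separate virtual server and is left alone.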
  • 13.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Feb 22, 2018 08:59 PM

    Thank you, thank you, thank you. I've been struggling so long trying to figure out why my Aruba-VLAN tag was not working. Moving files before EAP solved the problem.



  • 14.  RE: Server-derived rule using Filter-Id from FreeRADIUS not working

    Posted Feb 23, 2018 05:17 AM

    “The solution is to move the "files" module to before "eap".  Edit sites-enabled/default.   Look at the "authorize" section.”

     

    This !

     

    Had trouble understanding exactly what to do, but once I found the "authorize" section it was more clear. I had this exact problem yesterday as well. Was setting up a lab with ArubaOS 8 and using Aruba-User-Role. Couldn't for my life understand why it wouldn't work.

     

    Awesome that you took the time to post this follow up, thank you!