Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

how to define Vendor ID in clearpass for an enterprise

  • 1.  how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 04:50 AM

    Hi All

     

    I am Muthu from Nokia (formerly Alcatel-Lucent).

    I would like to know how to define a Vendor ID in the RADIUS dictionary file.

    The product we are using is the ISAM 7360. The vendor ID is 637.

    Please refer to the attachment. In the RADIUS attributes I see only vendor IDs 800 and 3041 for Alcatel. I would like to include vendor ID 637 and use it for our testing. Please guide me on how to do it.

     

    Thanks,

    S.Muthukannan



  • 2.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 16, 2018 04:54 AM
    Export an existing dictionary, modify, then reimport.


  • 3.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 05:27 AM

    Thanks Cappalli, will try that.



  • 4.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 06:17 AM

    Hi Cappalli,

     

    I am unable to upload the file back to ClearPass. The error is:

    "File contains invalid XML tags. Try export to see the valid XML tags"

    Attached is the file for reference; can you point out anything I missed?

    Attachment(s)

    docx
    alcatel-637-id.xml.docx   12 KB 1 version


  • 5.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 16, 2018 09:54 AM
    The ID needs to be an integer.


  • 6.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 10:19 AM

    It's a 2-byte value defined in hexadecimal. Can I change that to integer and load it?



  • 7.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 16, 2018 10:48 AM

    After changing to Integer as well, same issue.

    Attachment(s)

    docx
    alcatel-637-id-ver2.docx   12 KB 1 version


  • 8.  RE: how to define Vendor ID in clearpass for an enterprise
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2018 07:08 AM

    Hi Muthu,

     

    I think there is a confusion between attribute IDs and attribute values. You need the correct attribute IDs to import the dictionary. I see you have converted the hex values to decimal and added them as IDs. That will not work; I haven't seen IDs of 4 digits yet :)

     

    For example: 0x06A1 >> 1697.

    Is the "0x06A1" hex value meant to be returned with the attribute "A-ESAM-PoL-Fwd-ID"?

    If yes, then find out the correct IDs for the three attributes below and then import the dictionary.

     

    A-ESAM-PoL-Fwd-ID
    A-ESAM-PoL-Vp-ID

    A-ESAM-PoL-Client-Type

     

    Notes:

    You need to use the type "Unsigned32" instead of "Integer".

    If you want to return hex values, then use the type "OctetArray".



  • 9.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 19, 2018 07:16 AM

    Saravanan,

    Let me try that and get back. In the meantime, is there a way to define the attribute length from the ClearPass GUI/CLI? In this case I am looking for a 2-byte value to be defined.

     

    Thanks

    S.Muthukannan



  • 10.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 19, 2018 07:24 AM

    You do not need to define the attribute length; whatever type you choose will take the 2-byte value. Do test and let us know if you face any issue.



  • 11.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 19, 2018 08:12 AM

    Saravanan,

     

    Thanks, I am able to upload the file now. Will test and get back for any help.

     

    Thanks once again

    S.Muthukannan



  • 12.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 06:18 AM

    Hi Saravanan,

     

    Now I am able to load the dictionary file. I proceeded with the testing and I am facing the issue "Failed to classify request to service".

    Attached are the failure message and the configuration done. Can you please help?

    If I need to post this issue in a separate thread, let me know that as well.

     

    Thanks,

    S.Muthukannan

    Attachment(s)

    zip
    aruba-cfg.zip   2 KB 1 version
    zip
    failure-mesg-inaruba.zip   2 KB 1 version


  • 13.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 20, 2018 08:25 AM

    Hi,

     

    The service rules are incorrect.

    Most of the attributes below are meant to be passed in the enforcement profiles. You need to use NAS-IP-Address in the rules and not Framed-IP-Address.

     

    Basically, the service rules should match the incoming RADIUS attributes in the authentication request to categorize the service.

     

    Incoming attributes in the request:

    Input RADIUS Attributes -
    Radius:IETF:Acct-Session-Id = 145:02:59:00003
    Radius:IETF:Calling-Station-Id = 0x1035000001 [.5...]
    Radius:IETF:NAS-Identifier = MyNASID
    Radius:IETF:NAS-IP-Address = 135.x.x.x
    Radius:IETF:NAS-Port = 79825984
    Radius:IETF:NAS-Port-Id = eth 1/1/03/2/4/1/1
    Radius:IETF:NAS-Port-Type = 15
    Radius:IETF:User-Name = polclient1

     

    Your service rule: (screenshot service_rule.png)

    I strongly recommend you refer to the ClearPass user guide or browse the community for a better understanding of service creation.

    You can start with the service rules below and proceed with the testing.

    (screenshot service_rule_start.png)

     

    Do let me know if you have any further queries.



  • 14.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 20, 2018 09:10 AM

    Hi Saravanan,

     

    I will try that. Before your reply I tried with the attribute set as given below in the ClearPass server. I see authentication has been successful, but in our box (ISAM 7360) the VLAN attribute was not passed successfully and it has failed.

         Name                                          Operator   Value
     1.  Connection Protocol                           EQUALS     RADIUS
     2.  Radius:IETF Service-Type                      EQUALS     Framed-User (2)
     3.  Radius:IETF Framed-IP-Address                 EQUALS     x.x.x.x
     4.  Radius:IETF Framed-IP-Netmask                 EQUALS     x.x.x.x
     5.  Radius:IETF Framed-MTU                        EQUALS     1500
     6.  Radius:IETF Tunnel-Type                       EQUALS     VLAN (13)
     7.  Radius:IETF Tunnel-Medium-Type                EQUALS     IEEE-802 (6)
     8.  Radius:IETF Tunnel-Private-Group-Id           EQUALS     100
     9.  Radius:Alcatel-lucent A-ESAM-PoL-Fwd-ID       EQUALS     230
    10.  Radius:Alcatel-lucent A-ESAM-PoL-Vp-ID        EQUALS     230
    11.  Radius:Alcatel-lucent A-ESAM-PoL-Client-Type  EQUALS     1

     

    Thanks,

    S.Muthukannan



  • 15.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 20, 2018 09:22 AM

    I believe you had the service rule set to match ANY. You need to pass VLAN 100 in an enforcement profile.

     

    You can import the attached sample service and check the enforcement policy/profile.

    Attachment(s)

    zip
    Service.xml.zip   2 KB 1 version
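Editor's added example for the point made in posts 13 to 15 (not ClearPass code and not from the original thread): a toy service classifier that evaluates rules only against the attributes of the incoming Access-Request quoted in post 13. The request is constructed from that quoted list (NAS-IP-Address stays masked as 135.x.x.x, exactly as posted); the rule tuple format, the operator names and the ALL/ANY modes are assumptions modelled on what the ClearPass GUI shows, not on its implementation. Reply-side attributes such as Framed-IP-Address or Tunnel-Private-Group-Id never appear in a request, so the rule set from post 14 matches nothing under "match ALL" and matches only on its Connection Protocol line under "match ANY".

```python
"""Toy service classifier: rules are checked against the incoming request only.

Added illustration, not ClearPass code.  Attribute names follow the
"Radius:IETF:..." style used in the thread; operators and the ALL/ANY modes
are assumptions modelled on what the ClearPass GUI shows.
"""

# Constructed from the "Incoming attributes in the request" list quoted in the
# thread; NAS-IP-Address is kept masked exactly as it was posted.
REQUEST = {
    "Connection:Protocol": "RADIUS",
    "Radius:IETF:Acct-Session-Id": "145:02:59:00003",
    "Radius:IETF:Calling-Station-Id": "0x1035000001",
    "Radius:IETF:NAS-Identifier": "MyNASID",
    "Radius:IETF:NAS-IP-Address": "135.x.x.x",
    "Radius:IETF:NAS-Port": 79825984,
    "Radius:IETF:NAS-Port-Id": "eth 1/1/03/2/4/1/1",
    "Radius:IETF:NAS-Port-Type": 15,
    "Radius:IETF:User-Name": "polclient1",
}

OPERATORS = {
    "EQUALS": lambda have, want: str(have) == str(want),
    "NOT_EQUALS": lambda have, want: str(have) != str(want),
    "BEGINS_WITH": lambda have, want: str(have).startswith(str(want)),
    "EXISTS": lambda have, want: True,
}


def rule_matches(rule, request):
    """A rule on an attribute the request does not carry can never match."""
    name, op, want = rule
    if name not in request:
        return False
    return OPERATORS[op](request[name], want)


def classify(services, request):
    """Return the first service whose rules match ("ALL" or "ANY" mode), else None.

    None is the toy equivalent of "Failed to classify request to service".
    """
    for name, mode, rules in services:
        hits = [rule_matches(rule, request) for rule in rules]
        if all(hits) if mode == "ALL" else any(hits):
            return name
    return None


# The rule list from post 14: everything after the first line is a reply
# attribute, i.e. something the server would send, not something it receives.
REPLY_STYLE_RULES = [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:IETF:Service-Type", "EQUALS", 2),
    ("Radius:IETF:Framed-IP-Address", "EQUALS", "x.x.x.x"),
    ("Radius:IETF:Framed-IP-Netmask", "EQUALS", "x.x.x.x"),
    ("Radius:IETF:Framed-MTU", "EQUALS", 1500),
    ("Radius:IETF:Tunnel-Type", "EQUALS", 13),
    ("Radius:IETF:Tunnel-Medium-Type", "EQUALS", 6),
    ("Radius:IETF:Tunnel-Private-Group-Id", "EQUALS", 100),
    ("Radius:Alcatel-lucent:A-ESAM-PoL-Fwd-ID", "EQUALS", 230),
    ("Radius:Alcatel-lucent:A-ESAM-PoL-Vp-ID", "EQUALS", 230),
    ("Radius:Alcatel-lucent:A-ESAM-PoL-Client-Type", "EQUALS", 1),
]

# Rules on what the ISAM actually puts in its Access-Request.
REQUEST_STYLE_RULES = [
    ("Connection:Protocol", "EQUALS", "RADIUS"),
    ("Radius:IETF:NAS-IP-Address", "BEGINS_WITH", "135."),
    ("Radius:IETF:NAS-Port-Type", "EQUALS", 15),
]


def demo(request=REQUEST):
    """Classify the quoted request under the three rule-set/mode combinations."""
    return {
        "reply-style, match ALL": classify([("ISAM-reply-all", "ALL", REPLY_STYLE_RULES)], request),
        "reply-style, match ANY": classify([("ISAM-reply-any", "ANY", REPLY_STYLE_RULES)], request),
        "request-style, match ALL": classify([("ISAM", "ALL", REQUEST_STYLE_RULES)], request),
    }


if __name__ == "__main__":
    for label, service in demo().items():
        print(f"{label:26s} -> {service or 'Failed to classify request to service'}")
```

Run as a script: the reply-style rule set under ALL yields no service, which is the classification failure reported in post 12; switching that same set to ANY classifies only because the Connection Protocol line matches, and the VLAN is still not sent, because a service rule selects a service and does not return anything. That is why post 15 puts VLAN 100 in an enforcement profile.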


  • 16.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 02:21 AM

    Hi Saravanan,

    Thanks a lot for your help.

    I loaded the file you gave and tested. It worked fine, meaning the authentication was successful and VLAN 100 was assigned (Tunnel ID).

    Now I have chosen only VSA attributes and am trying to assign the VLAN, which is failing. The issue I figured out from the RADIUS response is that the VLAN to be assigned by RADIUS to the user, defined by the VSA A-ESAM-PoL-Fwd-ID whose defined value is 230, is returned by the RADIUS server as 0x323330, because of which authentication has failed. I have defined this attribute as OctetArray (note: in FreeRADIUS the same is defined as string). Attached are the service, enforcement profile and policy. Can you please let me know if anything else needs to be changed?

    Thanks,
    S.Muthukannan




  • 17.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 22, 2018 06:02 AM

    Change the data type to string for A-ESAM-PoL-Fwd-ID in the dictionary and re-import it. Test the authentication after the import and check the result.



  • 18.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 06:11 AM

    Saravanan,

     

    Tried that as well, still the same issue. I suspect it's not recognising it as a 2-byte value, not sure.

     

    Debug message from our box states:

    "Length of Alcatel Vendor sub attribute is more than Main attribute length"

    "Validation of the Attributes in the Received packet failed"

    This issue is not seen with FreeRADIUS.

     

    I did not reboot the Aruba ClearPass after setting the attribute to String.

    I will try that as well.

     

    Thanks,

    S.Muthukannan.

     



  • 19.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 22, 2018 06:25 AM

    Can you also try the type as integer (Unsigned32)?

     

    Restart the radius and policy services after importing the dictionary.

     

    Navigate to: Administration >> Server Manager >> Server Configuration >> <click on ClearPass server name> >> Services Control and stop/start the services.

     

    You can dump a packet capture from FreeRADIUS and check the RADIUS Accept packet to understand the returned attribute, and compare it with the ClearPass RADIUS Accept (output).



  • 20.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 22, 2018 08:29 AM

    Hi Saravanan,

    Tried both string and unsigned; both times ISAM fails it.

    But in FreeRADIUS with the attribute defined as string it works fine.

    Surprisingly, the RADIUS message output of both the unsigned and string attempts shows the value as 230 from Aruba, which I am expecting, but the encoding/formatting is creating the problem.

    Very close to the solution but still eluding; can you please help?

    Details from RADIUS and the error messages from the box when it fails for unsigned and string are given below.

     

    Authentication successful when done from the FreeRADIUS server
    (attribute set as string and hexadecimal)
    user profile in free radius
    =====================
    # Last reply item carries no trailing comma: a trailing comma tells the
    # users-file parser that the reply list continues on the next line.
    polclient2  Cleartext-Password := "xxxxxxxxxx"
           Service-Type = Framed-User,
           Framed-IP-Address = 135.249.41.194,
           Framed-IP-Netmask = 255.255.255.0,
           Framed-MTU = 1500,
           A-ESAM-PoL-Fwd-ID = 230,
           A-ESAM-PoL-Vp-ID = 230,
           A-ESAM-PoL-Client-Type = 1

    response From free radius server
    ===========================
    Sending Access-Accept of id 96 to 135.249.41.194 port 10000
            Service-Type = Framed-User
            Framed-IP-Address = 135.249.41.194
            Framed-IP-Netmask = 255.255.255.0
            Framed-MTU = 1500
            A-ESAM-PoL-Fwd-ID = "230"
            A-ESAM-PoL-Vp-ID = 230
            A-ESAM-PoL-Client-Type = 1
            EAP-Message = 0x03020004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "polclient2"

    From ISAM box
    ============
    Received packet on the Authentication Port.
    Auth Server Address 87f92ffb
     Received ACCESS_ACCEPT.
    ATTRIBUTES in the Received Packet:-
    FRAMED_IP_ADDRESS:      -2013713982
    VSA dynamic sVlan=0, cVlan=230,forwarder Id: e6
    VSA dynamic user Vlan Id: 230


    When set as string and unsigned, both times authentication failed.
    When set as string it fails with "more than attribute length".
    When set as unsigned it fails with "minimum length not matched".

    When set as string in the Aruba dictionary
    ======================================

    From ISAM box
    =============
    Received packet on the Authentication Port.
    Auth Server Address 87f92b6f
    Length of Alcatel Vendor sub attribute is more than Main attribute length
    Validation of the Attributes in the Received packet failed

    When set as unsigned integer in the Aruba dictionary
    ========================================
    Received packet on the Authentication Port.
    Auth Server Address 87f92b6f
    Minimum length of Alcatel Vendor sub attribute is not valid
    Validation of the Attributes in the Received packet failed
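Editor's added example covering the data-type discussion in post 8 and the 0x323330 value seen in posts 16 and 20 (not ClearPass, FreeRADIUS or ISAM code, and not from the original thread): it encodes the value 230 the way each of the three data types the thread tries would put it on the wire, wraps each in an RFC 2865 Vendor-Specific attribute (type 26) for vendor ID 637, and parses the result with the length checks a strict NAS applies. The vendor-type numbers 1 to 3 are placeholders, because the thread never states the real ones; the expected 2-byte width comes from post 6; and the decoder's error messages only mimic the kind of validation the ISAM debug output describes, not the device's actual code.

```python
"""RFC 2865 Vendor-Specific Attribute (type 26) encoder and strict decoder.

Added illustration, not ClearPass, FreeRADIUS or ISAM code.  Shows what the
data types discussed in the thread put on the wire for the value 230 and how
a length-checking NAS parses the result.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26
VENDOR_ALCATEL_ISAM = 637          # vendor ID given in the thread

# ASSUMED vendor-type numbers: the thread never states the real ones.
# Replace them with the values from the vendor's dictionary before use.
VSA_TYPES = {
    "A-ESAM-PoL-Fwd-ID": 1,
    "A-ESAM-PoL-Vp-ID": 2,
    "A-ESAM-PoL-Client-Type": 3,
}


def encode_value(value, dtype):
    """Serialise a value the way a dictionary data type implies."""
    if dtype == "string":          # ASCII text: 230 -> "230" -> 32 33 30
        return str(value).encode("ascii")
    if dtype == "Unsigned32":      # 4-byte big-endian integer
        return struct.pack("!I", int(value))
    if dtype == "octets2":         # fixed 2-byte big-endian (an OctetArray of length 2)
        return struct.pack("!H", int(value))
    raise ValueError(f"unknown data type {dtype!r}")


def encode_vsa(vendor_id, vendor_type, value_bytes):
    """Build one attribute 26: Type, Length, Vendor-Id, then one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value_bytes)) + value_bytes
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse attribute 26 with the length checks a strict NAS applies.

    Returns (vendor_id, [(vendor_type, value_bytes), ...]) or raises ValueError.
    """
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("main attribute length does not match data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, rest = [], attr[6:length]
    while rest:
        if len(rest) < 2:
            raise ValueError("minimum length of vendor sub attribute is not valid")
        vtype, vlen = rest[0], rest[1]
        if vlen < 2:
            raise ValueError("minimum length of vendor sub attribute is not valid")
        if vlen > len(rest):
            raise ValueError("vendor sub attribute length exceeds main attribute length")
        subs.append((vtype, bytes(rest[2:vlen])))
        rest = rest[vlen:]
    return vendor_id, subs


def check_widths(subs, expected):
    """Report sub-attributes whose value width differs from what the NAS expects."""
    return [
        f"type {t}: got {len(v)} byte(s), expected {expected[t]}"
        for t, v in subs
        if t in expected and len(v) != expected[t]
    ]


def wire_forms(value=230):
    """Hex of the value as each data type would encode it."""
    return {d: encode_value(value, d).hex() for d in ("string", "Unsigned32", "octets2")}


if __name__ == "__main__":
    print(wire_forms())    # the string form is the 0x323330 seen in the thread
    fwd = VSA_TYPES["A-ESAM-PoL-Fwd-ID"]
    for dtype in ("string", "Unsigned32", "octets2"):
        pkt = encode_vsa(VENDOR_ALCATEL_ISAM, fwd, encode_value(230, dtype))
        _, subs = decode_vsa(pkt)
        print(dtype, pkt.hex(), check_widths(subs, {fwd: 2}) or "width ok")
```

The string form is the three ASCII bytes 32 33 30, Unsigned32 is four bytes 00 00 00 e6, and only a type that emits exactly two bytes (00 e6) matches the "2-byte value" described in post 6. Comparing the raw bytes of the ClearPass Access-Accept against the FreeRADIUS capture, as post 19 suggests, at this level is the check that tells you whether the disagreement lies in the value width or in the Length fields of the attribute and sub-attribute; the thread itself ends with a TAC case and a hotfix, so this example only shows how to read the captures, not the fix.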

     



  • 21.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 23, 2018 03:13 AM

    Saravanan

    Can you look into this and suggest a way to define the attribute?

     

    Thanks,

    S.Muthukannan



  • 22.  RE: how to define Vendor ID in clearpass for an enterprise

    EMPLOYEE
    Posted Mar 23, 2018 05:40 AM

    Hi, 

     

    Please open a TAC case for this.

    This needs investigation.



  • 23.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 23, 2018 06:47 AM

    saravanan,

     

    Will open a TAC case.

     

    Thanks,

    S.Muthukannan



  • 24.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Mar 28, 2018 07:42 AM

    Raised case 5328193205

    Thanks,

    S.Muthukannan



  • 25.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Aug 11, 2019 12:51 AM

    Hi there,

    Has this issue been resolved?

     

    Thanks



  • 26.  RE: how to define Vendor ID in clearpass for an enterprise

    Posted Aug 12, 2019 09:00 AM

    This has been resolved using an Aruba ClearPass hotfix.


