Security

Hi,

 

I have reached kind of a dead end with this. Having working simple solution 802.1X authentication and FreeRADIUS, simply authentication users defined in RADIUS users file with password. After successful auth default role 'authenticated' is applied. 

 

... but I can't get role deriviation from Aruba VSA Aruba-User-Role. I have configured another role 'authenticated-vsa' on the controller, on RADIUS in 'users' file I have bob Cleartext-Password := "bob123" and Aruba-User-Role := "authenticated-vsa"

 

As I checked FreeRADIUS configuration, dictrionary.aruba file with definitions is already included. I have also read that there is no need for explicit server derivation rule on the controller to apply VSA attribute.

 

Anybody can give me a hint?

 

UPDATE: see FreeRADIUS debug below, it seems radius is sending VSA Aruba-User-Role so the problem is on the controller site. I have tried with or withoud server rules, no change

 

[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 105 to 172.16.0.254 port 59329
        Aruba-User-Role := "authenticated-vsa"
        EAP-Message = 0x010300160410b5302d12e3b0bc39b6a55d1963ba5815
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x52e1d8da52e2dc053abe7d46171537b4

 

[peap] Got tunneled reply code 2
        Aruba-User-Role := "authenticated-vsa"
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
        MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
        MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "bob"

[peap] Got tunneled reply RADIUS code 2
        Aruba-User-Role := "authenticated-vsa"
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
        MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
        MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "bob"
[peap] Tunneled authentication was successful.
[peap] SUCCESS

Hi Seba, Have you verified logs at the controller? Do you have a role named "authenticated-vsa" at the controller side? Regards,

Hi Maro!

 

Yep, there is 'authenticated-vsa' role on the controller, but after looking into controller logs (don't know if chosen right) I began to wonder on using some packet sniffer, because to my eyes there is nothing incoming VSA related in controller logs...

 

See below logging level debugging security process authmgr output

 

|authmgr| |aaa| [rc_api.c:146] Radius authenticate raw using server MY-RADIUS
|authmgr| |aaa| [rc_request.c:52] Add Request: id=203, srv=172.16.0.200, fd=63
|authmgr| |aaa| [rc_server.c:1576] Sending radius request to MY-RADIUS:172.16.0.200:1812 id:203,len:259
|authmgr| |aaa| [rc_server.c:1586]  User-Name: bob
|authmgr| |aaa| [rc_server.c:1586]  NAS-IP-Address: 172.16.0.254
|authmgr| |aaa| [rc_server.c:1586]  NAS-Port-Id: 0
|authmgr| |aaa| [rc_server.c:1586]  NAS-Identifier: 172.16.0.254
|authmgr| |aaa| [rc_server.c:1586]  NAS-Port-Type: 19
|authmgr| |aaa| [rc_server.c:1586]  Calling-Station-Id:
|authmgr| |aaa| [rc_server.c:1586]  Called-Station-Id:
|authmgr| |aaa| [rc_server.c:1586]  Service-Type: Login-User
|authmgr| |aaa| [rc_server.c:1586]  Framed-MTU: 1100
|authmgr| |aaa| [rc_server.c:1586]  EAP-Message: \002\012
|authmgr| |aaa| [rc_server.c:1586]  State: \244n@\366\243dY2\257+o\012\36332E
|authmgr| |aaa| [rc_server.c:1586]  Aruba-Essid-Name: Galaxy
|authmgr| |aaa| [rc_server.c:1586]  Aruba-Location-Id: IAP225-c6:e5:3a
|authmgr| |aaa| [rc_server.c:1586]  Aruba-AP-Group: TEST-group
|authmgr| |aaa| [rc_server.c:1586]  Aruba-Device-Type: Win 7
|authmgr| |aaa| [rc_server.c:1586]  Message-Auth: \332\017(6k\302\320\213\231\202*5\235\032\376\005
|authmgr| |aaa| [rc_request.c:76] Find Request: id=203, srv=172.16.0.200, fd=63
|authmgr| |aaa| [rc_request.c:82]  Current entry: srv=172.16.0.200, fd=63
|authmgr| |aaa| [rc_request.c:37] Del Request: id=203, srv=172.16.0.200, fd=63
|authmgr| |aaa| [rc_api.c:1139] Authentication Successful
|authmgr| |aaa| [rc_api.c:1141] RADIUS RESPONSE ATTRIBUTES:
|authmgr| |aaa| [rc_api.c:1156]  {Microsoft} MS-MPPE-Recv-Key: \221\026\<cut>
|authmgr| |aaa| [rc_api.c:1156]  {Microsoft} MS-MPPE-Send-Key: \236\013\<cut>
|authmgr| |aaa| [rc_api.c:1156]  EAP-Message: \003\012
|authmgr| |aaa| [rc_api.c:1156]  Message-Auth: \\250\241\2254\200\017\243\364\273\3507z\314/\256
|authmgr| |aaa| [rc_api.c:1156]  User-Name: bob
|authmgr| |aaa| [rc_api.c:1156]  PW_RADIUS_ID: \313
|authmgr| |aaa| [rc_api.c:1156]  Rad-Length: 167
|authmgr| |aaa| [rc_api.c:1156]  PW_RADIUS_CODE: \002
|authmgr| |aaa| [rc_api.c:1156]  PW_RAD_AUTHENTICATOR: 5\235\212\226\217+\246: \262&J\330\233_T
|authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=MY-RADIUS, user=
|authmgr|  Auth server 'MY-RADIUS' response=0
|authmgr|  Setting authserver 'MY-RADIUS' for user 0.0.0.0, client 802.1x.
|authmgr|  {L2} Authenticating Server is MY-RADIUS.
|authmgr|  get_traffic_prio_from_role_name: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)
|authmgr|  user_download: |TC-PROF|: Role (authenticated)  Traffic Prio(15)
|authmgr|  Create ipuser 172.16.0.10 for user
|authmgr|  Called ip_user_new() for ip 172.16.0.10.
|authmgr|  sta_add_l3: mac
|authmgr|  get_traffic_prio_from_role_name: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)
|authmgr|  user_download: |TC-PROF|: Role (authenticated)  Traffic Prio(15)
|authmgr|  Enforcing L2 check for mac
|authmgr|  download-L3: ip=172.16.0.10 acl=60/0 role=authenticated, Ubwm=0, Dbwm=0 tunl=0x0x1000c, PA=0, HA=1, RO=0, VPN=0, MAC

The VSA is not configured properly, or it is not being sent.  You would see it in the debug message.  Try sending a standard radius attribute, like filter-id to see if you see it appear.