Aruba Mobility Controller integration to Free RADIUS on Linux

  • 1.  Aruba Mobility Controller integration to Free RADIUS on Linux

    Posted Aug 19, 2013 03:20 PM

    Hello All,

    I'm attempting to do Server Derivation Policies on the Controller integrating to a Free Radius Server (running on Linux).

    However, it seems that the Mobility Controller is not responding to any Radius requests/response regarding the attributes sent to it.

    As long as the User exists on the Customer's E-Directory Server and Radius sends the attribute confirming the User is not part of the Group, the Controller still gives access to the User.

    Has anyone seen this behaviour with Free Radius?

  • 2.  RE: Aruba Mobility Controller integration to Free RADIUS on Linux

    EMPLOYEE
    Posted Aug 19, 2013 11:12 PM

    @eosuorah wrote:

    Hello All,

    I'm attempting to do Server Derivation Policies on the Controller integrating to a Free Radius Server (running on Linux).

    However, it seems that the Mobility Controller is not responding to any Radius requests/response regarding the attributes sent to it.

    As long as the User exists on the Customer's E-Directory Server and Radius sends the attribute confirming the User is not part of the Group, the Controller still gives access to the User.

    Has anyone seen this behaviour with Free Radius?

    I would turn on debugging for radius attributes and see what is being passed back to the controller:

    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    show log security 50

  • 3.  RE: Aruba Mobility Controller integration to Free RADIUS on Linux

    Posted Aug 19, 2013 11:17 PM

    Thx will try that out tomorrow.



  • 4.  RE: Aruba Mobility Controller integration to Free RADIUS on Linux

    Posted Aug 23, 2013 10:36 AM

    I finally got it to work.

    However, when I do the debug, I don't see the attribute being sent back to the Controller.

    I have captured a Failed Authentication and a Successful Authentication as well.

    On the Failed Authentication, I see their Radius Server successfully authenticating the User, but an attribute was not sent which should make the Controller deny access.

    Also on the Successful Authentication, I see their Radius Server successfully authenticating the User, but an attribute was also not sent which should make the Controller deny access. But it assigned the User the appropriate "root" role.

    So, for sure, the Controller is getting something for it to be able to differentiate both Users, but I don't see it. Any ideas?

    Successful Authentication:

    (ArubaControllerA-7240) #show log security 50 | include balbir
    Aug 23 08:45:35 :124546:  <DBUG> |authmgr|  aal_authenticate user:balbirghori vpnflags:0.
    Aug 23 08:45:35 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=balbirghori, essid=<>, server-group=Trent-RADIUS, last_srv <>
    Aug 23 08:45:35 :124038:  <INFO> |authmgr|  Selected server Internal for method=Management; user=balbirghori,  essid=<>, domain=<>, server-group=Trent-RADIUS
    Aug 23 08:45:35 :133019:  <ERRS> |localdb|  User balbirghori was not found in the database
    Aug 23 08:45:35 :133006:  <ERRS> |localdb|  User balbirghori Failed Authentication
    Aug 23 08:45:35 :124004:  <DBUG> |authmgr|  Local DB auth failed for user balbirghori, error (User not found in UserDB)
    Aug 23 08:45:35 :124064:  <NOTI> |authmgr|  Administrative User result=Authentication failed(1), method=Management, username=balbirghori IP=209.42.110.6 auth server=Internal
    Aug 23 08:45:35 :124004:  <DBUG> |authmgr|  Select server for method=Management, user=balbirghori, essid=<>, server-group=Trent-RADIUS, last_srv Internal
    Aug 23 08:45:35 :124038:  <INFO> |authmgr|  Selected server RADIUS for method=Management; user=balbirghori,  essid=<>, domain=<>, server-group=Trent-RADIUS
    Aug 23 08:45:35 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:382] Radius authenticate user (balbirghori) PAP using server RADIUS
    Aug 23 08:45:35 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1224]  User-Name: balbirghori
    Aug 23 08:45:36 :124066:  <INFO> |authmgr|  Administrative User result=Authentication Successful(0), method=Management, username=balbirghori IP=209.42.110.6 auth server=RADIUS
    Aug 23 08:45:36 :124004:  <DBUG> |authmgr|  match_rule Value Pair to match User-Name : balbirghori
    Aug 23 08:45:36 :124025:  <NOTI> |authmgr|  Administrative user 'balbirghori' authenticated successfully  (role=root, privileged=0)

    (ArubaControllerA-7240) #
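
Added example, not part of the original thread or any poster's code: a small Python parser for the `show log security` capture above that reports, per user, which auth server produced each result, which attribute names the aaa debug lines printed, what `match_rule` compared against, and the role assigned. `Filter-Id` is only a placeholder for whatever attribute the derivation rule is expected to match, and attributing each `rc_server.c` line to the most recent "Radius authenticate user" line is an assumption.

```python
import re
from collections import defaultdict

# Log lines copied (abridged) from the "Successful Authentication" capture in the post above.
SAMPLE = """\
Aug 23 08:45:35 :124038:  <INFO> |authmgr|  Selected server Internal for method=Management; user=balbirghori,  essid=<>, domain=<>, server-group=Trent-RADIUS
Aug 23 08:45:35 :124064:  <NOTI> |authmgr|  Administrative User result=Authentication failed(1), method=Management, username=balbirghori IP=209.42.110.6 auth server=Internal
Aug 23 08:45:35 :124038:  <INFO> |authmgr|  Selected server RADIUS for method=Management; user=balbirghori,  essid=<>, domain=<>, server-group=Trent-RADIUS
Aug 23 08:45:35 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:382] Radius authenticate user (balbirghori) PAP using server RADIUS
Aug 23 08:45:35 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1224]  User-Name: balbirghori
Aug 23 08:45:36 :124066:  <INFO> |authmgr|  Administrative User result=Authentication Successful(0), method=Management, username=balbirghori IP=209.42.110.6 auth server=RADIUS
Aug 23 08:45:36 :124004:  <DBUG> |authmgr|  match_rule Value Pair to match User-Name : balbirghori
Aug 23 08:45:36 :124025:  <NOTI> |authmgr|  Administrative user 'balbirghori' authenticated successfully  (role=root, privileged=0)
"""

RESULT = re.compile(r"result=Authentication (\w+)\(\d+\).*username=(\S+).*auth server=(\S+)")
RADIUS_START = re.compile(r"Radius authenticate user \((\S+?)\)")
ATTR = re.compile(r"\[rc_server\.c:\d+\]\s+([\w-]+):")
MATCH_RULE = re.compile(r"match_rule Value Pair to match ([\w-]+) : (\S+)")
ROLE = re.compile(r"user '([^']+)' authenticated successfully\s+\(role=([^,)]+)")

def summarize(log_text):
    """Group authmgr/aaa log lines by user name."""
    users = defaultdict(lambda: {"results": [], "attrs": [], "matched_on": [], "role": None})
    current = None  # assumption: attribute lines belong to the latest RADIUS request
    for line in log_text.splitlines():
        if m := RADIUS_START.search(line):
            current = m.group(1)
        elif (m := ATTR.search(line)) and current:
            users[current]["attrs"].append(m.group(1))
        elif m := RESULT.search(line):
            users[m.group(2)]["results"].append((m.group(3), m.group(1)))
        elif m := MATCH_RULE.search(line):
            users[m.group(2)]["matched_on"].append(m.group(1))
        elif m := ROLE.search(line):
            users[m.group(1)]["role"] = m.group(2)
    return dict(users)

def unseen_attributes(entry, expected):
    """Expected attribute names that never appeared in the aaa debug lines."""
    return sorted(set(expected) - set(entry["attrs"]))

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE).items():
        print(user, entry)
        print("not logged:", unseen_attributes(entry, {"Filter-Id"}))  # placeholder name
```

Run against a failed and a successful capture side by side, the `attrs` and `matched_on` fields show whether the two logins differ in anything the debug output actually records.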