Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Uniquely identifying auth requests from l2tp/ipsec clients

  • 1.  Uniquely identifying auth requests from l2tp/ipsec clients

    Posted Apr 03, 2013 09:28 AM

    Hi,

    I'm looking at using one of our Aruba controllers to provide an l2tp/ipsec service for network staff who need to have unfettered access to our network from outside our network. Back end auth is against our RADIUS service and I'm generating a specific Filter-Id RADIUS attribute to indicate that they're l2tp/ipsec users. A successful auth then places them in a specific role and away they go.

    My concern however is that I've set up the correct Filter-Id attribute value. The RADIUS server copes with EAP and MSCHAPv2 auths from all over the place and may well have Service-Type=Login-User from other devices.

    Looking at the RADIUS Access-Request packet sent by the controller, I've got:

    NAS-IP-Address = <ip address of controller>
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    User-Name = me
    Calling-Station-Id = 000000000000
    Called-Station-Id = <mac address of client>
    Framed-IP-Address = <ip address of client machine>
    MS-CHAP stuff
    Service-Type = Login-User
    Aruba-Location-Id = "N/A"
    Aruba-AP-Group = "default"
    Message-Authenticator = <stuff>

    At the moment I'm checking for my username, the Aruba-Location-Id, the Aruba-AP-Group and the Service-Type, but I'm not entirely convinced that the combination of those 3 uniquely identifies an auth request associated with an l2tp/ipsec connection.

    Any way of really, really identifying the auth request as being associated with an l2tp/ipsec connect request? Can I add an attribute at the controller end to say this is an l2tp/ipsec auth request?

    Rgds

    Alex



  • 2.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    EMPLOYEE
    Posted Apr 03, 2013 09:34 AM

    NAS-Port-Type should be VPN or Virtual for VPN authentication.



  • 3.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    Posted Apr 03, 2013 09:44 AM

    It would be good if it were, but it's set to Wireless-802.11.

    We've got a whole batch of RAPs out there as well.

    Rgds

    Alex



  • 4.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    EMPLOYEE
    Posted Apr 03, 2013 10:14 AM

    If you have RAPs along with VPN clients, I suggest you open a support case so that you do not break anything with your RAPs.

    If you are running ArubaOS 6.x, in Security > Authentication > L3 Authentication there are different ways to handle authentication depending on whether it is a RAP or an incoming VPN connection.



  • 5.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    Posted Apr 03, 2013 10:22 AM

    Sounds like a good idea. FWIW, once I've authenticated over an l2tp/ipsec connection and have a look at the clients that are logged on, I can see that my auth type is VPN.

    And yes, we're running ArubaOS 6.1.3.7.

    Rgds

    Alex



  • 6.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    EMPLOYEE
    Posted Apr 03, 2013 10:27 AM

    All right.

    Your 802.1x clients have a server group. In Configuration > Security > Authentication > L3 Authentication > VPN, THAT has a server group.

    You could create a new server that is the exact duplicate of your 802.1x server, except you add a parameter in the NAS-ID, like VPN. Create a new server group, and add that server to it. Replace the server group in Configuration > Security > Authentication > L3 Authentication > VPN with that new server group. On your RADIUS server, the NAS ID of VPN will let you know that it is an incoming VPN connection.
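The RADIUS-side check the reply above describes, as an added Python example that is not from the thread or from Aruba: it parses an Access-Request attribute dump in the shape the original post lists, and contrasts the poster's attribute-combination heuristic with matching on the NAS-Identifier the duplicated VPN server entry sets. The dumps, the NAS-IP address and the Filter-Id value are constructed assumptions.

```python
import re

VPN_NAS_ID = "VPN"            # NAS-ID value suggested in the thread for the VPN server entry
VPN_FILTER_ID = "vpn-staff"   # hypothetical Filter-Id value returned for VPN users

# Constructed Access-Request dump (attribute = value per line), not a real capture.
VPN_DUMP = """\
NAS-IP-Address = 192.0.2.10
NAS-Identifier = VPN
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = me
Calling-Station-Id = 000000000000
Service-Type = Login-User
Aruba-Location-Id = "N/A"
Aruba-AP-Group = "default"
"""
# Same attributes sent via the 802.1x server group, which (as assumed here) sets no NAS-ID.
OTHER_DUMP = VPN_DUMP.replace("NAS-Identifier = VPN\n", "")

# Accepts the separators seen in the thread ("=", "--", "-") and strips optional quotes.
LINE = re.compile(r'^\s*([\w-]+)\s*(?:=|--|-)\s*"?([^"]*?)"?\s*$')

def parse_request(dump):
    """Turn a textual attribute dump into a dict of attribute name -> value."""
    attrs = {}
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def is_vpn_by_heuristic(attrs):
    """The poster's original check: attributes that merely happen to be present for
    L2TP/IPsec clients. Other request types can carry the same combination."""
    return (attrs.get("Service-Type") == "Login-User"
            and attrs.get("Aruba-Location-Id") == "N/A"
            and attrs.get("Aruba-AP-Group") == "default")

def is_vpn_by_nas_id(attrs):
    """The suggested check: only the VPN server group's server entry carries this
    NAS-Identifier, so requests from the 802.1x server group never match."""
    return attrs.get("NAS-Identifier") == VPN_NAS_ID

def reply_for(attrs):
    """Access-Accept reply attributes: the VPN Filter-Id only for tagged requests."""
    return {"Filter-Id": VPN_FILTER_ID} if is_vpn_by_nas_id(attrs) else {}
```

Running both dumps through the two checks shows the heuristic accepting both requests while the NAS-Identifier check singles out the VPN one.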

     



  • 7.  RE: Uniquely identifying auth requests from l2tp/ipsec clients

    Posted Apr 03, 2013 10:27 AM

    Just read your message again. Already set up the right stuff in the layer 3 auth. There are 3 profiles there: default, default-cap and default-rap. I've pointed default at our RADIUS servers and left the default-rap alone so they're still running OK.

    Rgds

    Alex