
server-derived role from VSA RADIUS

Hi,

 

I have reached kind of a dead end with this. I have a simple working solution with 802.1X authentication and FreeRADIUS, simply authenticating users defined in the RADIUS users file with a password. After successful auth, the default role 'authenticated' is applied.

... but I can't get role derivation from the Aruba VSA Aruba-User-Role. I have configured another role 'authenticated-vsa' on the controller; on RADIUS, in the 'users' file, I have bob Cleartext-Password := "bob123" and Aruba-User-Role := "authenticated-vsa"

As I checked the FreeRADIUS configuration, the dictionary.aruba file with definitions is already included. I have also read that there is no need for an explicit server derivation rule on the controller to apply the VSA attribute.


Can anybody give me a hint?

UPDATE: see the FreeRADIUS debug below; it seems RADIUS is sending the VSA Aruba-User-Role, so the problem is on the controller side. I have tried with or without server rules, no change.


[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 105 to 172.16.0.254 port 59329
        Aruba-User-Role := "authenticated-vsa"
        EAP-Message = 0x010300160410b5302d12e3b0bc39b6a55d1963ba5815
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x52e1d8da52e2dc053abe7d46171537b4

 

[peap] Got tunneled reply code 2
        Aruba-User-Role := "authenticated-vsa"
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
        MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
        MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "bob"

[peap] Got tunneled reply RADIUS code 2
        Aruba-User-Role := "authenticated-vsa"
        MS-MPPE-Encryption-Policy = 0x00000002
        MS-MPPE-Encryption-Types = 0x00000004
        MS-MPPE-Send-Key = 0x03fc70495b61ff2bc92d0a920d5bf71e
        MS-MPPE-Recv-Key = 0xdfa3cb0c9501b992af40543ccc728b94
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "bob"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
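
Added example, not part of the original post: a small parser for FreeRADIUS debug output in the style shown above. It separates attribute blocks in packets actually sent to the controller ("Sending ..." lines) from blocks that exist only in the PEAP tunneled reply, since the controller sees only the former. The sample log is constructed, and its Access-Accept block (id 106, without the VSA) is an assumed case for illustration; the function names are hypothetical.

```python
import re

# Constructed sample in the debug style above. The Access-Accept block is an
# assumption for illustration; it does not appear in the original excerpt.
SAMPLE = """\
Sending Access-Challenge of id 105 to 172.16.0.254 port 59329
        Aruba-User-Role := "authenticated-vsa"
        EAP-Message = 0x0103
[peap] Got tunneled reply code 2
        Aruba-User-Role := "authenticated-vsa"
        User-Name = "bob"
[peap] SUCCESS
Sending Access-Accept of id 106 to 172.16.0.254 port 59329
        MS-MPPE-Recv-Key = 0x00
        User-Name = "bob"
"""

HEADER = re.compile(r"^(?:Sending (Access-\w+) of id (\d+)|\[peap\] Got tunneled reply (?:RADIUS )?code (\d+))")
ATTR = re.compile(r"^\s+([\w-]+)\s*:?=\s*(.+)$")

def parse_blocks(text):
    """Return (kind, label, {attr: value}) for each wire packet or tunneled reply."""
    blocks, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            if h.group(1):
                current = ("wire", f"{h.group(1)} id {h.group(2)}", {})
            else:
                current = ("tunnel", f"tunneled reply code {h.group(3)}", {})
            blocks.append(current)
            continue
        a = ATTR.match(line)
        if a and current:
            current[2][a.group(1)] = a.group(2).strip().strip('"')
        elif not a:
            current = None  # any other unindented line ends the attribute block
    return blocks

def role_report(text, attr="Aruba-User-Role"):
    """Report whether attr is in the tunneled reply and in the outer Access-Accept."""
    blocks = parse_blocks(text)
    accept = [b for b in blocks if b[0] == "wire" and b[1].startswith("Access-Accept")]
    return {
        "in_tunnel": any(attr in b[2] for b in blocks if b[0] == "tunnel"),
        "in_access_accept": any(attr in b[2] for b in accept),
        "accept_seen": bool(accept),
    }

print(role_report(SAMPLE))
```

If "accept_seen" is False, the capture ended before the final packet and more of the debug log is needed to tell what the controller received.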
