MAC address Authentication – Amigopod Radius

Release 6.1.3.0 – Controller
Release 3.5 – Amigopod
March 2012
MJR
Contents
Configure a Firewall Policy
Configure a User Role
Configure a Radius Server (Amigopod)
Configure a Server Group
Configure a MAC address Profile
Configure a MAC address AAA
Configure a MAC address SSID
Configure a Virtual AP
Configure the AP Group Profile
Testing
Logging
Configure a Firewall Policy
Configure a User Role
Configure a Radius Server (Amigopod)
(Remember to add the Aruba controller to the Radius server as a NAS)
Configure a Server Group
Configure a MAC address Profile
Configure a MAC address AAA
Configure a MAC address SSID
Configure a Virtual AP
Configure the AP Group Profile
Testing
Add the MAC address of the User / device to the Radius Server User database
Test Authentication between the Radius server and the Aruba controller
Logging
Set the Controller Logs as shown below, with the logging level set to “Debugging”.
Configure the Aruba Controller to send its log messages (syslog) to the IP address of your PC.
Open the syslog server on your PC (in this example 3CDaemon was used).
(You can use the Controller Logs instead, but an external syslog server displays all the messages in one place.)
Test the User / Device by connecting to the MAC address SSID.
If successful, you should see messages similar to those below in the 3CDaemon syslog:
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31
(authentication started)
MAC=f8:7b:7a:68:f5:da Station authenticate(start): method=MAC, role=guest//, VLAN=1/1/0/0/0, Derivation=10/0, Value Pair=1
MAC=f8:7b:7a:68:f5:da IP=?? Derived role 'myemployee-role' from Aruba VSA
{L2} Update role from guest to myemployee-role for IP=0.0.0.0
(User / device authenticated – layer 2)
MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User role updated, existing Role=guest/none, new Role=myemployee-role/none, reason=Station Authenticated with auth type: 2
download: acl=61/0 role=myemployee-role, tunl=0x108f, PA=0, HA=1, RO=0, VPN=0
MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User data downloaded to datapath, new Role=myemployee-role/61, bw Contract=0/0,reason=Download driven by user role setting
Station authenticate has l2 role :myemployee-role default role guest logon role logon
Valid Dot1xct, remote:0, assigned:1, default:1,current:1,termstate:0, wired:0,dot1x enabled:0, psk:0 static:0 bssid=00:24:6c:12:dc:31
Vlan assignment is not needed during station authentication
MAC=f8:7b:7a:68:f5:da def_vlan 1 derive vlan: 0 auth_type 2 auth_subtype 2
(User authenticated by MAC, role assigned, vlan if any)
MAC=f8:7b:7a:68:f5:da Station authenticate: method=MAC, role=myemployee-role//, VLAN=1/1/0/0/0, Derivation=7/0, Value Pair=1
MAC=f8:7b:7a:68:f5:da def_vlan 1 derive vlan: 0 auth_type 2 auth_subtype 2
(DHCP successful, User IP address, server providing IP address)
DHCP ACK mac f8:7b:7a:68:f5:da, client ip 172.16.0.252, server ip 172.16.0.3
MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 User miss: ingress=0x108f, VLAN=1
{L3} Update role from myemployee-role to guest for IP=0.0.0.0
MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User role updated, existing Role=myemployee-role/none, new Role=myemployee-role/guest, reason=First IP user created
Reset BWM contract: IP=0.0.0.0 role=guest, contract= (0/0), type=Per role
MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 User entry added: reason=Sibtye
Station inherit: IP=172.16.0.252 start bssid:00:24:6c:12:dc:31 essid: macadd port:0x108f (0x108f)
{L3} Update role from guest to myemployee-role for IP=172.16.0.252
User Authentication Successful: username=f8:7b:7a:68:f5:da MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 role=myemployee-role VLAN=1 AP=ap1 SSID=macadd AAA profile=macadd-aaa auth method=MAC auth server=amigopod-rad
station inherit IP=172.16.0.252 bssid:00:24:6c:12:dc:31 essid: macadd auth:1 type:MAC role:myemployee-role port:0x108f
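The following Python script is an added example, not part of the original guide and not Aruba or Amigopod code. It turns the "you should see something similar" check above into a repeatable one: it reads the controller syslog lines quoted in this guide (abridged to the ones it uses) and reports whether each stage of a successful MAC authentication appeared for the station, which role the Aruba VSA derived, which role the station finally holds, and the role transitions the controller logged along the way. The stage patterns follow the message formats shown in the log; the function name, the success criteria (every stage present, final auth method MAC, final role equal to the VSA-derived role), and the second capture for the hypothetical MAC 00:11:22:33:44:55 are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Controller syslog lines quoted in this guide (abridged to the ones the
# checker uses; the lines wrapped in the document are joined here).
CONTROLLER_LOG = """\
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31
MAC=f8:7b:7a:68:f5:da IP=?? Derived role 'myemployee-role' from Aruba VSA
{L2} Update role from guest to myemployee-role for IP=0.0.0.0
DHCP ACK mac f8:7b:7a:68:f5:da, client ip 172.16.0.252, server ip 172.16.0.3
{L3} Update role from myemployee-role to guest for IP=0.0.0.0
{L3} Update role from guest to myemployee-role for IP=172.16.0.252
User Authentication Successful: username=f8:7b:7a:68:f5:da MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 role=myemployee-role VLAN=1 AP=ap1 SSID=macadd AAA profile=macadd-aaa auth method=MAC auth server=amigopod-rad
"""

# Constructed sample (not from the guide): a capture for a hypothetical
# station that stops after the layer-2 success, with no role derived from
# the Aruba VSA and no final "User Authentication Successful" line.
CONSTRUCTED_PARTIAL = """\
MAC=00:11:22:33:44:55 IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv
MAC=00:11:22:33:44:55 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31
"""

# Stages of a successful MAC authentication in the order the controller logs
# them; each pattern follows the message format shown in the guide's log.
STAGES: List[Tuple[str, re.Pattern]] = [
    ("start", re.compile(r"MAC auth start: .*essid=(?P<essid>\S+) sg=(?P<sg>\S+)")),
    ("l2_success", re.compile(r"MAC auth success")),
    ("vsa_role", re.compile(r"Derived role '(?P<role>[^']+)' from Aruba VSA")),
    ("dhcp", re.compile(r"DHCP ACK mac \S+, client ip (?P<ip>\S+), server ip (?P<server>\S+)")),
    ("final", re.compile(
        r"User Authentication Successful: username=(?P<username>\S+) MAC=\S+ IP=(?P<ip>\S+) "
        r"role=(?P<role>\S+) VLAN=(?P<vlan>\S+) AP=(?P<ap>\S+) SSID=(?P<ssid>\S+) "
        r"AAA profile=(?P<aaa>\S+) auth method=(?P<method>\S+) auth server=(?P<server>\S+)")),
]
ROLE_UPDATE = re.compile(r"\{(?P<layer>L[23])\} Update role from (?P<old>\S+) to (?P<new>\S+) for IP=(?P<ip>\S+)")


def check_mac_auth(log_text: str, mac: str) -> Dict:
    """Reconstruct one station's MAC-auth timeline and report what is missing."""
    mac = mac.lower()
    found: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        if mac not in line.lower():
            continue
        for name, pat in STAGES:
            m = pat.search(line)
            if m and name not in found:  # keep the first occurrence of each stage
                found[name] = m.groupdict()
    station_ip = found.get("final", found.get("dhcp", {})).get("ip")
    # Role updates are keyed by IP only; the L2 ones happen before DHCP
    # (IP=0.0.0.0), so they are attributable to this station only in a
    # single-station capture like the one in the guide.
    transitions = [
        (m.group("layer"), m.group("old"), m.group("new"))
        for m in map(ROLE_UPDATE.search, log_text.splitlines())
        if m and m.group("ip") in ("0.0.0.0", station_ip)
    ]
    missing = [name for name, _ in STAGES if name not in found]
    vsa_role = found.get("vsa_role", {}).get("role")
    final = found.get("final", {})
    return {
        "mac": mac,
        "missing": missing,
        "vsa_role": vsa_role,
        "final_role": final.get("role"),
        "auth_server": final.get("server"),
        "ip": station_ip,
        "role_transitions": transitions,
        # Success criteria assumed by this example: every stage seen, the
        # final record says method=MAC, and the final role is the VSA role.
        "ok": not missing and final.get("method") == "MAC" and final.get("role") == vsa_role,
    }


if __name__ == "__main__":
    for text, mac in ((CONTROLLER_LOG, "f8:7b:7a:68:f5:da"), (CONSTRUCTED_PARTIAL, "00:11:22:33:44:55")):
        r = check_mac_auth(text, mac)
        print(mac, "OK" if r["ok"] else "INCOMPLETE", "missing:", r["missing"], "roles:", r["role_transitions"])
```

For the guide's own capture the checker reports every stage present, the VSA role and the final role both myemployee-role, the auth server amigopod-rad, and the three role transitions the log shows (guest to myemployee-role at L2, the brief drop back to guest when the first IP user entry is created, then myemployee-role again at L3). For the constructed partial capture it lists the missing stages instead of reporting success, which is the condition to look for when a device lands in the default role rather than the one expected from the Radius reply.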
Amigopod Radius Debugging – MAC address User authentication successful
Ready to process requests.
# Executing section authorize from file /etc/raddb/radiusd.conf
rlm_sql (sql): Reserving sql socket id: 18
rlm_sql_postgresql: query: SELECT id, UserName, CASE WHEN Attribute = 'password' THEN 'CleartextPassword' ELSE Attribute END, Value, CASE WHEN Attribute = 'password' THEN ':=' ELSE Op END FROM radcheck WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 2 , fields = 5
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.Op FROM radgroupcheck, usergroup WHERE LOWER(usergroup.UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply, usergroup WHERE LOWER(usergroup.UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): Released sql socket id: 18
# Executing section session from file /etc/raddb/radiusd.conf
rlm_sql (sql): Reserving sql socket id: 17
rlm_sql_postgresql: query: SELECT COUNT(*) FROM radacct WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND AcctStopTime IS NULL AND CallingStationId<>E'F87B7A68F5DA' AND (EXTRACT(EPOCH FROM (NOW() - AcctStartTime)) COALESCE(AcctSessionTime, 0)) < 86400
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
rlm_sql (sql): Released sql socket id: 17
Login OK: [f8:7b:7a:68:f5:da] (from client aruba3200 port 0 cli F87B7A68F5DA)
# Executing section post-auth from file /etc/raddb/radiusd.conf
rlm_extautz: In postauth
rlm_extautz: extautz_postauth: time-to-connect: |0.000616|
rlm_extautz: extautz_postauth: content-length-time: |0.000068|
rlm_extautz: extautz_postauth: content-send-time: |0.095240|
rlm_extautz: extautz_postauth: Received response with extautz status: 200 OK includes|0.012591| action|0.099951| total|0.112542|
rlm_extautz: extautz_postauth: round-trip-time: |0.121493|
rlm_extautz: extautz_postauth: time-to-process: |0.121554|
rlm_sql (sql): Reserving sql socket id: 16
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (E'f8:7b:7a:68:f5:da', E'f8:7b:7a:68:f5:da', E'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 16
Waking up in 4.9 seconds.
Ready to process requests.
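The following Python script is an added example, not part of the original guide and not FreeRADIUS or Amigopod code. It summarises the Amigopod (FreeRADIUS) debug output above: which sections ran, how many rows each SQL lookup returned (a MAC that is in the user database shows up as radcheck rows greater than zero), whether "Login OK" was reached, and which reply was recorded in radpostauth. It also normalises the two spellings of the station's MAC that appear in the debug, the User-Name 'f8:7b:7a:68:f5:da' used in the LOWER(UserName) lookup and the Calling-Station-Id 'F87B7A68F5DA', to confirm they are the same station. LOWER() in those queries only removes case differences, so the MAC stored in the Radius user database must use the same delimiter format that the controller's MAC authentication profile sends, which is why the normaliser is worth having when debugging a lookup that returns zero rows. The function names and the constructed Access-Reject transcript for the hypothetical MAC 00:11:22:33:44:55 are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Amigopod (FreeRADIUS) debug output quoted in this guide, abridged to the
# lines this summary uses, with the wrapped SQL statements joined.
RADIUS_DEBUG = """\
# Executing section authorize from file /etc/raddb/radiusd.conf
rlm_sql_postgresql: query: SELECT id, UserName, CASE WHEN Attribute = 'password' THEN 'CleartextPassword' ELSE Attribute END, Value, CASE WHEN Attribute = 'password' THEN ':=' ELSE Op END FROM radcheck WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id
rlm_sql_postgresql: query affected rows = 2 , fields = 5
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da')
rlm_sql_postgresql: query affected rows = 1 , fields = 1
# Executing section session from file /etc/raddb/radiusd.conf
Login OK: [f8:7b:7a:68:f5:da] (from client aruba3200 port 0 cli F87B7A68F5DA)
# Executing section post-auth from file /etc/raddb/radiusd.conf
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (E'f8:7b:7a:68:f5:da', E'f8:7b:7a:68:f5:da', E'Access-Accept', NOW())
rlm_sql_postgresql: query affected rows = 1
"""

# Constructed sample (not from the guide): the same lookups for a hypothetical
# MAC that has no radcheck entry, ending in a recorded Access-Reject.
CONSTRUCTED_REJECT = """\
# Executing section authorize from file /etc/raddb/radiusd.conf
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE LOWER(UserName)=LOWER(E'00:11:22:33:44:55') ORDER BY id
rlm_sql_postgresql: query affected rows = 0 , fields = 5
# Executing section post-auth from file /etc/raddb/radiusd.conf
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (E'00:11:22:33:44:55', E'00:11:22:33:44:55', E'Access-Reject', NOW())
rlm_sql_postgresql: query affected rows = 1
"""

SECTION = re.compile(r"^# Executing section (?P<name>\S+)")
QUERY = re.compile(r"rlm_sql_postgresql: query: (?P<sql>.*)")
AFFECTED = re.compile(r"query affected rows = (?P<n>\d+)")
LOGIN_OK = re.compile(r"Login OK: \[(?P<user>[^\]]+)\] \(from client (?P<client>\S+) port \d+ cli (?P<cli>\S+)\)")
REPLY = re.compile(r"INSERT INTO radpostauth .*E'(?P<reply>Access-\w+)'")


def normalize_mac(value: str) -> str:
    """Canonical lower-case, colon-separated form of a MAC written with ':', '-', '.' or no delimiter."""
    digits = re.sub(r"[:.\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_station(user: Optional[str], cli: Optional[str]) -> bool:
    """True when User-Name and Calling-Station-Id are the same MAC in any spelling."""
    try:
        return user is not None and cli is not None and normalize_mac(user) == normalize_mac(cli)
    except ValueError:  # User-Name is not a MAC at all (e.g. an 802.1X identity)
        return False


def table_of(sql: str) -> Optional[str]:
    """Table an SQL statement writes to, or the first table it reads from."""
    m = re.search(r"\bINSERT INTO\s+(\w+)", sql) or re.search(r"\bFROM\s+(\w+)", sql)
    return m.group(1) if m else None


def summarize_radius_debug(text: str) -> Dict:
    """Sections run, rows per table, Login OK details and the reply recorded in radpostauth."""
    sections: List[str] = []
    rows: Dict[str, int] = {}
    pending: Optional[str] = None  # table of the last query, until its row count arrives
    login = None
    reply = None
    for line in text.splitlines():
        if m := SECTION.match(line):
            sections.append(m.group("name"))
        elif m := QUERY.search(line):
            pending = table_of(m.group("sql"))
            if r := REPLY.search(m.group("sql")):
                reply = r.group("reply")
        elif (m := AFFECTED.search(line)) and pending:
            rows[pending] = int(m.group("n"))
            pending = None
        elif m := LOGIN_OK.search(line):
            login = m.groupdict()
    user = login["user"] if login else None
    cli = login["cli"] if login else None
    return {
        "sections": sections,
        "rows": rows,
        "login_ok": login is not None,
        "username": user,
        "nas": login["client"] if login else None,
        "calling_station": cli,
        "username_is_calling_station": same_station(user, cli),
        "user_in_radcheck": rows.get("radcheck", 0) > 0,
        "reply": reply,
    }


if __name__ == "__main__":
    for name, text in (("guide", RADIUS_DEBUG), ("constructed reject", CONSTRUCTED_REJECT)):
        s = summarize_radius_debug(text)
        print(name, s["sections"], s["rows"], "login_ok=%s reply=%s" % (s["login_ok"], s["reply"]))
```

For the guide's transcript the summary shows the authorize, session and post-auth sections, two radcheck rows for the MAC, a Login OK from the NAS aruba3200 whose User-Name and Calling-Station-Id normalise to the same address, and an Access-Accept in radpostauth. For the constructed transcript it shows zero radcheck rows, no Login OK and an Access-Reject, which is the pattern to expect when the device's MAC has not been added to the Radius user database.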