MAC address Authentication – Amigopod Radius

Release 6.1.3.0 – Controller

Release 3.5 – Amigopod

March 2012

MJR

Contents

Configure a Firewall Policy

Configure a User Role

Configure a Radius Server (Amigopod)

Configure a Server Group

Configure a MAC address Profile

Configure a MAC address AAA

Configure a MAC address SSID

Configure a Virtual AP

Configure the AP Group Profile

Testing

Logging

Configure a Firewall Policy

Configure a User Role

Configure a Radius Server (Amigopod)

(Remember to add the Aruba controller to the Radius server as a NAS)

Configure a Server Group

Configure a MAC address Profile

Configure a MAC address AAA

Configure a MAC address SSID

Configure a Virtual AP

Configure the AP Group Profile

Testing

Add the MAC address of the User / device to the Radius Server User database

Test Authentication between the Radius server and the Aruba controller

Logging

Set the Controller Logs to the following – set to “Debugging”

Configure the Aruba Controller to send LOG information to your PC IP Address.

Open your syslog viewer on your PC (in this example 3CDaemon was used)

(You can use the Controller Logs but an external Syslog will display all the messages in one place)

Test the User / Device by connecting to the MAC address SSID

If successful, you should see messages similar to those below in the 3CDaemon syslog:

MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv

MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31

(authentication started)

MAC=f8:7b:7a:68:f5:da Station authenticate(start): method=MAC, role=guest//, VLAN=1/1/0/0/0, Derivation=10/0, Value Pair=1

MAC=f8:7b:7a:68:f5:da IP=?? Derived role 'myemployee-role' from Aruba VSA

{L2} Update role from guest to myemployee-role for IP=0.0.0.0

(User / device authenticated – layer 2)

MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User role updated, existing Role=guest/none, new Role=myemployee-role/none, reason=Station Authenticated with auth type: 2

download: acl=61/0 role=myemployee-role, tunl=0x108f, PA=0, HA=1, RO=0, VPN=0

MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User data downloaded to datapath, new Role=myemployee-role/61, bw Contract=0/0,reason=Download driven by user role setting

Station authenticate has l2 role :myemployee-role default role guest logon role logon

Valid Dot1xct, remote:0, assigned:1, default:1,current:1,termstate:0, wired:0,dot1x enabled:0, psk:0 static:0 bssid=00:24:6c:12:dc:31

Vlan assignment is not needed during station authentication

MAC=f8:7b:7a:68:f5:da def_vlan 1 derive vlan: 0 auth_type 2 auth_subtype 2

(User authenticated by MAC, role assigned, vlan if any)

MAC=f8:7b:7a:68:f5:da Station authenticate: method=MAC, role=myemployee-role//, VLAN=1/1/0/0/0, Derivation=7/0, Value Pair=1

MAC=f8:7b:7a:68:f5:da def_vlan 1 derive vlan: 0 auth_type 2 auth_subtype 2

(DHCP successful, User IP address, server providing IP address)

DHCP ACK mac f8:7b:7a:68:f5:da, client ip 172.16.0.252, server ip 172.16.0.3

MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 User miss: ingress=0x108f, VLAN=1

{L3} Update role from myemployee-role to guest for IP=0.0.0.0

MAC=f8:7b:7a:68:f5:da,IP=0.0.0.0 User role updated, existing Role=myemployee-role/none, new Role=myemployee-role/guest, reason=First IP user created

Reset BWM contract: IP=0.0.0.0 role=guest, contract= (0/0), type=Per role

MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 User entry added: reason=Sibtye

Station inherit: IP=172.16.0.252 start bssid:00:24:6c:12:dc:31 essid: macadd port:0x108f (0x108f)

{L3} Update role from guest to myemployee-role for IP=172.16.0.252

User Authentication Successful: username=f8:7b:7a:68:f5:da MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 role=myemployee-role VLAN=1 AP=ap1 SSID=macadd AAA profile=macadd-aaa auth method=MAC auth server=amigopod-rad

station inherit IP=172.16.0.252 bssid:00:24:6c:12:dc:31 essid: macadd auth:1 type:MAC role:myemployee-role port:0x108f
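The four messages that matter in the sequence above are "MAC auth start", "MAC auth success", "Derived role ... from Aruba VSA" and the final "User Authentication Successful" line. The parser below, an added example that is not part of this guide or of ArubaOS, groups those messages per client MAC from the syslog text and checks that each client's flow is complete, that the username the controller sent equals the client MAC (as MAC authentication requires), and that the role finally assigned matches the role the Amigopod VSA derived. The sample log is constructed from the lines in this guide plus a hypothetical second device (MAC aa:bb:cc:00:00:01, role contractor-role) whose final role disagrees with its derived role.

```python
import re

# Constructed sample: the guide's own controller messages, followed by a
# hypothetical second client whose assigned role does not match the role the
# RADIUS VSA derived (the case the consistency check is meant to catch).
SAMPLE_LOG = """\
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv
MAC=f8:7b:7a:68:f5:da IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31
MAC=f8:7b:7a:68:f5:da IP=?? Derived role 'myemployee-role' from Aruba VSA
User Authentication Successful: username=f8:7b:7a:68:f5:da MAC=f8:7b:7a:68:f5:da IP=172.16.0.252 role=myemployee-role VLAN=1 AP=ap1 SSID=macadd AAA profile=macadd-aaa auth method=MAC auth server=amigopod-rad
MAC=aa:bb:cc:00:00:01 IP=0.0.0.0: MAC auth start: entry-type=L2, bssid=00:24:6c:12:dc:31, essid=macadd sg=macadd-serv
MAC=aa:bb:cc:00:00:01 IP=0.0.0.0: MAC auth success: entry-type=L2, bssid=00:24:6c:12:dc:31
MAC=aa:bb:cc:00:00:01 IP=?? Derived role 'contractor-role' from Aruba VSA
User Authentication Successful: username=aa:bb:cc:00:00:01 MAC=aa:bb:cc:00:00:01 IP=172.16.0.253 role=myemployee-role VLAN=1 AP=ap1 SSID=macadd AAA profile=macadd-aaa auth method=MAC auth server=amigopod-rad
"""

# One pattern per message type; every pattern captures the client MAC so the
# messages can be joined into a single record per client.
START = re.compile(r"^MAC=(?P<mac>[0-9a-f:]{17}) .*MAC auth start: .*essid=(?P<essid>\S+) sg=(?P<sg>\S+)")
SUCCESS = re.compile(r"^MAC=(?P<mac>[0-9a-f:]{17}) .*MAC auth success:")
DERIVED = re.compile(r"^MAC=(?P<mac>[0-9a-f:]{17}) .*Derived role '(?P<role>[^']+)' from Aruba VSA")
FINAL = re.compile(r"^User Authentication Successful: username=(?P<user>\S+) MAC=(?P<mac>\S+) IP=(?P<ip>\S+) "
                   r"role=(?P<role>\S+) VLAN=(?P<vlan>\S+) .*auth method=(?P<method>\S+) auth server=(?P<server>\S+)")
STEPS = (("start", START), ("success", SUCCESS), ("derived", DERIVED), ("final", FINAL))

def parse_mac_auth(log_text):
    """Group the controller's MAC-auth messages into one dict per client MAC."""
    sessions = {}
    for line in log_text.splitlines():
        for name, rx in STEPS:
            m = rx.match(line)
            if m:
                sessions.setdefault(m.group("mac"), {})[name] = m.groupdict()
                break
    return sessions

def check_session(rec):
    """Return findings for one client; an empty list means the flow matches the guide's."""
    findings = [f"missing '{name}' message" for name, _ in STEPS if name not in rec]
    if findings:
        return findings
    final, derived_role = rec["final"], rec["derived"]["role"]
    if final["method"] != "MAC":
        findings.append(f"auth method is {final['method']}, expected MAC")
    if final["user"] != final["mac"]:
        findings.append("username does not equal the client MAC")
    if final["role"] != derived_role:
        findings.append(f"assigned role {final['role']} differs from VSA-derived role {derived_role}")
    return findings
```

Running the checks over a real export of the controller's syslog (one line per message, as 3CDaemon writes them) gives a quick per-device verdict without reading the whole debug stream by hand.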

Amigopod Radius Debugging – MAC address User authentication successful

Ready to process requests.

# Executing section authorize from file /etc/raddb/radiusd.conf

rlm_sql (sql): Reserving sql socket id: 18

rlm_sql_postgresql: query: SELECT id, UserName, CASE WHEN Attribute = 'password' THEN 'Cleartext-Password' ELSE Attribute END, Value, CASE WHEN Attribute = 'password' THEN ':=' ELSE Op END FROM radcheck WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 2 , fields = 5

rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da')

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 1

rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.Op FROM radgroupcheck, usergroup WHERE LOWER(usergroup.UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply, usergroup WHERE LOWER(usergroup.UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

rlm_sql (sql): Released sql socket id: 18

# Executing section session from file /etc/raddb/radiusd.conf

rlm_sql (sql): Reserving sql socket id: 17

rlm_sql_postgresql: query: SELECT COUNT(*) FROM radacct WHERE LOWER(UserName)=LOWER(E'f8:7b:7a:68:f5:da') AND AcctStopTime IS NULL AND CallingStationId>E'F87B7A68F5DA' AND (EXTRACT(EPOCH FROM (NOW() - AcctStartTime)) - COALESCE(AcctSessionTime, 0)) < 86400

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 1

rlm_sql (sql): Released sql socket id: 17

Login OK: [f8:7b:7a:68:f5:da] (from client aruba3200 port 0 cli F87B7A68F5DA)

# Executing section post-auth from file /etc/raddb/radiusd.conf

rlm_extautz: In postauth

rlm_extautz: extautz_postauth: time-to-connect: |0.000616|

rlm_extautz: extautz_postauth: content-length-time: |0.000068|

rlm_extautz: extautz_postauth: content-send-time: |0.095240|

rlm_extautz: extautz_postauth: Received response with extautz status: 200 OK includes|0.012591| action|0.099951| total|0.112542|

rlm_extautz: extautz_postauth: round-trip-time: |0.121493|

rlm_extautz: extautz_postauth: time-to-process: |0.121554|

rlm_sql (sql): Reserving sql socket id: 16

rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (E'f8:7b:7a:68:f5:da', E'f8:7b:7a:68:f5:da', E'Access-Accept', NOW())

rlm_sql_postgresql: Status: PGRES_COMMAND_OK

rlm_sql_postgresql: query affected rows = 1

rlm_sql (sql): Released sql socket id: 16

Waking up in 4.9 seconds.

Ready to process requests.