Identity and Policy Control
Visitor
Patofissy
Posts: 2
Registered: ‎04-17-2009
0

Check SSID Vendor Specific Attribute with SBR into Radius Access Request

Hi All,

I'm trying to set up SBR to check the SSID used by a WLAN user when he tries to connect.
I'm using Colubris Access Points and the SSID info is being sent in the Radius Request via Colubris-specific attributes (AVP).

SBR was configured with the Colubris SSID AVP in the Radius check list, but I keep getting an error msg (below in red).

04/17/2009 17:43:57 Doing inventory check on request

04/17/2009 17:43:57 EAP MS-CHAP-V2 sub-protocol received success response

04/17/2009 17:43:57 Determined that \\PCU01\corporate of class NT-Domain-User is the user

04/17/2009 17:43:57 Getting attribute info on requesting user

04/17/2009 17:43:57 Getting profile info for requesting user

04/17/2009 17:43:57 Merging saved attributes with user info

04/17/2009 17:43:57 Merging profile info with user info

04/17/2009 17:43:57 Comparing checklist items with user/profile items

04/17/2009 17:43:57 Found checklist attribute Colubris-AVPAIR but missing required value for user \\PCU01\corporate

04/17/2009 17:43:57 request items don't match user/profile items, Rejecting

When replacing the Colubris SSID AVP with the standard NAS-Identifier attribute in the check list, it works OK.

Would you have any idea why it is not working?

Kind regards

/Patofissy

Contributor
zopilote
Posts: 14
Registered: ‎12-09-2008
0

Re: Check SSID Vendor Specific Attribute with SBR into Radius Access Request

Hi,

I think you are using the PEAP protocol.

In the PEAP and TTLS protocols, two users exist: an inner user and an outer user.

The outer user is used for establishing the securely encrypted tunnel.

The inner user is actually used for authentication through the tunnel.

And the check list is applied only at inner authentication.

The reason that the check list isn't applied when using PEAP or TTLS is that most adjunctive attributes, such as Colubris-AVPAIR and NAS-Identifier, are attached to the outer user.

Thus, the check list can't find these attributes.

If you want to check these attributes, you must enable the "Request filters" feature.

The Request filters can copy outer attributes to inner authentication.

The configuration steps are below.

1. Open the admin GUI.

2. Create a new filter, select "allow", and specify the attribute name you want to copy.

3. When you have finished, click "Authentication Policies", double-click "PEAP", select "Request Filters", enable "Transfer Outer Attribs to New" and "Transfer Outer Attribs to Continue", and select the filter you created.

If the check list still isn't applied, change the LogLevel to 2 and the TraceLevel to 1 in radius.ini. Then check the debug log entries starting with "Tunneled Authentication Request"; there you can see whether the attributes are copied to inner authentication.

04/02/2009 11:30:47 -----------------------------------------------------------

04/02/2009 11:30:47 Tunneled Authentication Request

04/02/2009 11:30:47 Packet : Code = 0x1 ID = 0x32

04/02/2009 11:30:47 Client Name = <ANY> Dictionary Name = Radius.dct

04/02/2009 11:30:47 Vector =

04/02/2009 11:30:47 000: 478c56d2 43358b89 ad959947 16ffbfcb |G.V.C5.....G....|

04/02/2009 11:30:47 Parsed Packet =

04/02/2009 11:30:47 User-Name : String Value = testsuser

04/02/2009 11:30:47 User-Password : String Value = <suppressed>

04/02/2009 11:30:47 -----------------------------------------------------------
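
The log check described in the answer above can be scripted. This is an added example, not part of the original post or of SBR: it parses debug-log text in the layout shown above and reports which tunneled (inner) requests lack a required attribute. The sample log is constructed, and the Colubris-AVPAIR line and its value are assumed placeholders.

```python
import re

# Constructed sample in the debug-log layout shown above (LogLevel 2, TraceLevel 1).
# The Colubris-AVPAIR line and its value are assumed placeholders, not from the thread.
SAMPLE_LOG = """\
04/02/2009 11:30:47 -----------------------------------------------------------
04/02/2009 11:30:47 Tunneled Authentication Request
04/02/2009 11:30:47 Packet : Code = 0x1 ID = 0x32
04/02/2009 11:30:47 Parsed Packet =
04/02/2009 11:30:47 User-Name : String Value = testsuser
04/02/2009 11:30:47 User-Password : String Value = <suppressed>
04/02/2009 11:30:47 -----------------------------------------------------------
04/02/2009 11:31:02 -----------------------------------------------------------
04/02/2009 11:31:02 Tunneled Authentication Request
04/02/2009 11:31:02 Parsed Packet =
04/02/2009 11:31:02 User-Name : String Value = testsuser
04/02/2009 11:31:02 Colubris-AVPAIR : String Value = ssid=EXAMPLE-SSID
04/02/2009 11:31:02 -----------------------------------------------------------
"""

STAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ?(.*)$")
ATTR = re.compile(r"^([A-Za-z0-9-]+) : \w+ Value = (.*)$")

def tunneled_requests(log_text):
    """Return one {attribute: [values]} dict per 'Tunneled Authentication Request' block."""
    requests, current, in_parsed = [], None, False
    for raw in log_text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue  # blank or unstamped line
        body = m.group(1).strip()
        if body == "Tunneled Authentication Request":
            current, in_parsed = {}, False
            requests.append(current)
        elif current is not None and body.startswith("Parsed Packet"):
            in_parsed = True  # attribute lines follow this marker
        elif current is not None and set(body) == {"-"}:
            current, in_parsed = None, False  # dashed separator closes the block
        elif in_parsed and current is not None:
            a = ATTR.match(body)
            if a:
                current.setdefault(a.group(1), []).append(a.group(2))
    return requests

def missing_in_inner(log_text, required):
    """Indexes of tunneled requests that lack any required attribute (case-insensitive)."""
    wanted = {r.lower() for r in required}
    return [i for i, req in enumerate(tunneled_requests(log_text))
            if not wanted <= {name.lower() for name in req}]
```

An empty list from `missing_in_inner` means every inner request in the log carried the attributes the check list needs; any index returned points at a request where the Request Filter did not copy them.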

Visitor
Patofissy
Posts: 2
Registered: ‎04-17-2009
0

Re: Check SSID Vendor Specific Attribute with SBR into Radius Access Request

Hi,

SBR was configured to pass the Colubris Radius attributes from the outer to the inner authentication method.

Eventually, I managed to make it work...

The issue is that Colubris AVPair uses structured attributes (i.e. several Colubris attributes can be included in a single AVPair), which is not "supported" in version 6 of SBR (SBR will interpret the series of Colubris attributes as a single Radius attribute).

So if you need to check a specific Colubris attribute, you need to manipulate the string of characters in the AVPair...

SBR version 7 seems to bring support for structured attributes.

Thx for your help

/Pat
