Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
Hello All, There are quite a few components coming into play here so I'm not exactly sure whats breaking where. Let me start with explaining our setup: We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department. This works perfectly fine with our Apple Laptops, iPhones, and iPads. However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID. After some digging I found the following: When joining from the Apple devices, the User-Name comes accross as Tue Aug 10 17:13:03 2010 User-Name = "someone@somehwere.net" When Joining from my Android, it comes accross as: Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg==" (A few chars changed to prevent the username from being figured out) This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name. Has anyone seen this before or have any leads I should follow? Thanks! -=Tom Donnelly
When Joining from my Android, it comes accross as:
Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
Has anyone seen this before or have any leads I should follow?
Do a promiscuous packet capture and verify the Outer Identity the Android phone is sending in the EAP-Identity-Response. If it matches the User-Name above then you've found your problem. -Arran
Thomas Donnelly wrote:
When Joining from my Android, it comes accross as:
Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
Arg. Base-64 encoded?
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
As *always*, run the server in debugging mode to see why.
Has anyone seen this before or have any leads I should follow?
I haven't seen it before. The follow-up should be to go after the Android developers, and tell them this is a stupid idea. Alan DeKok.
--On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214@gmail.com> wrote:
Hello All,
There are quite a few components coming into play here so I'm not exactly sure whats breaking where.
Let me start with explaining our setup:
We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller
This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.
This works perfectly fine with our Apple Laptops, iPhones, and iPads.
However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID. After some digging I found the following:
When joining from the Apple devices, the User-Name comes accross as
Tue Aug 10 17:13:03 2010 User-Name = "someone@somehwere.net"
When Joining from my Android, it comes accross as:
Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
Has anyone seen this before or have any leads I should follow?
Hi Tom, Several small devices (phones etc) send a string such as above as the *outer* user-name - if you don't like this you need to re-config the device where possible [1]. More importantly, it seems you might be deciding VLAN based on the outer user-name in the request - this is bad (arbitrarily spoofable). You should use the EAP inner user-name. * Upgrading to 2.1.x will make the inner/outer sessions much easier to configure and verify. * Running radiusd -X [& post here] will confirm if this is the problem. [1] Maemo: After configuring, you need to click the Advanced-settings button, change to the EAP page, select 'Use manual user name' and enter whatever you want in the box. ( <http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies> ) Regards, James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
On Wed, 11 Aug 2010 00:46:56 -0500, James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
--On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214@gmail.com> wrote:
Hello All,
There are quite a few components coming into play here so I'm not exactly sure whats breaking where.
Let me start with explaining our setup:
We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller
This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.
This works perfectly fine with our Apple Laptops, iPhones, and iPads.
However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID. After some digging I found the following:
When joining from the Apple devices, the User-Name comes accross as
Tue Aug 10 17:13:03 2010 User-Name = "someone@somehwere.net"
When Joining from my Android, it comes accross as:
Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
Has anyone seen this before or have any leads I should follow?
Hi Tom,
Several small devices (phones etc) send a string such as above as the *outer* user-name - if you don't like this you need to re-config the device where possible [1].
More importantly, it seems you might be deciding VLAN based on the outer user-name in the request - this is bad (arbitrarily spoofable). You should use the EAP inner user-name.
* Upgrading to 2.1.x will make the inner/outer sessions much easier to configure and verify.
* Running radiusd -X [& post here] will confirm if this is the problem.
[1] Maemo: After configuring, you need to click the Advanced-settings button, change to the EAP page, select 'Use manual user name' and enter whatever you want in the box. ( <http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies> )
Regards, James
-- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This totally worked on my n900. Thank you very much. I am going to track down a user with a 2.1 phone and give it a run. I will report back with my results I will also track down what I need to do to get it to auth on the inner username. Thanks a ton! -=Tom -- Using Opera's revolutionary email client: http://www.opera.com/mail/
On Wed, 11 Aug 2010 00:46:56 -0500, James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
--On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214@gmail.com> wrote:
Hello All,
There are quite a few components coming into play here so I'm not exactly sure whats breaking where.
Let me start with explaining our setup:
We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller
This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.
This works perfectly fine with our Apple Laptops, iPhones, and iPads.
However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID. After some digging I found the following:
When joining from the Apple devices, the User-Name comes accross as
Tue Aug 10 17:13:03 2010 User-Name = "someone@somehwere.net"
When Joining from my Android, it comes accross as:
Tue Aug 10 11:26:53 2010 User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
Has anyone seen this before or have any leads I should follow?
Hi Tom,
Several small devices (phones etc) send a string such as above as the *outer* user-name - if you don't like this you need to re-config the device where possible [1].
More importantly, it seems you might be deciding VLAN based on the outer user-name in the request - this is bad (arbitrarily spoofable). You should use the EAP inner user-name.
* Upgrading to 2.1.x will make the inner/outer sessions much easier to configure and verify.
* Running radiusd -X [& post here] will confirm if this is the problem.
[1] Maemo: After configuring, you need to click the Advanced-settings button, change to the EAP page, select 'Use manual user name' and enter whatever you want in the box. ( <http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies> )
Regards, James
-- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just to finish my follow up. Using the link provided by James my n900 now works perfectly. Using Android 2.2 I had to put the username in both the identity and the anonymous identity and it worked correctly. I am still figuring out how to make it auth based on the internal username rather than the external. Thanks again for everyone who replied it was very helpful. -=tom -- Using Opera's revolutionary email client: http://www.opera.com/mail/
Hi,
Using Android 2.2 I had to put the username in both the identity and the anonymous identity and it worked correctly.
I am still figuring out how to make it auth based on the internal username rather than the external.
use the EAP section and ensure that its an EAP part - but this is a whole lot cleaner and easier with FreeRADIUS 2.x - in which the EAP inner gets sent to a new virtual server (by default named 'inner-tunnel') in which you do the authentications and....more importantly authorizations. regarding the auth on internal - copy the EAP inner to the outer identity (eap.conf - check the peap and ttls sections) - and then do the VLAN part in the post-auth section. I'm trying to think back to when I used 1.x and realise that I couldnt do - or at least trivially do! half of the stuff I can do with 2.x - its well worth the migration! alan
Hi,
We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller
are you using PEAP or EAP-TTLS? we have Android clients, 1142 (and 1131, 1242 etc) APs with WISM (4404) controllers and are running version 7 of the code. we are also running 2.1.9 of FreeRADIUS I know that we are now probably comparing apples with oranges at this stage... but I can say that we see the User-Name as expected with Android devices that I've just hunted down - though I cannot say whether they are 1.4/1.5/2.0/2.1 etc (cupcake, donut, eclair for those in that club ;-) ) are you copying the inner tunnel info to the outer? an obfuscated radiusd -X might also help..... alan
Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller
are you using PEAP or EAP-TTLS?
we have Android clients, 1142 (and 1131, 1242 etc) APs with WISM (4404) controllers and are running version 7 of the code.
we are also running 2.1.9 of FreeRADIUS
Someone wandered into my office yesterday with an Android 2.1 shiny toy. We use TTLS and a WLC 4404 running 6.0.199.0 and they connected with no problems straight away. No base64 'goodness' in my logs or RADIUS packets. Cheers -- Alexander Clouter .sigmonster says: PURGE COMPLETE.
participants (6)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter -
Arran Cudbard-Bell -
James J J Hooper -
Thomas Donnelly