Any interoperability issues with Aruba and Freeradius
Hi All, I'm sure the answer to this is nope, but ... At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility). The surprising bit was the fact that there was a "No" against Freeradius/TTLS (MD5,TLS,PEAP,LEAP,FAST all were yes) and a coment that said Freeradius also supports TTLS. Now it my well be that the slide is a bit old and just hasn't been updated but it does beg the question have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of "tweaking" for Aruba? I really can't imaging that it would be the case, but just thought I'd check. Rgds Alex
Alex Sharaz wrote:
At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility).
The surprising bit was the fact that there was a "No" against Freeradius/TTLS (MD5,TLS,PEAP,LEAP,FAST all were yes) and a coment that said Freeradius also supports TTLS.
I fail to see how that can be true. Aruba sells access points. Not supplicants. APs are supposed to pass EAP from the supplicant to the RADIUS server. With no changes. Unless Aruba is doing something *truly* stupid, it should work.
Now it my well be that the slide is a bit old and just hasn't been updated but it does beg the question have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of "tweaking" for Aruba? I really can't imaging that it would be the case, but just thought I'd check.
I haven't heard of any issues If it requires tweaking for Aruba, then Aruba has failed to implement the standards correctly. Alan DeKok.
On 08/02/13 16:19, Alan DeKok wrote:
If it requires tweaking for Aruba, then Aruba has failed to implement the standards correctly.
Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to the list that were solved by turning all that off, but this was a couple of years ago.
On 8 Feb 2013, at 16:31, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to the list that were solved by turning all that off, but this was a couple of years ago.
Certainly when we first set up eduroam on our Aruba controllers back in the ArubaOS 3.x days (2007-8) we had issues with local EAP termination. A colleague set this up and I don't think he would have ticked the box to do it, so I assume it was there by default. We disabled it back then and have never had trouble since -- but our configuration has been gradually ported through upgrades from 3.x to 5.x to 6.x, so we may have migrated that change. However, a test controller I have running 6.x doesn't have EAP termination enabled and I think I didn't explicitly configure that, so it may have changed as a default since 3.x. The setting is probably in the "default" dot1x authentication profile: (aruba) # show aaa authentication dot1x default | include Termination Termination Disabled Termination EAP-Type N/A Termination Inner EAP-Type N/A ... if that says "Enabled" you can turn it off: (aruba) (config)# aaa authentication dot1x default (aruba) (config ...)# no termination enable ... the help for that option says "Default is disabled" in ArubaOS 6.1.3.4. If you want to offload (as you've just mentioned in your further email), then EAP-TTLS is not an option: (aruba) (802.1X Authentication Profile "default") #termination eap-type ? eap-peap Select EAP-PEAP as the authentication protocol eap-tls Select EAP-TLS as the authentication protocol FWIW, we have provided eduroam on ArubaOS 3.x, 5.x and 6.x talking to FreeRADIUS 2.x (with a PostgreSQL backend for passwords, not an AD) for years with this and support EAP-TTLS/xxx without problems*, although most of our users use EAP-PEAP but we don't do any offloading (I'm not sure why you'd want to, unless your RADIUS backend doesn't support the desired methods - but FreeRADIUS does). - Bob * there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part. -- Bob Franklin <rcf34@cam.ac.uk> +44 1223 748479 Network Division, University of Cambridge Computing Service
* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.
I've got a strange thing here as well. In the inner-tunnel config there's a commented option that says uncomment this if you want to pass back the inner user-name attribute to the outer level. I uncommented this on my 2.2 server and tested that things worked o.k. using windoze, os/x and iOS clients manually configured. I then used the test utility from wpa-supplicant to try different combinations of inner/outer user-names and that worked as well. Imagine my surprise when I connected with my iPhone which was configured using our XpressConnect setup which failed telling me that i had an identity mismatch. When I commented out the config option again, my iPhone started working again. Interestingly enough even without the commented config, the User-Name appears in the outgoing Access-Accept packet. Haven't looked to see why yet, got other issues. Rgds Alex
Hi,
* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.
stick something like this into your 'inner-tunnel" authorize section: # Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes # If we use both methods we get duplicate User-Name attributes. # if(("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) { update reply { User-Name := "%{User-Name}" } } alan
Thanks for this one Alan, fixes one of my outstanding issues Rgds Alex Sent from my iPhone On 8 Feb 2013, at 17:59, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
* there is one problem that FreeRADIUS doesn't return the inner ID into the outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is nothing Aruba-specific and probably a configuration error in FreeRADIUS on our part.
stick something like this into your 'inner-tunnel" authorize section:
# Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes # If we use both methods we get duplicate User-Name attributes. # if(("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) { update reply { User-Name := "%{User-Name}" } }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility).
The surprising bit was the fact that there was a "No" against Freeradius/TTLS (MD5,TLS,PEAP,LEAP,FAST all were yes) and a coment that said Freeradius also supports TTLS.
Now it my well be that the slide is a bit old and just hasn't been updated but it does beg the question have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of "tweaking" for Aruba? I really can't imaging that it would be the case, but just thought I'd check.
its likely that this is if you do something nasty like terminate EAP locally on the controller. alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alex Sharaz -
Phil Mayers -
Robert Franklin