Cisco – Using RADIUS to restrict SSID on Cisco Aironet

Tags: aironet, cisco, radius, wireless

I would like to use my RADIUS server to restrict access to configured SSID on a per user basis.

According to the documentation linked above, I add the following attribute to a test user:

ospite-5vh Cisco-AVPair += "ssid=Interactive_Ospiti"

So, after enabling debug radius authentication, I see:

Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.266: RADIUS:  authenticator CC C9 63 16 B0 62 74 52 - A7 95 DF 1D 93 F3 08 37
Jun 12 08:30:08.267: RADIUS:  User-Name           [1]   12  "ospite-5vh"
Jun 12 08:30:08.267: RADIUS:  Framed-MTU          [12]  6   1400                      
Jun 12 08:30:08.267: RADIUS:  Called-Station-Id   [30]  16  "8478.acf0.9002"
Jun 12 08:30:08.267: RADIUS:  Calling-Station-Id  [31]  16  "2064.3267.44ca"
Jun 12 08:30:08.267: RADIUS:  Vendor, Cisco       [26]  29  
Jun 12 08:30:08.267: RADIUS:   Cisco AVpair       [1]   23 "ssid=Interactive_Test"
Jun 12 08:30:08.267: RADIUS:  Service-Type        [6]   6   Login                     [1]
Jun 12 08:30:08.267: RADIUS:  Message-Authenticato[80]  18  
Jun 12 08:30:08.267: RADIUS:   7D 95 ED 39 3D 12 82 9F 30 8D 1F F4 84 04 43 C9  [}??9=???0?????C?]
Jun 12 08:30:08.267: RADIUS:  EAP-Message         [79]  17  
Jun 12 08:30:08.267: RADIUS:   02 01 00 0F 01 6F 73 70 69 74 65 2D 35 76 68     [?????ospite-5vh]
Jun 12 08:30:08.267: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Jun 12 08:30:08.267: RADIUS:  NAS-Port            [5]   6   7037                      
Jun 12 08:30:08.268: RADIUS:  NAS-Port-Id         [87]  6   "7037"
Jun 12 08:30:08.268: RADIUS:  NAS-IP-Address      [4]   6   10.132.0.253              
Jun 12 08:30:08.268: RADIUS:  Nas-Identifier      [32]  13  "UFFICIO-AP1"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS:  authenticator 8A C9 30 9B 1B 13 20 91 - 4C D6 FE B3 2A 1E F7 85
Jun 12 08:30:08.325: RADIUS:  Vendor, Cisco       [26]  31  
Jun 12 08:30:08.325: RADIUS:   Cisco AVpair       [1]   25  "ssid=Interactive_Ospiti"
Jun 12 08:30:08.325: RADIUS:  EAP-Message         [79]  8   
Jun 12 08:30:08.325: RADIUS:   01 02 00 06 19 20                                [????? ]
Jun 12 08:30:08.325: RADIUS:  Message-Authenticato[80]  18  
Jun 12 08:30:08.325: RADIUS:   31 7D 79 7B C3 67 7E 71 5A FA 53 D4 76 2E 9D A4  [1}y{?g~qZ?S?v.??]
Jun 12 08:30:08.326: RADIUS:  State               [24]  18  
Jun 12 08:30:08.326: RADIUS:   9E B6 71 EA 9E B4 68 7A 8E 86 18 54 AF BD AF 55  [??q???hz???T???U]
Jun 12 08:30:08.326: RADIUS(00001A96): Received from id 1645/128

So I would expect the request to be refused, since the "association SSID" does not match the RADIUS one; instead it is acknowledged and the user gets connected.

Relevant configurations follow:

aaa authentication login default group radius
aaa authentication login eap_methods group radius
aaa authorization network default if-authenticated 
aaa accounting nested
aaa accounting update periodic 5
aaa accounting network eap_methods start-stop group radius
!
dot11 ssid Interactive
   vlan 1
   authentication open 
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 01120101551F035F7324DB1194F0ABEE1C0B03175B5C51
!
dot11 ssid Interactive_Ospiti
   vlan 4
   authentication open 
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15475E1D0725242D262D265D12730301204
!
dot11 ssid Interactive_Test
   vlan 5
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa version 2
   accounting eap_methods
   mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 4 mode ciphers aes-ccm tkip 
 encryption vlan 1 mode ciphers aes-ccm tkip 
 encryption vlan 5 mode ciphers aes-ccm tkip 
 ssid Interactive
 ssid Interactive_Ospiti
 ssid Interactive_Test
 antenna gain 0
 mbssid
 no short-slot-time
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2457
 station-role root
!
interface Dot11Radio0.1
 description LAN Interactive
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.4
 description LAN Ospiti
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio0.5
 description LAN Test
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
 bridge-group 5 spanning-disabled
!
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 4 10.132.0.253
radius-server host 10.132.0.99 auth-port 1812 acct-port 1813 non-standard key 7 131312061E3811242A142A7C79
radius-server vsa send accounting
radius-server vsa send authentication

And here's the output of # show version:

Cisco IOS Software, C1040 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 11-Aug-11 02:58 by prod_rel_team

ROM: Bootstrap program is C1040 boot loader
BOOTLDR: C1040 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)

UFFICIO-AP1 uptime is 8 weeks, 2 days, 8 hours, 27 minutes
System returned to ROM by power-on
System restarted at 22:39:10 UTC Tue Apr 16 2013
System image file is "flash:/c1140-k9w7-mx.124-25d.JA1/c1140-k9w7-mx.124-25d.JA1"

Can anyone help?

Best Answer

Try changing the operator in the freeradius config to "=~" :

ospite-5vh Cisco-AVPair =~ "ssid=Interactive_Ospiti"
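As an added illustration (not code from the question or the answer), the snippet below parses the `debug radius authentication` lines above to pull the association SSID out of the Access-Request, then applies a simplified model of the two users-file operators: `+=` on a check item always matches and only adds the attribute to the reply, while `=~` compares the request attribute against the regex and rejects on mismatch. The trimmed log lines are constructed from the question's output, and the evaluator is a teaching model, not the FreeRADIUS engine itself.

```python
import re

# Constructed sample: a trimmed copy of the Access-Request / Access-Challenge
# lines from the question's debug output.
DEBUG_LINES = """\
Jun 12 08:30:08.266: RADIUS(00001A96): Send Access-Request to 212.183.164.38:1812 id 1645/128, len 177
Jun 12 08:30:08.267: RADIUS:  User-Name           [1]   12  "ospite-5vh"
Jun 12 08:30:08.267: RADIUS:  Vendor, Cisco       [26]  29
Jun 12 08:30:08.267: RADIUS:   Cisco AVpair       [1]   23 "ssid=Interactive_Test"
Jun 12 08:30:08.325: RADIUS: Received from id 1645/128 212.183.164.38:1812, Access-Challenge, len 95
Jun 12 08:30:08.325: RADIUS:   Cisco AVpair       [1]   25  "ssid=Interactive_Ospiti"
""".splitlines()

# Matches the quoted string attributes the AP logs: name, [type], length, "value".
ATTR_RE = re.compile(r'RADIUS:\s+(User-Name|Cisco AVpair)\s+\[\d+\]\s+\d+\s+"([^"]*)"')


def parse_access_request(lines):
    """Return {"User-Name": ..., "ssid": ...} from the first Access-Request in the capture.
    Attributes of the reply (after "Received from id") are deliberately ignored."""
    req = {}
    in_request = False
    for line in lines:
        if "Send Access-Request" in line:
            in_request = True
            continue
        if "Received from id" in line:
            break
        if not in_request:
            continue
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "User-Name":
            req["User-Name"] = value
        elif value.startswith("ssid="):
            req["ssid"] = value[len("ssid="):]
    return req


def evaluate_users_entry(operator, pattern, request):
    """Simplified model (assumption, not the real FreeRADIUS code) of a check item
    `Cisco-AVPair <operator> "<pattern>"` on the user's first users-file line."""
    if operator == "=~":
        # Regex check item: the request's Cisco-AVPair must match, or the user is rejected.
        hit = re.search(pattern, "ssid=" + request.get("ssid", "")) is not None
        return "Access-Accept" if hit else "Access-Reject"
    if operator == "+=":
        # Always matches as a check item; it only appends the value to the reply.
        return "Access-Accept"
    raise ValueError("unsupported operator: " + operator)
```

With the question's request the `+=` entry accepts the user on `Interactive_Test`, while the `=~` entry from the answer rejects it and accepts only an association on `Interactive_Ospiti`.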