Re: Any interoperability issues with Aruba and Freeradius

2013-02-10 Thread Alex Sharaz
Thanks for this one Alan, fixes one of my outstanding issues
Rgds 
Alex


On 8 Feb 2013, at 17:59, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 * there is one problem that FreeRADIUS doesn't return the inner ID into the 
 outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is 
 nothing Aruba-specific and probably a configuration error in FreeRADIUS on 
 our part.
 
 stick something like this into your 'inner-tunnel' authorize section:
 
 
     #   Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes
     #   If we use both methods we get duplicate User-Name attributes.
     #
     if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
         update reply {
             User-Name := "%{User-Name}"
         }
     }
 
 
 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
Hi All,

I'm sure the answer to this is nope, but ...

At a recent Aruba training course in amongst the documentation supplied to us 
were a couple of presentation slides showing different types of eap 
authentication against recommended RADIUS servers for use with Aruba equipment 
(Just to be sure the slide heading said Aruba RADIUS Compatibility). 

The surprising bit was the fact that there was a No against Freeradius/TTLS 
(MD5,TLS,PEAP,LEAP,FAST all were yes) and a comment that said Freeradius also 
supports TTLS.

Now it may well be that the slide is a bit old and just hasn't been updated but 
it does beg the question have any people using Freeradius with Aruba kit 
experienced any funnies that needed a specific set of tweaking for Aruba? I 
really can't imagine that it would be the case, but just thought I'd check.

Rgds
Alex



Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 At a recent Aruba training course in amongst the documentation supplied to us 
 were a couple of presentation slides showing different types of eap 
 authentication against recommended RADIUS servers for use with Aruba 
 equipment (Just to be sure the slide heading said Aruba RADIUS 
 Compatibility). 
 
 The surprising bit was the fact that there was a No against Freeradius/TTLS 
 (MD5,TLS,PEAP,LEAP,FAST all were yes) and a comment that said Freeradius also 
 supports TTLS.

  I fail to see how that can be true.

  Aruba sells access points.  Not supplicants.  APs are supposed to pass
EAP from the supplicant to the RADIUS server.  With no changes.  Unless
Aruba is doing something *truly* stupid, it should work.

 Now it may well be that the slide is a bit old and just hasn't been updated 
 but it does beg the question have any people using Freeradius with Aruba kit 
 experienced any funnies that needed a specific set of tweaking for Aruba? I 
 really can't imagine that it would be the case, but just thought I'd check.

  I haven't heard of any issues

  If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.

  Alan DeKok.


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 16:19, Alan DeKok wrote:


   If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.


Was it Aruba who we had all the issues with terminating PEAP/TTLS 
locally on the controller, then transforming the inner EAP-MSCHAPv2 to 
plain MSCHAPv2 and mangling it? I seem to recall a flurry of posts to 
the list that were solved by turning all that off, but this was a couple 
of years ago.



Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
Aruba now say they only support eap-tls and eap-peap when you offload eap onto 
their mobility controllers.
Rgds
Alex

On 8 Feb 2013, at 16:46, freeradius-users-requ...@lists.freeradius.org wrote:

 Re: Any interoperability issues with Aruba and Freeradius


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alan DeKok
Alex Sharaz wrote:
 Aruba now say they only support eap-tls and eap-peap when you offload
 eap onto their mobility controllers.

  That is a stupid response from them.

  If they follow the specs, they should pass EAP straight through to the
RADIUS server.  If they do anything else, they are *intentionally*
breaking inter-operability.  So you're forced to buy their crappy RADIUS
server.

  All of the other WiFi vendors can get EAP to work.  If Aruba can't,
it's because (a) they're incompetent, or (b) being rude about it.

  Alan DeKok.


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz
I have to say that in their defence, the eap offloading is switched off by 
default and you do actually have to switch it on.
A
On 8 Feb 2013, at 17:27, Alan DeKok al...@deployingradius.com wrote:

 Alex Sharaz wrote:
 Aruba now say they only support eap-tls and eap-peap when you offload
 eap onto their mobility controllers.
 
  That is a stupid response from them.
 
  If they follow the specs, they should pass EAP straight through to the
 RADIUS server.  If they do anything else, they are *intentionally*
 breaking inter-operability.  So you're forced to buy their crappy RADIUS
 server.
 
  All of the other WiFi vendors can get EAP to work.  If Aruba can't,
 it's because (a) they're incompetent, or (b) being rude about it.
 
  Alan DeKok.



Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Alex Sharaz

 
 * there is one problem that FreeRADIUS doesn't return the inner ID into the 
 outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is 
 nothing Aruba-specific and probably a configuration error in FreeRADIUS on 
 our part.

I've got a strange thing here as well. In the inner-tunnel config there's a 
commented option that says uncomment this if you want to pass back the inner 
user-name attribute to the outer level. I uncommented this on my 2.2 server and 
tested that things worked o.k. using windoze, os/x and iOS clients manually 
configured. I then used the test utility from wpa-supplicant to try different 
combinations of inner/outer user-names and that worked as well. Imagine my 
surprise when I connected with my iPhone which was configured using our 
XpressConnect setup which failed telling me that I had an identity mismatch. 
When I commented out the config option again, my iPhone started working again.

Interestingly enough even without the commented config, the User-Name appears 
in the outgoing Access-Accept packet. Haven't looked to see why yet, got other 
issues.

Rgds
Alex





Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread A . L . M . Buxey
Hi,

 * there is one problem that FreeRADIUS doesn't return the inner ID into the 
 outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is 
 nothing Aruba-specific and probably a configuration error in FreeRADIUS on 
 our part.

stick something like this into your 'inner-tunnel' authorize section:


    #   Workaround for EAP-TTLS MsCHAPv2, not adding outer.reply attributes
    #   If we use both methods we get duplicate User-Name attributes.
    #
    if (("%{outer.request:EAP-Type}" == 'EAP-TTLS') && ("%{control:Auth-Type}" == 'MSCHAP')) {
        update reply {
            User-Name := "%{User-Name}"
        }
    }


alan


Re: Any interoperability issues with Aruba and Freeradius

2013-02-08 Thread Phil Mayers

On 08/02/13 17:14, Alex Sharaz wrote:

Aruba now say they only support eap-tls and eap-peap when you offload
eap onto their mobility controllers.


Well, don't do offload - it's a pretty bad idea anyway, and vendors have 
a history of mangling it.
