inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Add 802.1X user role support to Aruba Switches #3842

Closed horsitis closed 4 years ago

horsitis commented 5 years ago

Description

Add support for Aruba Switches 802.1X authentication. Aruba Switches (e.g. 2930F) require a user role (string) to be sent with this VSA:

Vendor Code: 11
Attribute number: 25
Attribute: HP-User-Role

Currently this is not the case when using PacketFence - no user role is sent. The rest of 802.1X for Aruba 2930F Switches works the same as for ProCurve ones (ex. "HP ProCurve 2920 Series").

Impacts

Switches

horsitis commented 5 years ago

FreeRadius pull request

horsitis commented 5 years ago

2nd FreeRadius pull request

erSitzt commented 4 years ago

Are the changes in those PRs the only thing that needs to be done ?

erSitzt commented 4 years ago

Seems to be enough... I added a dictionary.hp to be included in RADIUS and modified the 2930M Aruba module a little.

Now I get the matching user-role defined on the switch: [image]

This is the Radius-Accept with the added attribute:

2020-06-15 15:08:19.287066 (2) Access-Accept Id 223 ens192:192.168.4.19:1812 <- 192.168.1.89:1812 +0.084 +0.084
        Attr-26.11.25 = 0x6775657374
        Authenticator-Field = 0x715a1093506145a78aba66083e7548fe

0x6775657374 == guest

fdurand commented 4 years ago

You can use the switch template now instead of doing some modifications in the switch module.

erSitzt commented 4 years ago

Ok, thanks, I will try that.

Is adding/modifying the dictionary the correct way to add vendor-specific stuff? @fdurand And is it normal for it to be displayed as Attr-26.11.25 instead of the name in the dictionary?

nqb commented 4 years ago

@erSitzt, if you use PacketFence v10.0.1, you should be able to directly find FreeRADIUS attributes from GUI using Switch Templates menu:

[Screenshot: 2020-06-17 12-08-16]

Also since this issue has been opened we created a new switch template for Aruba switches.

Perhaps you can try to edit this switch template and see if it fits your needs.

erSitzt commented 4 years ago

@nqb I tried that, I configured my template that way, but the RADIUS attributes are missing HP-User-Role. As Aruba is HP now, I think Aruba-User-Role is no longer working for Aruba 2920 / 2930... (not tested)

Where does the UI get the RADIUS attributes available in the dropdown? It does not use the dictionary I added, it seems.

My old install is still PF 5.1 so I have to get up to speed with all the changes (nice work btw :) )

nqb commented 4 years ago

> Where does the UI get the RADIUS attributes available in the dropdown? It does not use the dictionary I added, it seems.

You need to edit the FreeRADIUS dictionary, then you need to run ./addons/dev-helpers/bin/generator-radius-attributes.sh to generate this dictionary in Perl (used by the PacketFence API).

erSitzt commented 4 years ago

Thanks I will try that

erSitzt commented 4 years ago

I guess a full "dev" setup is needed then?

erSitzt commented 4 years ago

And to get back to the topic of this issue, what needs to be done to add support for the current Aruba/HP dictionary? Do you add it as an extra file in raddb, or are the attributes added somewhere in a master file?

nqb commented 4 years ago

> I guess a full "dev" setup is needed then?

Normally, you can run the following commands on a PF server:

# install golang environment
make -C /usr/local/pf/go go-env

# get golang dependencies
go get github.com/inverse-inc/go-radius/dictionary

# generate RADIUS attributes
/usr/local/pf/addons/dev-helpers/bin/generator-radius-attributes.sh

nqb commented 4 years ago

> And to get back to the topic of this issue, what needs to be done to add support for the current Aruba/HP dictionary?

What is your exact issue?

> Do you add it as an extra file in raddb, or are the attributes added somewhere in a master file?

It seems that all dictionary files under /usr/share/freeradius will be read by generator-radius-attributes.sh.

I'm not sure if the paths and the script will correctly work on Debian.

erSitzt commented 4 years ago

The attributes posted by @horsitis are not available by default in PacketFence, and HP-User-Role should be added, because it's the attribute used by all current HPE Aruba Switches.

I'll try setting up the go env

erSitzt commented 4 years ago

It only reads /usr/local/pf/lib/pf/util/combined_dictionary which includes /usr/local/pf/raddb/dictionary.inverse

Is there a reason for not using /usr/local/pf/raddb/dictionary, which in turn has the following include where I added the HP stuff:

$INCLUDE    /usr/local/pf/raddb/dictionary.inverse
$INCLUDE    /usr/local/pf/raddb/dictionary.hp
#ATTRIBUTE      My-Local-String         3000    string
#ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
#ATTRIBUTE      My-Local-Integer        3002    integer
ATTRIBUTE       AD-Samaccountname       3003    string

I hope I don't annoy anyone :) I'm just trying to figure out the correct way to support Aruba 2920/2930 Switches, as I have lots of them and I want to stay as close to a standard installation of PF as possible ;)

nqb commented 4 years ago

The combined dictionary should include all FreeRADIUS dictionaries:

https://github.com/inverse-inc/packetfence/blob/e736ce57aebf93b6eb43c843995ecfb5610db895/lib/pf/util/combined_dictionary.

What is the content of /usr/local/pf/lib/pf/util/combined_dictionary on your setup?

erSitzt commented 4 years ago

...forget it, now I see it... I'm stupid :)

All default FreeRADIUS dictionaries are included, but the FreeRADIUS version on Debian 9 doesn't seem to include the PR with the updated HP attributes...

sorry

nqb commented 4 years ago

> All default FreeRADIUS dictionaries are included, but the FreeRADIUS version on Debian 9 doesn't seem to include the PR with the updated HP attributes...

The 2nd PR mentioned in this issue has been merged, but in the latest release of FreeRADIUS (3.0.21) provided with PacketFence 10.1.0, the file doesn't contain this change. It seems to have been replaced by:

ATTRIBUTE   HP-CPPM-Role                27  string

erSitzt commented 4 years ago

HP-CPPM-Role is not a replacement; it is for downloadable user roles. Roles are then not defined locally on the switch, but in ClearPass, from where they get downloaded.

Both are supported.

erSitzt commented 4 years ago

ATTRIBUTE   HP-User-Role                25  string
ATTRIBUTE   HP-Management-Protocol          26  integer
ATTRIBUTE   HP-CPPM-Role                27  string

erSitzt commented 4 years ago

still there
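The two technical points in this thread, the `Attr-26.11.25 = 0x6775657374` line in the Access-Accept posted earlier and the HP dictionary entries quoted just above, can be checked end to end with a small script. The following is an added example and is not PacketFence or FreeRADIUS code: it parses constructed FreeRADIUS-style dictionary text (including a `$INCLUDE`, a `VENDOR HP 11` line and the three HP attributes), maps the raw `Attr-26.<vendor>.<type>` label to its dictionary name, decodes the hex value, and builds and parses the Vendor-Specific attribute (RFC 2865 type 26) on the wire. The "old" dictionary is likewise constructed to stand in for a FreeRADIUS build that predates the HP-User-Role entry, which is the situation erSitzt hit on Debian 9; all file names and contents here are assumptions, not the project's own files.

```python
"""Added example: FreeRADIUS-style dictionary lookup and HP-User-Role VSA encoding."""
import re
import struct

# Constructed dictionary files (not the project's own). "dictionary.hp" mirrors
# the three HP attributes quoted in the thread under vendor id 11.
DICT_FILES = {
    "dictionary": "# top-level file, as in raddb\n$INCLUDE dictionary.hp\n",
    "dictionary.hp": (
        "VENDOR      HP      11\n"
        "BEGIN-VENDOR HP\n"
        "ATTRIBUTE   HP-User-Role            25  string\n"
        "ATTRIBUTE   HP-Management-Protocol  26  integer\n"
        "ATTRIBUTE   HP-CPPM-Role            27  string\n"
        "END-VENDOR  HP\n"
    ),
}

# Constructed "older" dictionary lacking HP-User-Role, standing in for the
# FreeRADIUS shipped on Debian 9 as described in the thread.
OLD_DICT_FILES = {
    "dictionary": (
        "VENDOR HP 11\nBEGIN-VENDOR HP\n"
        "ATTRIBUTE HP-Management-Protocol 26 integer\nEND-VENDOR HP\n"
    ),
}


def parse_dictionary(files, root="dictionary"):
    """Return ({(vendor_id, attr_num): (name, type)}, {vendor_name: vendor_id}).

    Follows $INCLUDE, VENDOR, BEGIN-VENDOR/END-VENDOR and ATTRIBUTE lines;
    attributes outside a vendor block get vendor id 0 (standard RADIUS).
    """
    attrs, vendors = {}, {}

    def load(name, current_vendor):
        for raw in files[name].splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            parts = line.split()
            kw = parts[0].upper()
            if kw == "$INCLUDE":
                load(parts[1], current_vendor)
            elif kw == "VENDOR":
                vendors[parts[1]] = int(parts[2], 0)
            elif kw == "BEGIN-VENDOR":
                current_vendor = vendors[parts[1]]
            elif kw == "END-VENDOR":
                current_vendor = 0
            elif kw == "ATTRIBUTE":
                attrs[(current_vendor, int(parts[2], 0))] = (parts[1], parts[3])

    load(root, 0)
    return attrs, vendors


def missing_attributes(attrs, wanted):
    """Names from `wanted` that the parsed dictionary does not define."""
    known = {name for name, _ in attrs.values()}
    return [n for n in wanted if n not in known]


ATTR_KEY = re.compile(r"^Attr-26\.(\d+)\.(\d+)$")


def resolve_vsa_name(attr_key, attrs):
    """Map a raw 'Attr-26.<vendor>.<type>' label to its dictionary name, or None."""
    m = ATTR_KEY.match(attr_key)
    if not m:
        return None
    entry = attrs.get((int(m.group(1)), int(m.group(2))))
    return entry[0] if entry else None


def decode_value(hex_text, attr_type):
    """Decode a '0x...' value as printed in the Access-Accept, per dictionary type."""
    raw = bytes.fromhex(hex_text[2:] if hex_text.startswith("0x") else hex_text)
    if attr_type == "string":
        return raw.decode("utf-8")
    if attr_type == "integer":
        return int.from_bytes(raw, "big")
    return raw


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific: type 26, length, 4-byte vendor id, then one
    vendor sub-attribute (type, length, value). Whole attribute fits in 255 bytes."""
    if len(value) > 247:
        raise ValueError("VSA value too long for one attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub


def decode_vsa(data):
    """Inverse of encode_vsa; returns (vendor_id, vendor_type, value) or raises."""
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != 26 or length != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    sub_type, sub_len = struct.unpack("!BB", data[6:8])
    if sub_len != len(data) - 6:
        raise ValueError("vendor sub-attribute length mismatch")
    return vendor_id, sub_type, data[8:8 + sub_len - 2]


if __name__ == "__main__":
    attrs, vendors = parse_dictionary(DICT_FILES)
    name = resolve_vsa_name("Attr-26.11.25", attrs)
    print(name, "=", decode_value("0x6775657374", attrs[(11, 25)][1]))
    print("wire:", encode_vsa(vendors["HP"], 25, b"guest").hex())
    old_attrs, _ = parse_dictionary(OLD_DICT_FILES)
    print("missing in old dictionary:",
          missing_attributes(old_attrs, ["HP-User-Role", "HP-CPPM-Role"]))
```

Running `missing_attributes` against the dictionary actually installed on a PacketFence host is the quick way to confirm whether the FreeRADIUS build in use knows `HP-User-Role` before editing switch templates; the VSA encoder shows exactly the 13 bytes that carry the `guest` role seen in the capture.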

nqb commented 4 years ago

Yes, the 2nd pull request added HPE-CPPM-Role, not HP-CPPM-Role.

The last thing I can tell on this issue is that I'm able to create a switch template using all the RADIUS attributes you mentioned in https://github.com/inverse-inc/packetfence/issues/3842#issuecomment-646011075 on v10.1.0 using CentOS 7 (not tested on Debian Stretch).

erSitzt commented 4 years ago

After

I can now select the attribute in the Switch Template UI

I guess this issue can be closed, as it is/was only related to the older version of FreeRADIUS on Debian?

nqb commented 4 years ago

Thanks for your feedback @erSitzt.

Yes, and as I mentioned, @fdurand bumped the FreeRADIUS version to 3.0.21 for the 10.1.0 release. So the issue has been fixed in v10.1.0.