SG500 Framed-IP-Address RADIUS

I am trying to set up a wired and wireless RADIUS-based SSO using 802.1X across Aruba IAP-215-US APs, Cisco SG500-52P switches, WatchGuard M400 firewalls, and NPS on a Windows Server 2012 R2 box.
I have successfully configured the actual authentication for both wired and wireless connections and have it correctly authenticating to NPS.
For WatchGuard's RADIUS SSO to function, it expects the "User-Name" and "Framed-IP-Address" attributes to be sent in the accounting message being forwarded to it. For the Aruba APs this works correctly and I can see the 2 attributes in Wireshark going from the AP to the NPS and then from the NPS to the WatchGuard, where it shows the authenticated user. For the SG500 I only see the "User-Name" attribute going from the switch to the NPS and then to the WatchGuard. I am using the same DHCP server across the 2 mediums; it's just a bench test for now.
I have tried enabling DHCP snooping and ARP inspection, and the IP successfully shows up in the DHCP snooping bindings table, as is suggested by some of their docs, but I cannot get it to send the "Framed-IP-Address" to the NPS in its accounting message.
Does anyone have any ideas or experience on how to get that attribute to show up in accounting for DHCP-assigned addresses?
Thanks in advance for any help or advice.

Do you have a controller for the APs or are you using them in autonomous mode?

(Note: I don't know much about the Aruba APs, but I'm assuming they're similar to HP APs.)

The Arubas are being used with their virtual controller. Funny thing is the Arubas work correctly. They send the User-Name and Framed-IP-Address attributes to the WatchGuard and the authenticated user (authenticated to the Aruba) shows up in the WatchGuard interface. It is the SG500 switch that is not properly sending the Framed-IP-Address in its accounting message, though it does send the User-Name attribute.

Yeah, I saw they were sending; I was just curious, as I had a huge amount of headache getting my HP APs to get RADIUS working correctly. I didn't have time to troubleshoot it much at the time, so I ended up just throwing things against the wall to see what stuck.

If you remove the switch from the variable (i.e. use some dummy non-managed L2 switch) does this work?

Also this may be useful if you haven't read up on it yet:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/15-s/sec-usr-radatt-15-s-book/sec-rad-8-accss-req.html#GUID-D235E5AB-5C88-45DA-9E5F-0987D30C2A8D

It may be that the device isn't set up to receive the message, so it can't send it on.

So I was able to give that command a try today, but no luck. Looking at the CLI guide for the SG500, I cannot find it there either. It seems that the SG500 uses a sub-variant of Cisco's full IOS command set.
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf

I just find it hard to believe that something as minor as sending the IP of the authenticated host is something they would intentionally remove from the switch's RADIUS support when they want to market it as 802.1X compatible.

I'm going to keep digging and pushing to see if something gets it to send that attribute.

Thanks for all the effort and help. I recently signed up for a forum account, and it was cool to see what a great community this is.

There's a ton of folks much more intelligent than myself who can help with most issues you may have. I work in a Cisco environment now, but I don't have much hands-on experience dealing with Cisco switching devices in depth (I'm limited to firewalls and APs), so I can't help you too much beyond where we're at now.

I'll ask one of our Cisco guys next time I see them to see if they may know something, but this seems like a pretty odd issue. You may want to head over to Spiceworks and ask.

Appreciated, and great suggestion; I will x-post there.

1 Like

Just as a reference in case anyone finds this post.

X-Post here: https://community.spiceworks.com/topic/1953468-sg500-framed-ip-address-radius?from_forum=7

So after a lot of digging, and taking a closer look at the CLI guide, according to section 5.13 it looks like the SG500 just does not send interim RADIUS messages of any kind.
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
Since DHCP occurs after the Start message, the Framed-IP-Address would normally be sent in the interim update (perhaps with some DHCP snooping required). As it does not send this update, it will never send that attribute.
Seems like a shame they left that feature out, and someone please gladly correct me if I am wrong.

1 Like
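
As an added example, not part of the original thread and not code from Cisco, WatchGuard or NPS, the Python below shows on the wire what the poster was comparing in Wireshark: it builds two constructed Accounting-Request packets, an Accounting-Start that carries only User-Name and an Interim-Update that also carries Framed-IP-Address, decodes the attributes a RADIUS-SSO consumer needs, and verifies the RFC 2866 Request Authenticator before trusting the user-to-IP mapping. The shared secret, username, NAS address and client address are assumed values chosen for the example.

```python
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)

# Attribute types from RFC 2865 / RFC 2866
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

SHARED_SECRET = b"bench-secret"  # assumed secret for the constructed packets below

def attr(type_code, value):
    """Encode one attribute: type (1), length (1, includes the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", type_code, len(value) + 2) + value

def build_accounting_request(identifier, attributes, secret):
    """Accounting-Request whose Request Authenticator is, per RFC 2866 section 3,
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_accounting_authenticator(packet, secret):
    """Recompute the Request Authenticator; a mismatch means a wrong secret or a modified packet."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == received

def parse_accounting_request(packet):
    """Decode the header and the attributes a RADIUS-SSO consumer cares about."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[offset:offset + 2])
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, offset))
        value = packet[offset + 2:offset + alen]
        if atype == USER_NAME:
            attrs["User-Name"] = value.decode("utf-8", "replace")
        elif atype in (FRAMED_IP_ADDRESS, NAS_IP_ADDRESS):
            if len(value) != 4:
                raise ValueError("attribute %d must carry exactly 4 octets" % atype)
            name = "Framed-IP-Address" if atype == FRAMED_IP_ADDRESS else "NAS-IP-Address"
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE:
            if len(value) != 4:
                raise ValueError("Acct-Status-Type must be a 4-octet integer")
            status = struct.unpack("!I", value)[0]
            attrs["Acct-Status-Type"] = ACCT_STATUS_NAMES.get(status, str(status))
        elif atype == ACCT_SESSION_ID:
            attrs["Acct-Session-Id"] = value.decode("ascii", "replace")
        offset += alen
    return {"identifier": identifier, "attributes": attrs}

def sso_mapping(packet, secret):
    """The (user, ip) pair an SSO consumer can derive from one packet, or None when
    Framed-IP-Address is absent, as in the Start-only accounting the poster observed."""
    if not verify_accounting_authenticator(packet, secret):
        raise ValueError("Request Authenticator mismatch; discard packet")
    attrs = parse_accounting_request(packet)["attributes"]
    if "User-Name" not in attrs or "Framed-IP-Address" not in attrs:
        return None
    return (attrs["User-Name"], attrs["Framed-IP-Address"])

# Constructed sample packets; names and addresses are assumed, not from the thread.
START_ONLY_USERNAME = build_accounting_request(1, [
    attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    attr(USER_NAME, b"CORP\\jdoe"),
    attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.2").packed),
    attr(ACCT_SESSION_ID, b"0000001A"),
], SHARED_SECRET)

INTERIM_WITH_IP = build_accounting_request(2, [
    attr(ACCT_STATUS_TYPE, struct.pack("!I", 3)),
    attr(USER_NAME, b"CORP\\jdoe"),
    attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.57").packed),
    attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.2").packed),
    attr(ACCT_SESSION_ID, b"0000001A"),
], SHARED_SECRET)

if __name__ == "__main__":
    for label, pkt in (("Start", START_ONLY_USERNAME), ("Interim-Update", INTERIM_WITH_IP)):
        print(label, parse_accounting_request(pkt)["attributes"], "->", sso_mapping(pkt, SHARED_SECRET))
```

Running it prints the Start packet with no Framed-IP-Address and no SSO mapping, and the Interim-Update with the address and the resulting (user, ip) pair, which is exactly the difference between the Aruba and SG500 captures described in the thread. The authenticator check matters because an SSO consumer that maps users to IPs from unauthenticated accounting packets can be fed forged mappings by anyone who can reach the RADIUS port.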

Do the switch and DHCP server sync time over NTP? It's important for the snooping database on the switch.

I did not have the switch syncing with the DC that was doing the DHCP. I can give that a try though; I still have it set up on the bench. The snooping table was getting populated correctly though, so even though there were entries in the table, I never saw the accounting message go through with the IP when using Wireshark.

I will give it a try later today and reply back with how it goes.

My experience is from setting up DHCP snooping with IPSG on Catalyst switches, but from what I recall it wouldn't work until I got NTP sync going, so I'd say it's worth trying, as it is the recommended setup.

No cigar?

Yep, no cigar. Thank you for the suggestion though. I have moved on to an agent-based approach, just using WatchGuard's SSO agent, to get the user-to-IP pairing needed to establish the user sessions in the firewall.

Not a huge deal, just a bit less elegant than using built-in methods and handling the session creation on the network side.