topic Re: checking ldap user and radius attribute on NAC Authentication in ExtremeControl

checking ldap user and radius attribute on NAC Authentication

PeterK — Mon, 11 Jan 2021 22:34:12 GMT

Hi,

I’m currently on a migration process from Microsoft NPS to Extreme Control.

We have a Cisco ASA as VPN-Gateway.

I will authenticate VPN-Users and Mgmt-Logins.

In the past we separate this with different “called-station-id” values.

Can I realize this with NAC? AFAIK I can’t check/match LDAP-Criteria (LDAP-User-Group) and Radius-Attribute (Radius-User-Group) at the same time.

Or Is there a way to realize this?

Re: checking ldap user and radius attribute on NAC Authentication

Miguel-Angel_RO — Mon, 11 Jan 2021 22:40:09 GMT

PeterK,

Here a screenshot on how I manage Mgmt logins on Control for ERS/VSP switches.

For the VPN users, you can validate them on the location (originated on the VPN concentrator and User-Groups).

Regards

Mig

Re: checking ldap user and radius attribute on NAC Authentication

PeterK — Mon, 11 Jan 2021 23:12:43 GMT

Hi Mig,

thanks for your answer, but this does not really helps.

Mgmt-Login for XOS Switches is no problem.

I will authenticate users for vpn-login und mgmt-login from Cisco ASA.

So, the source-IP is the same. So I need something to select. In the ASA we have different values which are send in Radius Request as called-station-id to the NAC.

Re: checking ldap user and radius attribute on NAC Authentication

Miguel-Angel_RO — Mon, 11 Jan 2021 23:22:15 GMT

Hi Peter,

Something is still unclear.

You want to

Authenticate VPN users with authentication requests coming from the ASA
Authenticate admin users loging into ASA?

If 2 is correct, the authentication request will be different in terms of inbound radius attributes and should be treated as such by Control.

Here an abstract of the event log of Control for a login on the switches:

This is an administrative request because Calling-Station-Id is not present

What attributes and values are you checking on your existing system?

Mig

Re: checking ldap user and radius attribute on NAC Authentication

PeterK — Mon, 11 Jan 2021 23:28:54 GMT

Hi Mig,

thanks for your answer.

I will have both 1 and 2 (not at the same time).

On the current NPS I check:

NAS-IP (in both cases the same)
the ldap-user-group (different groups, but a user can be member of both groups
called-station-id (in case of VPN - value is WAN-IP; in case of mgmt its LAN-IP)

But in general, can I check/match/validate LDAP and Radius Information from Radius-Request at the same time?

Re: checking ldap user and radius attribute on NAC Authentication

Miguel-Angel_RO — Mon, 11 Jan 2021 23:35:39 GMT

Hi Peter,

I don’t think you can match both at the same time because they are both “User-Group” type.

Can you set an empty called-station-id instead of LAN-IP?

If so, Control will treat this as management access

Mig

Re: checking ldap user and radius attribute on NAC Authentication

Tomasz — Tue, 12 Jan 2021 22:47:37 GMT

Hi Mig, Peter,

just thinking loud, I suspect it would be possible to use User Group with LDAP/RADIUS lookups and End-System Group with LDAP lookups configured in a way that still a user is looked up…?

Hope that helps,

Tomasz

Re: checking ldap user and radius attribute on NAC Authentication

PeterK — Wed, 13 Jan 2021 03:56:24 GMT

Hi Tomasz,

thanks for that idea.

That would be a very dirty workaround, but it should work.

I will test this. I’m excited how that will look in End-System View.

Re: checking ldap user and radius attribute on NAC Authentication

Tomasz — Wed, 13 Jan 2021 04:58:19 GMT

Hi Peter,

This idea came to my mind as in the past there were some issues with LDAP Configuration having both user and computer lookup settings and for computer authentication a separate LDAP Configuration had to be made, with computer-specific attributes and object type in user lookup fields. I don’t remember why it was so, but if it worked, the opposite should also work. Labels are just labels. 😉

Cheers,

Tomasz