RADIUS Attribute Issues regarding RFC5580 (Operator-Name and others) with several RADIUS servers (including Microsoft IAS and NPS)



Similar documents
Microsoft IAS Configuration for RADIUS Authorization

Microsoft IAS and NPS Agent Configuration Guide

Using RADIUS Agent for Transparent User Identification

netld External Authentication Setup Guide

Using Windows NPS as RADIUS in eduroam

The safer, easier way to help you pass any IT exams. Exam : Administering Windows Server Title : Version : V16.

Remote Access Technical Guide To Setting up RADIUS

IDENTITY MANAGEMENT OF USERS IN eduroam

freeradius A High Performance, Open Source, Pluggable, Scalable (but somewhat complex) RADIUS Server Aurélien Geron, Wifirst, January 7th 2011

WiNG 4.X / WiNG 5.X RADIUS Attributes

FreeRADIUS server. Defining clients Access Points and RADIUS servers

Belnet Networking Conference 2013

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Application Note. Using a Windows NT Domain / Active Directory for User Authentication NetScreen Devices 8/15/02 Jay Ratford Version 1.

Changing Your Cameleon Server IP

RWL Tech Note Wireless 802.1x Authentication with Windows NPS

Cisco ASA Authentication QUICKStart Guide

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Configure your firewall for administrative access via RADIUS authentication

HOTPin Integration Guide: DirectAccess

Parallels Plesk Panel

Active Directory integration with CloudByte ElastiStor

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

FreeRADIUS Install and Configuration. Joel Jaeggli 05/04/2006

RadSec RADIUS improved. Stig Venaas

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Strong Authentication for Cisco ASA 5500 Series

Configuring the Palo Alto Firewall for use with Juniper Steel-Belted RADIUS.

Reference and Troubleshooting: FTP, IIS, and Firewall Information

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations

Exchange Server Backup and Restore

Simple Installation of freeradius

Tenrox and Microsoft Dynamics CRM Integration Guide

FortiGate RADIUS Single Sign-On (RSSO) with Windows Server 2008 Network Policy Server (NPS) VERSION 5.2.3

Configuring Microsoft RADIUS Server and Gx000 Authentication. Configuration Notes. Revision 1.0 February 6, 2003

DC Agent Troubleshooting

Identikey Server Getting Started Guide 3.1

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Exceed ondemand. Configuring LDAP. Technical Note. April Abstract

Juniper SSL VPN Authentication QUICKStart Guide

3 Setting up Databases on a Microsoft SQL 7.0 Server

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

Digipass Plug-In for IAS troubleshooting guide. Creation date: 15/03/2007 Last Review: 24/09/2007 Revision number: 3

Splunk Log Management

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

ICE for Eclipse. Release 9.0.1

Installing LearningBay Enterprise Part 2

Your Question. Net Report Answer

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

How to Obtain an APNs Certificate for CA MDM

NAS 322 Connecting Your NAS to a VPN

Eduroam wireless network - Windows 7

Application Note 8: TrendView Recorders DCOM Settings and Firewall Plus DCOM Settings for Trendview Historian Server

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

FieldIT Limited FieldIT CRM. Installation Manual v1.3.i3 (Enterprise Install)

Running eduroam on NPS with Windows 2008 R2 Enterprise

Configuring a Windows 2003 Server for IAS

Network Access Security It's Broke, Now What? June 15, 2010

FTP, IIS, and Firewall Reference and Troubleshooting

Configuring RADIUS Server Support for Switch Services

SafeNet Authentication Service

TIGERPAW EXCHANGE INTEGRATOR SETUP GUIDE V3.6.0 August 26, 2015

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

1 of 10 1/31/2014 4:08 PM

Ascend Interface Service Installation

Chapters. Prerequisites: Eduroam in a Microsoft Windows 2008r2 environment.

If you have questions or find errors in the guide, please, contact us under the following address:

CTERA Agent for Linux

How to configure MAC authentication on a ProCurve switch

Getting Started With Delegated Administration

CTERA Agent for Mac OS-X

Sage 200 Web Time & Expenses Guide

Eduroam wireless network Apple Mac OSX 10.5

EMR Link Server Interface Installation

Orientation Course - Lab Manual

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Using Windows 2008 RADIUS Authentication with Tripp Lite SNMPWEBCARD

Managing User Accounts

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

Chapter 3 Authenticating Users

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Charter Business Phone. Online Control Panel Getting Started Guide. Document Version 1.0

Routing and Remote Access Service

IBM Connections Plug-In for Microsoft Outlook Installation Help

Configuring Global Protect SSL VPN with a user-defined port

Pulse Policy Secure. RADIUS Server Management Guide. Product Release 5.1. Document Revision 1.0. Published:

RSA Event Source Configuration Guide. McAfee Database Security

To install the SMTP service:

WHITE PAPER Citrix Secure Gateway Startup Guide

Citrix Netscaler Advanced guide for SMS PASSCODE SMS PASSCODE 2014

Basic SQL Server operations

EventSentry Overview. Part I Introduction 1 Part II Setting up SQL 2008 R2 Express 2. Part III Setting up IIS 9. Part IV Installing EventSentry 11

Transparent Identification of Users

Ingenious Testcraft Technical Documentation Installation Guide

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Transcription:

RADIUS Attribute Issues regarding RFC5580 (Operator-Name and others) with several RADIUS servers (including Microsoft IAS and NPS) The advisory is based on the JANET Roaming Service Advisory (Operator-Name RADIUS Attribute Issues with MS IAS and NPS) issued in November 2010. Background A growing number of eduroam Service Providers are including the Operator-Name RADIUS attribute when sending Access-Request authentication packets to their federation-level RADIUS servers (FLR) for forwarding to the user's responsible eduroam Identity Provider. Operator-Name is a standard RFC5580 RADIUS attribute and can uniquely identify the owner of an access network (e.g. the Service Provider realm name). Including it in the Access-Request is encouraged because this greatly assists in user support given by the eduroam Identity Provider. Being able to identify entries in the RADIUS logs relating to the Service Provider where the user is located helps when inspecting logs during routine problem identification analysis or for real-time troubleshooting a specific problem for a user. Issue A problem has been identified with Microsoft IAS (Internet Authentication Service) on Windows Server 2003 and NPS (Network Policy Server) on Windows Server 2008. It is possible that all Access-Requests containing RFC5580 attributes will be dropped if IAS and NPS have been misconfigured to set the type of client incorrectly to Ascend Communications (the setting's name is RADIUS Clients Vendor Name in IAS and Client Vendor type in NPS). In the case of IAS (additional to the configuration change), a dictionary file fix also needs to be applied for RFC5580 attributes. This problem means that if you are an eduroam Identity Provider using one of these Microsoft products, your users may not be able to gain network connection when visiting other eduroam sites. You are requested to check your IAS and NPS configurations as detailed below. In addition, regarding IAS you must carry out a simple database file modification. This issue is of concern because a user s inability to gain network connection when visiting other eduroam sites will only be detected if the user reports a problem and the Service Provider and Identity Provider begin an investigation; or if the events log is regularly inspected by the Identity Provider. Explanation of Problem Microsoft built into the IAS/NPS product the capability for it to be configured such that remote access policies can be based on the client vendor s attribute. In the RADIUS client s properties configuration window there is an option to select the Vendor Name (or in the case of IAS, Client-Vendor). This results in the relevant dictionary being loaded. The root of the problem is a naming clash between the values in IAS/NPS RADIUS attribute dictionaries and standard RFC 5580 usage. Operator-Name has a standard attribute number of 126 and is a string. Historically, 126 has also been used by other vendors (such as Ascend) for their own purposes.

Unfortunately, attribute 126 has ended up being defined as a 32 bit (4-character) integer in IAS/NPS dictionaries. After a dictionary containing a clashing entry for attribute 126 is loaded, Windows IAS/NPS expects a 4-octet integer value as a value of attribute 126. Sites sending Operator-Name as a string will most likely use a value of length other than 4. Upon receipt of such an attribute, Windows observes attribute definition mismatch and drops the RADIUS packet. The user s authentication attempt then fails and the Service Provider's RADIUS server receives nothing in return to explain why the attempt has failed. The NAS (AP) with which the user is associating may or may not get a response from the RADIUS server, depending on whether it has been configured to send Access-Reject when the proxied request times out. The user simply experiences a failed authentication attempt. However the problem can be identified by an entry in the Events log of the Identity Provider's RADIUS server (malformed radius packet received). MS NPS Check/Fix In the case of NPS, the conflicting attribute will not be enabled if RADIUS Standard has been selected as the Vendor Name. Attribute 126 will be correctly recognised and your eduroam Identity Provider will process Access-Requests containing Operator-Name. The solution for NPS in Win2008 is to check that the Vendor Name for your federation's FLR server is set to RADIUS Standard and not to Ascend Communications in NPS/RADIUS Clients and Servers/RADIUS Clients in the Server Manager configuration tree. Open Server Manager, navigate down Roles/Network Policy and Access Services/NPS/RADIUS Clients and Servers/RADIUS Clients. The RADIUS Clients pane displays the IP Address and Vendor Name (Device Manufacturer) that has been set. Device Manufacturer should be RADIUS Standard. Figure 1 shows configurations for the federation's FLR servers; roaming1 is incorrect and roaming0 is correct. Figure 1: Radius Clients configuration If the Device Manufacturer is not set to RADIUS Standard, right click on the client (e.g. the federation's FLR server roaming0) and select Properties. A dialogue box opens. Set Vendor name to RADIUS Standard, click OK and quit.

Figure 2: roaming1 Properties window MS IAS Fix In the case of IAS, even if the Client-Vendor name is correctly set in the client properties to RADIUS Standard, Access-Requests containing Operator-Name will be dropped. The solution is a little more involved and it is necessary to modify an IAS database file as follows. It is essential that MS IAS sites carry out this fix at the earliest opportunity. 1. Stop the IAS Service. 2. Make a backup copy of c:\windows\system32\ias\dnary.mdb. 3. Open c:\windows\system32\ias\dnary.mdb in MS Access. 4. Open the Attributes table. 5. Scroll down to attribute number 126. 6. Change the Name and Syntax columns to the values in Table 1. 7. : Close Access, and start IAS. Page 3 of 5

Attribute number Name Syntax 126 Operator-Name String Table 1: Name and syntax values The dnary.mdb file can be copied to another machine for editing if you do not have Access on your IAS server. Figure 3: MS IAS RADIUS Client Properties window Consequences The use of Operator-Name is fairly widespread in eduroam in Europe, and its use is endorsed in the eduroam community. Other RFC5580 attributes may also appear sporadically, depending on NAS equipment. An IAS/NPS misconfiguration can affect any given eduroam user whose Identity Provider has not fixed its IAS/NPS configuration. Consequently this MS IAS/NPR issue represents a significant problem. We request that you carry out the recommendations above at your earliest opportunity. Note: Once the above has been carried out, your system will be enabled to not deny service to your users when visiting organisations where Operator-Name insertion is implemented. For those system administrators who would like to implement Operator-Name insertion at their own site, regrettably (following extensive investigations), our conclusions are that neither IAS nor NPS can be configured to insert Operator-Name Page 4 of 5

themselves. Therefore you will not be able to add this valuable functionality using IAS/NPS. We will be addressing this issue with Microsoft. Other RADIUS Servers Attribute definition clashes are known to occur in many popular RADIUS servers. For some implementations, most notably Radiator, FreeRADIUS and radsecproxy, the clashes (if any) do not lead to as severe problems as with IAS and NPS. The only consequence observed so far is that the content of the Operator-Name attribute may become garbled. Besides IAS and NPS, the implementation Navis RADIUS is also known to be problematic. Instructions for fixing Navis RADIUS' dictionary are available on request. If you are using a RADIUS server implementation which is not mentioned in this advisory, we advise you to investigate the consequences of RFC5580 attributes and contact your federation operator, if necessary. Acknowledgements in Original Advisory Many thanks to James Hooper from the University of Bristol and Phil Mayers from Imperial College for identifying and providing a fix for this problem. https://www.wireless.bris.ac.uk/netcomms/ias-radius/ Acknowledgements Many thanks to Ed Wincott, JANET Roaming Service Manager, for making this advisory available to the whole eduroam community. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information