cnMaestro RADIUS client bug Re: NAS-IP-Address attribute

'lo all,

1) I feel stupid for asking this, but what is the official mechanism for filing software bugs with the good folk at Cambium (regardless of product)?

2) Speaking of, I've got a cnMaestro bug to report:

We have a need to configure our RADIUS servers for employee AAA to distinguish between cnMaestro and all other clients, because some gear on our network does not appreciate seeing the unofficial and non-vendor-specific RADIUS attribute 209 "Role" that cnMaestro requires in the Access-Accept reply.

(As an aside, although I agree that the other network gear should respond to the presence of Attribute 209 gracefully, I also believe that using unused AVP IDs in the general namespace without permission of the appropriate standards bodies, rather than either distributing a vendor-specific RADIUS dictionary or allowing the user to configure which attribute the client should key off of for login "roles", is an abuse of the standards and should be corrected by Cambium in a future version of cnMaestro, though I digress...)

The most straightforward way of identifying our cnMaestro On-Premise instance to our RADIUS servers is by looking at the RADIUS check attribute "NAS-IP-Address".  This attribute *should* contain the IP of the *NAS*, which in this case would be the IP address of the host that cnMaestro runs on.  However, cnMaestro sets "NAS-IP-Address" to be the IP address of the RADIUS server!  This is nonsensical.  RFC2865 says: "This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user."  This means "NAS-IP-Address" should contain the IP address of the RADIUS client, not the server.

Thanks,

-- Nathan

Hi Nathan,

Thanks for the feedback. The issue is already fixed and will be available as part of the next cnMaestro release.

Thanks,

KR.


Good to hear!!  Thanks!

-- Nathan

This is still not properly solved.  I just updated to 1.6.3, and now instead of fixing NAS-IP-Address so that it contains the IP address of the cnMaestro server rather than that of the RADIUS server, NAS-IP-Address is simply not transmitted at all by cnMaestro!!!

RFC2865 is explicitly clear that "either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet."  cnMaestro 1.6.2 sent NAS-IP-Address, but it just did so with the wrong information.  Now, however, 1.6.3 transmits neither NAS-IP-Address nor NAS-Identifier to the server, even though *one or the other should be present* according to the standard.

I'm not sure why eliminating the NAS-IP-Address attribute during Access-Request, instead of simply correcting the value that it sent, was considered an acceptable fix.

-- Nathan

Hi Nathan,

Thanks for the information. We will have a look and fix it in the 1.6.4 patch release.

Rupam

Nathan,

 

We have prioritized the fix and are planning to release a new 1.6.3 On-Premises build containing this fix. While going through the RFC, we also observed that it talks about NAS-Port or NAS-Port-Type. So we just wanted to know how relevant this information is when cnMaestro is the NAS.

Here is the excerpt from RFC-2865 highlighting this attribute:

 

An Access-Request SHOULD contain a User-Name attribute.  It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both).

An Access-Request MUST contain either a User-Password or a CHAP-Password or a State.  An Access-Request MUST NOT contain both a User-Password and a CHAP-Password.  If future extensions allow other kinds of authentication information to be conveyed, the attribute for that can be used in an Access-Request instead of User-Password or CHAP-Password.

An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.

 

Thanks,

Ajay
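
Added example, not part of any post in this thread and not Cambium code: a Python check of a raw Access-Request against the RFC 2865 rules quoted above, which also flags the NAS-IP-Address faults reported in this thread. The server address, sample packets and function names are constructed for illustration.

```python
import ipaddress
import struct

# Attribute type numbers assigned in RFC 2865
USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, STATE, NAS_IDENTIFIER = 2, 3, 4, 24, 32

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} from a raw RADIUS packet (the UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def check_access_request(packet: bytes, server_ip: str) -> list:
    """List violations of the quoted RFC 2865 rules and the NAS-IP-Address faults from the thread."""
    a = parse_attributes(packet)
    if packet[0] != 1:  # Code 1 = Access-Request
        raise ValueError("not an Access-Request")
    problems = []
    if NAS_IP_ADDRESS not in a and NAS_IDENTIFIER not in a:
        problems.append("neither NAS-IP-Address nor NAS-Identifier present")
    if not (USER_PASSWORD in a or CHAP_PASSWORD in a or STATE in a):
        problems.append("no User-Password, CHAP-Password or State")
    if USER_PASSWORD in a and CHAP_PASSWORD in a:
        problems.append("both User-Password and CHAP-Password present")
    for raw in a.get(NAS_IP_ADDRESS, []):
        if len(raw) != 4:
            problems.append("NAS-IP-Address is not 4 octets")
        elif raw == ipaddress.IPv4Address(server_ip).packed:
            problems.append("NAS-IP-Address equals the RADIUS server address")
        elif raw == bytes(4):
            problems.append("NAS-IP-Address is 0.0.0.0")
    return problems

def build_packet(code: int, attrs: list) -> bytes:
    """Build constructed sample input: zeroed authenticator, attributes as given."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SERVER = "192.0.2.10"  # constructed address (documentation range)
BASE = [(1, b"Test"), (USER_PASSWORD, bytes(16))]  # User-Name plus placeholder password bytes
WRONG_VALUE = build_packet(1, BASE + [(NAS_IP_ADDRESS, ipaddress.IPv4Address(SERVER).packed)])
MISSING = build_packet(1, BASE)
```

`WRONG_VALUE` models the behaviour described for 1.6.2 and `MISSING` the behaviour described for 1.6.3; pass the UDP payload of a captured packet to `check_access_request` to run the same checks on real traffic.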

Hi! Was this issue solved? I have read the Release Notes of version 1.6.3 and they do not mention this.

I have a cnMaestro on Premise in Cloud and the Accounting Request packets are not sending the necessary NAS-IP-Address attribute properly. They just send the 0.0.0.0 address:

4/1/2019 17:38:37 PM RADIUS Accounting transaction
Client address ["cnMaestro_Public_IP"]
NAS address [0.0.0.0]
UniqueID=771
Realm = (null)
User = Test
Code = Accounting request
ID = 1
Length = 311

Hi there, can anyone from Cambium give support on this issue? Is the cnMaestro giving the Nas-IP-address info correctly?

Even if the AP associated to that cnMaestro has a valid IP, the cnMaestro is sending all the Accounting messages with the Nas-IP-Address=0.0.0.0

This matter is getting urgent. Thanks in advance.

Hi,

I am assuming that you are using the RADIUS Proxy feature available in the On-Premises version. The earlier issue was related to an incorrect NAS IP address for cnMaestro while authenticating cnMaestro users with an external RADIUS authentication server. It looks like the current issue is related to wireless clients being authenticated through an external RADIUS server while associating with cnPilot APs? Please confirm.

Thanks,

Ajay

Dear Ajay,

Exactly, I confirm that we are using a cnMaestro on Premise with the Radius proxy feature enabled. We need this feature because our external Radius Server has a firewall and should receive the Radius packets just from the Wireless controller's IP address, not from the AP's IP addresses.

We are trying to use the RADIUS CoA with the APs, but for that purpose we need to receive the attribute NAS-IP-Address correctly, and we receive 0.0.0.0 in the Radius messages as attached below.

Thanks in advance for your help.



What is the firmware version on the APs?

Also, is your network using RADIUS for guest access authentication, WPA2-Enterprise or for MAC-authentication?

Hi,

Version of the AP: 3.10-r6

Model of the AP: cnPilot E410

Version of the cnMaestro on-Premise Controller: 2.1.0r22

We are using external RADIUS for Guest Access Authentication with an External Captive Portal. Radius is Proxied through cnMaestro on Premises running on a VM on AZURE.

Regards,

Hi,

As per the RADIUS RFC, the "NAS IP Address is only used in Access Requests packets". We are not sending the NAS IP attribute in the Accounting packets when the AP RADIUS configuration is in proxy mode through cnMaestro. I believe your transaction log is dumping some local variables which were supposed to be set after parsing RADIUS attributes, and as no NAS IP attribute was provided it's showing as "0.0.0.0". If you take a packet capture of the RADIUS packets received on your RADIUS server, then you would see the absence of the NAS IP attribute in it.

Thanks,

Kunal