Re: 802.1x NAS-Port format on ProCurve 2600-PWR
Jeff Hilfiker
New Member

802.1x NAS-Port format on ProCurve 2600-PWR

I'm in need of deciphering what certain values are set to in the 802.1x packet. Particularly, the NAS-Port attribute. My radius packet looks like :

Framed-MTU = 1480
NAS-IP-Address = 192.168.5.25
NAS-Identifier = "ProCurve Switch 2600-8-PWR"
User-Name = "moe"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-1c-2e-54-47-80"
Calling-Station-Id = "00-1a-4b-6c-42-31"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"

I'm wondering what NAS-Port refers to. I'm assuming it maps directly to the ifIndex, but I wanted to make sure that it wasn't a dot1dIndex or some other such attribute as they can be different.

In my code, I need to map the port provided in the radius request to existing port models that are indexed by the ifIndex. That's why I want to be sure that is what this is referring to.

Thanks in advance!
Jeff Hilfiker
New Member

Re: 802.1x NAS-Port format on ProCurve 2600-PWR

Anyone have any idea? I'm in a jam here.
cenk sasmaztin
Honored Contributor
Solution

Re: 802.1x NAS-Port format on ProCurve 2600-PWR

Framed-MTU = 1480
This attribute indicates the maximum size of an IP packet that may be
transmitted over the wire between the Supplicant and the Authenticator.
IEEE 802.1X authenticators set this to the value corresponding to the
relevant 802 medium, and include it in the RADIUS Access-Request. For
EAP over IEEE 802 media, the Framed-MTU values (which do not include
LLC/SNAP overhead) and maximum frame length values (not including the
preamble) are as follows:

Media               Framed-MTU   Maximum Frame Length
==================  ===========  ====================
Ethernet            1500         1522
802.3               1500         1522
802.4               8174         8193
802.5 (4 Mbps)      4528         4550
802.5 (16 Mbps)     18173        18200
802.5 (100 Mb/s)    18173        18200

----------------------------------------------------------------------

NAS-IP-Address = 192.168.5.25
For use with IEEE 802.1X, the NAS-IP-Address contains the IPv4 address
of the bridge or Access Point acting as an Authenticator. If the IEEE
802.1X authenticator has more than one interface, it may be desirable to
use a loopback address for this purpose so that the Authenticator will
still be reachable even if one of the interfaces were to fail.

-----------------------------------------------------------------------
NAS-Identifier = "ProCurve Switch 2600-8-PWR"
This attribute contains a string identifying the IEEE 802.1X
Authenticator originating the Access-Request.
------------------------------------------------------------------------
User-Name = "moe"

In IEEE 802.1X, the supplicant typically provides its identity via an
EAP-Response/Identity message. Where available, the supplicant identity
is included in the User-Name attribute, and included in the RADIUS
Access-Request and Access-Reply messages as specified in [4].

Alternatively, where Service-Type=Call Check, the User-Name attribute
contains the Calling-Station-ID value, which is set to the Supplicant
MAC address.
----------------------------------------------------------------------
Service-Type = Framed-User
For use with IEEE 802.1X, only the Framed (2), Authenticate Only (8),
and Call Check (10) values have meaning.
---------------------------------------------------------------------
Framed-Protocol = PPP
Since there is no value for 802 media, the Framed-Protocol attribute is
not used by IEEE 802.1X authenticators.
----------------------------------------------------------------------
NAS-Port = 3
For use with IEEE 802.1X, NAS-Port-Type values of Ethernet (15) Wireless
- IEEE 802.11 (19), Token Ring (20) and FDDI (21) may be used.
------------------------------------------------------------------------
NAS-Port-Type = Ethernet
For use with IEEE 802.1X, NAS-Port-Type values of Ethernet (15) Wireless
- IEEE 802.11 (19), Token Ring (20) and FDDI (21) may be used.
------------------------------------------------------------------------

NAS-Port-Id = "3"
This attribute is used to identify the IEEE 802.1X Authenticator port
which authenticates the Supplicant. The NAS-Port-Id differs from the
NAS-Port in that it is a string of variable length whereas the NAS-Port
is a 4-octet value.
------------------------------------------------------------------------
Called-Station-Id = "00-1c-2e-54-47-80"
For IEEE 802.1X authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format, with octet values
separated by a "-". Example: "00-10-A4-23-19-C0".
Calling-Station-Id = "00-1a-4b-6c-42-31"
-------------------------------------------------------------------------
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
This attribute is sent by a bridge or Access Point to indicate the
nature of the Supplicant's connection. When sent in the Access-Request
it is recommended that this attribute contain information on the speed
of the Supplicant's connection. For 802.11, the following format is
recommended: "CONNECT 11Mbps 802.11b" or "CONNECT 54Mbps 802.11a". If
sent in the Accounting STOP, this attribute may be used to summarize
statistics relating to session quality. For example, in IEEE 802.11, the
Connect-Info attribute may contain information on the number of link
layer retransmissions. The exact format of this attribute is
implementation specific.
-------------------------------------------------------------------------
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"

Tunnel attributes

Reference [20] defines RADIUS tunnel attributes used for authentication
and authorization, and reference [21] defines tunnel attributes used for
accounting. Where the IEEE 802.1X Authenticator supports tunneling, a
compulsory tunnel may be set up for the Supplicant as a result of the
authentication.

In particular, it may be desirable to allow a Supplicant to be placed
into a particular Virtual LAN (VLAN) based on the result of the
authentication. The RADIUS server typically indicates the desired VLAN
by including tunnel attributes within the Access-Accept. However, the
IEEE 802.1X Authenticator may also provide a hint as to the VLAN to be
assigned to the Supplicant by including Tunnel attributes within the
Access-Request. For use in VLAN assignment, the following tunnel
attributes are sent:

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID

Note that the VLANID is 12-bits, taking a value between 0 and 4095,
inclusive. Since the Tunnel-Private-Group-ID is of type String as
defined in [20], for use with IEEE 802.1X, the VLANID is encoded as a
string, rather than an integer.

6. Security considerations

Since this draft describes the use of RADIUS for purposes of
authentication authorization and accounting in IEEE 802.1X-enabled
networks, it is vulnerable to all of the threats that are present in
other RADIUS applications, with one exception. For a discussion of
these threats, see [6].

Since IEEE 802.1X does not support PAP or CHAP authentication, the
RADIUS User-Password hiding mechanism is not utilized to hide user
passwords. As noted in [4], there are doubts about the security of this
mechanism.

cenk

Jeff Hilfiker
New Member

Re: 802.1x NAS-Port format on ProCurve 2600-PWR

Thanks so much for the very detailed response! I realize that the NAS-Port in this packet is referring to an Ethernet port. However, I'm still unsure of what the value is associated with.

Does it map to the ifIndex of that port? Or is it something else? I've seen many cases where a port index can be a certain value in one mib, and a completely different value in another ( dot1d mib vs if mib for example). I'm just looking to figure out what it is referring to for this particular device.

Re: 802.1x NAS-Port format on ProCurve 2600-PWR

It maps to the physical port on the front of the box; in the case of the 2600-PWR it'll be an integer value ranging from 1-9. I don't know how this works on the modular switches, I'm guessing NAS-Port-ID would be '', and NAS-Port would be the ifIndex.
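Added example, not code from the original thread: a small Python checker that applies the points made in this thread before a request's port is trusted. It parses the attribute dump from the first post, cross-checks NAS-Port against NAS-Port-Id, validates the dash-separated Calling-Station-Id and the string-encoded 12-bit VLAN id described in the accepted answer, and maps NAS-Port to ifIndex through an explicit table instead of assuming the two are equal, as the last reply cautions. The ifIndex table and the "Attribute = value" text format are assumptions.

```python
import re
# Constructed sample: a subset of the attribute dump from the original post,
# re-typed as a FreeRADIUS-style "Attribute = value" text block (not a live capture).
SAMPLE_REQUEST = """\
NAS-Identifier = "ProCurve Switch 2600-8-PWR"
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-1c-2e-54-47-80"
Calling-Station-Id = "00-1a-4b-6c-42-31"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "85"
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

# Hypothetical ifIndex table for a fixed-config 2600-8-PWR (8 ports + uplink),
# where front-panel port N is ifIndex N. Kept explicit because, as the last
# reply notes, that equivalence cannot be assumed on modular switches.
IFINDEX_BY_PORT = {n: n for n in range(1, 10)}

def parse_attrs(text):
    """Parse 'Name[:tag] = value' lines into a dict; quotes and tunnel tags are dropped."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        attrs[name.split(":")[0]] = value.strip('"')
    return attrs

def resolve_port(attrs):
    """Return (ifIndex, supplicant MAC, VLAN or None) after cross-checking the request."""
    port = int(attrs["NAS-Port"])
    if attrs.get("NAS-Port-Id", str(port)) != str(port):
        raise ValueError("NAS-Port and NAS-Port-Id disagree")
    if port not in IFINDEX_BY_PORT:
        raise ValueError(f"NAS-Port {port} is not a known front-panel port")
    mac = attrs.get("Calling-Station-Id", "")
    if not MAC_RE.match(mac):
        raise ValueError("Calling-Station-Id is not dash-separated hex")
    vlan = None
    if attrs.get("Tunnel-Type") == "VLAN":
        vlan = int(attrs["Tunnel-Private-Group-Id"])  # 12-bit id carried as a string
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN id outside 0..4095")
    return IFINDEX_BY_PORT[port], mac.lower(), vlan
```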