
Bypass port-access authentication by entering a static vlan ID

DP IT
Occasional Contributor

Hi,

We've setup port-based authentication via a Windows NPS Radius server.
Authenticated clients go into client vlan.
Unauthenticated clients go into guest vlan.
This all works fine...at least we thought so.

During an IT audit we were informed about a potential issue.
I could reproduce this with a brand new laptop that was not part of our AD yet (neither is the local user account).

So there are a few vlans defined on a switch.
For example:
vlan 1 default
vlan 20 client
vlan 30 printer
vlan 40 management
vlan 50 guest

Switch config contains these lines:
aaa authentication port-access eap-radius
radius-server host xx.xx.xx.xx key xxxxxxxxx
aaa port-access authenticator 1-24
aaa port-access authenticator 10 unauth-vid 50
aaa port-access authenticator active


My test laptop is connected to port 10.
This port is untagged in vlan 1 and tagged in vlan 20, 30, 40 and 50.

When I connect that laptop to this switch port 10, I get an IP address from our guest vlan so that's good; the authentication failed because the computername and username could not be found in our AD.
But if I go to the properties of the network adapter and I enter a static vlan ID, for example vlan ID 40, I now get an IP address from the management vlan.
If I enter a different vlan ID (for example 35 - servers) I get no IP because that vlan does not exist on that switch.
So even though the port-access authentication seems to work, if I know what vlans are available for that port, I can easily switch to that vlan and get an IP address by entering a static vlan ID in the network adapter properties.

The audit team did not really like this. They managed to do something similar with their testing tool.
Our network partner did this port configuration in the past and they don't see an issue with that so that's why we never questioned that setup.

But is this normal behavior?
Can this be the result of configuring the switch ports as 'tagged' in the various vlans?
Or can somebody think of another reason why it looks like you can bypass the authentication if you know a vlan ID?

Thanks,
Ries
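As an added example (not from the thread, and not HPE's or Aruba's code), here is a small Python audit script that parses a ProCurve-style running-config and flags exactly the pattern Ries describes: ports with the 802.1X authenticator enabled that are also statically tagged in other VLANs, so a host that fails authentication can still join one of them by setting a VLAN ID on its NIC. The config text embedded below is constructed to mirror the post (port 10, unauth-vid 50, tagged in 20/30/40/50); the RADIUS address and key are placeholders, and the "hardened" variant encodes one assumed remediation (no static tagged VLANs on access ports, the access VLAN assigned by RADIUS after authentication) rather than vendor guidance. The parser only understands `vlan N` / `tagged ...` blocks and `aaa port-access authenticator ...` lines and ignores everything else.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the thread: authenticator on ports 1-24, port 10
# with unauth-vid 50, every port statically tagged in VLANs 20/30/40/50.
# RADIUS host/key are placeholders; 'name' and 'exit' lines are omitted.
WEAK_CONFIG = """\
vlan 1
   untagged 1-24
vlan 20
   tagged 1-24
vlan 30
   tagged 1-24
vlan 40
   tagged 1-24
vlan 50
   tagged 1-24
aaa authentication port-access eap-radius
radius-server host 192.0.2.10 key placeholder
aaa port-access authenticator 1-24
aaa port-access authenticator 10 unauth-vid 50
aaa port-access authenticator active
"""

# Constructed remediation (an assumption of this example, not vendor guidance):
# access ports 1-23 carry no static tagged VLANs, tagging is limited to uplink
# port 24 (not an authenticator), and the access VLAN is expected from RADIUS.
HARDENED_CONFIG = """\
vlan 1
   untagged 1-24
vlan 20
   tagged 24
vlan 30
   tagged 24
vlan 40
   tagged 24
vlan 50
   tagged 24
aaa authentication port-access eap-radius
radius-server host 192.0.2.10 key placeholder
aaa port-access authenticator 1-23
aaa port-access authenticator 1-23 unauth-vid 50
aaa port-access authenticator active
"""


@dataclass
class PortAccessConfig:
    tagged: dict = field(default_factory=dict)      # port -> set of static tagged VLAN ids
    authenticators: set = field(default_factory=set)
    unauth_vid: dict = field(default_factory=dict)  # port -> VLAN used when auth fails


def expand_ports(spec):
    """Expand a port list such as '1-4,7,10-12' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_config(text):
    """Pick out 'vlan N' / 'tagged ...' blocks and authenticator lines; ignore the rest."""
    cfg = PortAccessConfig()
    current_vlan = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            current_vlan = int(m.group(1))
        elif current_vlan is not None and (m := re.fullmatch(r"tagged (\S+)", line)):
            for port in expand_ports(m.group(1)):
                cfg.tagged.setdefault(port, set()).add(current_vlan)
        elif m := re.fullmatch(r"aaa port-access authenticator (\S+)(?: unauth-vid (\d+))?", line):
            if m.group(1) == "active":          # global enable, not a port list
                continue
            for port in expand_ports(m.group(1)):
                cfg.authenticators.add(port)
                if m.group(2):
                    cfg.unauth_vid[port] = int(m.group(2))
    return cfg


def find_hoppable_ports(cfg):
    """{port: [vlan ids]} for authenticator ports whose static tagged VLANs an
    unauthenticated host can join just by tagging its own frames. The port's
    unauth-vid is left out: a failed authentication lands the host there anyway."""
    findings = {}
    for port in sorted(cfg.authenticators):
        reachable = cfg.tagged.get(port, set()) - {cfg.unauth_vid.get(port)}
        if reachable:
            findings[port] = sorted(reachable)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, find_hoppable_ports(parse_config(text)))
```

Point it at a `show running-config` dump instead of the embedded samples and it produces the same port/VLAN list the audit team's tool reached by trying VLAN IDs on the NIC; a port that shows up in the output is one where the static tagged membership, not the 802.1X result, decides which VLANs the host can reach.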

-Alex-
HPE Pro

Re: Bypass port-access authentication by entering a static vlan ID

Hello DP IT,

If you are using Aruba OS, you may try the following document, as it is important what the settings on the port are and which RADIUS attributes are sent.

VLAN assignment in an authentication session (hpe.com)

Hope this helps!

I am an HPE Employee


DP IT
Occasional Contributor

Re: Bypass port-access authentication by entering a static vlan ID

Hi,

Thanks for your reply.

We're still using some older ProCurve models so not sure if this does apply to those older models as well.

But I can't make out from that document whether it has any impact on this field (screenshot below) in the network adapter properties.
If I enter a vlan ID there that does exist on the switch, I can gain access and get an IP address even though the device would otherwise not authenticate and go into the guest vlan.

[Screenshot vlan_id_nic_properties.png: the VLAN ID field in the network adapter properties]

-Alex-
HPE Pro

Re: Bypass port-access authentication by entering a static vlan ID

Hello DP IT,

I think if the vlan is added dynamically to the port, other vlans will not be available, so if tagged traffic from the device is received for a vlan which does not exist on the switch at the moment, it will be dropped.

Hope this helps!
