Save yourself from insanity: Aruba Captive Portal RADIUS Accounting

I’ve been meaning to post this one for a while but got there in the end! Recently we changed our content filtering provider and one of the aims of the new system was to ensure tighter integration between the Wi-Fi controller and filter for authentication \ identification of users.

We particularly needed the framed-ip-address attribute as that’s used to tie a device to a user on our particular filtering product. In theory the setup sounds fairly straightforward:

  • set up Windows Network Policy Server to handle RADIUS authentication
  • set up RADIUS authentication profile against a new Wi-Fi SSID
  • set up RADIUS accounting on the wireless controller
  • set up RADIUS accounting on the filtering server

Initially all went well and we were able to authenticate users smoothly onto the Wi-Fi network via the existing captive portal… but (and isn’t there always a but!) we saw nothing on the filtering server, just an empty void of white space where user account activity should’ve been 😦

Initial troubleshooting steps

So I checked the simple things first…

  1. Check RADIUS Interim Accounting option is enabled on the AAA profile
  2. Check if shared secret is too complex \ typo when entering it into various config pages
  3. Ensure accounting server options in Windows NPS are configured correctly
  4. Confirm configuration of accounting server details on Wi-Fi controller
  5. Ensure ports for accounting information are set as they should be

Everything checked out correctly and authentication still worked fine despite me trying to break it, which made accounting failing even more strange. With that in mind it was time to move onto some more in-depth troubleshooting.

Delving deeper

Next step was to try and see if any accounting traffic was actually being sent so trusty Wireshark was spooled up to watch traffic for anything on port 1813. We saw plenty on 1812 for authentication but consistently nothing on 1813. At one stage I was beginning to wonder if the NPS server had something to do with it but replies to my posts to TechNet forums suggested otherwise.
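What a capture on UDP 1813 should contain once accounting is flowing, as an added example (not from the original post or from Aruba): a parser for RADIUS Accounting-Request packets per RFC 2866 that pulls out Framed-IP-Address and checks the Request Authenticator, so a mistyped shared secret shows up as `secret_ok: False`. The secret, user name and IP address are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
DECODERS = {  # the attributes a filter needs to tie an IP address to a user
    1: ("User-Name", lambda v: v.decode("utf-8", "replace")),
    8: ("Framed-IP-Address", lambda v: str(ipaddress.IPv4Address(v))),
    40: ("Acct-Status-Type", lambda v: STATUS.get(int.from_bytes(v, "big"), "Other")),
}


def authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(secret: bytes, ident: int, attrs: list) -> bytes:
    """Build an Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + authenticator(header, body, secret) + body


def parse_request(packet: bytes, secret: bytes) -> dict:
    """Decode an Accounting-Request and check it against the shared secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]  # drop any padding past the stated length
    good = authenticator(packet[:4], packet[20:], secret)
    out = {"id": ident, "secret_ok": hmac.compare_digest(good, packet[4:20])}
    pos = 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("truncated attribute")
        if packet[pos] in DECODERS:
            name, decode = DECODERS[packet[pos]]
            out[name] = decode(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return out


SECRET = b"constructed-secret"  # constructed sample values, not from the post
SAMPLE = build_request(SECRET, 7, [(1, b"jbloggs"), (40, struct.pack("!I", 3)),
                                   (8, ipaddress.IPv4Address("10.20.30.40").packed)])
```

Feed `parse_request` the UDP payload of a packet captured on port 1813; a result with `secret_ok` false points at the shared secret rather than at the controller's accounting settings.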

A case was then opened with Aruba support which involved upgrading the controller to latest firmware 6.4.2.12 before further troubleshooting could be performed. A few useful commands came out of this process, which should be run before upgrading to ensure the controller has enough resources to run the upgrade:

show memory
show storage

As an aside the upgrade did give us a nice new(er) feature called AppRF that basically brings application-level monitoring to the Aruba UI. It saves going through the firewall to find the same information and allows us to see at-a-glance where the bandwidth is going on the wireless network and to which user(s):



The update also made packet captures on the controller a bit simpler, which further proved our theory that no accounting traffic was being sent as the controller itself didn’t log anything on 1813 in its direct captures. However despite the upgrade we were still no closer to resolving the accounting issue.

The breakthrough

After escalating through various levels of Aruba support and product management one of the technical team finally found our issue, which turned out to be a deceptively simple fix. It’s a sneaky little setting squirrelled away named Captive Portal Check for Accounting.

The setting in question lives within the Misc. Configuration section of Security > User Roles.

You need to edit the settings of the role that is assigned as the 802.1X User Default Role for the AAA Profile associated with your RADIUS-enabled VAP (what a sentence that is!).


Basically untick that box and everything starts working…

By default the Captive Portal Check for Accounting box is ticked and therefore accounting won’t work if the user has authenticated via a captive portal. The Aruba documentation has this to say about it:

The check-for-accounting parameter is introduced in ArubaOS 6.3.1.7. If disabled, RADIUS accounting is done for an authenticated users irrespective of the captive-portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user’s role has a captive portal profile on it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user to a role which doesn’t have captive portal profile. This parameter is enabled by default.

As soon as the box was cleared accounting information came flooding in and I was pleasantly surprised to see how quick the interim updates were also processed, as some vendors’ interpretations of the RADIUS accounting standards aren’t quite so amiable from what I read during my research.

Was certainly a voyage of discovery to get to the solution but we have gained a few new features along the way and I’ve also become well acquainted with the ArubaOS CLI for troubleshooting purposes, so the process has added some valuable knowledge too 🙂


Not the best week for my Android

Although I’m a huge Android fan the past week or so hasn’t been too kind to my HTC One M8, which up until now has been spot on in terms of both hardware and software.

Just in case anyone else experiences the same issues I decided to post this to at least make the problem solving process a bit less painful…

OK Google? O… K Google? Oh…

My favourite feature since getting the M8 (just pipping the IR remote) is Google Now and particularly the “OK Google” voice activation. Having an almost-natural voice interface with the device is something that makes me feel like “the future” has arrived, as well as coming in very handy for in-car use for navigation, music playback etc.

Unfortunately the Play Store forced down a bunch of updates recently and now the activate from any screen system has stopped working 😦

Ref: https://productforums.google.com/forum/#!topic/websearch/jvUlugguDBY

Seems like I’m not the only one it’s affected judging by the slew of comments on the Google forums. The last couple of posts suggesting it’s fixed in the latest beta look promising at least – hurry up Google and get this fixed!

Wi-Fi in slow-motion

Around the same time I’d also noticed loading web pages on my home Wi-Fi had gone back to 56k speeds, or even worse just timing out. For a day or so I just switched to 4G as a workaround but tonight had to try and figure out what was going wrong. After a bit of Googling this struck a chord:

Ref: http://forums.androidcentral.com/htc-one-m8/565952-app-causing-slow-wifi.html

Indeed as soon as I disabled the Bluetooth connection everything went back to normal. I don’t usually have it turned on but since using Android Auto (more on that soon) Bluetooth tends to get left on when I get out the car. May need to invest in some NFC tags and use the Trigger app to control this.

BlinkFeed replacement

One HTC-specific feature I’ve grown to like is BlinkFeed. Initially I dismissed it as a nuisance taking up precious home screen space but as content started rolling in I started spotting some interesting content that I wouldn’t normally see through traditional browsing methods.

With social network updates mixed in as well it became a really useful at-a-glance content consumption method. Needless to say I don’t like the sound of the replacement if the article below about ad-related content is true:

Ref: http://forums.androidcentral.com/htc-one-m9/607607-news-republic-app-replacing-blinkfeed-awful.html

The joys of continuous updates and a quick word on OneDrive

At least two of the issues above come as a result of the continual release cycle we now find ourselves in these days with cloud-first software and services. On one hand getting new features is good but when the releases break (or even worse remove) key functionality then it’s a very different end-user experience.

It would be nice if Google etc. held their hands up when bugs are found to remove the uncertainty over whether it’s one particular device \ installation at fault or if users are suffering from update-related issues; I for one would value the honesty of saying “it’s broken but we’re fixing it” over saving face and staying silent. Fortunately blogs and forums often step in to fill the gap.

Still at least none of these issues are in the same league as Microsoft’s ludicrous bait-and-switch OneDrive retrospective storage downgrade on its consumer user base. I’m moving all my backups onto Google Photos right now then dispensing with OneDrive for personal use once the storage limits are applied early next year.

It’s a real shame as I’ve been using the product right from its early SkyDrive days so in my case the reversal from 40GB (15GB + 10GB loyalty + 15GB camera roll) down to 5GB is a real kick in the teeth. At the start of the year I was likely to move up to the paid plan once I went over my last couple of GB but there’s no chance of that now.


Fortunately the same stupidity hasn’t been applied to Education (OneDrive for Business) users, which is probably the only bit of good news to come out of the debacle. Ironically all this happened the same week the much-improved (and long overdue) new UI arrived on our O365 tenancy. A real shoot-yourself-in-the-foot moment from Microsoft I feel (as do many, many others).

Ref: https://onedrive.uservoice.com/forums/262982-onedrive/suggestions/10524099-give-us-back-our-storage

Microsoft still has time to reverse this before they lose whatever goodwill they had left among consumers but the clock is ticking…

2016… the year of monetisation of the cloud?

What is interesting about the OneDrive move is that Microsoft have effectively blinked first in the game of which provider stops giving more to consumers. In this case MS have gone one step further and will be actively taking away what we already have.

With enhanced ad-blocking features moving across platforms onto iOS and suchlike I wonder if 2016 may be the year the big cloud players start pushing the boundaries to see how far they can go with monetising their services. This is one prediction I’ll be very happy to see turn out wrong!