Change "Called-Station-ID" using Captive Portal

  • Question
  • Updated 5 years ago
  • Answered
Hello everyone,
I'm using v6.1r1. I have two captive portals which I need to identify in our RADIUS server. Using another wireless solution, I can change the "Called-Station-ID" to identify it when sending the authentication to the RADIUS server.

Could I do it in HiveOS? How? Thanks.

Regards.
Ricardo Luis Cañavate Garcia

Posted 5 years ago

Sam

Called-Station-ID should look like this: XX-XX-XX-XX-XX-XX:SSID-NAME

If you already have 2 CWPs, you have 2 different SSIDs, correct? That being the case, they should already each have a unique Called-Station-ID.

Ricardo Luis Cañavate Garcia

Thanks, Sam, for the answer. I have the same SSID-NAME; this is the problem.

Sam

Which other wireless solution is allowing you to change the called-station-id?

You could match on the BSSID which would be the first part of the called-station-id rather than the latter.

XX-XX-XX-XX-XX-XX if you have a handful of APs.

Mario Sáiz

I see that someone is getting ahead of my questions. Thanks, Ricardo! :)

Nick Lowe, Official Rep

That translates as: "I see that someone is ahead of my questions. Thanks Richard! :)"

Ricardo Luis Cañavate Garcia

Hi Mario, we work as a team and all look for what is best for us.

Nick Lowe, Official Rep

Based on what you are doing/circumstances, you may need to guard in any logic that you have against a flapping bug from boot where the Called-Station-Id will flap on-and-off in the form XX-XX-XX-XX-XX-XX: with no SSID.

It is apparently fixed in 6.1r2, but that is not available to us yet.

Mike Kouri, Official Rep

I have been offline for a few days and am coming into this thread late, but why not use the NAS-ID to differentiate between the two APs?

Nick Lowe, Official Rep

Good point, Mike. You could also use the IP address the request is coming in on. If via a proxy, the NAS-IP-Address is also available.

Ricardo Luis Cañavate Garcia

Thanks!!
We will try to do it. I think the development department has no doubt about how to do it.

Nick Lowe, Official Rep

It is probably worth noting that an implementation that allowed the Called-Station-Id to be modified could be considered harmful as it would deviate from the recommended behaviour in RFC 3580:

"3.20. Called-Station-Id

For IEEE 802.1X Authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format (upper case only),
with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
Access Point MAC address, separated from the MAC address with a ":".
Example "00-10-A4-23-19-C0:AP1"."

Yes, the use case is not for 802.1X here, but the same principle applies generally.

Ricardo Luis Cañavate Garcia

Hello everyone,
First, thanks for the fast answer; we will try to do it.

We use Mikrotik hardware with RouterOS software and we can configure it to identify.

See the pictures

regards.

Nick Lowe, Official Rep

You do have both a NAS-Identifier and a NAS-IP-Address there, either of which you could use in a condition. Would one of those not be preferable to use with RouterOS instead of the Called-Station-Id so that you have a solution that is multi-vendor compatible?

The RADIUS RFC actually stipulates that at least one of those two has to be present. Most NASes will include both.

It is interesting that RouterOS allows you to change the Called-Station-Id. It deviates from the behaviour that I would expect.

Mario Sáiz

Hi all,

I tested and sniffed traffic also.

Firstly, one of the most important points between Mikrotik and Aerohive is that you can configure the NAS only in the Gateway or the Hotspot Server, which means that you have only one NAS in the network.
In Aerohive, each Access Point has its own Hotspot configuration and RADIUS.

In Aerohive, the only item in the RADIUS protocol that you can change is NAS-Identifier.

You can modify it in Configure Access Points in Hive Manager. The item is Host Name.

I think that the best solution is to change the attributes for authentication in the RADIUS server and use NAS-Identifier.

Nick Lowe, Official Rep

You can combine the Nas-Identifier with the SSID from the Called-Station-Id (splitting the string via the first : from the left) to get a more granular ID if needed.
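
The server-side logic discussed in this thread, as an added example that is not from any poster and is not Aerohive or MikroTik code: it splits the Called-Station-Id on the first ":" from the left, combines the SSID with the NAS-Identifier (or NAS-IP-Address), and declines to choose a portal when the SSID is missing, as in the "XX-XX-XX-XX-XX-XX:" form, unless the NAS alone is unambiguous. The host names, SSIDs, portal names and the `PORTALS` table are hypothetical.

```python
import re

# RFC 3580 section 3.20 form: upper-case MAC with "-" separators, optional ":SSID".
_MAC = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$")

def parse_called_station_id(value):
    """Return (bssid, ssid); ssid is None when absent or empty."""
    # Split on the first ":" from the left; an SSID may itself contain ":".
    mac, _, ssid = value.partition(":")
    mac = mac.upper()  # tolerate a NAS that sends lower-case hex
    if not _MAC.match(mac):
        raise ValueError(f"unexpected Called-Station-Id: {value!r}")
    return mac, (ssid or None)

def nas_key(attrs):
    """Identify the NAS by NAS-Identifier, else by NAS-IP-Address."""
    key = attrs.get("NAS-Identifier") or attrs.get("NAS-IP-Address")
    if not key:
        raise ValueError("neither NAS-Identifier nor NAS-IP-Address present")
    return key

def select_portal(attrs, portals):
    """Map a request to a portal name, or None if it cannot be decided."""
    nas = nas_key(attrs)
    _, ssid = parse_called_station_id(attrs["Called-Station-Id"])
    if ssid is not None:
        return portals.get((nas, ssid))
    # SSID missing: decide on the NAS alone, but only when every entry
    # for that NAS points at the same portal; otherwise refuse to guess.
    candidates = {name for (n, _), name in portals.items() if n == nas}
    return candidates.pop() if len(candidates) == 1 else None

# Constructed sample policy: two portals share the SSID "Guest".
PORTALS = {
    ("ap-lobby", "Guest"): "portal-lobby",
    ("ap-cafe", "Guest"): "portal-cafe",
    ("ap-cafe", "Staff"): "portal-staff",
}
```
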

Ricardo Luis Cañavate Garcia

Mario, you can change the NAS Identifier using advanced configuration, too.