Limit number of concurrent 802.1X sessions for a given user

  • 1
  • Question
  • Updated 1 year ago
  • Answered
Is it possible to limit the number of concurrent sessions for any given 802.1X user using Microsoft NPS as an authentication back-end? If this is not possible using Aerohive components, does anyone have an idea about some software solution running on top of NPS?

Looking forward to sharing ideas regarding this topic.
steven

  • 32 Posts
  • 2 Reply Likes

Posted 5 years ago

  • 1
Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
I'm not aware of any way to limit that on NPS, but I admit to being a novice at NPS. Some other RADIUS implementations do permit you to restrict the number of concurrent clients using the same credentials; I remember Steel Belted RADIUS from Funk Software (now a part of Juniper Networks) used to do that a decade or so ago...
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You can do this by coding an extension to NPS to maintain a state table based on accounting information, not otherwise.
Joel Brooks

  • 20 Posts
  • 4 Reply Likes
Any chance you have further info on coding this extension? Any help is appreciated Nick Lowe.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Dear Joel,

I assume that you are asking about what to consider when coding such an extension?

If so, and in brief to get you started...

You need to become familiar with the following RADIUS attributes:

  • Class (Binds auth to accounting and ensures that you get access to the EAP inner identity during auth, the real identity of the client. You can then use it when accounting occurs, based on this value.)
  • Acct-Session-Id (Session id that is unique for the session, to be treated as such only on a per-NAS basis and until that NAS reboots.)
  • Acct-Multi-Session-Id (Session id that is globally unique among all NASes, present for related sessions that share the same EAP authentication, and used in roaming scenarios. Often this is introduced to a session via an Interim-Update, so you don't get this information straight away. You need to defer acting upon a Stop where an Acct-Multi-Session-Id is present for a couple of seconds, as you may get a new session that uses this if a roam has occurred.)
  • Called-Station-Id (Scopes auth more tightly on a NAS where present. On an AP, this is to a BSS.)
You need to become familiar with the RADIUS Access-Accept packet and the various forms of RADIUS Accounting-Request packet (for a session: Start, Interim-Update and Stop; on a per-NAS basis: Accounting-On, scoped tighter on a NAS where a Called-Station-Id is present).

Then you need to design a state machine with formal transitions based on the information you get in these packets, to create, hold, update and evict session state. From the transitions that occur, you can generate events that you can hook elsewhere.

For concurrent session limiting, when an Access-Accept is pending to be sent in response to a RADIUS Access-Request packet, you can decide to allow or disallow the authentication based on a query to the state information that is held based on your desired policy.

A further complication and consideration is that you need to build in a way of performing synchronous replication between multiple instances of your NPS plugin if you run more than one RADIUS server. (In my implementation, I elected to use something based on the PAXOS algorithm for ordered, masterless updates against a given data checkpoint that is fault tolerant. You could use a SQL backend if it is performant enough for your needs as an alternative.)

The extension process (API) for NPS is documented here:

http://msdn.microsoft.com/en-us/library/bb891989.aspx

To get access to the real identity when an Access-Accept is pending to be sent in response to an Accounting-Request packet, use the ratStrippedUsername extended (as in pseudo) RADIUS attribute that gives you the client's identity:

http://msdn.microsoft.com/en-us/library/bb892029(v=vs.85).aspx

Regards,

Nick
(Edited)
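The state machine sketched in the post above, written out as an added example (it is not Nick's extension and not the NPS API): a per-NAS session table fed by Accounting-Request packets, with the deferred Stop for sessions carrying an Acct-Multi-Session-Id, Accounting-On eviction scoped by Called-Station-Id, and the admission check run while an Access-Accept is pending. Packets are plain dicts of attribute name to value, timestamps are caller-supplied seconds, and the Class value is assumed to carry the identity the extension placed in the Access-Accept.

```python
ROAM_GRACE = 2.0  # seconds a stopped session with an Acct-Multi-Session-Id is held for a roam

class SessionTable:
    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.sessions = {}  # (nas, Acct-Session-Id) -> {"identity", "bss", "multi"}
        self.draining = {}  # (nas, Acct-Session-Id) -> time of a deferred Stop
    def expire(self, now):
        """Evict deferred Stops whose roam grace period has elapsed."""
        for key, stopped_at in list(self.draining.items()):
            if now - stopped_at >= ROAM_GRACE:
                self.draining.pop(key)
                self.sessions.pop(key, None)
    def active(self, identity, now):
        self.expire(now)
        return sum(1 for s in self.sessions.values() if s["identity"] == identity)

    def may_accept(self, identity, now):
        """Policy check while an Access-Accept is pending for an Access-Request."""
        return self.active(identity, now) < self.max_sessions

    def evict(self, key):
        self.sessions.pop(key, None)
        self.draining.pop(key, None)

    def on_accounting(self, pkt, now):
        """Apply one Accounting-Request; pkt maps attribute name -> value."""
        self.expire(now)
        status, nas = pkt["Acct-Status-Type"], pkt["NAS-IP-Address"]
        if status == "Accounting-On":
            # NAS (re)booted: drop its sessions, scoped to one BSS when Called-Station-Id is present
            bss = pkt.get("Called-Station-Id")
            for key, s in list(self.sessions.items()):
                if key[0] == nas and bss in (None, s["bss"]):
                    self.evict(key)
            return
        key = (nas, pkt["Acct-Session-Id"])
        multi = pkt.get("Acct-Multi-Session-Id")
        if status in ("Start", "Interim-Update"):
            for old, s in list(self.sessions.items()):
                if multi and old != key and s["multi"] == multi:
                    self.evict(old)  # same EAP authentication under a new session id: a roam
            # identity is taken from the Class value this extension put in the Access-Accept (assumed)
            s = self.sessions.setdefault(key, {"identity": pkt["Class"], "multi": None,
                                               "bss": pkt.get("Called-Station-Id")})
            s["multi"] = multi or s["multi"]
        elif status == "Stop" and multi and key in self.sessions:
            self.draining[key] = now  # defer: a Start/Interim-Update for this multi-id may follow
        elif status == "Stop":
            self.evict(key)
```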
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I have just realised that I put a typo in here which I feel the need to correct:

To get access to the real identity when an Access-Accept is pending to be sent in response to an Access-Request packet, use the ratStrippedUsername extended (as in pseudo) RADIUS attribute that gives you the client's identity.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
If that sounds complicated, there is also the shorter answer/solution which is that I have already written such an extension and just need to make it available to others.

I have been holding back doing so however because of...

1) An Aerohive issue which pertains to SSO:
https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip...

2) A Microsoft issue which pertains to binding auth to accounting, needed to get the client's identity:
http://www.nicklowe.org/2013/08/nps-class-attribute-bug/
(Aerohive's APs do support multiple Class attributes so are not affected. This is an issue that pertains to having a general, vendor agnostic solution. Based on very recent contact, Microsoft are apparently now looking to get this fixed.)

The problem I have is that I am reluctant to release something that I know does not work perfectly yet in all scenarios because of external factors that are out of my control. I am still pushing to get these two issues fixed.

Nick
(Edited)
Joel Brooks

  • 20 Posts
  • 4 Reply Likes
I appreciate the info. We have ~20k students in our district and we are attempting to implement 802.1X, but also limit the number of concurrent sessions. Aside from collecting all the MAC addresses in the district or installing certs on every device, we are stuck with using something in the RADIUS realm. We are also talking with Abby Strong; she actually just linked us to this thread.
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Joel,

Based on your need I have just sat and done some further testing with my code against Aerohive APs with a view to releasing it publicly.

Unfortunately, I have just discovered that the same issue that causes the Framed-IP-Address (client's IP) to not become available in a timely manner also affects the Acct-Multi-Session-Id too. This has implications for tracking a client over related sessions (roaming).

The issue means that it is possible to lose track of a session if a roam occurs before the first interim interval has elapsed. I therefore need to raise this with Aerohive as something that should be resolved in HiveOS: optimally to include this attribute in the Start Accounting-Request packet, or otherwise to perform a guaranteed, immediate asynchronous Interim-Update as soon as the Acct-Multi-Session-Id value becomes available for a session.

(Due to 802.1X re-authentication it is not possible to use the Class attribute as a workaround.)

Nick
(Edited)
Joel Brooks

  • 20 Posts
  • 4 Reply Likes
I appreciate you spending time on this. I will update this thread if we come up with a workable solution. Abby stated she is passing along this info to the engineering team as well.

Thanks Nick!

Joel
steven

  • 32 Posts
  • 2 Reply Likes
Nice to see this thread back alive :-)

From what I've understood from our Aerohive SE, this feature (limit concurrent dot1x sessions) is going to be implemented in HiveOS. The proposed launch date was December last year, but as of now it's still not implemented.

Actually, I wonder how easily this will be implemented, because from what I learned way back, HiveOS shares session data only with one-hop neighbours, which would make it impossible to implement this feature under these conditions.

@Nick if you are looking for a beta tester, just drop a message. I've been a .NET developer in the past and might be of some use. I am very much interested in your NPS extension.

Cheers,

Steven
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Thanks, Steven.

I have been told that we are likely to see improvements to the RADIUS accounting behaviour in a release after 6.2r1.

I will definitely let you know if and when we are further on with this!

Regards,

Nick
(Edited)
James Dodds

  • 13 Posts
  • 2 Reply Likes
Do you think that this is something likely to be released in 6.4x?
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I cannot comment on any new features that may be going in to HiveOS that I happen to find out about. It would not be my place to do so. Sorry!
(Edited)
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Just a quick update...

Having tested things with 6.4r1, the Single-Sign-On and concurrent session limiting NPS extension that I wrote works well up-and-until packet loss and RADIUS failover scenarios are exercised.

This is because HiveOS has an issue where the Event-Timestamp attribute is missing from the Accounting-On and Start forms of Accounting-Request packets it sends (it includes them for the Interim-Update and Stop forms). This makes things somewhat fragile, as retries of these packets do not stipulate when the event actually occurred on the AP, which precludes a state machine from handling things correctly.

(The Acct-Delay-Time attribute is also never used by HiveOS so that cannot be used as an alternative. Ideally this attribute ought to be added too to all Access-Request packets for compatibility with systems that do not use the Event-Timestamp attribute.)

All the other issues that I was aware of that relate to SSO / concurrent session limiting have been fixed. Hooray! Hopefully the next release of HiveOS can correct this to finally make this fully viable in a robust and reliable way.

Cheers,

Nick
(Edited)
steven

  • 32 Posts
  • 2 Reply Likes
Hi Nick,

That's great news actually and I really would love to test-drive this NPS extension of yours ;-)

Hopefully Aerohive will implement a session-limit very soon in HiveOS. I know they will make a lot of customers happy with it.

Cheers,

Steven
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Steven,

I have had feedback from Aerohive that the Event-Timestamp issue should be fixed in 6.4r2 so the public release of my extension will mandate that this attribute be present or the Accounting-Request will simply be excluded from consideration/discarded.

It will also use SQL for synchronous replication of session state rather than PAXOS.

This will have the effect of locking out and not supporting the AP110, AP120, AP320/AP340 and AP170, but as the oldest APs that I personally have to support are AP330s, I am okay with this.

(The Framed-IP-Address ARP spoofing and async fixes came in with 6.4r1, so this also seems to me to be a sensible course of action as SSO is a key feature of the extension.)

I wouldn't hold your breath on concurrent session support within HiveOS: it would be rather tricky to implement it within the APs themselves due to issues with EAP identity privacy and the number of ways you can represent the same user.

You have to use the inner identity to stop identity spoofing and also to cope with different ways of representing the same user, such as: username, domain\username, fully.qualified.domain.name\username, user@domain, user@fully.qualified.domain.name

The inner identity is, of course, only visible to the EAP terminating RADIUS server. When it performs authentication, normalisation concerns can be sorted out there.

You can return the inner identity normalised in an Access-Accept in the User-Name attribute (HiveOS supports processing this) but this strictly breaches intended identity privacy guarantees as we don't yet have RadSec support in HiveOS.

With NPS, you also have to use an extension to return the inner identity in the User-Name AVP of an Access-Accept. With FreeRADIUS and RADIATOR, you can do it with appropriate configuration.

Handling session state at the EAP terminating RADIUS server allows you to perform binding from auth to accounting using the Class attribute so you never have to expose the inner identity to the APs, so it's the gold standard way of doing things.

My plans are that I'll do a test run with others when HiveOS 6.4r2 is available. I really don't want to release software that I know doesn't work reliably.

Cheers,

Nick
(Edited)
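The normalisation step described above, as an added example that is not Nick's extension: every form he lists for the same user is collapsed to one canonical, lower-cased user@realm key before it is used for the concurrent-session count. The realm alias table and default realm are constructed for the example; an identity in a realm the table does not know is rejected rather than guessed, so two different users can never be merged into one key.

```python
# Constructed alias table: short/NetBIOS domain names and FQDNs that denote the same realm
REALM_ALIASES = {
    "corp": "corp.example.com",
    "corp.example.com": "corp.example.com",
}
DEFAULT_REALM = "corp.example.com"  # realm assumed for a bare username (constructed)

def normalise_identity(inner_identity, aliases=REALM_ALIASES, default_realm=DEFAULT_REALM):
    """Map username, domain\\user, fqdn\\user, user@domain and user@fqdn to one user@realm key."""
    ident = inner_identity.strip()
    if "\\" in ident:                 # domain\user or fully.qualified.domain.name\user
        realm, user = ident.split("\\", 1)
    elif "@" in ident:                # user@domain or user@fully.qualified.domain.name
        user, realm = ident.rsplit("@", 1)
    else:                             # bare username: apply the configured default realm
        user, realm = ident, default_realm
    realm = realm.lower()
    if realm not in aliases:
        # Unknown realm: refuse rather than invent a mapping that could collide identities
        raise ValueError(f"unknown realm {realm!r} in identity {inner_identity!r}")
    return f"{user.lower()}@{aliases[realm]}"
```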
steven

  • 32 Posts
  • 2 Reply Likes
Hi Nick,

I understand your concern regarding the anonymous outer identity, but since one or two Aerohive APs could be configured as an Authentication Server using directory integration, HiveOS might be able to know the inner identity of the EAP sessions.

Let's see what the great minds behind hiveOS can come up with ;-)

Cheers,

Steven
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Agree it's definitely possible to implement it.

But when directory integrated, HiveOS is just running an embedded RADIUS server and using it via RADIUS; ideally, you would want the feature to be able to work with other external RADIUS servers too.

You would therefore want to do things in a standards-compliant way that is vendor agnostic. This would mean returning the inner identity normalised in the User-Name attribute of an Access-Accept, and you would then use RadSec to ensure the identity isn't leaked if that is a concern. RadSec could be implemented in a very lightweight way using ChaCha20 and Poly1305 with TLS session resumption, so the performance impact would be relatively low and almost certainly acceptable:

https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04

https://www.imperialviolet.org/2013/10/07/chacha20.html

http://googleonlinesecurity.blogspot.co.uk/2014/04/speeding-up-and-strengthening-https.html

https://www.zeitgeist.se/2014/04/26/openssl-with-chacha20-poly1305-support/

It has to be said, however, that it may be acceptable even without using RadSec in many use cases, due to there being differing degrees of identity privacy; it is not an all-or-nothing concern, and there is the likely consideration that security should trump absolute identity privacy. The main practical concern that identity privacy solves today is to not leak the identity into the air to wireless clients in an unencrypted way.

The integrity of the path from the NAS to the RADIUS server is usually of less concern, as it is typically over a more physically secured, hardwired back-end connection where there is far less of a tangible risk of interception.

Having received a usable, consistent, discrete identity for a user you then have the separate concern of limiting the number of concurrent sessions, which would be in HiveOS proprietary territory and also the concern of the distributed protocols that run between the APs.

Using an encrypted VSA is also possible instead of using the User-Name attribute to return the inner identity normalised, but that would then be Aerohive specific and a layering violation, in my opinion. You would also have to make sure that the encryption was up to muster for the VSA; I say let TLS handle this for you with RadSec.

To specify the maximum session limit intended for a user in the Access-Accept, I would probably use the Port-Limit attribute; a VSA is also possible but, in my view, it's best to stay standards based:

5.42.  Port-Limit

Description

      This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attri... The field is 4 octets, containing a 32-bit unsigned integer with the maximum number of ports this user should be allowed to connect to on the NAS.

Nick
(Edited)
Phelix Ochieng

  • 1 Post
  • 0 Reply Likes
I'm faced with the same challenge over here, I'd like to limit concurrent connections to 1. Anybody who has implemented this?
damiri

  • 3 Posts
  • 0 Reply Likes
Is this available now since it has been two years?
(Edited)
Wesley Niels

  • 1 Post
  • 0 Reply Likes
Yup, looking for the same answer!
Libanon Lyceum

  • 1 Post
  • 0 Reply Likes
Same here, any news already?
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi,

Nothing is currently available from us where NPS or a third-party RADIUS server is being used for EAP termination and to receive accounting information.

Nick
damiri

  • 3 Posts
  • 0 Reply Likes
Any plans?