Thursday, January 17, 2013

1.2 Networking series - Aerohive

As I stated earlier, Aerohive uses thick APs that in our setup act as Radius servers.

This means that they exchange auth/acc messages between the APs that must contain information on user classification. Given that info, we could, normally, redirect accounting messages to another server and use it as user identification.

In fact, Aerohive sends a standard accounting packet that has two vendor specific parameters.These parameters look in WireShark as:

AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)
VSA: l=6 t=Unknown-Attribute(1): 00000001
Unknown-Attribute: 00000001


AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)
VSA: l=6 t=Unknown-Attribute(6): 00000ffc
Unknown-Attribute: 00000ffc

One of these parameters, the second one, is of a particular interest to us.
In hex it looks like this: 1a 0c 00006930 06 06 00000ffc
  • 1a 0c => Vendor specific attribute
  • 00006930  => Vendor is Aerohive
  • 06 => sub-type is Aerohive-User-Profile-Attribute
  • 00000ffc => UPID value
This UPID value is the value we are looking for: it is a group to which a user belongs to!

A detailed Aerohive dictionary file that can be used in WireShark looks like this:
# -*- text -*-
#       The Aerohive Vendor-Specific dictionary.
VENDOR        Aerohive                26928   
BEGIN-VENDOR    Aerohive

ATTRIBUTE       Aerohive-User-Vlan                  1       integer   
ATTRIBUTE       Aerohive-Libsip-Patron-Info         3       octets encrypt=2
ATTRIBUTE       Aerohive-Libsip-Action              4       integer   
ATTRIBUTE       Aerohive-Libsip-Additional-Message  5       octets
ATTRIBUTE       Aerohive-User-Profile-Attribute     6       integer
ATTRIBUTE       Aerohive-PPSK-Request               201     octets
ATTRIBUTE       Aerohive-PPSK-PMK                   202     octets
ATTRIBUTE       Aerohive-IDM-Message                203     integer
ATTRIBUTE       Aerohive-NT-Identity                204     integer

#   Integer Translations

#   Aerohive-Libsip-Action Values

VALUE   Aerohive-Libsip-Action            Permit      0
VALUE   Aerohive-Libsip-Action            Restricted  1
VALUE   Aerohive-Libsip-Action            Deny        2

END-VENDOR    Aerohive   

No comments:

Post a Comment