users configuration and certs

gahn ipfreak at yahoo.com
Thu Feb 18 06:34:32 CET 2016


Hello:
Would you please advise how to proceed with this issue?
Here is what I am trying to do after authenticating with certs (compiled per "http://deployingradius.com/documents/configuration/certificates.html"):
* radius will assign a VLAN ID and IP address
Here is the configuration:
# Cleartext-Password := gives the server the password itself, which EAP
# methods such as MD5 need; "User-Password ==" only compares against the
# request and is flagged by the 3.x users-file parser.
user1        Cleartext-Password := "user1"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-ID = "vlan1",
                Framed-IP-Address = 10.0.0.101,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Routing = Broadcast-Listen,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP

# The dictionary spells the compression value Van-Jacobson-TCP-IP; the
# misspelled "Van-Jacobsen" form is rejected when the file is parsed.
user2        Cleartext-Password := "user2"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-ID = "vlan2",
                Framed-IP-Address = 10.0.4.101,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Routing = Broadcast-Listen,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP
I tested MD5 first and it works (I think), but I am not able to bring up the tunnel, so I can't get the VLAN ID and IP addresses:
Ready to process requests
(0) Received Access-Request Id 148 from 100.64.8.3:51157 to 10.85.19.162:1812 length 170
(0)   User-Name = "tester4"
(0)   NAS-Port = 82
(0)   EAP-Message = 0x0200000c0174657374657234
(0)   Message-Authenticator = 0xb19c034e8325fa37e7c8555a7323de40
(0)   Acct-Session-Id = "8O2.1x81310900000b65a7"
(0)   NAS-Port-Id = "ge-0/0/16.0"
(0)   Calling-Station-Id = "08-ed-2a-81-00-00"
(0)   Called-Station-Id = "00-26-88-7c-c4-00"
(0)   NAS-Identifier = "jtac-EX4200-48T-r064"
(0)   NAS-Port-Type = Ethernet
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "tester4", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x221d73df221c7755
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 148 from 10.85.19.162:1812 to 100.64.8.3:51157 length 0
(0)   EAP-Message = 0x0101001604104f25d10e53221ba2241dc31da1154f5c
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x221d73df221c7755f69b930716c7d1dc
(0) Finished request
Waking up in 4.9 seconds.
Waking up in 6.9 seconds.
Waking up in 13.9 seconds.
Waking up in 30.9 seconds.
(0) Cleaning up request packet ID 148 with timestamp +14
I copied "client.pem" from the server to the client side and tried "tls". This time I don't see any output from "radiusd -sX" (I think because of failed certs, so 802.1X didn't even finish its process).
The client side showed a failure message:
"Validated, Test cannot continue, a fatal error encountered when working with certificates"
How could I troubleshoot this? Is it an issue with the certs?

thanks
_dave
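As an added example (not from the post above or from the FreeRADIUS project), a small lint for entries written in the users-file syntax shown in the post: it parses check and reply items, then flags a `User-Password ==` check item (EAP methods need a known-good `Cleartext-Password :=`), an incomplete VLAN reply triple, and one `Tunnel-Private-Group-ID` mapped to two different `Framed-IP-Address`/`Framed-IP-Netmask` subnets. The sample entries are constructed, and the parser assumes the plain subset of the syntax used in the post (no quoted commas or `Fall-Through` handling).

```python
import ipaddress
import re
# Constructed "users"-file sample modelled on the post; user2 deliberately carries
# two copy-paste mistakes (hypothetical data, not a real deployment).
SAMPLE_USERS = '''\
user1        User-Password == "user1"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-ID = "vlan1",
                Framed-IP-Address = 10.0.0.101,
                Framed-IP-Netmask = 255.255.255.0
user2        Cleartext-Password := "user2"
                Tunnel-Private-Group-ID = "vlan1",
                Framed-IP-Address = 10.0.4.101,
                Framed-IP-Netmask = 255.255.255.0
'''
VLAN_TRIPLE = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_users(text):
    """Map user name -> {"check": {attr: value}, "reply": {attr: value}}."""
    entries, entry = {}, None
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if not line[0].isspace():          # column 0: name followed by check items
            name, line = (line.split(None, 1) + [""])[:2]
            entry = entries.setdefault(name, {"check": {}, "reply": {}})
            target = entry["check"]
        else:                              # indented: reply items of the last entry
            target = entry["reply"]
        for m in PAIR_RE.finditer(line):
            target[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return entries

def lint_users(entries):
    """Return {user: [problems]} for the mistakes this kind of config invites."""
    report, vlan_subnets = {}, {}
    for name, e in entries.items():
        problems, reply = [], e["reply"]
        if "User-Password" in e["check"]:  # EAP needs a known-good password
            problems.append("use Cleartext-Password := instead of User-Password ==")
        missing = [a for a in VLAN_TRIPLE if a not in reply]
        if missing and len(missing) < len(VLAN_TRIPLE):
            problems.append("VLAN reply incomplete, missing " + ", ".join(missing))
        vlan, ip, mask = (reply.get(a) for a in ("Tunnel-Private-Group-ID",
                          "Framed-IP-Address", "Framed-IP-Netmask"))
        if vlan and ip and mask:           # one VLAN should map to one subnet
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if vlan_subnets.setdefault(vlan, net) != net:
                problems.append(f"{vlan} maps to both {vlan_subnets[vlan]} and {net}")
        report[name] = problems
    return report
```

Running `lint_users(parse_users(SAMPLE_USERS))` reports the deprecated check item on user1 and both copy-paste mistakes on user2; point it at a real users file to review VLAN and address assignments before deploying.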
