IP Camera does not work properly with 802.1X and 3COM 5500 Switch
m_zouhairy at skno.by
Fri Jun 29 15:43:45 CEST 2018
Why don't you just use MAB for stupid devices?
From: Freeradius-Users <freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Friday, June 29, 2018 4:40 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: IP Camera does not work properly with 802.1X and 3COM 5500 Switch
On Jun 29, 2018, at 9:33 AM, Klein Niklas <Niklas.Klein at geutebrueck.com> wrote:
> I am working for some days now with FreeRADIUS Version 3.0.13. I knew of RADIUS before and have a technical background but not much experience regarding RADIUS, 802.1X or Authentication in particular (PAP, EAP, CHAP…).
> However, my question: I have a working RADIUS-Server, I ensured that as I am able to authenticate a Windows 7 Workstation with 802.1X activated on the switch port it is connected to. When I enter the correct user at domain with the correct password, the switch allows traffic on that port and I can also see an Access-Accept in the RADIUS debug output. My next step is to not use a workstation but an IP camera. I uploaded the “test” certificates and key that were created in /etc/raddp/certs to the IP cam and used the same user I used for the Windows 7 authentication. It just won't work like that but I can't figure out why. My debug output is attached.
Unfortunately, you'll need to read the debug output of the *camera* to see why it's failing.
> IMHO everything looks good until:
> (2) eap: Peer sent packet with method EAP NAK (3)
> (2) eap: Peer NAK'd indicating it is not willing to continue
> (2) eap: Sending EAP Failure (code 4) ID 3 length 4
> (2) eap: Failed in EAP select
> But I have no idea what that means.
It means this:
* FreeRADIUS receives an EAP packet
* it responds with EAP-MD5
* the camera NAKs it, and asks for TLS
* FreeRADIUS goes "sure, let's do TLS!"
* the camera NAKs that...
i.e. the camera asks for EAP-TLS, and then goes "nah, I don't want to do EAP-TLS".
The camera documentation *might* say what kinds of EAP it supports. Or maybe even what kind of certificates it supports.
But most cameras are cheap garbage. And they write their own EAP code, instead of using wpa_supplicant. So it's impossible to say what's going wrong.
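
The EAP exchange described in the reply above, decoded from raw packets per RFC 3748. This is an added example, not part of the original thread or of FreeRADIUS; the packet bytes, the function names and all packet IDs except the Failure's (code 4, ID 3, length 4, as in the debug output) are constructed for illustration.

```python
import struct

# EAP codes and method types (RFC 3748 and the IANA EAP registry).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: 4-byte header, then type and type-data."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = TYPES.get(pkt[4], str(pkt[4]))
        if code == 2 and pkt[4] == 3:
            data = pkt[5:length]
            # Legacy Nak: each data byte is a method the peer would accept;
            # a 0 byte means the peer has no acceptable alternative.
            out["wants"] = [TYPES.get(t, str(t)) for t in data if t != 0]
            out["refuses_all"] = 0 in data or not data
    return out

def diagnose(exchange) -> str:
    """Summarise the method negotiation in a list of raw EAP packets."""
    offered, wanted = [], []
    for p in map(parse_eap, exchange):
        if p["code"] == "Request" and p.get("type") not in (None, "Identity"):
            offered.append(p["type"])
        elif p.get("type") == "Nak":
            if p["refuses_all"]:
                last = offered[-1] if offered else None
                if last in wanted:
                    return f"peer asked for {last}, then refused it"
                return "peer refused every method"
            wanted += p["wants"]
    return "no refusal seen"

# Constructed sample exchange (hypothetical bytes, not from the attached debug log).
EXCHANGE = [
    bytes([1, 1, 0, 22, 4, 16]) + bytes(16),  # server: Request MD5-Challenge
    bytes([2, 1, 0, 6, 3, 13]),               # camera: Nak, wants EAP-TLS
    bytes([1, 2, 0, 6, 13, 0x20]),            # server: Request EAP-TLS (Start)
    bytes([2, 2, 0, 6, 3, 0]),                # camera: Nak, nothing acceptable
    bytes([4, 3, 0, 4]),                      # server: EAP Failure
]
if __name__ == "__main__":
    print(diagnose(EXCHANGE))
```

Running the same decoder over a packet capture of the switch port shows which methods the camera actually lists in its Nak, which is the information the server-side debug output cannot give.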