freeRADIUS for switch authentication
Good day, I've had a freeradius + daloradius + mysql setup to be used for the authentication of our Allied Telesis switches at our different branches. I configured the switch to use radius authentication at Login, could someone check whether the output if radius works on the switch? As there is no access-accept message I received on radiusd -X Password is MD5 encrypted, if that helps. Thanks! ----- Ready to process requests. rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154, id=0, length=84 User-Name = "netops" NAS-IP-Address = 10.141.1.129 Called-Station-Id = "10.141.1.129" Calling-Station-Id = "10.96.100.72" Acct-Status-Type = Start Acct-Session-Id = "0500001F" Acct-Authentic = Local # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address = 10.141.1.129,NAS-IP-Address = 10.141.1.129,Acct-Session-Id = "0500001F",User-Name = "netops"' [acct_unique] Acct-Unique-Session-ID = "b320652fa80c290b". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "netops", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 10.141.1.129 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.141.1.129/detail-20130708 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.141.1.129/detail-20130708 [detail] expand: %t -> Mon Jul 8 14:12:31 2013 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> netops rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! ++[radutmp] returns noop [sql] expand: %{User-Name} -> netops [sql] sql_set_user escaped user --> 'netops' [sql] expand: %{Acct-Delay-Time} -> [sql] ... expanding second conditional [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> netops attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 0 to 10.141.1.129 port 49154 Finished request 0. Cleaning up request 0 ID 0 with timestamp +72 Going to the next request Ready to process requests.
Sorry for not including it in the first post, freeradius version used is the latest in CentOS repo. The output on the first post is for the web-based login, I forgot that I only configured it on console login Here is the output: Ready to process requests. rad_recv: Access-Request packet from host 10.141.1.129 port 49154, id=0, length=91 User-Name = "md5password" User-Password = "qwerty" Cisco-AVPair = "shell:priv-lvl=1" NAS-IP-Address = 10.141.1.129 Acct-Session-Id = "05000022" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "md5password", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> md5password [sql] sql_set_user escaped user --> 'md5password' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'md5password' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'md5password' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'md5password' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "qwerty" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok Login OK: [md5password] (from client MAAX port 0) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 10.141.1.129 port 49154 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154, id=0, length=88 User-Name = "md5password" NAS-IP-Address = 10.141.1.129 Called-Station-Id = "10.141.1.129" Calling-Station-Id = "10.141.59.3" Acct-Status-Type = Start Acct-Session-Id = "05000022" Acct-Authentic = RADIUS # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address = 10.141.1.129,NAS-IP-Address = 10.141.1.129,Acct-Session-Id = "05000022",User-Name = "md5password"' [acct_unique] Acct-Unique-Session-ID = "ca6b399649f9703b". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "md5password", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: %{Packet-Src-IP-Address} -> 10.141.1.129 [detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.141.1.129/detail-20130708 [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.141.1.129/detail-20130708 [detail] expand: %t -> Mon Jul 8 14:55:20 2013 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> md5password rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! ++[radutmp] returns noop [sql] expand: %{User-Name} -> md5password [sql] sql_set_user escaped user --> 'md5password' [sql] expand: %{Acct-Delay-Time} -> [sql] ... expanding second conditional [sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> md5password attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 0 to 10.141.1.129 port 49154 Finished request 1. Cleaning up request 1 ID 0 with timestamp +19 Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +19 Ready to process requests.
Hi,
Sending Access-Accept of id 0 to 10.141.1.129 port 49154 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Access-Accept sent from the server. the RADIUS server has done its thing. if the NAS isnt working then you have missed some configuration option on the NAS alan
Hi, thanks for the reply. (Sorry if this is OT) As I understand, I couldn't use 802.1x authentication on just the switches themselves? Since a client must have certificates to authenticate to a server. What i just wanted to accomplish is to authenticate the switches only on the radius server, so this md5 encryption I had setup should be sufficient? Last question, could I just create a single user to be used by multiple switches? Is there any conflict going to happen? Switch count on branches ranges from 15-50. Mucho thanks. On Mon, Jul 8, 2013 at 3:19 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Sending Access-Accept of id 0 to 10.141.1.129 port 49154 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Access-Accept sent from the server. the RADIUS server has done its thing. if the NAS isnt working then you have missed some configuration option on the NAS
alan
Hi,
(Sorry if this is OT) As I understand, I couldn't use 802.1x authentication on just the switches themselves? Since a client must have certificates to authenticate to a server. What i just wanted to accomplish is to authenticate the switches only on the radius server, so this md5 encryption I had setup should be sufficient?
what you do is up to you. a standard NAS will have several configuration options - allowing RADIUS for admin access or RADIUS for host/client access or both. why cant you just do 802.1X on thw switch? yes, clients need certs but thats the same as WiFi - you could get a RADIU server cert signed by a known CA in the OS (which isnt best but would allow thigns to just work)
Last question, could I just create a single user to be used by multiple switches? Is there any conflict going to happen? Switch count on branches ranges from 15-50.
once again, depends on config. why do you think you cant? do you have strong user authorization/session checks? its just a user.... alan
Good day, I have a problem wherein daloradius doesn't read the freeradius log file. Do I need to chown or chmod anything? Am using CentOS 6.4, and log file is located in /var/log/radius/radius.log. I already chmod'ded 777 the log file and it still wouldn't open thru daloradius interface. I can open it using cat though.
error reading log file:
looked for log file in '/var/log/freeradius/radius.log, /usr/local/var/log/radius/radius.log, /var/log/radius/radius.log' but couldn't find it. if you know where your freeradius log file is located, set it's location in /rep-logs-radius.php
On Mon, Jul 8, 2013 at 4:37 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
what you do is up to you. a standard NAS will have several configuration options - allowing RADIUS for admin access or RADIUS for host/client access or both.
why cant you just do 802.1X on thw switch? yes, clients need certs but thats the same as WiFi - you could get a RADIU server cert signed by a known CA in the OS (which isnt best but would allow thigns to just work)
once again, depends on config. why do you think you cant? do you have strong user authorization/session checks? its just a user.
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Gab Quidilla