EAP doest work with Cisco Catalyst 2950?
Hi all, I'm new to this list. I have spent hours searching Google but still cant not find the solution for my problem so I decide it's time for the first post. I follow instructions from http://www.linuxjournal.com/article/8017 with the following configuration (instead of WLAN, I'm going to secure my LAN so no access point here) : - Authentication server: Freeradius 1.1.2 + OpenSSL 0.9.8a. The server is my laptop running Ubuntu 6.06. The IP address is 192.168.22.180 - Authenticator: Cisco Catalyst 2950 whose IP is 192.168.22.23 - Suppliant: WinXP service pack 2 This setup never works as expected. WinXP kept complaining "Unable to join to the network". I could not figure out what was the problem. There were no clue in freeradiusd's logfile and ethereal's dumpfile. Or maybe I'm no expert on this subject to see the clue. Please help. You can grab all of my freeradius's configuration, logfile and ethernet's dumpfile from http://innology.com.vn/8021x.tar.gz. Please take a look at it. TIA, Thai Duong. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Thai Duong <thaidn@yahoo.com> wrote:
This setup never works as expected. WinXP kept complaining "Unable to join to the network". I could not figure out what was the problem. There were no clue in freeradiusd's logfile and ethereal's dumpfile.
Read the debug log to see what's going on. You *do* have the Microsoft OID's in the certificates? Alan DeKok.
Hi Alan, --- Alan DeKok <aland@nitros9.org> wrote:
Read the debug log to see what's going on.
You *do* have the Microsoft OID's in the certificates?
Alan DeKok.
yes of course. I follow the instruction from http://www.linuxjournal.com/node/8095/print to generate certificates for the CA, the server and the client. When I looked at the debug log, I saw something like below: - The client sent a Access-Request. - The server replied with a Access-Challenge and then went to sleep. - They started over again with a Access-Request from the client. There was no Accept-Accept or anything but just a Access-request followed by a Access-Challenge. If you take a look at the ethereal dump file, you'll see that the client sent a lot of "Client Hello" packet but the server didnt response. I dont know why. Please help. TIA, Thai Duong. PS: You can download all dump files from http://innology.com.vn/8021x.tar.gz. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Hi Alan, --- Alan DeKok <aland@nitros9.org> wrote:
That is exactly what happens when the certificate doesn't have the proper OID's.
Alan DeKok.
I can be sure the client certificate has the Enhanced Key Usage showing Client Authentication (1.3.6.1.5.5.7.3.2). I have no way to verify whether the server certificate contains proper OID but here is the procedure I generate that certificate: 1. I created a file named xpextensions with the following content: thaidn@inspiron:/etc/ssl$ cat xpextensions [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 2. Create the server signing request: thaidn@inspiron:/etc/ssl$ openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf then sign it: thaidn@inspiron:/etc/ssl$ openssl ca -config ./openssl.cnf \ -policy policy_anything -out server_cert.pem \ -extensions xpserver_ext -extfile ./xpextensions \ -infiles ./server_req.pem 3. Open the signed certificate and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and the key file into a single file thaidn@inspiron:/etc/ssl$ cat server_key.pem server.cert.pem > \ server_keycert.pem The 3rd step is an extra step that the guide (http://www.linuxjournal.com/node/8095/print) told me to do. Is it correct? I doubt maybe the problem remains in the OpenSSL library bunlded with Ubuntu 6.06. Do you think so? Please advise. TIA, Thai Duong __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Thai Duong <thaidn@yahoo.com> wrote:
I can be sure the client certificate has the Enhanced Key Usage showing Client Authentication (1.3.6.1.5.5.7.3.2). I have no way to verify whether the server certificate contains proper OID
OpenSSL? It displays information about the certificate.
Is it correct? I doubt maybe the problem remains in the OpenSSL library bunlded with Ubuntu 6.06. Do you think so? Please advise.
I have no idea. All I know is that the symptoms you're seeing almost always have the same cause. Alan DeKok.
Thai Duong wrote:
I can be sure the client certificate has the Enhanced Key Usage showing Client Authentication (1.3.6.1.5.5.7.3.2). I have no way to verify whether the server certificate contains proper OID but here is
openssl x509 -noout -text -in theserver.crt ...will show things like: X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication ...the latter being the one you're looking for. As Alan says, it's almost certainly oids, but regardless the problem is not at the FreeRadius side - you should look to the debugging on the cisco switch and/or the windows client ("netsh * set tracing on" and logfiles somewhere under c:\windows)
--- Phil Mayers <p.mayers@imperial.ac.uk> wrote:
openssl x509 -noout -text -in theserver.crt
...will show things like:
X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication
...the latter being the one you're looking for.
As Alan says, it's almost certainly oids, but regardless the problem is not at the FreeRadius side - you should look to the debugging on the cisco switch and/or the windows client ("netsh * set tracing on" and logfiles somewhere under c:\windows)
The output of my server certificate contains: X509v3 Extended Key Usage: TLS Web Server Authentication As you advise, I turned tracing on and found that the SSL handshake was not completed, the client kept sending "Client Hello" packet but got no response from the server. But when looking at Ethereal's dump file, I saw that the server actually sent its certificate in the Access-Challenge packet. I even unchecked "Validate server certificate" in the client setting but still no luck. What am I supposed to do now? I'm gonna be crazy please help. TIA, Thai Duong. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On 26 Jul 2006, at 12:11, Thai Duong wrote:
As you advise, I turned tracing on and found that the SSL handshake was not completed, the client kept sending "Client Hello" packet but got no response from the server. But when looking at Ethereal's dump file, I saw that the server actually sent its certificate in the Access-Challenge packet. I even unchecked "Validate server certificate" in the client setting but still no luck. What am I supposed to do now? I'm gonna be crazy please help.
Is there a RADIUS or EAP timer set on the switch? If it's set too low, the switch might be ignoring the Access- Challenge from the server. best regards, josh. Josh Howlett, Networking Specialist, University of Bristol. email: josh.howlett@bristol.ac.uk | phone: +44 (0)7867 907076 | internal: 7850
--- Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
Is there a RADIUS or EAP timer set on the switch?
If it's set too low, the switch might be ignoring the Access- Challenge from the server.
best regards, josh.
Yup there're some timers on the switch but as far as I know they have no effect on the communication between the switch and the server. Is there anybody here had used Catalyst 2950 with freeradius before? Searching Google reveals that people seems only configure EAP/TLS to protect wireless LAN, not wired LAN. Where can I find a sucessful EAP/TLS setup with details about hardware/software components? TIA, Thai Duong. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--On Wednesday, 26 July 2006 18:39 -0700 Thai Duong <thaidn@yahoo.com> wrote:
--- Josh Howlett <josh.howlett@bristol.ac.uk> wrote:
Is there a RADIUS or EAP timer set on the switch?
If it's set too low, the switch might be ignoring the Access- Challenge from the server.
best regards, josh.
Yup there're some timers on the switch but as far as I know they have no effect on the communication between the switch and the server. Is there anybody here had used Catalyst 2950 with freeradius before? Searching Google reveals that people seems only configure EAP/TLS to protect wireless LAN, not wired LAN. Where can I find a sucessful EAP/TLS setup with details about hardware/software components?
Hi, We had similar problems. An example of what we put in the switch config to get it to work is here: <http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1x/cisco.html> ... as Josh said - pay particular attention to the dot1x & radius server timeout settings - we found the cisco defaults be be generally broken. Regards, James -- James J J Hooper, Information Services University of Bristol --
--- James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
Hi, We had similar problems. An example of what we put in the switch config to get it to work is here:
<http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1x/cisco.html>
... as Josh said - pay particular attention to the dot1x & radius server timeout settings - we found the cisco defaults be be generally broken.
Regards, James
Hi James, I follow your guide but still no lucks. It seems that the problem remains in the server or client side settings not in the switch. I always get something like: rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 05a8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0080], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 WTF is rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)? Attachment is the debug log of freeradius, please take a look at it. It's been two weeks and I still can not make this work. Deadline is comming, please help. Regards, Thai Duong. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--- Thai Duong <thaidn@yahoo.com> wrote:
Attachment is the debug log of freeradius, please take a look at it. It's been two weeks and I still can not make this work. Deadline is comming, please help.
Regards,
Thai Duong.
Sorry forgot to attach the debug log. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--- James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
Hi, We had similar problems. An example of what we put in the switch config to get it to work is here:
<http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1x/cisco.html>
... as Josh said - pay particular attention to the dot1x & radius server timeout settings - we found the cisco defaults be
be
generally broken.
Regards, James
Attachment is the Ethereal's dump file on the client side. There are five message (>> means traffic from switch to client and vice versa)
eap request identity << eap response identity eap request eap-tls (rfc2716) [aboba] << tls client hello eap unknown code (0x30)
It seems that the switch (Catalyst 2950 with IOS version 12.1(6)EA2c) didnt understand that "Client Hello" packet from the client so it returned something like "unknown code (0x30)". In fact this "Client Hello" never reached the server. Here is my switch dot1x configuration: Global 802.1X Parameters reauth-enabled yes reauth-period 3600 quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 reauth-max 2 max-req 2 802.1X Port Summary Port Name Status Mode Authorized Fa0/1 disabled n/a n/a Fa0/2 enabled Auto (negotiate) no Fa0/3 enabled Auto (negotiate) no aaa new-model aaa authentication dot1x default group radius radius-server host 192.168.2.8 auth-port 1812 acct-port 1813 key <deleted> radius-server retransmit 3 radius-server timeout 10 radius-server deadtime 2 radius-server vsa send authentication Why the switch doesnt understand that Client Hello TLS packet? What should I do now? I installed freeradius into another server, create the certificates from scratch but still NO LUCK. Please advise. Regards, Thai Duong __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--- James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
Hi, We had similar problems. An example of what we put in the switch config to get it to work is here:
<http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1x/cisco.html>
... as Josh said - pay particular attention to the dot1x & radius server timeout settings - we found the cisco defaults be be generally broken.
Regards, James
More about the debug log on the switch: I just got something like this: 06:15:31: RADIUS: Initial Transmit FastEthernet0/2 id 33 192.168.22.180:1812, Access-Request, len 212 06:15:31: Attribute 4 6 C0A81617 06:15:31: Attribute 5 6 0000C352 06:15:31: Attribute 26 23 0000000902114661 06:15:31: Attribute 61 6 0000000F 06:15:31: Attribute 1 8 74686169 06:15:31: Attribute 31 19 30302D30 06:15:31: Attribute 6 6 00000002 06:15:31: Attribute 24 18 698927AB 06:15:31: Attribute 79 82 02710050 06:15:31: Attribute 80 18 DC8C131A 06:15:31: RADIUS: Received from id 33 192.168.22.180:1812, Access-Challenge, len 1100 06:15:31: Attribute 79 255 0172040A 06:15:31: Attribute 79 255 30373237 06:15:31: Attribute 79 255 0421C4B1 06:15:31: Attribute 79 255 092A8648 06:15:31: Attribute 79 24 6F6F7420 06:15:31: Attribute 80 18 BD53CEE9 06:15:31: Attribute 24 18 C35A3205 That's it. A access-request followed by a access-challenge. Nothing more. Please help. Thai Duong __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--On Friday, July 28, 2006 02:36:42 -0700 Thai Duong <thaidn@yahoo.com> wrote:
--- James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
Hi, We had similar problems. An example of what we put in the switch config to get it to work is here:
<http://www.bristol.ac.uk/is/computing/advice/networks/documentation/dot1 x/cisco.html>
... as Josh said - pay particular attention to the dot1x & radius server timeout settings - we found the cisco defaults be be generally broken.
Regards, James
More about the debug log on the switch: I just got something like this:
06:15:31: RADIUS: Initial Transmit FastEthernet0/2 id 33 192.168.22.180:1812, Access-Request, len 212 06:15:31: Attribute 4 6 C0A81617 06:15:31: Attribute 5 6 0000C352 06:15:31: Attribute 26 23 0000000902114661 06:15:31: Attribute 61 6 0000000F 06:15:31: Attribute 1 8 74686169 06:15:31: Attribute 31 19 30302D30 06:15:31: Attribute 6 6 00000002 06:15:31: Attribute 24 18 698927AB 06:15:31: Attribute 79 82 02710050 06:15:31: Attribute 80 18 DC8C131A 06:15:31: RADIUS: Received from id 33 192.168.22.180:1812, Access-Challenge, len 1100 06:15:31: Attribute 79 255 0172040A 06:15:31: Attribute 79 255 30373237 06:15:31: Attribute 79 255 0421C4B1 06:15:31: Attribute 79 255 092A8648 06:15:31: Attribute 79 24 6F6F7420 06:15:31: Attribute 80 18 BD53CEE9 06:15:31: Attribute 24 18 C35A3205
That's it. A access-request followed by a access-challenge. Nothing more. Please help.
Could you post a 'show run' of your switch please. (obfuscate any passwords or secrets) Regards, James -- James J J Hooper, Information Services University of Bristol --
participants (5)
-
Alan DeKok -
James J J Hooper -
Josh Howlett -
Phil Mayers -
Thai Duong