users configuration and certs
hello: would you please advice how to proceed this issue? here is what i am trying to do after authenticated with certs (compiled per "http://deployingradius.com/documents/configuration/certificates.html"): * radius will assign a vlan id* and IP address here is the configuration: user1 User-Password == "user1" Tunnel-Type = "VLAN", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-ID = "vlan1", Framed-IP-Address = 10.0.0.101, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP user2 User-Password == "user2" Tunnel-Type = "VLAN", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-ID = "vlan2", Framed-IP-Address = 10.0.4.101, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP i tested md5 first and it works (i think) but not able to bring up tunnel, so not able to get vlan id and ip addresses: Ready to process requests (0) Received Access-Request Id 148 from 100.64.8.3:51157 to 10.85.19.162:1812 length 170 (0) User-Name = "tester4" (0) NAS-Port = 82 (0) EAP-Message = 0x0200000c0174657374657234 (0) Message-Authenticator = 0xb19c034e8325fa37e7c8555a7323de40 (0) Acct-Session-Id = "8O2.1x81310900000b65a7" (0) NAS-Port-Id = "ge-0/0/16.0" (0) Calling-Station-Id = "08-ed-2a-81-00-00" (0) Called-Station-Id = "00-26-88-7c-c4-00" (0) NAS-Identifier = "jtac-EX4200-48T-r064" (0) NAS-Port-Type = Ethernet (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "tester4", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 1 length 22 (0) eap: EAP session adding &reply:State = 0x221d73df221c7755 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 148 from 10.85.19.162:1812 to 100.64.8.3:51157 length 0 (0) EAP-Message = 0x0101001604104f25d10e53221ba2241dc31da1154f5c (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x221d73df221c7755f69b930716c7d1dc (0) Finished request Waking up in 4.9 seconds. Waking up in 6.9 seconds. Waking up in 13.9 seconds. Waking up in 30.9 seconds. (0) Cleaning up request packet ID 148 with timestamp +14 i copied "client.pem" from the server to client side and tried "tls". this time i don't see any outputs from "radiusd -sX" (i think because of failed certs and 802.1x didn't even finish its process) the client side showed failed message: "Validated, Test cannot continue, a fatal error encountered when working with certificates" how could i troubleshoot this? is it an issue of certs? thanks _dave
Hi,
user1 User-Password == "user1"
stuff deleted
user2 User-Password == "user2"
stuff deleted
i tested md5 first and it works (i think) but not able to bring up tunnel, so not able to get vlan id and ip addresses:
..and that is because....
(0) Received Access-Request Id 148 from 100.64.8.3:51157 to 10.85.19.162:1812 length 170 (0) User-Name = "tester4"
tester4 ? well, tester4 doesnt appear in your users file and thus has no VLAN etc defined...... thats whhy that isnt working for you. the server isnt magical.
i copied "client.pem" from the server to client side and tried "tls". this time i don't see any outputs from "radiusd -sX" (i think because of failed certs and 802.1x didn't even finish its process) the client side showed failed message: "Validated, Test cannot continue, a fatal error encountered when working with certificates" how could i troubleshoot this? is it an issue of certs?
well, keep working at it - get some more 802.1X experience....but the client itself will need the CA of the RADIUS server as well as the client cert to present to the server (the server will send through the server cert itself if used so no need for client to hold that). if you dont see any output at all from radiusd -X (after the 'Ready to Process requests....' line) then either the 802.1X isnt configured correctly on the NAS - and therefore the client isnt challenged for 802.1X or the client isnt configured correctly. start with basic steps...do the TLS EAP 802.1X stuff locally on the radius server with eg eapol_test before you involve network kit/NAS/remote clients etc alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
gahn