Juniper and Nortel user access
Hi I have a user setup in the /etc/freeradius/users file which can access Juniper routers, but I would like the same user to be able to access Nortel switches, but when I try and combine the user attributes authentication fails. This conf works for both devices:- test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV" test2 Cleartext-Password := "test" Service-Type = Administrative-User When I try and combine auth fails for the Nortels. test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV" Service-Type = Administrative-User cheers Ivan
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Ivan . Sent: Monday, 11 August 2008 10:18 To: freeradius-users@lists.freeradius.org Subject: Juniper and Nortel user access
Hi
I have a user setup in the /etc/freeradius/users file which can access Juniper routers, but I would like the same user to be able to access Nortel switches, but when I try and combine the user attributes authentication fails.
This conf works for both devices:-
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV"
test2 Cleartext-Password := "test" Service-Type = Administrative-User
When I try and combine auth fails for the Nortels.
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV" Service-Type = Administrative-User
You need a comma after the reply attribute: test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV", Service-Type = Administrative-User Regards, Frank Ranner
awesome thanks! that works cheers Ivan On Mon, Aug 11, 2008 at 1:28 PM, Ranner, Frank MR <Frank.Ranner@defence.gov.au> wrote:
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Ivan . Sent: Monday, 11 August 2008 10:18 To: freeradius-users@lists.freeradius.org Subject: Juniper and Nortel user access
Hi
I have a user setup in the /etc/freeradius/users file which can access Juniper routers, but I would like the same user to be able to access Nortel switches, but when I try and combine the user attributes authentication fails.
This conf works for both devices:-
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV"
test2 Cleartext-Password := "test" Service-Type = Administrative-User
When I try and combine auth fails for the Nortels.
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV" Service-Type = Administrative-User
You need a comma after the reply attribute:
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV", Service-Type = Administrative-User
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Frank Another question if thats cool? how do you manage user access, as from what I can see the passwords are in clear text in the conf file? And as such the freeradius admin who adds the users will also add the passwords, or am I missing something? I am coming from a Cisco ACS background. cheers Ivan On Mon, Aug 11, 2008 at 1:28 PM, Ranner, Frank MR <Frank.Ranner@defence.gov.au> wrote:
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Ivan . Sent: Monday, 11 August 2008 10:18 To: freeradius-users@lists.freeradius.org Subject: Juniper and Nortel user access
Hi
I have a user setup in the /etc/freeradius/users file which can access Juniper routers, but I would like the same user to be able to access Nortel switches, but when I try and combine the user attributes authentication fails.
This conf works for both devices:-
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV"
test2 Cleartext-Password := "test" Service-Type = Administrative-User
When I try and combine auth fails for the Nortels.
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV" Service-Type = Administrative-User
You need a comma after the reply attribute:
test Auth-type:=Local, User-Password := "test" Juniper-Local-User-Name ="DEV", Service-Type = Administrative-User
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, Need help. I'd been doing this for sometimes and can't get it solved. Client try to communicate with server but just can't get it connected. here are the message: Waking up in 4.7 seconds. User-Name = "testing" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x50713d8653743023ce88a0c1a1b930fe EAP-Message = 0x020505c50d80000005bb160301058b0b00037b0003780003753082037130820259a003020102020102300d06092a864886f70d01010405003070310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e311730150603550403140e4d6172734e65745f5365727665723120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3038303730383032323630315a170d3131303730383032323630315a306f310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520 EAP-Message = 0x496e632e311730150603550403140e4d6172734e65745f436c69656e74311f301d06092a864886f70d010901161075736572406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d9c82149515d4198e7647e1dd2fdaba3dd274d89fe59259ea656b5550118896812a05a0bad9307dda14f88582a1cfd1b8f475aabfc4e7ee2618d195fdb4fed673093982696a14d7a929c8590bfb32a930ee363d15a2ddadaf398d497527addbb88562c48803840ac7ab5cfd47709718078cee8489a415783ff1149bd2d8c4abd5ed1c83811392890b60e65dcfe3fae892d4ab0e3f98506387d47094656bb EAP-Message = 0xc7b5fdebc4b342b797d0dcc7a3fdd68cfa52490ec10a1e4a5d9cc82decc3f7340611755269c937f882478b6a875c460ea997351f33291f4f94bc7661b7f76a5457479f72639fc9acf815aa5ed438309a1695ffe34f1f967ad8f0b63d2e72f71240050203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101008cb12a5b0e048b822dd0e435fdb3c808a183a2bfe5b8970d24c8d7d8de6183ac6bd0978accaa284093f927e49b512056fd5850cd2211016f0d68099bc90a2bf2fb93ab3f6a2552fe2b094ffb8830aabe7d00871f1f8b882d3bfec10f73a7af1688a51a2e915597276d EAP-Message = 0x0e2c716dbd340dba22124f473ea8396e799c6de451101cb64cc0e8913535dc79d23e6194878814e7d6baa7a1ba616947cfe5d368a83f5db7e71e95e9b90f189033e9851b1d8419c4ab78b988ca9c4ff1163ed3e390e486bfc803e176cb108e7c31b51c5b618e644a046f7a60f232b0d57c47f1626a96115e83d457a3ad661c064986ebdd3629ef50b6a0d67e7b923d4a0d288b3652d98e1000010201003c14f10ae05a07ca00d74116971fd5d146e8640db1f58ebebf6e49c7cd8dabe98da7b6461af55c77e5fbde2336eb2914ceb3a6e09cdb6a46989cd9e22983bc672387ff0483700a70e396a9f844edd9ac4bb95c4b2a3bc45755d9408e41b37034 EAP-Message = 0x32c84f5b11d84870904e298defb383734235d6f67c9d9c0dfe20ed207fa3fe539571566103e2f55ee41cd3c7d6d9019f224594853387f67ccf453aa85ead173fa5059922888c7de3a689745cdc800423fc43522a91ee235704264a60eec90c62d01fde3cdda4f81666c26f8681c08b4a18b447d9971270ce92391e5c54f2537b3f7ff791fe7863daa40f6e0e244a02dab97755b4de554a21973a34dab24815ae0f00010201001b8569aff3bd371c1c7d782df9db0e00468d7806f2b5307f49dd2d4c5507aec96fe0db1fa401a613e021eec225eedf95303d1b2af768c011541086e89933d72b07d56d5a588e96d79906e1672e016fd5694fe694990ded EAP-Message = 0x9dc92e8f839a0e40cc7a7563476be125135d91d45ed4b5c978273b5e1d0e30cb655d8d1a011fe0d7c93e21603ee63e618566dbf126d95e68f8bf1e2bfbf8145a3894ddeb74923d45fbac9fdbde4cd7bf070931c74a4a7d3153a4e5de2d74c4f6f6191e639f57d2d18a256f240726a7b3100fec13048cddc9a99f594c82742aeb918959fe193bd1cb691a81fbf413aaba7e57cca12151350d96dc18a4b0af99d63cb68c1a5214a087a21403010001011603010020251f2329bd8931db05f4268228c4258ec07f3d2bb9281b1b83b584b08b75214d Message-Authenticator = 0xd97d042e7cb701a8720f28f6c5f1292b +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testing", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry testing at line 91 expand: Hello, %{User-Name} -> Hello, testing ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS TLS Length 1467 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 037f], Certificate --> verify error:num=20:unable to get local issuer certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [testing/<via Auth-Type = EAP>] (from client private-network-1 port 0 cli 00:1c:f0:10:56:b8) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testing attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request radtest testing testing123-1 localhost 0 testing123 User-Name = "testing" User-Password = "testing123" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Reply-Message = "Hello, testing" Here another error when I do radtest to localhost by return 192.168.1.5 Where should I go to fix those problem? I browse a lot but just have no clue where did I get wrong!
Kwok Sianbin wrote:
I'd been doing this for sometimes and can't get it solved. Client try to communicate with server but just can't get it connected.
Please READ the debug output. It is telling you what's going wrong.
rlm_eap_tls: <<< TLS 1.0 Handshake [length 037f], Certificate --> verify error:num=20:unable to get local issuer certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
You are doing EAP-TLS. The certificate presented is from a CA that is unknown. Alan DeKok.
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Ivan . Sent: Monday, 11 August 2008 13:58 To: FreeRadius users mailing list Subject: Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
Hi Frank
Another question if thats cool?
how do you manage user access, as from what I can see the passwords are in clear text in the conf file? And as such the freeradius admin who adds the users will also add the passwords, or am I missing something?
I am coming from a Cisco ACS background.
Having users and password in the users file is generally only used for testing. In production, the users file is mainly used to test group memberships, both user and client, and assign attributes based on those memberships. The actual authentication is done using a password file, ldap directory or SQL queries. Which of these you use is up to you. In my deployment, I use an openldap server, which holds Unix, Netview, dokuwiki and radius Users. Radius users have the radiusprofile objectclass which allows me to specify the radiusGroupName attribute, which specifies what devices the user can access, and what access level. For example a user may have in LDAP: radiusGroupName: passport_service radiusGroupName: juniper_RO In the raddb/users file a rule may be: DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO Service-Type := NAS-Prompt-User This ties a group of devices to a group of users. In freeradius, a device can belong to only one huntgroup, whereas users can be in many groups. In any case, to address your initial concern, using ldap or sql allows you to use whatever machanism you like for account maintenance, completely independent of the radius server and it's requirements. You have a bit of a learning curve ahead of you, but it is worth it. Use the -X switch on the server to see what it is doing, and make small changes each time so you know where to look when you break it. Regards, Frank Ranner
participants (4)
-
Alan DeKok -
Ivan . -
Kwok Sianbin -
Ranner, Frank MR