axis audio module and EAP-TLS
Hello, I installed a CentOS with freeradius 3.0.20. And I'm a bit confused how to configure it to make it work with an AXIS P8221 I/O Audio Module. In the section 802.1X I uploaded the certificate I geneated with freeradius Makefile from the directory /etc/raddb/certs/ I uploaded the CA certificate and the clients one and client ons plus the key. But when I have to set the EAPOL version, EAP identity and password I don't know what specify and how to configure freeradius to match that parametes. Can someone help me? I tryed to configure a simply user with a password into /etc/raddb/mods-config/files/authorize : testing Cleartext-Password := "password" And using a freeradius client from an ArchLinux client it works doing command line call. But I don't know how configure the AXIS module. Can someone help? I configured the Layer 3 switch correctly to send the freeradius packet to the correct IP address and it works. I mean enabling to use the swicth port to get authentication against that freeradius. But the configuration lack of the correct part. Giovanni
On Jul 19, 2021, at 3:42 AM, Giovanni Venturi <gventuri@nexera.it> wrote:
And I'm a bit confused how to configure it to make it work with an AXIS P8221 I/O Audio Module.
The screen shot you posted shows EAP-TLS. Which doesn't use passwords like YEAP.
In the section 802.1X I uploaded the certificate I geneated with freeradius Makefile from the directory /etc/raddb/certs/
I uploaded the CA certificate and the clients one and client ons plus the key.
Then it should work.
But when I have to set the EAPOL version, EAP identity and password I don't know what specify and how to configure freeradius to match that parametes.
The EAP identity should be the "common name" from the certificate. The password is the password for the client certificate private key. See the client.cnf file for examples.
Can someone help me?
I tryed to configure a simply user with a password into /etc/raddb/mods-config/files/authorize :
testing Cleartext-Password := "password"
That won't work for EAP-TLS.
And using a freeradius client from an ArchLinux client it works doing command line call.
Which isn't using EAP-TLS. Read the debug output to see. Alan DeKok.
Sorry if you received personally the reply. Thunderbird doesn't reply to the list by deafult. Sorry. It will never happen again. Sorry. So it is the camera doesn't send the correct data, I suppose, because I verifyed each certificate and the id and password. Freeradius replies in this way: Mon Jul 19 15:14:29 2021 : Debug: (0) Received Access-Request Id 0 from 192.168.4.248:49156 to 192.168.0.18:1812 length 97 Mon Jul 19 15:14:29 2021 : Debug: (0) NAS-IP-Address = 192.168.4.248 Mon Jul 19 15:14:29 2021 : Debug: (0) NAS-Port-Type = Ethernet Mon Jul 19 15:14:29 2021 : Debug: (0) NAS-Port = 10 Mon Jul 19 15:14:29 2021 : Debug: (0) User-Name = "user@example.org" Mon Jul 19 15:14:29 2021 : Debug: (0) EAP-Message = 0x020100150175736572406578616d706c652e6f7267 Mon Jul 19 15:14:29 2021 : Debug: (0) Message-Authenticator = 0x2b6c4a8dea1185bee804dbe0d7645f75 Mon Jul 19 15:14:29 2021 : Debug: (0) session-state: No State attribute Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (0) authorize { Mon Jul 19 15:14:29 2021 : Debug: (0) policy filter_username { Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name) { Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name) -> TRUE Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name) { Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ / /) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ / /) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /\.\./ ) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /\.\./ ) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: Adding 1 matches Mon Jul 19 15:14:29 2021 : Debug: Clearing 1 old matches Mon Jul 19 15:14:29 2021 : Debug: Adding 3 matches Mon Jul 19 15:14:29 2021 : Debug: (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /\.$/) { Mon Jul 19 15:14:29 2021 : Debug: Clearing 3 old matches Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /\.$/) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /@\./) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (0) if (&User-Name =~ /@\./) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (0) } # if (&User-Name) = notfound Mon Jul 19 15:14:29 2021 : Debug: (0) } # policy filter_username = notfound Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess) Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) Mon Jul 19 15:14:29 2021 : Debug: (0) [preprocess] = ok Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling auth_log (rlm_detail) Mon Jul 19 15:14:29 2021 : Debug: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree: Mon Jul 19 15:14:29 2021 : Debug: literal --> /var/log/radius/radacct/ Mon Jul 19 15:14:29 2021 : Debug: XLAT-IF { Mon Jul 19 15:14:29 2021 : Debug: attribute --> Packet-Src-IP-Address Mon Jul 19 15:14:29 2021 : Debug: } Mon Jul 19 15:14:29 2021 : Debug: XLAT-ELSE { Mon Jul 19 15:14:29 2021 : Debug: attribute --> Packet-Src-IPv6-Address Mon Jul 19 15:14:29 2021 : Debug: } Mon Jul 19 15:14:29 2021 : Debug: literal --> /auth-detail- Mon Jul 19 15:14:29 2021 : Debug: percent --> Y Mon Jul 19 15:14:29 2021 : Debug: percent --> m Mon Jul 19 15:14:29 2021 : Debug: percent --> d Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: --> /var/log/radius/radacct/192.168.4.248/auth-detail-20210719 Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.4.248/auth-detail-20210719 Mon Jul 19 15:14:29 2021 : Debug: %t Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree: Mon Jul 19 15:14:29 2021 : Debug: percent --> t Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: EXPAND %t Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: --> Mon Jul 19 15:14:29 2021 Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from auth_log (rlm_detail) Mon Jul 19 15:14:29 2021 : Debug: (0) [auth_log] = ok Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling chap (rlm_chap) Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from chap (rlm_chap) Mon Jul 19 15:14:29 2021 : Debug: (0) [chap] = noop Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling mschap (rlm_mschap) Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from mschap (rlm_mschap) Mon Jul 19 15:14:29 2021 : Debug: (0) [mschap] = noop Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling digest (rlm_digest) Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from digest (rlm_digest) Mon Jul 19 15:14:29 2021 : Debug: (0) [digest] = noop Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling suffix (rlm_realm) Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: Checking for suffix after "@" Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: Looking up realm "example.org" for User-Name = "user@example.org" Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: No such realm "example.org" Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm) Mon Jul 19 15:14:29 2021 : Debug: (0) [suffix] = noop Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: calling eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Peer sent EAP Response (code 2) ID 1 length 21 Mon Jul 19 15:14:29 2021 : Debug: (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (0) [eap] = ok Mon Jul 19 15:14:29 2021 : Debug: (0) } # authorize = ok Mon Jul 19 15:14:29 2021 : Debug: (0) Found Auth-Type = eap Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (0) authenticate { Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authenticate]: calling eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Peer sent packet with method EAP Identity (1) Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Calling submodule eap_tls to process data Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: Initiating new TLS session Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: Setting verify mode to require certificate from client Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: [eaptls start] = request Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Sending EAP Request (code 1) ID 2 length 6 Mon Jul 19 15:14:29 2021 : Debug: (0) eap: EAP session adding &reply:State = 0x704e25f0704c2894 Mon Jul 19 15:14:29 2021 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (0) [eap] = handled Mon Jul 19 15:14:29 2021 : Debug: (0) } # authenticate = handled Mon Jul 19 15:14:29 2021 : Debug: (0) Using Post-Auth-Type Challenge Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (0) Challenge { ... } # empty sub-section is ignored Mon Jul 19 15:14:29 2021 : Debug: (0) session-state: Nothing to cache Mon Jul 19 15:14:29 2021 : Debug: (0) Sent Access-Challenge Id 0 from 192.168.0.18:1812 to 192.168.4.248:49156 length 0 Mon Jul 19 15:14:29 2021 : Debug: (0) EAP-Message = 0x010200060d20 Mon Jul 19 15:14:29 2021 : Debug: (0) Message-Authenticator = 0x00000000000000000000000000000000 Mon Jul 19 15:14:29 2021 : Debug: (0) State = 0x704e25f0704c2894350a7a76741cdfd3 Mon Jul 19 15:14:29 2021 : Debug: (0) Finished request Mon Jul 19 15:14:29 2021 : Debug: Waking up in 4.9 seconds. Mon Jul 19 15:14:29 2021 : Debug: (0) Cleaning up request packet ID 0 with timestamp +7 Mon Jul 19 15:14:29 2021 : Debug: (1) Received Access-Request Id 0 from 192.168.4.248:49156 to 192.168.0.18:1812 length 100 Mon Jul 19 15:14:29 2021 : Debug: (1) NAS-IP-Address = 192.168.4.248 Mon Jul 19 15:14:29 2021 : Debug: (1) NAS-Port-Type = Ethernet Mon Jul 19 15:14:29 2021 : Debug: (1) NAS-Port = 10 Mon Jul 19 15:14:29 2021 : Debug: (1) User-Name = "user@example.org" Mon Jul 19 15:14:29 2021 : Debug: (1) State = 0x704e25f0704c2894350a7a76741cdfd3 Mon Jul 19 15:14:29 2021 : Debug: (1) EAP-Message = 0x020200060300 Mon Jul 19 15:14:29 2021 : Debug: (1) Message-Authenticator = 0xb56b2484ee97b397f38baefb6a09ecfb Mon Jul 19 15:14:29 2021 : Debug: (1) session-state: No cached attributes Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing section authorize from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (1) authorize { Mon Jul 19 15:14:29 2021 : Debug: (1) policy filter_username { Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name) { Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name) -> TRUE Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name) { Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ / /) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ / /) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /\.\./ ) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /\.\./ ) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: Adding 1 matches Mon Jul 19 15:14:29 2021 : Debug: Clearing 1 old matches Mon Jul 19 15:14:29 2021 : Debug: Adding 3 matches Mon Jul 19 15:14:29 2021 : Debug: (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /\.$/) { Mon Jul 19 15:14:29 2021 : Debug: Clearing 3 old matches Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /\.$/) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /@\./) { Mon Jul 19 15:14:29 2021 : Debug: No old matches Mon Jul 19 15:14:29 2021 : Debug: (1) if (&User-Name =~ /@\./) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) } # if (&User-Name) = notfound Mon Jul 19 15:14:29 2021 : Debug: (1) } # policy filter_username = notfound Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) Mon Jul 19 15:14:29 2021 : Debug: (1) [preprocess] = ok Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling auth_log (rlm_detail) Mon Jul 19 15:14:29 2021 : Debug: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree: Mon Jul 19 15:14:29 2021 : Debug: literal --> /var/log/radius/radacct/ Mon Jul 19 15:14:29 2021 : Debug: XLAT-IF { Mon Jul 19 15:14:29 2021 : Debug: attribute --> Packet-Src-IP-Address Mon Jul 19 15:14:29 2021 : Debug: } Mon Jul 19 15:14:29 2021 : Debug: XLAT-ELSE { Mon Jul 19 15:14:29 2021 : Debug: attribute --> Packet-Src-IPv6-Address Mon Jul 19 15:14:29 2021 : Debug: } Mon Jul 19 15:14:29 2021 : Debug: literal --> /auth-detail- Mon Jul 19 15:14:29 2021 : Debug: percent --> Y Mon Jul 19 15:14:29 2021 : Debug: percent --> m Mon Jul 19 15:14:29 2021 : Debug: percent --> d Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: --> /var/log/radius/radacct/192.168.4.248/auth-detail-20210719 Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.4.248/auth-detail-20210719 Mon Jul 19 15:14:29 2021 : Debug: %t Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree: Mon Jul 19 15:14:29 2021 : Debug: percent --> t Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: EXPAND %t Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: --> Mon Jul 19 15:14:29 2021 Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from auth_log (rlm_detail) Mon Jul 19 15:14:29 2021 : Debug: (1) [auth_log] = ok Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) Mon Jul 19 15:14:29 2021 : Debug: (1) [chap] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) Mon Jul 19 15:14:29 2021 : Debug: (1) [mschap] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) Mon Jul 19 15:14:29 2021 : Debug: (1) [digest] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: Checking for suffix after "@" Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: Looking up realm "example.org" for User-Name = "user@example.org" Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: No such realm "example.org" Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) Mon Jul 19 15:14:29 2021 : Debug: (1) [suffix] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 Mon Jul 19 15:14:29 2021 : Debug: (1) eap: No EAP Start, assuming it's an on-going EAP conversation Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) [eap] = updated Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling files (rlm_files) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Mon Jul 19 15:14:29 2021 : Debug: (1) [files] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) Mon Jul 19 15:14:29 2021 : Debug: (1) [expiration] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) Mon Jul 19 15:14:29 2021 : Debug: (1) [logintime] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) Mon Jul 19 15:14:29 2021 : Debug: Not doing PAP as Auth-Type is already set. Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) Mon Jul 19 15:14:29 2021 : Debug: (1) [pap] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) } # authorize = updated Mon Jul 19 15:14:29 2021 : Debug: (1) Found Auth-Type = eap Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (1) authenticate { Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authenticate]: calling eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Expiring EAP session with state 0x704e25f0704c2894 Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Finished EAP session with state 0x704e25f0704c2894 Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Previous EAP request found for state 0x704e25f0704c2894, released from the list Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent packet with method EAP NAK (3) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer NAK'd indicating it is not willing to continue Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Sending EAP Failure (code 4) ID 2 length 4 Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Failed in EAP select Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[authenticate]: returned from eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) [eap] = invalid Mon Jul 19 15:14:29 2021 : Debug: (1) } # authenticate = invalid Mon Jul 19 15:14:29 2021 : Debug: (1) Failed to authenticate the user Mon Jul 19 15:14:29 2021 : Debug: (1) Using Post-Auth-Type Reject Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing group from file /etc/raddb/sites-enabled/default Mon Jul 19 15:14:29 2021 : Debug: (1) Post-Auth-Type REJECT { Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) Mon Jul 19 15:14:29 2021 : Debug: %{User-Name} Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree: Mon Jul 19 15:14:29 2021 : Debug: attribute --> User-Name Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: EXPAND %{User-Name} Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: --> user@example.org Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: EAP-Message = 0x04020004 allowed by EAP-Message =* 0x Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: Message-Authenticator = 0x00000000000000000000000000000000 allowed by Message-Authenticator =* 0x Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) Mon Jul 19 15:14:29 2021 : Debug: (1) [attr_filter.access_reject] = updated Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: calling eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Reply already contained an EAP-Message, not inserting EAP-Failure Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: returned from eap (rlm_eap) Mon Jul 19 15:14:29 2021 : Debug: (1) [eap] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) policy remove_reply_message_if_eap { Mon Jul 19 15:14:29 2021 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) { Mon Jul 19 15:14:29 2021 : Debug: (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Mon Jul 19 15:14:29 2021 : Debug: (1) else { Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: calling noop (rlm_always) Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: returned from noop (rlm_always) Mon Jul 19 15:14:29 2021 : Debug: (1) [noop] = noop Mon Jul 19 15:14:29 2021 : Debug: (1) } # else = noop Mon Jul 19 15:14:29 2021 : Debug: (1) } # policy remove_reply_message_if_eap = noop Mon Jul 19 15:14:29 2021 : Debug: (1) } # Post-Auth-Type REJECT = updated Mon Jul 19 15:14:29 2021 : Auth: (1) Login incorrect: [user@example.org] (from client axis_switch port 10) Mon Jul 19 15:14:29 2021 : Debug: (1) Delaying response for 1.000000 seconds Mon Jul 19 15:14:29 2021 : Debug: Waking up in 0.3 seconds. Mon Jul 19 15:14:29 2021 : Debug: Waking up in 0.6 seconds. Mon Jul 19 15:14:30 2021 : Debug: (1) Sending delayed response Mon Jul 19 15:14:30 2021 : Debug: (1) Sent Access-Reject Id 0 from 192.168.0.18:1812 to 192.168.4.248:49156 length 44 Mon Jul 19 15:14:30 2021 : Debug: (1) EAP-Message = 0x04020004 Mon Jul 19 15:14:30 2021 : Debug: (1) Message-Authenticator = 0x00000000000000000000000000000000 Mon Jul 19 15:14:30 2021 : Debug: Waking up in 3.9 seconds. Mon Jul 19 15:14:34 2021 : Debug: (1) Cleaning up request packet ID 0 with timestamp +7 Mon Jul 19 15:14:34 2021 : Info: Ready to process requests Il 19/07/21 14:02, Alan DeKok ha scritto:
On Jul 19, 2021, at 3:42 AM, Giovanni Venturi <gventuri@nexera.it> wrote:
And I'm a bit confused how to configure it to make it work with an AXIS P8221 I/O Audio Module. The screen shot you posted shows EAP-TLS. Which doesn't use passwords like YEAP.
In the section 802.1X I uploaded the certificate I geneated with freeradius Makefile from the directory /etc/raddb/certs/
I uploaded the CA certificate and the clients one and client ons plus the key. Then it should work.
But when I have to set the EAPOL version, EAP identity and password I don't know what specify and how to configure freeradius to match that parametes. The EAP identity should be the "common name" from the certificate.
The password is the password for the client certificate private key. See the client.cnf file for examples.
Can someone help me?
I tryed to configure a simply user with a password into /etc/raddb/mods-config/files/authorize :
testing Cleartext-Password := "password" That won't work for EAP-TLS.
And using a freeradius client from an ArchLinux client it works doing command line call. Which isn't using EAP-TLS. Read the debug output to see.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Giovanni Venturi Nexera S.p.A. Centro Direzionale, IS/A3 80143 - Napoli Tel. +39.081.5625868 Fax. +39.081.5625135 e-mail: gventuri@nexera.it web: http://www.nexera.it
On Jul 19, 2021, at 9:23 AM, Giovanni Venturi <gventuri@nexera.it> wrote:
Sorry if you received personally the reply. Thunderbird doesn't reply to the list by deafult. Sorry. It will never happen again. Sorry.
No worries.
So it is the camera doesn't send the correct data, I suppose, because I verifyed each certificate and the id and password. Freeradius replies in this way:
Please use "radiusd -X" as documented everywhere. We don't need to see dates in the debug output. FreeRADIUS seems to do EAP-TLS, and then the device does:
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent packet with method EAP NAK (3) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer NAK'd indicating it is not willing to continue
Well, that's bad. Make sure that mods-available/eap has default_eap_type = tls If that still doesn't work, then the camera is garbage. Alan DeKok.
Il 19/07/21 15:29, Alan DeKok ha scritto:
On Jul 19, 2021, at 9:23 AM, Giovanni Venturi <gventuri@nexera.it> wrote:
Sorry if you received personally the reply. Thunderbird doesn't reply to the list by deafult. Sorry. It will never happen again. Sorry. No worries.
So it is the camera doesn't send the correct data, I suppose, because I verifyed each certificate and the id and password. Freeradius replies in this way: Please use "radiusd -X" as documented everywhere. We don't need to see dates in the debug output.
FreeRADIUS seems to do EAP-TLS, and then the device does:
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent packet with method EAP NAK (3) Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer NAK'd indicating it is not willing to continue Well, that's bad.
Make sure that mods-available/eap has
default_eap_type = tls Yes, it is.
If that still doesn't work, then the camera is garbage.
Alan DeKok. I will open a ticker request to AXIS. Thank you for your support.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Giovanni Venturi Nexera S.p.A. Centro Direzionale, IS/A3 80143 - Napoli Tel. +39.081.5625868 Fax. +39.081.5625135 e-mail: gventuri@nexera.it web: http://www.nexera.it
participants (2)
-
Alan DeKok -
Giovanni Venturi