Wired Ethernet EAP-TLS

2007-06-27 Thread Darren Maden
I'm having problems getting a wired Ethernet machine to authenticate
with EAP-TLS. I'm connecting via a Lindy switch with 802.1x port
authentication forced on the port that the machine is connecting to;
that port is also on the same VLAN as the RADIUS server.  This
FreeRADIUS setup is working for wireless clients over 802.1x using EAP-TLS.

My wpa_supplicant config is:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
identity="hostname"
eapol_flags=0
eap=TLS
ca_cert="/etc/certs/cacert.pem"
client_cert="/etc/certs/clientcert.pem"
private_key="/etc/certs/clientkey.pem"
private_key_passwd="password"
}

(Identity and Password changed for privacy)

I'm initiating this with the following command:

wpa_supplicant -Dwired -ieth1 -c/etc/wpa_supplicant.conf -d

The RADIUS server is not receiving the request; here is the output from
wpa_supplicant:

State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
CTRL-EVENT-TERMINATING - signal 2 received
Removing interface eth1
State: ASSOCIATED -> DISCONNECTED
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
No keys have been configured - skip key clearing
Cancelling scan request

Is there anything special I need to do in my FreeRADIUS config?
Supporting Windows wired clients is not necessary but when trying with a
Windows client, it didn't work either.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
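An added example (my code, not from the thread or from the wpa_supplicant project) that reads a wpa_supplicant -d trace like the one above and tells apart "the switch never answered our EAPOL-Start" from "the switch ran an EAP conversation and it failed". The classification rules, the use of the RECEIVED state as the marker for an EAP frame arriving from the authenticator, and the CTRL-EVENT-EAP-SUCCESS marker are my assumptions about wpa_supplicant's state-machine logging.

```python
import re

STATE_RE = re.compile(r"^EAP: EAP entering state (\w+)$")
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X PAE group address the wired driver sends to

def diagnose_eapol_trace(lines):
    """Walk a wpa_supplicant -d trace and say where the 802.1X exchange stalled."""
    tx_start = 0          # EAPOL-Start frames the supplicant sent
    received = 0          # EAP frames that actually arrived from the authenticator
    failures = 0          # times the EAP peer state machine gave up
    success = False
    pae_peer = False
    for raw in lines:
        line = raw.strip()
        if line == "EAPOL: txStart":
            tx_start += 1
        elif line == "CTRL-EVENT-EAP-SUCCESS":  # assumed success marker
            success = True
        elif line.startswith("Associated with ") and line.endswith(PAE_GROUP_MAC):
            pae_peer = True
        m = STATE_RE.match(line)
        if m:
            if m.group(1) == "RECEIVED":        # assumed: entered when an EAP frame arrives
                received += 1
            elif m.group(1) == "FAILURE":
                failures += 1
    if success:
        verdict = "authenticated"
    elif tx_start and not received and failures:
        # Starts went out, nothing came back: the switch is not running EAP on
        # this port, so the RADIUS server can never see a request. Look at the switch.
        verdict = "no_response_from_authenticator"
    elif received and failures:
        # The switch talked EAP but the conversation failed: now the RADIUS
        # server's debug output is the right place to look.
        verdict = "rejected_by_authenticator"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "tx_start": tx_start, "eap_frames_received": received,
            "eap_failures": failures, "pae_group_peer": pae_peer}

# Constructed sample: a trimmed copy of the trace from the post above.
SAMPLE_TRACE = """\
Associated with 01:80:c2:00:00:03
EAPOL: SUPP_PAE entering state CONNECTING
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: txStart
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
""".splitlines()

if __name__ == "__main__":
    print(diagnose_eapol_trace(SAMPLE_TRACE))
```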


Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Alan DeKok
Darren Maden wrote:

> The RADIUS server is not receiving the request,

  Find out why the NAS isn't sending the RADIUS request.

  Poking wpa_supplicant or FreeRADIUS won't help.

> Is there anything special I need to do in my FreeRADIUS config?
> Supporting Windows wired clients is not necessary but when trying with a
> Windows client, it didn't work either.

  It's a NAS problem.

  In general, if the RADIUS server doesn't receive a request, don't
blame *it*.  It's not supposed to do anything if it doesn't receive a
request.

  Alan DeKok.


Re: Wired Ethernet EAP-TLS

2007-06-27 Thread tnt
>The RADIUS server is not receiving the request

So, where is the switch sending the request? Check the switch configuration.
FreeRADIUS is most likely OK if it works with wireless clients. The only
thing you would need to do there is to add the switch into clients.conf.

Ivan Kalik
Kalik Informatika ISP



Re: Wired Ethernet EAP-TLS

2007-06-27 Thread inverse
On 6/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> thing you would need to do there is to add the switch into clients.conf.

and set a secret, and set that secret in the switch too.


Then he might post a tcpdump capture of the conversation, with the
options -vv -s 65535 -X to say one


Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Darren Maden
The switch is added into the nas table in mysql and that secret is set 
in the switch as well.

Doing a tcpdump on the machine trying to authenticate tells me that 
packets have been dropped by the kernel and filters.  I haven't got any 
firewall or iptables set up; anything you can suggest about that?

(OS is openSUSE 10.2 32bit - console installation)



Plugging a laptop into the sniffing port of the switch and running 
ethereal shows packets going from the machine trying to authenticate 
with destination of "Spanning_Tree_Protocol" but there is a 
"Success" packet in there.



~Darren




Re: Wired Ethernet EAP-TLS

2007-06-27 Thread Alan DeKok
Darren Maden wrote:
> The switch is added into the nas table in mysql and that secret is set 
> in the switch as well.

  Does the switch have the IP address of the server?

> Plugging a laptop into the sniffing port of the switch and running 
> ethereal shows packets going from the machine trying to authenticate 
> with destination of "Spanning_Tree_Protocol" but there is a 
> "Success" packet in there.

  As was said before, the problem is likely between the switch and the
RADIUS server.   Looking at the traffic between the switch and
supplicant probably won't help you debug issues between the switch and
the RADIUS server.

  Alan DeKok.


Re: Wired Ethernet EAP-TLS

2007-06-29 Thread Darren Maden
> Does the switch have the IP address of the server?

Yes, the switch is set up in the same way as my wireless routers (which 
work) and no errors are detected when I start radiusd in debug 
mode... although if the switch isn't seeing the server then there 
probably wouldn't be any errors. I'm quite confident that these settings 
are right though; there isn't really a lot involved.


> As was said before, the problem is likely between the switch and the
> RADIUS server.   Looking at the traffic between the switch and
> supplicant probably won't help you debug issues between the switch and
> the RADIUS server.

Nothing is going out to the RADIUS server from the switch, it's on the 
same VLAN and other traffic can get through.  Other than some timing and 
amount of retry options the only options on the switch are RADIUS Server 
IP, ports, secret and name for the switch as well as the per-port options.

But why is the supplicant receiving "success" packets?  Could the switch 
be trying to authenticate it itself in some way?



~Darren Maden


Re: Wired Ethernet EAP-TLS

2007-06-29 Thread tnt
Can you debug radius on the switch? It should have some kind of a log.

Ivan Kalik
Kalik Informatika ISP




Re: Wired Ethernet EAP-TLS

2007-06-29 Thread tnt
PS. If the supplicant gets authenticated and the switch hasn't contacted
the RADIUS server, then the authentication is set up to be local.

Ivan Kalik
Kalik Informatika ISP




Re: Wired Ethernet EAP-TLS

2007-06-29 Thread Darren Maden
> Can you debug radius on the switch? It should have some kind of a log.

No, after a quick look around the configs and a search of the manual for 
words like "log", "logging" and "debug", I couldn't find anything; the 
only thing I have is a sniffing port, which I used.

> PS. If the supplicant gets authenticated and the switch hasn't contacted
> the RADIUS server, then the authentication is set up to be local.

It just doesn't make sense that there are no options which look anything 
like that... and the fact that one of the few options is the IP of the 
RADIUS server just suggests to me that it's automatically going to use 
a RADIUS server rather than doing it locally.

It looks like it's down to the switch, the manual doesn't exactly help, 
just the usual stuff.  So I should probably just check with the 
manufacturer and ask them for more info.



~Darren Maden


Re: Wired Ethernet EAP-TLS

2007-06-29 Thread Alan DeKok
Darren Maden wrote:
> But why is the supplicant receiving "success" packets?  Could the switch 
> be trying to authenticate it itself in some way?

  Perhaps.  But the "success" packets you talked about weren't EAPOL
packets.   (Unless I really misunderstood your email)

  If the client machine thinks that it logged in OK, then something odd
is going on.


  1) If the RADIUS server isn't receiving packets, blame the NAS
  2) If the NAS isn't sending packets, it's because no one is logging in
  3) If someone is trying to log in, and nothing happens, blame the NAS

  Alan DeKok.


Re: Wired Ethernet EAP-TLS

2007-06-29 Thread Darren Maden
> 1) If the RADIUS server isn't receiving packets, blame the NAS
> 2) If the NAS isn't sending packets, it's because no one is logging in
> 3) If someone is trying to log in, and nothing happens, blame the NAS

I decided to blame the NAS... so I reset it to factory, i.e. no VLANs or 
anything like that, and I've now got a step further towards it working. 
I suppose it was a bit adventurous to try this the first time with VLANs and 
everything. Although I could actually connect with authentication 
disabled and ping through to the server from the client, it still seems 
something in there was messing it up. I'll worry about all those fancy 
extras on the switch later and concentrate on getting it authenticating 
first.

So now the client's request is reaching the RADIUS server, but it 
doesn't seem to be working. I'm quite new to RADIUS, but this setup is 
working properly with EAP-TLS over wireless.  Any ideas what is going 
wrong here?


What the server sees:


rad_recv: Access-Request packet from host 10.1.0.7:7160, id=42, length=170
 User-Name = "es6.evosys.co.uk"
 NAS-IP-Address = 10.1.0.7
 NAS-Port = 22
 NAS-Identifier = "ES7_SWITCH"
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Called-Station-Id = "00-0:-17-00-18-B4"
 Framed-MTU = 1400
 NAS-Port-Type = Ethernet
 Connect-Info = "CONNECT Ethernet 802.3"
 EAP-Message = 0x028a0015016573362e65766f7379732e636f2e756b
 Message-Authenticator = 0x9c4dd90736ab44c24180b404675396f3
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
   modcall[authorize]: module "preprocess" returns ok for request 23
   modcall[authorize]: module "mschap" returns noop for request 23
 rlm_realm: No '@' in User-Name = "es6.evosys.co.uk", looking up 
realm NULL
 rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 23
   rlm_eap: EAP packet type response id 138 length 21
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 23
radius_xlat:  'es6.evosys.co.uk'
rlm_sql (sql): sql_set_user escaped user --> 'es6.evosys.co.uk'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'es6.evosys.co.uk'   ORDER 
BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): User es6.evosys.co.uk not found in radcheck
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'es6.evosys.co.uk' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
  FROM radgroupreply,usergroup WHERE usergroup.Username = 
'es6.evosys.co.uk' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id'
rlm_sql (sql): User es6.evosys.co.uk not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): User not found
   modcall[authorize]: module "sql" returns notfound for request 23
modcall: leaving group authorize (returns updated) for request 23
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 23
modcall: leaving group authenticate (returns handled) for request 23
Sending Access-Challenge of id 42 to 10.1.0.7 port 7160
 EAP-Message = 0x018b00060d20
 Message-Authenticator = 0x
 State = 0x7edcdc092933bf1c0eaeb691bfaf641d
Finished request 23
Going to the next request



What the client sees:


es6:~ # wpa_supplicant -Dwired -ieth1 -c/etc/wpa_supplicant.conf -d
Initializing interface 'eth1' conf '/etc/wpa_supplicant.conf' driver 
'wired' ctrl_interface 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=10 (from group name 'wheel')
ap_scan=0
Priority group 0
id=0 ssid=''
Initializing interface (2) 'eth1'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_wired_init: Added multicast membership with packet socket
Own MAC address: 00:50:ba:eb:a3:19
Setting scan request: 0 sec 10 usec
Added interface eth1
EA
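An added example (my code, not from the thread or from FreeRADIUS) that decodes the EAP-Message values radiusd prints in hex, using the EAP header layout of RFC 3748 and the EAP-TLS flags byte of RFC 5216, and checks that the Access-Challenge above is the EAP-TLS Start one would expect in reply to the Identity response. The two hex values are the ones in the radiusd output quoted in this post; the type-name table is mine.

```python
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def decode_eap_message(hexstr):
    """Parse one EAP packet given as FreeRADIUS prints it ("0x...")."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        etype = raw[4]
        data = raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                           # Identity: data is the identity string
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif etype == 13 and data:               # EAP-TLS: flags byte (L/M/S) then TLS data
            flags = data[0]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
            if flags & 0x80 and len(data) >= 5:  # L set: 4-byte TLS message length follows
                pkt["tls_total_length"] = int.from_bytes(data[1:5], "big")
            pkt["tls_data_bytes"] = len(data) - (5 if flags & 0x80 else 1)
    return pkt

def check_identity_to_tls_start(request_hex, challenge_hex):
    """True when an Identity response was answered by an EAP-TLS Start whose
    identifier is one higher than the response's (what radiusd did above)."""
    req = decode_eap_message(request_hex)
    chal = decode_eap_message(challenge_hex)
    return (req["code"] == "Response" and req.get("type") == "Identity"
            and chal["code"] == "Request" and chal.get("type") == "EAP-TLS"
            and chal["flags"]["S"] and not chal["flags"]["L"]
            and chal["id"] == (req["id"] + 1) % 256)

# Values copied from the radiusd output quoted in this post.
ACCESS_REQUEST_EAP = "0x028a0015016573362e65766f7379732e636f2e756b"
ACCESS_CHALLENGE_EAP = "0x018b00060d20"

if __name__ == "__main__":
    print(decode_eap_message(ACCESS_REQUEST_EAP))      # Response id 138, Identity
    print(decode_eap_message(ACCESS_CHALLENGE_EAP))    # Request id 139, EAP-TLS Start
    print(check_identity_to_tls_start(ACCESS_REQUEST_EAP, ACCESS_CHALLENGE_EAP))
```

The decoded identity and the id 138 / length 21 match the "rlm_eap: EAP packet type response id 138 length 21" line, and the challenge's S flag matches "rlm_eap_tls: Initiate", so the server side of this exchange is behaving as expected up to the TLS handshake.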