Re: [RADIATOR] 802.1x authentication questions
On 2011-06-02 09:54, Heikki Vatiainen wrote:
> On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:
>
>> Everything is working good so far but for the case that a non-company
>> client has dot1x enabled on the interface I'd like to switch the port to
>> our guest lan.
> What happens when you detect a non-company client? Have you configured
> Radiator to return Access-Accept with appropriate attributes for guest VLAN?

Yes, the switch configures the guest-vlan on the port, but the client gets an EAP auth failure through the EAP tunnel.

>> This is working fine on the switch, but a Windows 7 client receives the
>> EAP auth failure from Radiator and doesn't try to send a dhcp request
>> although the switch port has already been set to the guest lan.
> If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns
> Access-Accept without really having access to the user's password or
> NThash of the password, the client will notice that Radiator did not
> return a correct MS-CHAP-V2 response.
>
> The response needs to prove the server (Radiator) really has access to
> the user's credentials. In other words, the server must be able to
> authenticate itself too. That is the V2 part in the protocol.

We're using PEAP/EAP-TLS with machine certs.

>> Is there a solution for this problem?
>>
>> For the wireless part we're getting the following error on the WLC:
>> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
>> transition to state 0 failed; port status 0, key available 1, key tx
>> enabled 1
>>
>> If someone encountered this error and knows a solution while we wait for
>> the Cisco TAC please respond!
> If this is not a MS-CHAP-V2 problem I described above, and there is a
> way to do this, it would be very interesting to hear more.

Also same PEAP/EAP-TLS here.

> Thanks!
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] TLS/SSL securing connection Radiator <=> LDAP2 Server
On 06/02/2011 11:30 PM, w.sieb...@t-systems.com wrote:
> a simple question: TLS/SSL securing connection Radiator <=> LDAP2
> Server. There is a little StepByStep Guide? Really minimal, without SSL
> Verify …
>
> I think so, a minimal prerequisite is a certificate. How can I install
> it and bind on Radiator connection to LDAP-Server?

You can check goodies/ldap.cfg and goodies/edirectory.cfg for examples. The reference manual ref.pdf also contains information about TLS/SSL in section "5.37".

The minimum would be to configure UseTLS or UseSSL and then specify the trusted CA certificate with EAPTLS_CAFile. Radiator will require a valid certificate from the LDAP server but does not specify a certificate itself.

    UseTLS
    # Radiator trusts certs signed by this CA
    EAPTLS_CAFile %D/certs/cacert.pem

If the client (Radius server) needs to authenticate SSL/TLS connection to the LDAP server, the following should work:

    UseTLS
    # Radiator trusts certs signed by this CA
    EAPTLS_CAFile %D/certs/cacert.pem
    # These are needed if Radiator has to send a certificate
    EAPTLS_CertificateFile %D/certs/radius-cert.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certs/radius-key.pem
    EAPTLS_PrivateKeyPassword keypw

For TLS/SSL support, you need to install Perl modules and openssl. IO::Socket::SSL, Net::SSLeay and openssl are required.

Best regards,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] 802.1x authentication questions
On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:
>> What happens when you detect a non-company client? Have you configured
>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
> Yes, the switch configures the guest-vlan on the port, but the client
> gets an EAP auth failure through the EAP tunnel.

Ok. The client would probably have to get an Access-Accept to continue. Just to check: is your plan to have the non-company users use a WPA-Enterprise secured network too?

> We're using PEAP/EAP-TLS with machine certs.

This sounds to me like a setup that might be easier to get working with two different WLANs. One SSID (wlan name) would be for company clients and another SSID (with different parameters) would be for non-company clients. Enterprise WLAN access points and controllers support multiple SSIDs and differently configured WLANs/VLANs so that should be possible to do. And then you would not need to modify company users' authentication settings to allow redirecting visitors to their VLAN.

With EAP-TLS too the client wants to see server authentication. Also, the server does want to see a certificate from the client that it trusts. If you can assign certificates to non-company clients, you could use that information to do VLAN selection.

What kind of non-company clients do you plan supporting? Visitors or possibly employees' own devices which could be considered more long term than just those who occasionally come to meetings etc.

>>> If someone encountered this error and knows a solution while we wait for
>>> the Cisco TAC please respond!
>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>> way to do this, it would be very interesting to hear more.
> Also same PEAP/EAP-TLS here.

Please also let us know if you get something from TAC too.

Thanks!

--
Heikki Vatiainen
Re: [RADIATOR] radiator shutdown on reload
On 06/02/2011 11:56 PM, Michael wrote:
> I just had an issue with radiator shutting down. I added another
> Handler to my config. I keep them in separate files, and use an
> include to include that given file. I typo'd the file location, and
> when I reloaded the config, the service shut down. I have an HA
> environment where I sync the config to 4 redundant radiator systems
> and they all reload upon new config. So, all 4 services shut down.
> Boy was I sweating.
>
> Does radiator not use the current running configuration if a reload
> fails to process the config files?

It does not. Fortunately this problem is also logged during startup. In other words, what you experienced is how Radiator works.

You also need to be careful to close each <Handler> and other clauses. Not closing these with a matching </Handler> etc. can cause the parser to incorrectly interpret the configuration file without noticing any errors.

Heikki

--
Heikki Vatiainen
Re: [RADIATOR] radiator shutdown on reload
On Fri, 3 Jun 2011, Heikki Vatiainen wrote:
> On 06/02/2011 11:56 PM, Michael wrote:
>
>> I just had an issue with radiator shutting down. I added another
>> Handler to my config. I keep them in separate files, and use an
>> include to include that given file. I typo'd the file location, and
>> when I reloaded the config, the service shut down. I have an HA
>> environment where I sync the config to 4 redundant radiator systems
>> and they all reload upon new config. So, all 4 services shut down.
>> Boy was I sweating.
>>
>> Does radiator not use the current running configuration if a reload
>> fails to process the config files?
>
> It does not. Fortunately this problem is also logged during startup. In
> other words, what you experienced is how Radiator works.
>
> You also need to be careful to close each <Handler> and other
> clauses. Not closing these with a matching </Handler> etc. can cause the
> parser to incorrectly interpret the configuration file without noticing
> any errors.

The error I created was only a typo in an include statement filename. So, the only error is really a 'file not found' type error. I wouldn't think this would be reason enough to shut down.

Also, there is nothing in my log about the error. The only time I saw the error was on the CLI when trying to start Radiator back up again. It would be nice if Radiator didn't shut down on error, but if it must, I would think the last line in the log would be why it shut down.

I guess since it can't parse the config during the startup, it doesn't know where/how to log, so the best time to log such an error is before it shuts down, while it still has config of where the log file is.

>
> Heikki
>
> --
> Heikki Vatiainen
Re: [RADIATOR] radiator shutdown on reload
Just my 2p worth :-)

> The error I created was only a typo in an include statement filename. So,
> the only error is really a 'file not found' type error. I wouldn't think
> this would be reason enough to shut down.

Unless someone is willing to go through every possible failure scenario and identify whether such a failure should warrant a shutdown or not then there's no way that Radiator can decide. The safest thing is to shutdown on *any* error, otherwise you could end up with a configuration that doesn't work the way you expect it to. I know it's possible to end up with the same result even with a "correct" config, but shutting down if Radiator can actually detect an error seems by far the safest option to me.

If your environment is mission-critical then the answer is to always pre-stage your configuration changes in a test environment that matches your live environment. At least that way you can be sure that a simple typo isn't going to screw you over. With the plethora of virtualisation solutions that are available these days there isn't really an excuse for not building a replica and testing stuff before you try it out. I'm sure that Mike and Hugh etc wouldn't begrudge you using an extra copy of radiator beyond your license agreement for this kind of purpose? (we're lucky in that we haven't used up our licensed instance allocation)

> Also, there is nothing in my log about the error. The only time I saw
> the error was on the CLI when trying to start Radiator back up again. It
> would be nice if Radiator didn't shut down on error, but if it must, I
> would think the last line in the log would be why it shut down.
>
> I guess since it can't parse the config during the startup, it doesn't
> know where/how to log, so the best time to log such an error is before it
> shuts down, while it still has config of where the log file is.

I've generally found that Radiator is exceptional at telling me exactly where I've stuffed up a configuration. Having said that however, I generally tend to bump up the log level to max and SIGHUP the server before I make any further changes. Perhaps doing the same might help for you?

Cheers,

Martin

--
Martin Burton
Senior Systems Administrator        \\\|||///
Special Projects Team               \\ ^ ^ //
Wellcome Trust Sanger Institute     ( 6 6 )
-------------------------------oOOo-(_)-oOOo---
http://www.sanger.ac.uk
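The two failure modes raised in this thread, a mistyped include path and an unclosed clause that the parser swallows silently, can both be caught before the config is synced to the HA nodes. The following pre-flight checker is an added example written for this thread; it is not Radiator's own code and not something posted by anyone on the list. It assumes Radiator's clause syntax (an opening tag such as <Handler ...> or <AuthBy FILE> closed by </Handler> or </AuthBy>), an "include <path>" directive, and that %D in a path expands to the configuration directory; the sample config and the set of "existing" files are constructed so the check runs offline.

```python
import os
import re

# Constructed sample mirroring the thread: one include path is typo'd and a
# <Handler> clause is never closed. Not a real site's configuration.
SAMPLE_CONFIG = """\
# constructed sample config
LogDir /var/log/radiator
DbDir /etc/radiator
include %D/handlers-company.cfg
include %D/handlers-guets.cfg
<Handler Realm=guest.example>
    <AuthBy FILE>
        Filename %D/guests
    </AuthBy>
# the matching </Handler> is missing
"""

# Assumed Radiator syntax: <Name optional-args> opens a clause, </Name> closes it.
CLAUSE_OPEN = re.compile(r'^<([A-Za-z]\w*)\b[^>]*>$')
CLAUSE_CLOSE = re.compile(r'^</([A-Za-z]\w*)>$')
INCLUDE = re.compile(r'^include\s+(\S+)', re.IGNORECASE)


def check_config(text, config_dir, file_exists=os.path.isfile, name='radius.cfg'):
    """Return a list of problem strings; an empty list means the text passed.

    file_exists is injectable so the same check can run against a staging
    copy of the tree or, as in demo() below, against a constructed file set.
    """
    problems = []
    stack = []  # (clause name, line number) of clauses still open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = INCLUDE.match(line)
        if m:
            # %D is assumed to expand to the configuration directory
            path = m.group(1).replace('%D', config_dir)
            if not file_exists(path):
                problems.append(f"{name}:{lineno}: include file not found: {path}")
            continue
        m = CLAUSE_CLOSE.match(line)
        if m:
            closing = m.group(1)
            if not stack:
                problems.append(f"{name}:{lineno}: </{closing}> without an open clause")
            elif stack[-1][0] != closing:
                open_name, open_line = stack.pop()
                problems.append(
                    f"{name}:{lineno}: </{closing}> closes <{open_name}> opened at line {open_line}")
            else:
                stack.pop()
            continue
        m = CLAUSE_OPEN.match(line)
        if m:
            stack.append((m.group(1), lineno))
    # Anything still on the stack at end of file was never closed.
    for open_name, open_line in stack:
        problems.append(f"{name}:{open_line}: <{open_name}> is never closed")
    return problems


def demo():
    """Run the check over SAMPLE_CONFIG with a constructed view of which files exist."""
    present = {'/etc/radiator/handlers-company.cfg'}
    return check_config(SAMPLE_CONFIG, '/etc/radiator', file_exists=present.__contains__)


if __name__ == '__main__':
    for problem in demo():
        print(problem)
```

Run against the sample it reports the typo'd include on line 5 and the <Handler> opened on line 6 that is never closed; wiring it into whatever pushes the config to the four nodes, and refusing to sync on a non-empty result, keeps a single typo from taking the whole cluster down.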
Re: [RADIATOR] radiator shutdown on reload
I set up an identical Radiator instance. I'll do what you suggest. Thanks.

On 11-06-03 03:04 PM, Martin Burton wrote:
> Just my 2p worth :-)
> [...]