LinuxQuestions.org
Old 08-20-2015, 04:28 AM   #1
julie7
LQ Newbie
 
Registered: Aug 2015
Posts: 2
wpa_supplicant doesn't reach freeradius in wired 802.1x EAP-TLS


Hi everybody !


I want to set up an 802.1x EAP-TLS connection.

My network:
Client/supplicant eth0-----f1/1 SWITCH f1/0-----eth1 Freeradius

The switch is an emulated switch in GNS3 (Cisco IOS c3700/3725).
freeradius is on a VM (VirtualBox, ubuntu-server 14.04).
The supplicant is my computer (ubuntu desktop 14.04).

So I run "freeradius -X" on the VM
and "wpa_supplicant -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -ddd" on the supplicant.

Here is the problem with wpa_supplicant:

Code:
...
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed unsuccessfully
...
I don't know if something in this output means that the switch is responding or not... What does "idleWhile --> 0" mean, is it normal??
I see nothing on the freeradius side; it's waiting ("Ready to process requests." and no more output).

My wpa_supplicant configuration:
Code:
	ctrl_interface=/var/run/wpa_supplicant
	eapol_version=2
	ap_scan=0
	fast_reauth=1
	network={
		ssid=""
		key_mgmt=IEEE8021X
		eap=TLS

		ca_cert="/xxx/cacert.pem"
		client_cert="/xxx/client_cert.pem"
		private_key="/xxx/client_key.pem"
		private_key_passwd=""
	}
My Freeradius configuration:
Code:
/eap.conf :
	default_eap_type = tls
	tls {
		private_key_password = (rien)
		private_key_file = ${certdir}/server_key.pem	
		certificate_file = ${certdir}/server_cert.pem
		CA_file = ${certdir}/cacert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
	}	
/client.conf :
	client 192.168.2.1/24 {
		secret = pass
		shortname = R2
		nastype = cisco
	}
/users :
	admin	Cleartext-Password := "pass"
			Service-Type = NAS-Prompt-User,
			Cisco-AVPair = "shell:priv-lvl=15"
I created a VLAN for this part: SWITCH f1/0-----eth1 Freeradius
and from the switch I can ping the VM, and from the VM I can ping the VLAN IP.

My Cisco configuration:
Code:
Current configuration : 1778 bytes
	!
	version 12.4
	service timestamps debug datetime msec
	service timestamps log datetime msec
	no service password-encryption
	!
	hostname R2
	!
	boot-start-marker
	boot-end-marker
	!
	logging console notifications
	!
	aaa new-model
	!
	!
	aaa authentication login default group radius
	aaa authentication dot1x default group radius
	aaa authorization network default group radius 
	!
	aaa session-id common
	memory-size iomem 5
	no ip icmp rate-limit unreachable
	ip cef    
	!         
	!         
	!         
	!         
	no ip domain lookup
	ip auth-proxy max-nodata-conns 3
	ip admission max-nodata-conns 3
	!         
	...       
	dot1x system-auth-control
	username admin privilege 15 password 0 cisco123!
	!         
	!         
	ip tcp synwait-time 5
	!         
	...   
	interface FastEthernet1/0
	 switchport access vlan 2
	!         
	interface FastEthernet1/1
	 dot1x port-control auto
	!  
	...       
	interface Vlan1
	 no ip address
	!         
	interface Vlan2
	 ip address 192.168.2.1 255.255.255.0
	!         
	ip forward-protocol nd
	!         
	!         
	no ip http server
	no ip http secure-server
	!         
	!         
	!         
	radius-server host 192.168.2.5 auth-port 1812 acct-port 1813 key pass
	!         
	control-plane
	!         
	...       
	!         
	line con 0
	 exec-timeout 0 0
	 privilege level 15
	 logging synchronous
	line aux 0
	 exec-timeout 0 0
	 privilege level 15
	 logging synchronous
	line vty 0 4
	!         
	!         
	end

Thanks a lot for your help!

J.
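As an added illustration (not code from the thread), here is a small Python triage script that decodes the EAPOL headers in a wpa_supplicant -ddd log and reports whether the authenticator ever answered. Run on the log above it finds only outgoing EAPOL-Start frames (version 2, type 1, empty body) and no "RX EAPOL" line at all, so the switch port never sent an EAP-Request/Identity and the failure happens before any RADIUS traffic can exist; the verdict strings and the abridged sample are my own.

```python
import re

# EAPOL packet types from IEEE 802.1X (second byte of the EAPOL header)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}

# Matches the per-frame hexdump lines that wpa_supplicant -ddd prints
HEXDUMP_RE = re.compile(
    r"^(TX|RX) EAPOL - hexdump\(len=(\d+)\): ((?:[0-9a-f]{2} ?)+)$")

# Sample input: abridged from the log in the first post above
SAMPLE_LOG = """\
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: Supplicant port status: Unauthorized
"""

def decode_eapol(hexdump):
    """Decode the 4-byte EAPOL header: version, packet type, body length."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 4:
        raise ValueError("truncated EAPOL header")
    return {"version": data[0],
            "type": EAPOL_TYPES.get(data[1], "unknown(%d)" % data[1]),
            "body_len": int.from_bytes(data[2:4], "big")}

def triage(log):
    """Count sent/received EAPOL frames and name the side that went silent."""
    tx, rx = [], []
    for line in log.splitlines():
        m = HEXDUMP_RE.match(line.strip())
        if m:
            (tx if m.group(1) == "TX" else rx).append(decode_eapol(m.group(3)))
    failed = "CTRL-EVENT-EAP-FAILURE" in log
    if not rx and failed:
        verdict = "authenticator silent"   # nothing ever came back from the switch port
    elif failed:
        verdict = "eap failed"             # switch answered; look at EAP/RADIUS/certs
    else:
        verdict = "exchange in progress"
    return {"tx": tx, "rx": rx, "verdict": verdict}
```

With "authenticator silent" the thing to check is the switch port (dot1x enabled and relaying EAPOL), not the RADIUS server, which has received nothing yet.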
 
Old 08-20-2015, 06:40 AM   #2
translator1111
Member
 
Registered: Jun 2010
Location: Slovakia
Distribution: Debian 8, Ubuntu 10.04 and 12.04; SLAX 6.0; ConnochaetOS 0.9.; LFS; Natty chip: VT1708S
Posts: 108
Blog Entries: 2
Dear Julie7,
It seems that your supplicant is unauthorized,
Quote:
EAPOL: Supplicant port status: Unauthorized
Is the wired driver correctly installed?
Have you tried with another driver?
Can you show where the password is in your wpa_supplicant configuration?
Should WPA work without a password?

Yours Faithfully
M.
 
Old 08-20-2015, 09:07 AM   #3
julie7
LQ Newbie
 
Registered: Aug 2015
Posts: 2

Original Poster
Thanks for your reply

Quote:
Is the wired driver correctly installed?
Have you tried with another driver?
I have no idea... I'm an intern and just work on a computer without an internet connection (yihaa).
An lspci command gives this device:
Code:
Ethernet controller : Broadcom Corporation ... BCM5755 Gigabit Ethernet PCI Express
Quote:
Can you show where the password is in your wpa_supplicant configuration?
Should WPA work without a password?
I only use my host computer for the wpa_supplicant and GNS3 software; I didn't include the real device inside any config...
My network doesn't have an "AP"; the only links are those written above: my machine----the virtual Switch----the VM with Freeradius.

I wanted to create a VLAN for the supplicant and switch port (the EAPOL side) but I didn't have any more room, so I can't create another VLAN.

Thanks

Last edited by julie7; 08-20-2015 at 09:13 AM.
 
Old 08-21-2015, 03:40 AM   #4
translator1111
Member
 
Registered: Jun 2010
Location: Slovakia
Distribution: Debian 8, Ubuntu 10.04 and 12.04; SLAX 6.0; ConnochaetOS 0.9.; LFS; Natty chip: VT1708S
Posts: 108
Blog Entries: 2
Dear Julie7,
If you are working with VLANs you probably have more experience than me. However, from the very beginning something is not clear to me.
It is a basic concept:
WPA (Wifi Protected Access): why are you using WPA if you are not encoding your password?
Why not connect to your freeradius or your switch without passwords using an open connection?
See an example:
(http://pc-freak.net/blog/how-to-conn...-on-gnu-linux/)
Are you able to use iwconfig for instance?
Example:
iwconfig wlan0 essid
or in your case maybe
iwconfig eth0 "essid"
Maybe it would help if you can give a name to your essid.
Your essid is the name of your net (maybe Cisco, or the name that your GNS3 gives by default to the switch).

P.S.:
I apologize in advance if I am out of the topic, my experience with WPA is connecting laptop to router in Home LAN.