Ethernet Switching
Contributor
syednasirraza
Posts: 114
Registered: ‎02-27-2012

802.1X MAC-RADIUS authentication of a non-responsive dumb machine (Sun thin client) from a RADIUS server

I have installed FreeRADIUS server 1.x on RHEL 4. I am able to get my Juniper device authenticated successfully on the
RADIUS server with the following configuration:

Configuration on the Juniper switch:

set system authentication-order radius
set system radius-server a.b.c.d secret "xxxxxxxxxxxxxxx"
set system login user test uid 2001
set system login user test class super-user

On the RADIUS server:

In the users file (/etc/raddb/users):
test Auth-Type := Local, User-Password == "root12345"

In the clients.conf file (/etc/raddb/clients.conf):
client 0/0 {
secret = juniper
shortname = device
}


However, when I try to get my Sun Ray thin client authenticated with the following:

Configuration on the Juniper switch:

set access radius-server a.b.c.d port 1812
set access radius-server a.b.c.d secret "xxxxxxxxxxxxx"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server a.b.c.d


set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/5.0 mac-radius

On the RADIUS server:

In the users file (/etc/raddb/users):
<mac-address> Auth-Type := Local, User-Password == "<mac-address>"

In the clients.conf file (/etc/raddb/clients.conf):

client 0/0 {
secret = juniper
shortname = device
}


However, I am unable to get any authentication response for my Sun Ray thin client.
I have even looked at the RADIUS logs, which do not show any attempt from this Sun Ray client.

Is there something wrong with my configuration, or do I need something else specifically for the Sun Ray thin client to work with it?

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Juniper Employee
Volkgti
Posts: 5
Registered: ‎10-15-2009

Re: 802.1x mac-radius authentication of non-responsive-dumb machine(sun thinclient) from radius serv

Maybe my experience is related to what you are seeing. I noticed issues when testing MAC auth at a customer site. If you take a packet capture from a non-Juniper switch, you will see that they do not send an EAP-MD5 challenge to the RADIUS server (when using MAC auth). Basically, we send the EAP-MD5 challenge and the RADIUS server doesn't know what to do with it, so it sends a reject. Because of this, we fail the password part of the credential check. A workaround is to create a new group for Juniper switches in the RADIUS server and tell it to ignore the password check (MAC auth sends the MAC address for both the username and password anyway) and it should start working.

Adam Balnicki
Systems Engineer
Juniper Networks
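The point made in the reply above, that MAC auth puts the client MAC in both User-Name and User-Password, is easiest to see in the packet itself. The following is an added example written for this page (Python; it is not code from the original thread, from Juniper or from FreeRADIUS). It builds the RFC 2865 Access-Request a NAS would send for a MAC-authenticated client, encrypts User-Password with the shared secret as RFC 2865 section 5.2 specifies, parses the packet back, and performs the server-side comparison that a `User-Password == "<mac-address>"` users-file entry amounts to. The MAC address, shared secret and request authenticator are constructed values; the EAP-Message attribute mentioned in the reply is left out because its exact contents are not shown in the thread.

```python
"""Build and check the RADIUS Access-Request used for MAC-based authentication.

Added example (not from the forum thread, Juniper or FreeRADIUS).  It assumes,
as the reply above states, that the NAS places the client MAC in both the
User-Name and User-Password attributes.  All values below are constructed.
"""
from __future__ import annotations

import hashlib
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute types used here
USER_NAME, USER_PASSWORD, NAS_PORT, CALLING_STATION_ID = 1, 2, 5, 31


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks, then for each block
    XOR with MD5(secret + previous ciphertext block), seeded by the request
    authenticator.  The only key material is the clients.conf shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password.  Trailing NULs are padding (a MAC string
    never ends in NUL, so stripping them is safe for this use)."""
    if len(cipher) % 16:
        raise ValueError("User-Password ciphertext must be a multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_mac_radius_request(mac: str, secret: bytes, identifier: int = 1,
                             nas_port: int = 5,
                             authenticator: bytes | None = None) -> bytes:
    """Access-Request carrying the MAC as User-Name, User-Password and
    Calling-Station-Id, which is what a MAC-auth NAS sends."""
    ra = os.urandom(16) if authenticator is None else authenticator
    user = mac.encode()
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, encrypt_password(user, secret, ra))
             + _attr(NAS_PORT, struct.pack("!I", nas_port))
             + _attr(CALLING_STATION_ID, user))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_request(packet: bytes) -> tuple[int, int, bytes, dict[int, bytes]]:
    """Return (code, identifier, authenticator, {type: value}); rejects
    packets whose length field or attribute lengths are inconsistent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def server_check(packet: bytes, secret: bytes) -> bool:
    """The check a 'User-Password == <mac>' users-file entry amounts to:
    decrypt with the server's configured secret and compare to User-Name.
    A secret mismatch between NAS and server decrypts to garbage and fails."""
    code, _, authenticator, attrs = parse_request(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    return decrypt_password(attrs[USER_PASSWORD], secret, authenticator) == attrs[USER_NAME]
```

Two points the code makes concrete. First, User-Password is protected only by MD5 keyed with the clients.conf shared secret, so a dictionary word such as `juniper` (as in the configuration posted above) is a weak choice on a real network. Second, a shared-secret mismatch between switch and server still produces a request that the server sees and rejects; if the server log shows nothing at all, as in the first post, the request is not reaching the server. For the "ignore the password check" workaround, FreeRADIUS can accept an entry without checking its password by setting `Auth-Type := Accept` on that users-file entry.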
Contributor
syednasirraza
Posts: 114
Registered: ‎02-27-2012

Re: 802.1x mac-radius authentication of non-responsive-dumb machine(sun thinclient) from radius serv

I am really grateful for your reply.

1. I will give it a try by ignoring the password (if you can help me a little with how to tell the RADIUS server to ignore the password, since I know that, as per the standard, we have to give the username and password in the users file on the RADIUS server).

2. About EAP-MD5, you are definitely right that EAP-MD5 messages are exchanged between the switch and the RADIUS server, as I tried a laptop on the same port to check what happens. It was not authenticated either, because I had not configured EAP credentials on it; however, the RADIUS server log file was showing some EAP-MD5 messages. The server used to send a challenge to the laptop and in return was not getting anything, so it was showing an authentication failure. BUT when I connect my Sun Ray client, I don't see any message in the log giving any indication of an authentication attempt or failure result. That is why I thought maybe I need to do something more for the Sun Ray client (I am not sure if I really need to??).

So that is how I am badly stuck.

NASIR RAZA
JNCIA-JUNOS, JNCIS-ENT.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.