Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-24-2014 13:06

    I am still confused about configuring my RADIUS server and EX.

    Sample topology (attached image Radius.PNG)

    On my Debian server, I got these messages:

    Listening on authentication address 172.10.11.104 port 1812
    Listening on proxy address 172.10.11.104 port 1814
    Ready to process requests...

    And then I'm trying monitor start dot1x and get the entire output message:

    ...

    May 25 01:45:05.151429 SessId: 8O2.1x81f3006900023c7f strlen: 22
    May 25 01:45:05.151716 Queuing message to auth client to validate mac address 1c:75:8:32:7:2c, user 1c750832072c on interface fe-0/0/3.0
    May 25 01:45:05.152256  ASIF: Radius REQUEST_ID: 8c
    May 25 01:45:05.152397  ASIF: Tx of Server-data to Auth Server succeeded

    ...

    But when I'm trying show dot1x interface:

    Interface     Role           State        MAC address          User
    fe-0/0/3.0    Authenticator  Initialize
    fe-0/0/4.0    Authenticator  Held         1C:75:08:32:07:2C    1c750832072c

    Please see the attachments below:

    log monitor dot1x interface

    and users.conf on /etc/freeradius/users

    Can somebody help me please? I need some assistance with this case.

    Thank you.

    Attachments: radius3.txt (17 KB), EXconf.txt (6 KB), users.txt (191 B)


  • 2.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-25-2014 20:15

    Hi Marlon,

    The first thing I see that doesn't look right is that your SRX is pointing to RADIUS server 10.10.11.2, but the RADIUS server in your output is listening only on IP address 172.10.11.104.

    Try fixing one side or the other and try again.



  • 3.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-25-2014 20:33

    Hiii Ben,

    Well, how are you today? Thank you for your quick response. Yes, I can see the mistake in my configuration on the SRX:

    access {
        radius-server {
            10.10.11.2 {
                port 1812;
                secret "$9$Le6xdsUjqfQns2aUiHTQ/CtpIc"; ## SECRET-DATA
                retry 5;
            }
        }
        profile auth {
            authentication-order radius;
            radius {
                authentication-server 10.10.11.2;
            }
        }
    }

     

    ================================
    CHANGE TO --->

    access {
        radius-server {
            172.10.11.104 {
                port 1812;
                secret "$9$Le6xdsUjqfQns2aUiHTQ/CtpIc"; ## SECRET-DATA
                retry 5;
            }
        }
        profile auth {
            authentication-order radius;
            radius {
                authentication-server 172.10.11.104;
            }
        }
    }

    Trying to fix it, but I still get output that looks like this:

    fe-0/0/4.0    Authenticator  Held            1C:75:08:32:07:2C    1c750832072c



  • 4.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-25-2014 21:20

    So the next problem is that in your RADIUS server, you have defined the host as:

    client switch {
        ipaddr = 10.10.11.1
        require_message_authenticator = no
        secret = "mysecret"
        nastype = "other"
    }

    In your topology, the SRX/EX will connect using the source address of the interface facing the RADIUS server, not the interface facing the client, so change the above to 172.10.11.2.



  • 5.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-27-2014 11:16

    Hiii Ben,

    Sorry, work hard, play hard.

    This is my sample topology; by the way, I would like to know whether it is possible or not.

    And the clients (host A and B, or others) can't find the authentication server. I'm trying to fix it side by side, but it is still not working.

    My SRX conf:

    ----------------------
    [edit access]
    marlon@rica-rica# show
    radius-server {
        172.10.11.104 {
            port 1812;
            secret "$9$P5F/1RSeMX/Cu1EhvM7-Vb4Z"; ## SECRET-DATA
            retry 5;
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 172.10.11.104;
        }
    }

    ----------------------

    My radiusd.conf:

    ----------------------

    ....
    ....
    ....

    listen {
            type = auth
            ipaddr = 172.10.11.104
            port = 0
    }

    ....
    ....
    ....

    client switch {
            ipaddr          = 10.10.11.1
            secret          = mysecret
            require_message_authenticator = no
            nastype     = other
    }
    ...

     

    Sample topology (attached image RADIUS_SERVER_V2.PNG)



  • 6.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)
    Best Answer

    Posted 05-27-2014 16:00

    As I mentioned in the previous post, the FreeRADIUS configuration is still wrong. The IP address of the SRX (the source of the RADIUS request) will be 172.10.11.2, NOT 10.10.11.1.

    Change radiusd.conf to reflect this:


    client switch {
            ipaddr          = 172.10.11.2
            secret          = mysecret
            require_message_authenticator = no
            nastype     = other
    }



  • 7.  RE: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

    Posted 05-28-2014 01:22

    Hiii bro,

    I'm trying to fix it side by side and following your instructions, but I'm still getting an error when configuring, and this is my RADIUS server output:

     

    --->  Failed binding to authentication address 172.10.11.104 port 1812: Address already in use
    /etc/raddb/radiusd.conf[240]: Error binding to port for 172.10.11.2 port 1812,

     

    Back to my SRX conf: I tried deleting the whole [edit access] hierarchy level and [edit protocols dot1x] hierarchy level.

    Changed the SRX conf to look like this:

    =====================================================

    [edit access] level

    access {
        radius-server {
            172.10.11.104 {
                port 5151;
                secret "$9$zMGM3nCuORyrvM8JGji.mBIR"; ## SECRET-DATA
                retry 5;
            }
        }
        profile AUTH {
            authentication-order radius;
            radius {
                authentication-server 172.10.11.104;
            }
        }
    }
    =======================================================================

    [edit protocols dot1x] level


    protocols {
        dot1x {
            traceoptions {
                file dot1x;
                flag state;
                flag dot1x-debug;
                flag eapol;
            }
            authenticator {
                authentication-profile-name AUTH;
                interface {
                    fe-0/0/2.0 {
                        supplicant multiple;
                        mac-radius {
                            restrict;
                        }
                        no-reauthentication;
                    }
                }
            }
        }
    }
    =======================================================================

    And then I am trying to remove the FreeRADIUS server, restart the server and install it again.

    This is my radiusd.conf:

    ...

    listen {
            type = auth
            ipaddr = 172.10.11.104
            port = 5151
    }

    ...

    client switch {
            ipaddr          = 172.10.11.2
            secret          = asd@123
            require_message_authenticator = no
            nastype     = other
    }


    =======================================================================

     

    OK SKIP ----->

    I am trying to troubleshoot with monitor start dot1x:

     

    May 28 00:51:40.743761  ASIF: Transferring Server-data to Auth Server for the user, 080027dffe56.
    May 28 00:51:40.743930 SessId: 8O2.1x810e011b000b174a strlen: 22
    May 28 00:51:40.744193 Queuing message to auth client to validate mac address 8:0:27:df:fe:56, user 080027dffe56 on interface fe-0/0/2.0
    May 28 00:51:40.745271  ASIF: Radius REQUEST_ID: ff
    May 28 00:51:40.745514  ASIF: Tx of Server-data to Auth Server succeeded

     

      Number of connected supplicants: 1
        Supplicant: 080027dffe56, 08:00:27:DF:FE:56
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: Mac Radius
          Authenticated VLAN: SEGMENT-11
          Session Reauth interval: 3600 seconds
          Reauthentication due in 0 seconds


    =======================================================================


    And show monitor dot1x:

    802.1X Information:
    Interface     Role           State           MAC address          User
    fe-0/0/2.0    Authenticator  Authenticated   08:00:27:DF:FE:56    080027dffe56  <------ MAC AUTH SUCCESS
    fe-0/0/2.0                   Held            1C:75:08:32:07:2C    1c750832072c  <----   Still Held waiting for AUTH

     

    Trying to fix again, with the Linux output from /usr/sbin/freeradius -sX:

    # Executing section authorize from file /etc/freeradius/radiusd.conf
    +- entering group authorize {...}
    [eap] EAP packet type response id 1 length 34
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [files] users: Matched entry 080027dffe56 at line 205
    ++[files] returns ok
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/radiusd.conf
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/md5
    [eap] processing type md5
    [eap] Freeing handler
    ++[eap] returns ok

     

    Hiii Ben, thank you so much for investing time in fixing the issue, so "PROBLEM SOLVED".

    See you next time bro...
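As an added example (not from this thread, Juniper or the FreeRADIUS project), the Python below parses a Junos radius-server block and a radiusd.conf the way the thread compared them by hand and reports the three mismatches seen here: the switch pointing at an address FreeRADIUS does not listen on (post 2), a port that differs between the two sides (the bind error in post 7), and a client entry that names the client-facing address instead of the switch's source address toward the server (posts 4 and 6). The sample snippets are constructed, and the parsing assumes one-level brace blocks like the ones quoted above.

```python
import re

# Constructed sample inputs, modelled on the snippets quoted in this thread.
JUNOS_ACCESS = """radius-server {
    172.10.11.104 {
        port 5151;
    }
}
"""
RADIUSD_CONF = """listen {
        type = auth
        ipaddr = 172.10.11.104
        port = 5151
}
client switch {
        ipaddr          = 10.10.11.1
        secret          = mysecret
}
"""

def parse_junos_radius_servers(text):
    """Map server IP -> port from a Junos [edit access] radius-server block."""
    servers = {}
    for m in re.finditer(r"(\d+\.\d+\.\d+\.\d+)\s*\{([^}]*)\}", text):
        port = re.search(r"\bport\s+(\d+);", m.group(2))
        servers[m.group(1)] = int(port.group(1)) if port else 1812  # Junos default
    return servers

def parse_freeradius_blocks(text, kind):
    """Return key/value dicts for every '<kind> [name] { ... }' block (one level deep)."""
    blocks = []
    for m in re.finditer(kind + r"\s+\w*\s*\{([^}]*)\}", text):
        pairs = (l.split("=", 1) for l in m.group(1).splitlines() if "=" in l)
        blocks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return blocks

def check_radius_consistency(junos_access, radiusd_conf, switch_source_ip):
    """Report the three mismatches this thread hit; an empty list means they line up."""
    problems = []
    listens = [b for b in parse_freeradius_blocks(radiusd_conf, "listen") if b.get("type") == "auth"]
    for ip, port in parse_junos_radius_servers(junos_access).items():
        hits = [b for b in listens if b.get("ipaddr") in (ip, "*")]  # 1. server address
        if not hits:
            problems.append(f"switch sends to {ip} but no auth listener binds that address")
        elif port not in {int(b.get("port", "0")) or 1812 for b in hits}:  # 2. port, 0 = 1812
            problems.append(f"switch uses port {port} for {ip} but the server listens elsewhere")
    # 3. client {} must name the switch's source address toward the server, not the client-facing one
    if not any(c.get("ipaddr") == switch_source_ip for c in parse_freeradius_blocks(radiusd_conf, "client")):
        problems.append(f"no client entry for NAS source address {switch_source_ip}")
    return problems
```

Run against the constructed inputs with the switch's server-facing address 172.10.11.2, it reports only the client-entry mismatch, which is exactly the state the thread was in before the best answer.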