Ethernet Switching

Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-24-2014 01:05 PM

I am still confused about configuring my RADIUS server and EX.

Sample topology (attached image: Radius.PNG)

On my Debian server I get these messages:

Listening on authentication address 172.10.11.104 port 1812
Listening on proxy address 172.10.11.104 port 1814
Ready to process requests...

and then I run monitor start dot1x and get the following output (excerpt):

...
May 25 01:45:05.151429 SessId: 8O2.1x81f3006900023c7f strlen: 22
May 25 01:45:05.151716 Queuing message to auth client to validate mac address 1c:75:8:32:7:2c, user 1c750832072c on interface fe-0/0/3.0
May 25 01:45:05.152256  ASIF: Radius REQUEST_ID: 8c
May 25 01:45:05.152397  ASIF: Tx of Server-data to Auth Server succeeded

 

...

But when I run show dot1x interface:

Interface     Role           State        MAC address          User
fe-0/0/3.0    Authenticator  Initialize
fe-0/0/4.0    Authenticator  Held         1C:75:08:32:07:2C    1c750832072c

 


Please see the attachments below: the monitor dot1x interface log, and users.conf from /etc/freeradius/users.

Can somebody help me, please? I need some assistance with this case.

Thank you.

 

 


Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-25-2014 08:14 PM

Hi Marlon,

 

The first thing I see that doesn't look right is that your SRX is pointing to RADIUS server 10.10.11.2, but the RADIUS server in your output is listening only on IP address 172.10.11.104.

 

Try fixing one side or the other and try again.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-25-2014 08:33 PM

Hi Ben,

Well, how are you today? Thank you for your quick response. Yes, I can see the mistake in my configuration on the SRX:

 

access {
    radius-server {
        10.10.11.2 {
            port 1812;
            secret "$9$Le6xdsUjqfQns2aUiHTQ/CtpIc"; ## SECRET-DATA
            retry 5;
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 10.10.11.2;
        }
    }
}

 

================================
Change to:

 

access {
    radius-server {
        172.10.11.104 {
            port 1812;
            secret "$9$Le6xdsUjqfQns2aUiHTQ/CtpIc"; ## SECRET-DATA
            retry 5;
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 172.10.11.104;
        }
    }
}

I tried to fix it, but the output still looks like this:

 

 

fe-0/0/4.0    Authenticator  Held            1C:75:08:32:07:2C    1c750832072c


Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-25-2014 09:20 PM

So the next problem is that in your RADIUS server, you have defined the host as:

 

client switch {
        ipaddr = 10.10.11.1
        require_message_authenticator = no
        secret = "mysecret"
        nastype = "other"
}

In your topology, the SRX/EX will connect using the source address of the interface facing the RADIUS server, not the interface facing the client, so change the above to 172.10.11.2.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-27-2014 11:16 AM

Hi Ben,

Sorry, work hard, play hard.

This is my sample topology; by the way, I would like to know whether it is possible or not.

The clients (host A and B, or others) can't find the authentication server. I'm trying to fix it side by side, but it is still not working.

 

My SRX config:

----------------------
[edit access]
marlon@rica-rica# show
radius-server {
    172.10.11.104 {
        port 1812;
        secret "$9$P5F/1RSeMX/Cu1EhvM7-Vb4Z"; ## SECRET-DATA
        retry 5;
    }
}
profile auth {
    authentication-order radius;
    radius {
        authentication-server 172.10.11.104;
    }
}

----------------------

My radiusd.conf:

----------------------

....
....
....

listen {
        type = auth
        ipaddr = 172.10.11.104
        port = 0
}

....
....
....

client switch {
        ipaddr          = 10.10.11.1
        secret          = mysecret
        require_message_authenticator = no
        nastype     = other
}
...

 

(attached image: RADIUS_SERVER_V2.PNG)

Solution accepted by topic author marlon_altino, 08-26-2015 01:27 AM

Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-27-2014 03:59 PM

As I mentioned in the previous post, the FreeRADIUS configuration is still wrong. The IP address of the SRX (the source of the RADIUS request) will be 172.10.11.2, NOT 10.10.11.1.

 

Change radiusd.conf to reflect this:

 

client switch {
        ipaddr          = 172.10.11.2
        secret          = mysecret
        require_message_authenticator = no
        nastype     = other
}

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
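The point made in this answer, that FreeRADIUS matches an incoming request against its client stanzas by the address the NAS sources the request from, can be checked offline before touching the switch. The following Python script is an added example and is not code from this thread, from Juniper or from the FreeRADIUS project. It parses client stanzas in the radiusd.conf/clients.conf syntax shown in the thread, works out which interface address the SRX would source a request from (longest-prefix match over a constructed interface table: only the two addresses come from the thread, the prefix lengths and interface names are assumptions), and reports which stanza, if any, a request from that address would hit. The lab_mgmt subnet client and all secrets are constructed placeholders.

```python
"""Offline check of FreeRADIUS "client" stanzas against the address a NAS
(here the SRX/EX) actually sources its RADIUS requests from.
Added example for this thread; not the thread's, Juniper's or the
FreeRADIUS project's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample stanzas in the syntax used in this thread.  The first
# repeats the mistake from the thread (client-facing address of the SRX);
# the second uses the address facing the RADIUS server and adds a
# constructed subnet client.  Secrets are placeholders.
CLIENTS_WRONG = """
client switch {
        ipaddr          = 10.10.11.1
        secret          = mysecret
        require_message_authenticator = no
        nastype     = other
}
"""

CLIENTS_RIGHT = """
client switch {
        ipaddr          = 172.10.11.2
        secret          = "mysecret"
        require_message_authenticator = no
        nastype     = other
}
client lab_mgmt {
        ipaddr          = 172.10.11.0/24
        secret          = subnet-secret
}
"""

# Constructed interface table for the SRX (address/prefix per interface).
# Only the two addresses appear in the thread; masks and names are assumed.
SRX_INTERFACES: Dict[str, str] = {
    "fe-0/0/3.0": "10.10.11.1/24",   # faces the supplicants
    "fe-0/0/0.0": "172.10.11.2/24",  # faces the RADIUS server
}


@dataclass
class RadiusClient:
    name: str
    network: ipaddress.IPv4Network
    secret: str
    require_message_authenticator: bool


_STANZA = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_clients(text: str) -> List[RadiusClient]:
    """Parse flat client stanzas (no nested sub-blocks; an assumption)."""
    clients = []
    for m in _STANZA.finditer(text):
        name, body = m.group(1), m.group(2)
        kv = dict(_KV.findall(body))
        if "ipaddr" not in kv or "secret" not in kv:
            raise ValueError(f"client {name}: ipaddr and secret are required")
        # A bare address becomes a /32; strict=False tolerates host bits in a prefix.
        net = ipaddress.ip_network(kv["ipaddr"], strict=False)
        clients.append(RadiusClient(
            name, net, kv["secret"],
            kv.get("require_message_authenticator", "no").lower() == "yes"))
    return clients


def nas_source_address(interfaces: Dict[str, str], radius_server: str) -> Optional[str]:
    """Address the NAS uses towards a directly connected RADIUS server: the
    most specific interface prefix containing the server address.  (For a
    server reached via a gateway the routing table would decide instead.)"""
    server = ipaddress.ip_address(radius_server)
    best = None
    for cidr in interfaces.values():
        iface = ipaddress.ip_interface(cidr)
        if server in iface.network and (best is None or iface.network.prefixlen > best.network.prefixlen):
            best = iface
    return str(best.ip) if best else None


def match_client(clients: List[RadiusClient], src_ip: str) -> Optional[RadiusClient]:
    """Most specific client stanza covering src_ip, or None.  A request from
    an address that matches no stanza is discarded by FreeRADIUS as coming
    from an unknown client, so the switch never receives Access-Accept or
    Access-Reject and the supplicant never reaches Authenticated."""
    addr = ipaddress.ip_address(src_ip)
    covering = [c for c in clients if addr in c.network]
    return max(covering, key=lambda c: c.network.prefixlen) if covering else None


def check(clients_text: str, interfaces: Dict[str, str], radius_server: str) -> str:
    """Human-readable verdict combining the two lookups."""
    src = nas_source_address(interfaces, radius_server)
    if src is None:
        return f"no interface of the NAS reaches {radius_server}"
    hit = match_client(parse_clients(clients_text), src)
    if hit is None:
        return f"requests from {src} match no client stanza: add one for {src}"
    return f"requests from {src} match client '{hit.name}'"


if __name__ == "__main__":
    for label, text in (("wrong", CLIENTS_WRONG), ("right", CLIENTS_RIGHT)):
        print(label + ":", check(text, SRX_INTERFACES, "172.10.11.104"))
```

Run stand-alone, the script reports that with the first stanza a request sourced from 172.10.11.2 matches nothing, and with the corrected stanza it matches client 'switch'. The longest-prefix rule in match_client mirrors how a /32 host entry takes precedence over a covering subnet entry, so the per-switch secret wins even when a broader management-subnet client also exists.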

Re: Need Help about VLAN assignment with FreeRADIUS (SUPPLICANT)

05-28-2014 01:21 AM

Hi bro,

 

I'm trying to fix it side by side, following your instructions, but I'm still getting an error when configuring. This is my RADIUS server output:

 

--->  Failed binding to authentication address 172.10.11.104 port 1812: Address already in use
/etc/raddb/radiusd.conf[240]: Error binding to port for 172.10.11.2 port 1812,

 

Back to my SRX config: I tried deleting everything at the [edit access] hierarchy level and the [edit protocols dot1x] hierarchy level.

 

The changed SRX config looks like this:

=====================================================

[edit access] level

access {
    radius-server {
        172.10.11.104 {
            port 5151;
            secret "$9$zMGM3nCuORyrvM8JGji.mBIR"; ## SECRET-DATA
            retry 5;
        }
    }
    profile AUTH {
        authentication-order radius;
        radius {
            authentication-server 172.10.11.104;
        }
    }
}
=======================================================================

[edit protocols dot1x] level


protocols {
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
            flag eapol;
        }
        authenticator {
            authentication-profile-name AUTH;
            interface {
                fe-0/0/2.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                    no-reauthentication;
                }
            }
        }
    }
}
=======================================================================

Then I removed the FreeRADIUS server, restarted the server and installed it again.

This is my radiusd.conf:

.

..

...

listen {
        type = auth
        ipaddr = 172.10.11.104
        port = 5151
}

...

..

.

client switch {
        ipaddr          = 172.10.11.2
        secret          = asd@123
        require_message_authenticator = no
        nastype     = other
}


=======================================================================

 

OK SKIP ----->

I am trying to troubleshoot with monitor start dot1x:

 

May 28 00:51:40.743761  ASIF: Transferring Server-data to Auth Server for the user, 080027dffe56.
May 28 00:51:40.743930 SessId: 8O2.1x810e011b000b174a strlen: 22
May 28 00:51:40.744193 Queuing message to auth client to validate mac address 8:0:27:df:fe:56, user 080027dffe56 on interface fe-0/0/2.0
May 28 00:51:40.745271  ASIF: Radius REQUEST_ID: ff
May 28 00:51:40.745514  ASIF: Tx of Server-data to Auth Server succeeded

 

  Number of connected supplicants: 1
    Supplicant: 080027dffe56, 08:00:27:DF:FE:56
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: Mac Radius
      Authenticated VLAN: SEGMENT-11
      Session Reauth interval: 3600 seconds
      Reauthentication due in 0 seconds


=======================================================================


and show monitor dot1x:

 

802.1X Information:
Interface     Role           State          MAC address          User
fe-0/0/2.0    Authenticator  Authenticated  08:00:27:DF:FE:56    080027dffe56  <------ MAC AUTH SUCCESS
fe-0/0/2.0                   Held           1C:75:08:32:07:2C    1c750832072c  <----   Still Held waiting for AUTH

 

Trying to fix it again; Linux output from /usr/sbin/freeradius -sX:

# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 080027dffe56 at line 205
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok

 

Hi Ben, thank you so much for investing time in fixing the issue. "PROBLEM SOLVED"

See you next time, bro...