EWC Extreme C35 WIFI Controller and Freeradius server for authentication

sbureca — Fri, 21 Feb 2020 03:29:00 GMT

We have C35 Extreme EWC WIFI Controller.

I need to authenticate wifi users with an external Freeradius server running on a VMWare host.

I do not find guidelines for implementing/configure this solution on both C35 and Freeradius server side.

Any help is very appreciated.

Currently and temporarily I am testing the authentication with a Radiusdesk server.

The error I got from the Freeradius (now Radiusdesk) debugoutput is the following:

(6) Received Access-Request Id 24 from 10.91.1.10:56363 to 10.91.1.191:1812 length 193

(6) User-Name = "sandro@meshdesk"

(6) NAS-IP-Address = 10.91.231.10

(6) NAS-Port = 102

(6) Framed-MTU = 1400

(6) Called-Station-Id = "D88466D899D8"

(6) Acct-Session-Id = "M19cfa54e0001"

(6) Calling-Station-Id = "34028601D209"

(6) NAS-Port-Type = Wireless-802.11

(6) NAS-Identifier = "GT-VNS.2"

(6) EAP-Message = 0x0236002919800000001f150303001a0000000000000001f110cf2add66881a53241d5ba2c51cd60dd2

(6) State = 0x981aa3849d2cba321a51838d77a5a723

(6) Message-Authenticator = 0xe02c8ba40bda1404439d2b360d253306

(6) session-state: No cached attributes

(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default

(6) authorize {

(6) policy RADIUSdesk_filter_username {

(6) if (&User-Name) {

(6) if (&User-Name) -> TRUE

(6) if (&User-Name) {

(6) if (&User-Name =~ / /) {

(6) if (&User-Name =~ / /) -> FALSE

(6) } # if (&User-Name) = notfound

(6) } # policy RADIUSdesk_filter_username = notfound

(6) policy RADIUSdesk_rewrite_calling_station_id {

(6) if (&request:Calling-Station-Id){

(6) if (&request:Calling-Station-Id) -> TRUE

(6) if (&request:Calling-Station-Id) {

(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){

(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE

(6) if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {

(6) update request {

(6) EXPAND %{1}-%{2}-%{3}-%{4}-%{5}-%{6}

(6) --> 34-02-86-01-D2-09

(6) Calling-Station-Id := 34-02-86-01-D2-09

(6) } # update request = noop

(6) } # if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) = noop

(6) ... skipping else: Preceding "if" was taken

(6) } # if (&request:Calling-Station-Id) = noop

(6) ... skipping else: Preceding "if" was taken

(6) } # policy RADIUSdesk_rewrite_calling_station_id = noop

(6) [preprocess] = ok

(6) [chap] = noop

(6) [mschap] = noop

(6) [digest] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: Looking up realm "meshdesk" for User-Name = "sandro@meshdesk"

(6) suffix: No such realm "meshdesk"

(6) [suffix] = noop

(6) eap: Peer sent EAP Response (code 2) ID 54 length 41

(6) eap: Continuing tunnel setup

(6) [eap] = ok

(6) } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/sites-enabled/default

(6) authenticate {

(6) eap: Expiring EAP session with state 0x981aa3849d2cba32

(6) eap: Finished EAP session with state 0x981aa3849d2cba32

(6) eap: Previous EAP request found for state 0x981aa3849d2cba32, released from the list

(6) eap: Peer sent packet with method EAP PEAP (25)

(6) eap: Calling submodule eap_peap to process data

(6) eap_peap: Continuing EAP-TLS

(6) eap_peap: Peer indicated complete TLS record size will be 31 bytes

(6) eap_peap: Got complete TLS record (31 bytes)

(6) eap_peap: [eaptls verify] = length included

(6) eap_peap: <<< recv TLS 1.2 [length 0002]

(6) eap_peap: ERROR: TLS Alert read:fatal:access denied

(6) eap_peap: WARNING: No data inside of the tunnel

(6) eap_peap: [eaptls process] = ok

(6) eap_peap: Session established. Decoding tunneled attributes

(6) eap_peap: PEAP state ?

(6) eap_peap: ERROR: Tunneled data is invalid

(6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed

(6) eap: Sending EAP Failure (code 4) ID 54 length 4

(6) eap: Failed in EAP select

(6) [eap] = invalid

(6) } # authenticate = invalid

(6) Failed to authenticate the user

(6) Using Post-Auth-Type Reject

(6) # Executing group from file /etc/freeradius/sites-enabled/default

(6) Post-Auth-Type REJECT {

(6) attr_filter.access_reject: EXPAND %{User-Name}

(6) attr_filter.access_reject: --> sandro@meshdesk

(6) attr_filter.access_reject: Matched entry DEFAULT at line 11

(6) [attr_filter.access_reject] = updated

(6) [eap] = noop

(6) policy remove_reply_message_if_eap {

(6) if (&reply:EAP-Message && &reply:Reply-Message) {

(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE

(6) else {

(6) [noop] = noop

(6) } # else = noop

(6) } # policy remove_reply_message_if_eap = noop

(6) if (reply:Reply-Message =~ /You are already logged in/i){

(6) ERROR: Failed retrieving values required to evaluate condition

(6) policy RADIUSdesk_last_reject {

(6) if (EAP-Message){

(6) if (EAP-Message) -> TRUE

(6) if (EAP-Message) {

(6) if (!&reply:Reply-Message){

(6) if (!&reply:Reply-Message) -> TRUE

(6) if (!&reply:Reply-Message) {

(6) update reply {

(6) Reply-Message := "Most likely PEAP failure. Run in debug"

(6) } # update reply = noop

(6) } # if (!&reply:Reply-Message) = noop

(6) } # if (EAP-Message) = noop

(6) EXPAND %{User-Name}

(6) --> sandro@meshdesk

(6) SQL-User-Name set to 'sandro@meshdesk'

rlm_sql (sql): Reserved connection (1)

(6) Executing query: UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where username='sandro@meshdesk'

rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0

rlm_sql (sql): Released connection (1)

Need 4 more connections to reach 10 spares

rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used

rlm_sql_mysql: Starting connect to MySQL server

rlm_sql_mysql: Connected to database 'rd' on Localhost via UNIX socket, server version 5.7.18-0ubuntu0.16.04.1, protocol version 10

(6) EXPAND %{sql:UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where username='%{User-Name}'}

(6) --> 1

(6) EXPAND %{User-Name}

(6) --> sandro@meshdesk

(6) SQL-User-Name set to 'sandro@meshdesk'

rlm_sql (sql): Reserved connection (2)

(6) Executing query: UPDATE `devices` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='34-02-86-01-D2-09'

rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0

(6) SQL query affected no rows

rlm_sql (sql): Released connection (2)

(6) EXPAND %{sql:UPDATE `devices` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{Calling-Station-Id}'}

(6) -->

(6) EXPAND %{User-Name}

(6) --> sandro@meshdesk

(6) SQL-User-Name set to 'sandro@meshdesk'

rlm_sql (sql): Reserved connection (3)

(6) Executing query: UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='sandro@meshdesk'

rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0

(6) SQL query affected no rows

rlm_sql (sql): Released connection (3)

(6) EXPAND %{sql:UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{User-Name}'}

(6) -->

(6) } # policy RADIUSdesk_last_reject = noop

(6) } # Post-Auth-Type REJECT = updated

(6) Delaying response for 1.000000 seconds

Waking up in 0.2 seconds.

Waking up in 0.7 seconds.

(6) Sending delayed response

(6) Sent Access-Reject Id 24 from 10.91.1.191:1812 to 10.91.1.10:56363 length 84

(6) EAP-Message = 0x04360004

(6) Message-Authenticator = 0x00000000000000000000000000000000

(6) Reply-Message := "Most likely PEAP failure. Run in debug"

Waking up in 3.7 seconds.

(0) Cleaning up request packet ID 204 with timestamp +17

(1) Cleaning up request packet ID 187 with timestamp +17

(2) Cleaning up request packet ID 168 with timestamp +17

(3) Cleaning up request packet ID 247 with timestamp +17

(4) Cleaning up request packet ID 164 with timestamp +17

(5) Cleaning up request packet ID 194 with timestamp +17

(6) Cleaning up request packet ID 24 with timestamp +17

Ready to process requests

Re: EWC Extreme C35 WIFI Controller and Freeradius server for authentication

Matthew_Hum — Sat, 21 Mar 2020 13:46:58 GMT

It looks like you have EAP/Innter tunnel problems. please verify EAP settings on both the client and the freeradius server. What certificate are you using?

topic EWC Extreme C35 WIFI Controller and Freeradius server for authentication in ExtremeWireless (Identifi)

EWC Extreme C35 WIFI Controller and Freeradius server for authentication

Re: EWC Extreme C35 WIFI Controller and Freeradius server for authentication