EWC Extreme C35 WIFI Controller and Freeradius server for authentication

sbureca
New Contributor

We have C35 Extreme EWC WIFI Controller.

I need to authenticate wifi users with an external Freeradius server running on a VMWare host.

I do not find guidelines for implementing/configuring this solution on both the C35 and the Freeradius server side.

Any help is very appreciated.

Currently and temporarily I am testing the authentication with a Radiusdesk server.

The error I got from the Freeradius (now Radiusdesk) debug output is the following:


(6) Received Access-Request Id 24 from 10.91.1.10:56363 to 10.91.1.191:1812 length 193
(6)   User-Name = "sandro@meshdesk"
(6)   NAS-IP-Address = 10.91.231.10
(6)   NAS-Port = 102
(6)   Framed-MTU = 1400
(6)   Called-Station-Id = "D88466D899D8"
(6)   Acct-Session-Id = "M19cfa54e0001"
(6)   Calling-Station-Id = "34028601D209"
(6)   NAS-Port-Type = Wireless-802.11
(6)   NAS-Identifier = "GT-VNS.2"
(6)   EAP-Message = 0x0236002919800000001f150303001a0000000000000001f110cf2add66881a53241d5ba2c51cd60dd2
(6)   State = 0x981aa3849d2cba321a51838d77a5a723
(6)   Message-Authenticator = 0xe02c8ba40bda1404439d2b360d253306
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy RADIUSdesk_filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy RADIUSdesk_filter_username = notfound
(6)     policy RADIUSdesk_rewrite_calling_station_id {
(6)       if (&request:Calling-Station-Id){
(6)       if (&request:Calling-Station-Id) -> TRUE
(6)       if (&request:Calling-Station-Id) {
(6)         if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
(6)         if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
(6)         if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(6)           update request {
(6)             EXPAND %{1}-%{2}-%{3}-%{4}-%{5}-%{6}
(6)                --> 34-02-86-01-D2-09
(6)             Calling-Station-Id := 34-02-86-01-D2-09
(6)           } # update request = noop
(6)         } # if (&request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) = noop
(6)         ... skipping else: Preceding "if" was taken
(6)       } # if (&request:Calling-Station-Id) = noop
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy RADIUSdesk_rewrite_calling_station_id = noop
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "meshdesk" for User-Name = "sandro@meshdesk"
(6) suffix: No such realm "meshdesk"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 54 length 41
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x981aa3849d2cba32
(6) eap: Finished EAP session with state 0x981aa3849d2cba32
(6) eap: Previous EAP request found for state 0x981aa3849d2cba32, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 31 bytes
(6) eap_peap: Got complete TLS record (31 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< recv TLS 1.2  [length 0002]
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) eap_peap: WARNING: No data inside of the tunnel
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state ?
(6) eap_peap: ERROR: Tunneled data is invalid
(6) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 54 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> sandro@meshdesk
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)     [attr_filter.access_reject] = updated
(6)     [eap] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)     if (reply:Reply-Message =~ /You are already logged in/i){
(6)     ERROR: Failed retrieving values required to evaluate condition
(6)     policy RADIUSdesk_last_reject {
(6)       if (EAP-Message){
(6)       if (EAP-Message) -> TRUE
(6)       if (EAP-Message) {
(6)         if (!&reply:Reply-Message){
(6)         if (!&reply:Reply-Message) -> TRUE
(6)         if (!&reply:Reply-Message) {
(6)           update reply {
(6)             Reply-Message := "Most likely PEAP failure. Run in debug"
(6)           } # update reply = noop
(6)         } # if (!&reply:Reply-Message) = noop
(6)       } # if (EAP-Message) = noop
(6)       EXPAND %{User-Name}
(6)          --> sandro@meshdesk
(6)       SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (1)
(6)       Executing query: UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where username='sandro@meshdesk'
rlm_sql_mysql: Rows matched: 1  Changed: 1  Warnings: 0
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'rd' on Localhost via UNIX socket, server version 5.7.18-0ubuntu0.16.04.1, protocol version 10
(6)       EXPAND %{sql:UPDATE `permanent_users` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where username='%{User-Name}'}
(6)          --> 1
(6)       EXPAND %{User-Name}
(6)          --> sandro@meshdesk
(6)       SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (2)
(6)       Executing query: UPDATE `devices` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='34-02-86-01-D2-09'
rlm_sql_mysql: Rows matched: 0  Changed: 0  Warnings: 0
(6)       SQL query affected no rows
rlm_sql (sql): Released connection (2)
(6)       EXPAND %{sql:UPDATE `devices` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{Calling-Station-Id}'}
(6)          -->
(6)       EXPAND %{User-Name}
(6)          --> sandro@meshdesk
(6)       SQL-User-Name set to 'sandro@meshdesk'
rlm_sql (sql): Reserved connection (3)
(6)       Executing query: UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='10.91.231.10',last_reject_message='Most likely PEAP failure. Run in debug' where name='sandro@meshdesk'
rlm_sql_mysql: Rows matched: 0  Changed: 0  Warnings: 0
(6)       SQL query affected no rows
rlm_sql (sql): Released connection (3)
(6)       EXPAND %{sql:UPDATE `vouchers` SET last_reject_time=now(),last_reject_nas='%{NAS-IP-Address}',last_reject_message='%{%{reply:Reply-Message}:-N/A}' where name='%{User-Name}'}
(6)          -->
(6)     } # policy RADIUSdesk_last_reject = noop
(6)   } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 24 from 10.91.1.191:1812 to 10.91.1.10:56363 length 84
(6)   EAP-Message = 0x04360004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   Reply-Message := "Most likely PEAP failure. Run in debug"
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 204 with timestamp +17
(1) Cleaning up request packet ID 187 with timestamp +17
(2) Cleaning up request packet ID 168 with timestamp +17
(3) Cleaning up request packet ID 247 with timestamp +17
(4) Cleaning up request packet ID 164 with timestamp +17
(5) Cleaning up request packet ID 194 with timestamp +17
(6) Cleaning up request packet ID 24 with timestamp +17
Ready to process requests


Matthew_Hum
Contributor

It looks like you have EAP/Inner tunnel problems. Please verify EAP settings on both the client and the freeradius server. What certificate are you using?
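As an added example (not part of the original post, nor code from Extreme Networks, FreeRADIUS or RADIUSdesk), a small Python triage helper that groups radiusd -X output by request number and pulls out the user, client MAC and any TLS alert the supplicant sent, so a trace like the one above can be read at a glance. The sample trace is constructed (request 6 mirrors the question, 7 and 8 are made up), and the alert-to-cause hints are an assumption made for this example, not a FreeRADIUS table.

```python
import re
# Constructed excerpt shaped like FreeRADIUS "radiusd -X" output; request 6 mirrors the
# trace in the question, requests 7 and 8 are made up for this example.
SAMPLE_DEBUG = """\
(6)   User-Name = "sandro@meshdesk"
(6)   Calling-Station-Id = "34028601D209"
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) Sent Access-Reject Id 24 from 10.91.1.191:1812 to 10.91.1.10:56363 length 84
(7)   User-Name = "bob@example"
(7)   Calling-Station-Id = "AABBCCDDEEFF"
(7) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(7) Sent Access-Reject Id 25 from 10.91.1.191:1812 to 10.91.1.10:56363 length 84
(8)   User-Name = "alice@example"
(8) Sent Access-Accept Id 26 from 10.91.1.191:1812 to 10.91.1.10:56363 length 200
"""
LINE_RE = re.compile(r'^\((\d+)\)\s*(.*)$')            # per-request "(N) " prefix
ATTR_RE = re.compile(r'^(User-Name|NAS-IP-Address|Calling-Station-Id) = (.*)$')
ALERT_RE = re.compile(r'TLS Alert read:(fatal|warning):(.+)$')
# Usual supplicant alert causes in the PEAP outer TLS handshake (assumed interpretation)
ALERT_HINTS = {
    'access denied': 'client refused the server cert; check supplicant validation settings',
    'unknown CA': 'client does not trust the CA that signed the server certificate',
}
def parse_requests(text):
    # Group lines by request number; lines without "(N)" (rlm_sql, timers) are skipped.
    reqs = {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        rid, body = int(m.group(1)), m.group(2)
        r = reqs.setdefault(rid, {'attrs': {}, 'alerts': [], 'result': None})
        if am := ATTR_RE.match(body):                  # first occurrence = request attr
            r['attrs'].setdefault(am.group(1), am.group(2).strip('"'))
        if al := ALERT_RE.search(body):
            r['alerts'].append((al.group(1), al.group(2)))
        if body.startswith('Sent Access-'):
            r['result'] = body.split()[1]              # Access-Reject / Access-Accept
    return reqs
def triage(text):
    # One finding per rejected request, with any TLS alert from the peer explained.
    out = []
    for rid, r in sorted(parse_requests(text).items()):
        if r['result'] != 'Access-Reject':
            continue
        reasons = [f'peer sent TLS {lvl} alert "{desc}": {ALERT_HINTS.get(desc, "see alert")}'
                   for lvl, desc in r['alerts']]
        out.append({'request': rid, 'user': r['attrs'].get('User-Name'),
                    'client_mac': r['attrs'].get('Calling-Station-Id'),
                    'reasons': reasons or ['no TLS alert; inspect inner-tunnel auth']})
    return out
```

Feed it a full radiusd -X capture (for example `triage(open('debug.log').read())`) to list every rejected request with the alert the client raised in the outer TLS handshake, which is the first thing to settle before looking at inner-tunnel settings.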
