
I have a problem with a Cisco Aironet AP1260 standalone (autonomous) access point and a FreeRADIUS server. I'm trying to set up an 802.1X-protected access point that authenticates users against FreeRADIUS. I have set up both the AP and the server, created a temporary user in /etc/raddb/users and tested the RADIUS server with the radtest utility. But when I try to connect to my AP, I get rejected, and there are no logs in FreeRADIUS at all. I'm sure my log configuration is OK (extremely verbose logging is enabled). I tried running radiusd -X to watch activity in real time, but it showed nothing useful: radtest activity shows up fine, but there is no activity from the AP.

I also checked the UDP traffic with tcpdump, and the AP's requests do reach the server, but they are ignored by the FreeRADIUS daemon. The ports are set correctly too (the default 1812 for authentication). (Note that tcpdump captures packets before the host firewall's INPUT chain evaluates them, so seeing a packet in tcpdump does not prove that the daemon ever receives it.)

So, how do I make FreeRADIUS accept the Cisco AP's authentication requests?

UPDATE: the radtest command only works on localhost. Even if I connect two Linux machines directly, run radiusd -X on the first and radtest on the second, there is no reaction from the FreeRADIUS server. I think there is some misconfiguration in FreeRADIUS (or on the host it runs on), but where?

Here are my configs:

sasaika#sh run
Building configuration...

Current configuration : 2030 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): type 7 "encryption" is a reversible obfuscation, not a hash. Anyone who can
! read this running-config can recover the RADIUS shared secret (see "key 7" below), so treat
! config backups and "show run" output as secrets.
service password-encryption
!
hostname sasaika
!
logging rate-limit console 9
! Type 5 is an MD5 hash (not reversible), unlike the type 7 strings elsewhere in this config.
enable secret 5 *omitted*
!
aaa new-model
!
!
! RADIUS server group used for EAP. FreeRADIUS must have a client entry for this AP's source
! address (BVI1, 172.16.10.12) with the same shared secret, otherwise it drops the requests.
aaa group server radius rad_eap
 server 172.16.10.13 auth-port 1812 acct-port 1813
!
! Method list referenced by the SSID below. On autonomous Aironet APs the "login" list type is
! the one the "dot11 ssid ... authentication ... eap" commands consume.
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
ip domain name ex.example.com
!
!
dot11 syslog
!
dot11 ssid Edhelwen
   ! open + eap: standard 802.1X/EAP association against the eap_methods list.
   ! network-eap is the Cisco-proprietary EAP negotiation (legacy/LEAP-era clients);
   ! presumably not needed for ordinary 802.1X supplicants - TODO confirm and drop if unused.
   authentication open eap eap_methods
   authentication network-eap eap_methods
   ! WPA2 key management; pairs with the AES-CCMP cipher configured on the radio interface.
   authentication key-management wpa version 2
   ! guest-mode broadcasts the SSID in beacons. Hiding an SSID is not a security control.
   guest-mode
!
!
!
username *omitted* privilege 15 secret 5 *omitted*
!
!
ip ssh time-out 60
! SSH v2 only; v1 is not offered.
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 description Test-WiFi
 no ip address
 no ip route-cache
 !
 ! AES-CCMP only - no TKIP or WEP fallback is configured.
 encryption mode ciphers aes-ccm
 !
 ssid Edhelwen
 !
 antenna gain 0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 ! Second radio is administratively down (shutdown below); no SSID is bound to it.
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ! Management / RADIUS source address of the AP - this is the address that must appear as a
 ! client in FreeRADIUS's clients.conf.
 ip address 172.16.10.12 255.255.255.128
 no ip route-cache
!
! Management web UI is enabled over plaintext HTTP while HTTPS is explicitly disabled, so admin
! credentials and the config travel in the clear on the bridged LAN. Prefer "no ip http server"
! plus "ip http secure-server" (or disable the web UI entirely and manage over SSH).
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
! Shared secret stored as a type 7 (reversible) string - see the note on service password-encryption.
radius-server host 172.16.10.13 auth-port 1812 acct-port 1813 key 7 *omitted*
bridge 1 route ip
!
!
!
line con 0
! Remote CLI access is restricted to SSH on all vty lines; telnet is not accepted.
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

/etc/raddb/radiusd.conf:

# FreeRADIUS 2.x-style main configuration: installation paths first, then server tuning.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Run as an unprivileged account after binding the ports; a compromise of the daemon does not
# yield root.
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Listen on every local address for authentication (UDP/1812) and accounting (UDP/1813).
# NOTE: the host firewall still has to admit these ports from each NAS. tcpdump sees packets
# before netfilter's INPUT chain, so "packets arrive but radiusd -X never shows them" is the
# classic symptom of a host firewall REJECT/DROP rule, not of a radiusd misconfiguration.
listen {
        type = auth
        ipaddr = *
        port = 1812
}

listen {
        ipaddr = *
        port = 1813
        type = acct
}
hostname_lookups = no
# A core dump of radiusd would contain client shared secrets and in-flight passwords; keep off.
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
    destination = files
    file = ${logdir}/radius.log
    requests = ${logdir}/radiusd-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    # auth_badpass / auth_goodpass write the submitted password into radius.log in clear text.
    # Acceptable on a throwaway test box; set both to "no" (and purge the log) before any
    # real user authenticates against this server.
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = "Good: "
    msg_badpass = "Bad: "
}
checkrad = ${sbindir}/checkrad
security {
        # Reject packets carrying more than 200 attributes (malformed or abusive input).
        max_attributes = 200
        # Delay each Access-Reject by 1s to slow down online password guessing.
        reject_delay = 1
        # Answer Status-Server probes (liveness checks from NASes / load balancers).
        status_server = yes
}
# This server never forwards requests to other realms.
proxy_requests  = off
# NAS definitions (source IP + shared secret). A request from a source not listed there is
# dropped; with radiusd -X this shows up as an "unknown client" message, so a completely
# silent -X means the packet never reached the daemon at all.
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        # EAP method configuration (inner methods, server certificate) lives in eap.conf,
        # which is not shown here.
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/clients.conf (shared secrets omitted; the AP entry must match the address the AP sends from, i.e. its BVI1 address):

# Each NAS allowed to talk to this server: source IP plus shared secret. The Cisco AP sends
# from its BVI1 address (172.16.10.12); the secret must equal the AP's
# "radius-server host ... key" value.
client cisco-ap {
        ipaddr = 172.16.10.12
        nastype = cisco # I also tried without this line; no effect
        secret = *omitted*
        # Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret) lets
        # the server reject forged Access-Requests from anyone who can spoof the AP's address.
        # EAP exchanges carry the attribute anyway (RFC 3579), so once connectivity works this
        # should be "yes"; "no" only makes sense while ruling out the attribute as the cause.
        require_message_authenticator = no
}

# Loopback client used by radtest. Same consideration applies to the setting below.
client localhost {
        ipaddr = 127.0.0.1
        secret = *omitted*
        require_message_authenticator = no
}
  • Is the local firewall on your server allowing port 1812? If you're seeing the packet on the wire but not in the FreeRADIUS logs, something is blocking it or another process is listening on that port. – cpt_fink Nov 24 '14 at 00:21
  • If something else were listening on port 1812, radiusd would fail to start. By the way, the `radtest` command only works on localhost. Even if I connect two Linux machines directly and run `radtest` from one against the other, there is no reaction from the FreeRADIUS server. I think there is some misconfiguration in FreeRADIUS, but where? – namikiri Nov 25 '14 at 06:04


Problem solved. I am new to CentOS and I didn't know that it applies a `-A INPUT -j REJECT` rule in the firewall by default. After editing this line (commenting it out, as it's a test server) RADIUS started seeing the auth packets. On anything other than a throwaway test box, keep the default REJECT rule in place and instead add explicit allow rules above it for UDP 1812/1813 from the AP's address only, e.g. `-A INPUT -s 172.16.10.12 -p udp --dport 1812 -j ACCEPT` (and likewise for 1813), so the RADIUS service is not exposed to every host that can reach the server.


Actually, for 802.1X you need an `aaa authentication ppp <...>` line, not `login`. (Note, however, that the asker's own follow-up reports the `aaa authentication login eap_methods` list working as-is once the host firewall allowed the RADIUS traffic, so this may not apply to autonomous Aironet APs.)
