THE FASCINATING WORLD OF NETWORKING
Using Lisa Server as the Authentication Server
Date: 12/12/2016
Topology
- Management = Cloud connected to my computer, using a real network card with Internet access.
- Host = Qemu host with Linux Microcore, 802.1X compliant.
- NO_DOT1x (host not 802.1X compliant) = Router emulating a computer.
- LISA (Authentication Server) = CentOS LiSa Qemu image with FreeRADIUS server installed.
- Authenticator = Etherswitch with c3725-adventerprisek9-mz.124-15.T5.bin
Task 1. Configuring the Authentication Server (FreeRADIUS installed on Linux)
Step 1. Download the LISA Server image and configure it on GNS3.
NOTE Say thanks to Brezular for his excellent work.
Step 2. Start LISA Server on GNS3 and login to CentOS.
username/password = root/password
Start the switch, but don’t configure it yet. We need Internet access to configure LISA.
Assign a static IP on LISA Server and add the default gateway:
ifconfig eth0 192.168.1.5 netmask 255.255.255.0 up
route add default gw 192.168.1.1 dev eth0
NOTE 192.168.1.1 is the IP address of my DSL router. You need an Internet connection to install FreeRADIUS. Test the Internet connection with ping 8.8.8.8
FreeRADIUS should already be installed on LISA Server (CentOS LiSa Qemu image); if it is not, run the following command as root:
yum install freeradius.i386
Step 3. Client configuration (subnet, radius key).
Modify the following file:
vi /etc/raddb/clients.conf
Add these lines (use the Insert key of the keyboard; remove # if necessary):
#For local testing purposes
client 127.0.0.1 {
secret = juanma
shortname = all_subnets
nastype = other
}
#For local testing purposes
client 192.168.1.5 {
secret = juanma
shortname = all_subnets
nastype = other
}
#In the following configuration we choose the radius server key (juanma) and allow access from the authenticator (switch) to Radius from all subnets (0.0.0.0/0).
client 0.0.0.0/0 {
secret = juanma
shortname = all_subnets
nastype = other
}
Save this file with: ESC, then :wq and Enter
NOTE juanma = NAS-secret (configured on Authenticator)
In this configuration we choose radius server key (juanma) and access from authenticator (switch) to Radius from all subnets (0.0.0.0/0).
A network access server (NAS) is a single point of access to a remote resource. The client (supplicant) connects to the NAS (Authenticator). The NAS then connects to another resource (Radius Server) asking whether the client's supplied credentials are valid. Based on that answer the NAS then allows or disallows access to the protected resource.
Step 4. Users configuration.
There are 3 blocks of entries configured here, supporting different levels of authentication:
- Privilege level 1 – user exec mode. Username is admin and password is cisco. You get to this mode after you are successfully authenticated by the Radius server during your telnet or console session.
- Privilege level 15 – privileged exec mode (enable mode). Password is cisco.
- Privilege level 15 for Telnet; mainly used by lazy administrators who want to jump directly to level 15. Username is admin15 and password cisco15.
Note: You need to configure aaa authorization exec default group radius on the Cisco switch (IOS) to get level 15 for vty users.
a) To add users:
vi /etc/raddb/users
#Privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt
"admin" Auth-Type == Local, User-Password == "cisco"
        Service-Type = "NAS-Prompt-User"
#Privilege level 15 — Includes all enable-level commands at the router# prompt.
$enab15$ Auth-Type == Local, User-Password == "cisco"
#Privilege level 15 for Telnet; vty users get the router# prompt
#The command below is needed in IOS to get level 15 privilege working for vty users:
#aaa authorization exec default group radius
"admin15" Auth-Type == Local, User-Password == "cisco15"
        Service-Type = "NAS-Prompt-User",
        cisco-avpair = "shell:priv-lvl=15"
#Dot1x users configuration
"CiscoClient" User-Password == "cisco"
b) Configure /etc/raddb/radiusd.conf
vi /etc/raddb/radiusd.conf
In order to configure FreeRADIUS for EAP-MD5, the authorize section of /etc/raddb/radiusd.conf must include eap:
authorize {
preprocess
files
eap
}
#The authenticate section must also have eap uncommented:
authenticate {
eap
}
c) Check the EAP module under /etc/raddb/eap.conf supports eap-md5 (just look; you do not have to change anything).
vi /etc/raddb/eap.conf
eap {
md5 {
}
}
Step 5. Start the Radius daemon (restart the daemon after each change in the FreeRADIUS configuration).
/etc/init.d/radiusd restart
NOTE: If the daemon is already up, the authentication process may fail (two Radius servers running at the same time), so run the following command first:
killall radiusd
Enter debug mode:
radiusd -X
If everything is right, at the end of the output we will see: “Ready to process requests”
Step 6. Testing the users.
NOTE You can test the users configured in /etc/raddb/users this way, but you won't be able to test the dot1x user (CiscoClient/cisco).
For example:
radtest admin cisco 192.168.1.5:1812 0 juanma
username: admin
password: cisco
Radius Server IP address: 192.168.1.5
NAS_port: 0
NAS-secret: juanma
If everything is OK, you'll see an "Access-Accept packet from host …" line in the output.
Task 2. Linux Microcore Configuration
Step 1. Start Microcore Linux on GNS3.
Step 2. Configure the interface.
Really, this step should be the last one, but we need an Internet connection on HOST to fetch the 802.1X client software the first time. So I will use the Internet connection before configuring the switch.
Administrator mode (root): sudo su
DHCP activation: udhcpc
To know what IP is assigned to eth0 interface: ifconfig eth0
We can test the Internet connection with: ping 8.8.8.8
Step 3. Install wpa_supplicant extension to Microcore.
tce-load -iw wpa_supplicant.tcz
We need an Internet connection to download the wpa_supplicant.tcz file (from distro.ibiblio.org).
Note: Don’t run this as root (su -).
Step 4. Dot1x Client configuration.
/etc/wpa_supplicant.conf doesn't exist, so we must create it. Enter root mode: sudo su
vi /etc/wpa_supplicant.conf
NOTE Use the vi editor to add the following lines (press the Insert button):
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="CiscoClient"
password="cisco"
eapol_flags=0
}
Save this file with: ESC, then :wq and Enter
This configuration works for EAP-MD5 authentication. Before the switch allows the dot1x client (Microcore) access to the network, the client needs to be authenticated on Radius with username CiscoClient and password cisco (remember the aaa authentication dot1x default group radius local command).
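An added example (not from the original post, FreeRADIUS or wpa_supplicant) of the EAP-MD5 exchange this configuration performs between the supplicant and the Radius server, with the switch only relaying the EAP packets: the server sends a random challenge, the supplicant answers with MD5(identifier || password || challenge), and the server recomputes that hash from the cleartext password in /etc/raddb/users. The USERS dictionary is a constructed stand-in for that file; on success the reply is the 4-byte EAP-Success (code 3) that the switch debug output later shows being forwarded to the client.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4

# Constructed stand-in for the users file entry: "CiscoClient" User-Password == "cisco".
# EAP-MD5 needs the cleartext password on the server side to recompute the hash.
USERS = {b"CiscoClient": b"cisco"}

def eap_packet(code, ident, data=b""):
    """EAP header (RFC 3748 section 4): Code, Identifier, Length (header included), Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def md5_challenge_request(ident, challenge, server_name=b"LISA"):
    """Server -> supplicant. Type 4 data is Value-Size, Value (the challenge), optional Name."""
    data = struct.pack("!BB", TYPE_MD5_CHALLENGE, len(challenge)) + challenge + server_name
    return eap_packet(EAP_REQUEST, ident, data)

def md5_response_value(ident, password, challenge):
    """CHAP hash reused by EAP-MD5 (RFC 1994 section 4.1): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def md5_challenge_response(ident, identity, password, challenge):
    """Supplicant -> server: what wpa_supplicant sends for eap=MD5 with identity/password."""
    value = md5_response_value(ident, password, challenge)
    data = struct.pack("!BB", TYPE_MD5_CHALLENGE, len(value)) + value + identity
    return eap_packet(EAP_RESPONSE, ident, data)

def parse_md5_challenge(pkt):
    """Return (code, identifier, value, name) of an EAP MD5-Challenge request or response."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = pkt[5]
    return code, ident, pkt[6:6 + size], pkt[6 + size:]

def server_verify(request_pkt, response_pkt, users=USERS):
    """Server check: identifier must match the outstanding request and the hash must
    equal MD5(id || password-on-file || challenge); otherwise EAP-Failure."""
    _, req_id, challenge, _ = parse_md5_challenge(request_pkt)
    code, resp_id, value, name = parse_md5_challenge(response_pkt)
    if code != EAP_RESPONSE or resp_id != req_id or name not in users:
        return eap_packet(EAP_FAILURE, resp_id)
    expected = md5_response_value(req_id, users[name], challenge)
    ok = hmac.compare_digest(expected, value)
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, resp_id)
```

EAP-MD5 authenticates only the supplicant and derives no keying material, which is why it suits a lab like this one rather than a production network.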
Task 3. Configuring the Authenticator (NAS client).
hostname AUTHENTICATOR
!
enable secret dot1x
!
aaa new-model
aaa authentication dot1x default group radius local
aaa authentication login default group radius local
#Here, we've told the Authenticator to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don't want to DoS ourselves!
#To use the enable password created on Free Radius (cisco):
aaa authentication enable default group radius enable
#The following command allows the user to run an exec (#) shell when logging into the router:
aaa authorization exec default group radius
#For accounting:
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool JUANTRON
network 192.168.1.0 255.255.255.0
default-router 192.168.1.10
!
dot1x system-auth-control
!
username juantron privilege 15 secret juantron
!
interface FastEthernet1/0
switchport mode access
dot1x port-control force-authorized
spanning-tree portfast
!
interface FastEthernet1/1
switchport mode access
dot1x port-control force-authorized
spanning-tree portfast
!
interface FastEthernet1/2
switchport mode access
dot1x port-control force-authorized
spanning-tree portfast
!
interface FastEthernet1/3
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface Vlan1
ip address 192.168.1.10 255.255.255.0
!
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key juanma
!
end
Task 4. Start wpa_supplicant for wired ethernet eth0.
Free the eth0 interface on supplicant. For example:
sudo ifconfig eth0 0.0.0.0 up
Start wpa_supplicant for eth0 on Linux Microcore:
wpa_supplicant -ieth0 -Dwired -c /etc/wpa_supplicant.conf
NOTE Maybe you have to delete /var/run/wpa_supplicant/eth0 if the previous command fails.
The authentication process should be successful.
On AUTHENTICATOR, if you enable debug dot1x all, you will see:
AUTHENTICATOR# debug dot1x all
…
*Mar 1 08:45:45.561: dot1x-registry:** dot1x_switch_vp_statechange:
*Mar 1 08:45:45.561: dot1x-ev:vlan 1 vp is added on the interface FastEthernet1/3
*Mar 1 08:45:45.593: dot1x-ev:dot1x_switch_addr_add: Added MAC 00aa.0054.c600 to vlan 1 on interface FastEthernet1/3
*Mar 1 08:45:45.597: dot1x-ev:Received successful Authz complete for 00aa.0054.c600
*Mar 1 08:45:45.597: dot1x-sm:Posting AUTHZ_SUCCESS on Client=66894188
*Mar 1 08:45:45.601: dot1x_auth Fa1/3: during state auth_authz_success, got event 25(authzSuccess)
*Mar 1 08:45:45.601: @@@ dot1x_auth Fa1/3: auth_authz_success -> auth_authenticated
*Mar 1 08:45:45.601: dot1x-sm:Fa1/3:00aa.0054.c600:auth_authenticated_enter called
*Mar 1 08:45:45.601: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x3 id: 0x3 length: 0x0004 type: 0x0 data:
*Mar 1 08:45:45.601: dot1x-ev:FastEthernet1/3:Sending EAPOL packet to group PAE address
*Mar 1 08:45:45.601: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet1/3.
*Mar 1 08:45:45.605: dot1x-registry:registry:dot1x_ether_macaddr called
*Mar 1 08:45:45.605: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet1/3
*Mar 1 08:45:45.605: EAPOL pak dump Tx
*Mar 1 08:45:45.605: EAPOL Version: 0x2 type: 0x0 length: 0x0004
*Mar 1 08:45:45.605: EAP code: 0x3 id: 0x3 length: 0x0004
*Mar 1 08:45:45.605: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (00aa.0054.c600)
*Mar 1 08:45:48.149: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/3, changed state to up
If FreeRADIUS debug mode is running on Qemu LISA (radiusd -X), we will see:
Finally, on supplicant:
Task 5. Testing users on supplicant.
root@box:~# telnet 192.168.1.10
User Access Verification
Username: admin
Password: <cisco>
AUTHENTICATOR> en
Password: <cisco>
AUTHENTICATOR# exit
root@box:~# telnet 192.168.1.10
User Access Verification
Username: admin15
Password: <cisco15>
AUTHENTICATOR#