802.1x authentication in a wired network environment

These are work-in-progress notes for 802.1x-based authentication tests.

These tests were run in a wired environment using a Cisco edge switch, specifically a Cisco Catalyst 3750, which supports 802.1x port-based authentication.
When the switch is properly configured, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected until the client has authenticated. After authentication succeeds, normal traffic can pass through the port.



Network Layout for 802.1x authentication


With 802.1x port-based authentication, the devices in the network have specific roles as shown in the figure.


Table of Contents

  1. Cisco Catalyst 3750 configuration
  2. Freeradius configuration
    1. EAP-MD5 using local users file on the freeradius server
    2. EAP-TLS using certificates and users file
    3. EAP-TLS using certificates only

Cisco Catalyst 3750 configuration

These are the switch configuration steps required to enable 802.1x port-based authentication:
  1. Enable AAA (authentication, authorization, and accounting):
    aaa new-model
  2. Define the login authentication policy (optional); this sets the AAA scope:
    aaa authentication login default local
  3. Create an 802.1X authentication method list that uses the RADIUS server group:
    aaa authentication dot1x default group radius
  4. If you want authorization and dynamic VLAN assignment to work with RADIUS (optional):
    aaa authorization network default group radius
  5. Enable 802.1X authentication on the interface behind which the supplicant is connected.
    The 802.1X protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on dynamic access ports, trunk ports, dynamic ports, secure ports, SPAN destination ports, or EtherChannel ports:
    
    interface GigabitEthernet1/0/3
     switchport mode access
     no ip address
     no mdix auto
     dot1x port-control auto
     spanning-tree portfast
    
  6. Configure a switch L3 interface for accessing the external RADIUS server, for example the default VLAN interface:
    
    interface Vlan1
     ip address 192.84.x.y 255.255.255.0
     no ip route-cache
     no ip mroute-cache
    
  7. Configure the RADIUS server parameters (the key must match the secret in the FreeRADIUS clients.conf entry for this switch):
    
    radius-server host 192.84.x.y auth-port 1812 acct-port 1813 timeout 3
    radius-server retransmit 3
    radius-server key shared-key
    
  8. Enable 802.1x:
    
    dot1x system-auth-control
    

The switch is now configured to support 802.1x authentication on the GigabitEthernet 1/0/3 interface.



Freeradius configuration



The first file to configure is clients.conf, which needs an entry for each authenticator (also called NAS):

192.84.x.q {
	secret	= sharedkey
	shortname = authenticator-short-name
	nastype	= cisco
}
192.84.x.q is the IP address of the authenticator, in this case the Cisco Catalyst 3750 switch; secret must be the same shared key configured on the switch with radius-server key.


EAP-MD5 using local users file on the freeradius server

Relevant configuration in the radiusd.conf file (the modules block must be closed before the authorize and authenticate sections):


modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }
        eap {
                default_eap_type = md5
                timer_expire     = 60

                md5 {
                }
                leap {
                }
        }
        mschap {
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
}

authorize {
        preprocess
        chap
        mschap
        eap
        files
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        unix
        eap
}


Configuration for the users file:


#=========================================================
# Test user for 802.1x EAP/MD5
#=========================================================
veraldi     User-Password == "password"
# Reject all
#---------------------------------------------------------
DEFAULT Auth-Type := Reject

RADIUS authentication through 802.1x:


The supplicant is Windows XP SP1.


Log from the RADIUS server side (FreeRADIUS - radiusd):

rad_recv: Access-Request packet from host 192.84.145.6:1812, id=7, length=107
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        EAP-Message = 0x0200000c01766572616c6469
        Message-Authenticator = 0xaf9772b774a390ae362b64eb71420b5a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040209'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040209
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_eap: EAP packet type notification id 0 length 12
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched veraldi at 128
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 0 length 12
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 7 to 192.84.145.6:1812
        EAP-Message = 0x0101001604100443c528467b6e9a637b4fab8593ebca
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa8ed86bdb579745bc93796d5d187ec6049b32740a9fc185b2ac6421a7ea5a74d246f9ba4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=8, length=162
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0xa8ed86bdb579745bc93796d5d187ec6049b32740a9fc185b2ac6421a7ea5a74d246f9ba4
        EAP-Message = 0x0201001d04101d5b95bd06b41fd251260d0e7cb4e008766572616c6469
        Message-Authenticator = 0x70819ab201fbbb5a9fba11c3229a01c0
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040209'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040209
  modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_eap: EAP packet type notification id 1 length 29
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched veraldi at 128
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: EAP packet type notification id 1 length 29
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - md5
  rlm_eap: processing type md5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 1
modcall: group authenticate returns ok for request 1
Login OK: [veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Accept of id 8 to 192.84.145.6:1812
        EAP-Message = 0x03010004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1
Going to the next request


Authentication succeeds using EAP-MD5 with the local users file on the RADIUS server, and access to the network is granted: the switch port GigabitEthernet 1/0/3 is enabled after successful authentication.
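To make sense of the EAP-Message attributes in the log above, here is an added example (not part of these notes) that decodes the Identity, MD5-Challenge and Success packets and recomputes the MD5-Challenge response from the users-file password, using the CHAP computation MD5(Identifier || password || challenge) that rlm_eap_md5 performs; the hex values are copied from the log and hashlib is the only dependency.

```python
import hashlib

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}


def decode_eap(hexstr):
    """Parse one EAP packet (RFC 3748 header plus Identity/MD5 payload)."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # only Request/Response carry a type
        eap_type = pkt[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = pkt[5:]
        if eap_type == 1:                   # Identity: the plain-text user name
            info["identity"] = data.decode("ascii", "replace")
        elif eap_type == 4:                 # MD5-Challenge: value-size, value, name
            size = data[0]
            info["value"] = data[1:1 + size]
            info["name"] = data[1 + size:].decode("ascii", "replace")
    return info


def md5_response(ident, password, challenge):
    """EAP-MD5 response value = MD5(Identifier || password || challenge),
    the CHAP computation (RFC 1994) that rlm_eap_md5 performs."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_md5_exchange(challenge_hex, response_hex, password):
    """True when the Response value is the correct answer for this password."""
    chal = decode_eap(challenge_hex)
    resp = decode_eap(response_hex)
    if chal.get("type") != "MD5-Challenge" or resp.get("type") != "MD5-Challenge":
        raise ValueError("not an EAP-MD5 challenge/response pair")
    if chal["id"] != resp["id"]:
        return False                        # the response must answer this challenge
    return md5_response(resp["id"], password, chal["value"]) == resp["value"]


# EAP-Message values copied from the radiusd log above (packets id 7 and 8).
IDENTITY_RESPONSE = "0x0200000c01766572616c6469"
CHALLENGE = "0x0101001604100443c528467b6e9a637b4fab8593ebca"
RESPONSE = "0x0201001d04101d5b95bd06b41fd251260d0e7cb4e008766572616c6469"
SUCCESS = "0x03010004"

if __name__ == "__main__":
    for h in (IDENTITY_RESPONSE, CHALLENGE, RESPONSE, SUCCESS):
        print(decode_eap(h))
    # "password" is the User-Password in the users file entry for veraldi.
    print("users-file password matches the logged exchange:",
          verify_md5_exchange(CHALLENGE, RESPONSE, "password"))
```

The same recomputation is available to anyone who captures the exchange, which is why EAP-MD5 gives no protection beyond the strength of the password and does not authenticate the server.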


EAP-TLS using certificates and users file

The radiusd.conf configuration changes in the eap stanza: a tls sub-section must be added to the eap module in the modules configuration:

modules {
        eap {
                default_eap_type = tls
                timer_expire     = 60
                tls {
                        private_key_password =
                        private_key_file = /etc/ssl/ercole.key
                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = /etc/ssl/ercole.pem

                        #  Trusted Root CA list
                        CA_file = /etc/ssl/CA.pem

                        dh_file = /dev/urandom
                        random_file = /dev/urandom

                        fragment_size = 1024

                        include_length = yes
                }
        }
}


Even though we are using certificates, we still need an entry in the RADIUS server users file whose name matches the certificate subject (the User-Name the supplicant sends). Configuration for the users file:


#=========================================================
# Test user for 802.1x EAP/TLS
#=========================================================
"Riccardo Veraldi"              Service-Type == Framed-User
# Reject all
#---------------------------------------------------------
DEFAULT Auth-Type := Reject


Log from the RADIUS server side (FreeRADIUS - radiusd):

rad_recv: Access-Request packet from host 192.84.145.6:1812, id=87, length=163
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0x5685402dfcab9c5489885ff252c719eab1e829400c7549be1af7093943a5b9a30126f206
        EAP-Message = 0x0200001501526963636172646f20566572616c6469
        Message-Authenticator = 0xba77a2ccbd242aaae926e9ae64e88b42
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 2
  rlm_eap: EAP packet type notification id 0 length 21
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 2
  rlm_eap:  list_clean deleted one item
  rlm_eap: EAP packet type notification id 0 length 21
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns ok for request 2
modcall: group authenticate returns ok for request 2
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 87 to 192.84.145.6:1812
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa8ed86bdb579745bc93796d5d187ec6009e9294091c8afe459211e01d8f357cdcb98b63f
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=88, length=222
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0xa8ed86bdb579745bc93796d5d187ec6009e9294091c8afe459211e01d8f357cdcb98b63f
        EAP-Message = 0x020100500d800000004616030100410100003d03014029e90a691875a9270e81e293aeb39dfe88f0823c36b2b852beda42518410ac00001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x6602f8236e4ba2a6c1e69c0e11de8052
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 3
  rlm_eap: EAP packet type notification id 1 length 80
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
  rlm_eap: EAP packet type notification id 1 length 80
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls:  Length Included
undefined: before/accept initialization 
TLS_accept: before/accept initialization 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello  
TLS_accept: SSLv3 read client hello A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
TLS_accept: SSLv3 write server hello A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ab8], Certificate  
TLS_accept: SSLv3 write certificate A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0054], CertificateRequest  
TLS_accept: SSLv3 write certificate request A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
rlm_eap_tls: SSL_read Error
 Error code is ..... 2 
 SSL Error ..... 2 
  modcall[authenticate]: module "eap" returns ok for request 3
modcall: group authenticate returns ok for request 3
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 88 to 192.84.145.6:1812
        EAP-Message = 0x6e2e69742f43412f4350532f302a06096086480186f8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc13c8ddd9a1f259c84db555141b5205b09e929400474bdfc27e0b8a335027f7e332beb11
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=89, length=148
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0xc13c8ddd9a1f259c84db555141b5205b09e929400474bdfc27e0b8a335027f7e332beb11
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0x0057e66ce125fe98c5f3b9a4129064df
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 4
  rlm_eap: EAP packet type notification id 2 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: EAP packet type notification id 2 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: group authenticate returns ok for request 4
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 89 to 192.84.145.6:1812
        EAP-Message = 0x3ea94f81627ed2b631d67c09a922565c18eb66701093c875d7d55ccaeb9546bfaf36d070b690ef68681f5b108bad90008c10d2b6f9cdbfde451506423bfb82a49f89757ed7898d2ff922bd42dc23008521911dc9fb26767e8fbb852e5ea6ec6ef4f82e477a0a210da6a6d7de0acde99c7de28dccef5b9f7702270a1f6051af98070938fcb9e8623239e7869633c3cb0787014aa8233b4865921482c8fb3bb50e0ab983a2c0f3dd06d5a510dfd393dba300017bee519f6338d31b20df26c102de69d2e7a984a905239e917200054b308205473082042fa003020102020100300d06092a864886f70d01010505003043310b300906035504061302495431
        EAP-Message = 0x0498a9a5b5581a664e0a162be049306b0603551d2304
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1315670ca3472361d7fcc9dea793b6de09e92940643db37abcd643f771a3545e813b22b2
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=90, length=148
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0x1315670ca3472361d7fcc9dea793b6de09e92940643db37abcd643f771a3545e813b22b2
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0x12e116f7550fb4bcc134dc58ce1914b4
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 5
  rlm_eap: EAP packet type notification id 3 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
  rlm_eap: EAP packet type notification id 3 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 90 to 192.84.145.6:1812
        EAP-Message = 0x2f43412f4350532f300d06092a864886f70d0101050500038201010078690f8acb7ecfa1b1484b75ee8bbba5e3f900209de8ef4bac3eab2b27cc29a5b63354f36685e92976ac150c8db1a2771f2c2b85bbf574ec39cbb0da31139d569692ffa96dfb8dfcaa7cb738214942f02a9a73ad2312f4f43f241c69bc268c897f46e7bebd4f1ecbcfa7d50429d6b9c99e55b6d7f6b0d181f6886700a6913378aed424e0786d6a294c8007fa5dba4c11123e8b2ac3ba421fbdc73779927d21959c1dee591d9fd4b672a54f89242dab321472db86100aeb88bfbe66a12c19539b38ad08ad82032f86e1175735fed17ec8c6e7e0abe0c2a1ae05102182d8c51a02c2
        EAP-Message = 0xef4844993bcd4312eda3268b48657ba59462f56fd42380e77c2575f34a9dc316030100540d00004c020102004700453043310b3009060355040613024954310d300b060355040a1304494e464e312530230603550403131c494e464e2043657274696669636174696f6e20417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2b1dc70ad047cb70175b7c851ed55de509e929408ea0a868bbbc1d50e4e1bd971fc4dc6d
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=91, length=1642
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0x2b1dc70ad047cb70175b7c851ed55de509e929408ea0a868bbbc1d50e4e1bd971fc4dc6d
        EAP-Message = 0x2e3efbd7e7d46561703798f7bd691656a6f5bea5169d4688a5b23c37478cffc784006ca376e73057cfd730501918f60388bb37206735ecbef9c649837cefaee3bc6fc29f1f19df8032b54bda1d52b9a2522cd22ac2e6b556bd8bbd1f0203010001a382028630820282300c0603551d130101ff04023000300e0603551d0f0101ff0404030204f030360603551d1f042f302d302ba029a0278625687474703a2f2f73656375726974792e66692e696e666e2e69742f43412f63726c2e63726c30170603551d200410300e300c060a2b0601040188130a0101301d0603551d0e041604145660c93b9dcbe011bce3049ebd3c0684d3ad11c2306b0603551d
        EAP-Message = 0x040500038201010067dcc7b4680a64ee90889e126092b389b1a7996a452158941be8ad989aff024ece7226c3ac4b9176997d308e1efaae1e3209601a867eb79c74146566df26bcb5f5a067867fea594d78b3083abf47f91093ea52ae03a1405b1f1eb5c3fcbdfc86979a4653ae21382d2ddcaedc835e192d9999a7dc4f2a009e26f756fd2902e1ba7ccada8d006193138df4a957ef653651a158a340f17eafdc773d25a7f0e58ab38c35b2606209d697a8dcf566bea81704e41716fa2bd778b7f5c3fd345f02b515a51ca040ee5f08d58f29dfc368087cf72593687738d7760ab0
        Message-Authenticator = 0xa9a18519cbd3931538d743bdf2324e8b
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 6
  rlm_eap: EAP packet type notification id 4 length 1490
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: EAP packet type notification id 4 length 1490
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Total Length Included
  modcall[authenticate]: module "eap" returns ok for request 6
modcall: group authenticate returns ok for request 6
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 91 to 192.84.145.6:1812
        EAP-Message = 0x010500060d00
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdd366542affcd1d312b550572b3696a209e92940f76ccba71995e45c06eaf477e4824e75
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=92, length=628
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0xdd366542affcd1d312b550572b3696a209e92940f76ccba71995e45c06eaf477e4824e75
        EAP-Message = 0x2fa2d01e97051a4572f5a906383e7c1c65b5f91a3e9ab3d85a001a8520757af894712f1c2bc84698f51748913ac3e827625933ac4ec4ae9563711af16dcde2695c9248a7167948c3534a6d40906c19a9372d29db25efb7953f0ad4f6b2f50ac383dfb7a59782785313755833c5324b171849c96bf609de29de27d785005d2e0a2735fda595b0a2c053b5f3f7ed701091811cec35923eccbdc523610c66165710de163e867e0c84183ba5378e9837df39a084c137b832e16699e9750f140301000101160301002042dfcaf4dc9c6350ebd10fe69215bcfd944defad790fa9d46dd9951b3bdb7577
        Message-Authenticator = 0xbb1dd06cea258308a713408a86c29f8d
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 7
  rlm_eap: EAP packet type notification id 5 length 484
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: EAP packet type notification id 5 length 484
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: <<< TLS 1.0 Handshake [length 05ea], Certificate  
chain-depth=1, 
error=0
--> User-Name = Riccardo Veraldi
--> BUF-Name = INFN Certification Authority
--> subject = /C=IT/O=INFN/CN=INFN Certification Authority
--> issuer  = /C=IT/O=INFN/CN=INFN Certification Authority
--> verify return:1
chain-depth=0, 
error=0
--> User-Name = Riccardo Veraldi
--> BUF-Name = Riccardo Veraldi
--> subject = /C=IT/O=INFN/OU=Personal Certificate/L=Firenze/CN=Riccardo Veraldi/emailAddress=Riccardo.Veraldi@fi.infn.it
--> issuer  = /C=IT/O=INFN/CN=INFN Certification Authority
--> verify return:1
TLS_accept: SSLv3 read client certificate A 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
TLS_accept: SSLv3 read client key exchange A 
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
TLS_accept: SSLv3 read certificate verify A 
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 read finished A 
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
TLS_accept: SSLv3 write change cipher spec A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 write finished A 
TLS_accept: SSLv3 flush data 
undefined: SSL negotiation finished successfully 
rlm_eap_tls: SSL_read Error
 Error code is ..... 2 
 SSL Error ..... 2 
  modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Challenge of id 92 to 192.84.145.6:1812
        EAP-Message = 0x010600350d800000002b140301000101160301002084ac50089947d22cbc3a9de821a3355a45dbf6f2cb95616a39db2380dc396660
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb23b1231bd3dba62b1b5367cdc450b8b0ae92940c7087e0a33241eaec053925a015e538b
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.84.145.6:1812, id=93, length=148
        NAS-IP-Address = 192.84.145.6
        NAS-Port-Type = Async
        User-Name = "Riccardo Veraldi"
        Calling-Station-Id = "\010"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "08-00-46-69-d7-19"
        State = 0xb23b1231bd3dba62b1b5367cdc450b8b0ae92940c7087e0a33241eaec053925a015e538b
        EAP-Message = 0x020600060d00
        Message-Authenticator = 0x74a6135e29e32d29e7eb1b0cf9e30c26
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:  '/var/log/radacct/192.84.145.6/auth-detail-20040211'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.84.145.6/auth-detail-20040211
  modcall[authorize]: module "auth_log" returns ok for request 8
  rlm_eap: EAP packet type notification id 6 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 8
    users: Matched Riccardo Veraldi at 129
  modcall[authorize]: module "files" returns ok for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 8
  rlm_eap: EAP packet type notification id 6 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [Riccardo Veraldi/] (from client sw-v port 0 cli ?)
Sending Access-Accept of id 93 to 192.84.145.6:1812
        MS-MPPE-Recv-Key = 0x962d52c1b019198affca5f8322115510f7a90f828a9865a5d2ab9d54a22bb9da
        MS-MPPE-Send-Key = 0x82e5b9c23e1b18009834cba733c7e1a21d850af3cccf97cce88987d6563e6920
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 8
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 87 with timestamp 4029e909
Cleaning up request 3 ID 88 with timestamp 4029e909
Cleaning up request 4 ID 89 with timestamp 4029e909
Cleaning up request 5 ID 90 with timestamp 4029e909
Cleaning up request 6 ID 91 with timestamp 4029e909
Cleaning up request 7 ID 92 with timestamp 4029e909
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 93 with timestamp 4029e90a
Nothing to do.  Sleeping until we see a request.


Authentication succeeds using EAP-TLS and certificates, and access to the network is granted: the switch port GigabitEthernet 1/0/3 is enabled after successful authentication.
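Most of the EAP-TLS log above is fragment and ACK traffic. As an added example (not from the original notes), the following decodes the EAP-TLS flag bits (L, M, S), the total-length field and the TLS record headers of EAP-Message values copied from the log, and reassembles a fragmented TLS message with the first-fragment/ACK rules that rlm_eap_tls reports; struct is the only dependency.

```python
import struct

FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20          # RFC 5216 EAP-TLS flag bits
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def decode_eap_tls(hexstr):
    """Return EAP header, EAP-TLS flags and TLS payload of one EAP-Message."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != {len(pkt)} bytes")
    info = {"code": code, "id": ident}
    if code not in (1, 2):                 # Success/Failure carry no type or flags
        info["kind"] = {3: "Success", 4: "Failure"}.get(code, "unknown")
        return info
    if pkt[4] != 13:
        raise ValueError(f"EAP type {pkt[4]} is not EAP-TLS")
    flags = pkt[5]
    info["flags"] = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
                     "S": bool(flags & FLAG_S)}
    pos = 6
    if flags & FLAG_L:                     # 4-byte total TLS message length follows
        info["total_len"] = int.from_bytes(pkt[6:10], "big")
        pos = 10
    info["data"] = pkt[pos:]
    if flags & FLAG_S:
        info["kind"] = "Start"             # server's EAP-TLS Start (log: "Initiate")
    elif not info["data"] and not flags & FLAG_M:
        info["kind"] = "ACK"               # empty packet: acknowledges a fragment
    else:
        info["kind"] = "Fragment" if flags & FLAG_M else "Data"
    return info


def tls_records(data):
    """Split a complete TLS message into (content type, handshake type, length)."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _major, _minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record")
        hs = ""
        if ctype == 22 and body:           # after ChangeCipherSpec the body is encrypted
            hs = HANDSHAKE.get(body[0], "encrypted/unknown")
        out.append((TLS_CONTENT.get(ctype, str(ctype)), hs, rlen))
        pos += 5 + rlen
    return out


class FragmentReassembler:
    """The rules the log shows: the first fragment carries L with the total
    length, every M fragment is answered with an ACK, and the message is
    complete only when exactly the announced length has been received."""

    def __init__(self):
        self.buf, self.expected = bytearray(), None

    def feed(self, pkt):
        """Return "ack" while more fragments are due, "done" when complete."""
        if self.expected is None:
            if not pkt["flags"]["L"]:
                raise ValueError("first fragment lacks the L bit / total length")
            self.expected = pkt["total_len"]
        self.buf += pkt["data"]
        if len(self.buf) > self.expected:
            raise ValueError("received more than the announced total length")
        if pkt["flags"]["M"]:
            return "ack"
        if len(self.buf) != self.expected:
            raise ValueError("last fragment but the total length was not reached")
        return "done"


# EAP-Message values copied from the EAP-TLS radiusd log above.
TLS_START = "0x010100060d20"              # Access-Challenge id 87
CLIENT_HELLO = ("0x020100500d800000004616030100410100003d03014029e90a691875a9270e81e293"
                "aeb39dfe88f0823c36b2b852beda42518410ac00001600040005000a0009006400620003"
                "00060013001200630100")    # Access-Request id 88
CLIENT_ACK = "0x020200060d00"             # Access-Request id 89
SERVER_ACK = "0x010500060d00"             # Access-Challenge id 91
SERVER_FINISHED = ("0x010600350d800000002b140301000101160301002084ac50089947d22cbc3a9de821"
                   "a3355a45dbf6f2cb95616a39db2380dc396660")  # Access-Challenge id 92
EAP_SUCCESS = "0x03060004"                # Access-Accept id 93

if __name__ == "__main__":
    for h in (TLS_START, CLIENT_HELLO, CLIENT_ACK, SERVER_ACK, SERVER_FINISHED, EAP_SUCCESS):
        p = decode_eap_tls(h)
        print(p["id"], p["kind"], tls_records(p["data"]) if p.get("data") else "")
```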



EAP-TLS using certificates only


With this configuration we no longer want to match the certificate subject against a username in the users file; we simply trust any certificate issued by the trusted root CA. To achieve this we modify radiusd.conf: it is enough to remove the files entry from the authorize section, and the users file will no longer be loaded when the RADIUS server starts.



Riccardo Veraldi