Prototyping Radius Server Policies

The intention of this blog series is to help Radius Server administrators test their configurations - mostly for purposes of learning and rapid prototyping configurations.

In part 2 we will cover the use of EAP-PEAP authentication and in part 3 we covering testing of authentication.

Prototyping RADIUS Server Policies (Part 1)

There is a wealth of information on the internet about configuring Radius Servers (Cisco ISE or Aruba Clearpass) to perform a multitude of operations.

This blog series aims to help the network administrator in configuring their RADIUS Server policies.

ASSOCIATED BLOGS:

Prototyping RADIUS Server Policies: Part 1 (this blog)
Prototyping RADIUS Server Policies: Part 2
Prototyping RADIUS Server Policies: Part 3

Introduction

I will assume that you already have either a Cisco ISE or Aruba Clearpass deployment (or any other AAA server for that matter) and that you may find yourself in a situation where you have no networking gear to test your system.

This blog series will take care of that because the most common use cases can be tested entirely in software.

Having a Windows Server running in a VM is also very handy because you can perform authentications against an Active Directory, which is typical in most Enterprises. Server 2012 is available with evaluation licenses.

RADIUS Server Policies

ASSOCIATED BLOGS:

RADIUS

PAP/CHAP authentications (simulate MAB, and any simple Request/Response use cases)
EAP-PEAP authentications (simulate a Wireless 802.1X doing MS-CHAPv2)
EAP-TLS authentications (simulate a Wireless 802.1x doing user certificate authentication)

I will caveat this by saying that what I am proposing is NOT a replacement of a real lab. But the prototyping gets you a long way to your goal. Real devices usually have side effects that you never thought of and it may throw you for a loop.

And in the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential, and then performing a retry - these are things you will only experience in a real lab.

Let's start with the basics...

PAP and CHAP Authentications

This is the simplest form of authentication I know of and it is surprising how often it is used (e.g. MAB and simple web services).

You may think that PAP should be avoided because its passwords can be decrypted easily but in the case of Cisco ISE, the type of External Identity Source determines whether or not you can use CHAP, MS-CHAPv1/2 – e.g. if you are authenticating against an LDAP directory then ISE won’t allow you to use CHAP or MS-CHAP.

This is probably due to the way passwords need to be stored in the LDAP directory. Microsoft Servers don’t natively support CHAP and prefer MS-CHAP flavours instead.

To perform the tests mentioned in the entire blog series you will need a Linux server. I am assuming you are somewhat comfortable with Linux and installing packages. To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.

There is a great test suite from the Freeradius community called radtest and radclient from the freeradius-utils package. You can install it from your Linux distribution of choice – in CentOS/Redhat/Fedora distributions use the command:

yum install freeradius-utils

Here are some common constants that I will use in my examples
Username: bob
User-Password: AbCd123
Radius shared secret: RadiusS3cret
Radius Server IP address: 192.168.21.101

ASSOCIATED BLOGS:

PAP and CHAP Authentications: Testing

The Radius UDP Source IP address is 192.168.21.211 (NB: this does NOT have to be the NAD IP address - it's the address that the AAA uses to identify the NAD) - in my case 192.168.21.211 is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NAD's)

Send one PAP request using radtest – this format is quick, but it lacks the ability to send additional attributes that you may need.

radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1

The more flexible command ‘radclient’ is used to create more powerful authentication examples. Radclient does not support MS-CHAPv2. There is no switch to specify the password mechanism, PAP/CHAP/MS-CHAPv1 – the difference lies in the Password attribute chosen. The examples below consist of a single command where the parameters extend over multiple lines.

ASSOCIATED BLOGS:

RADIUS Testing: PAP

echo "User-Name = 'bob',User-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

RADIUS Testing: CHAP

echo "User-Name = 'bob',CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201, Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

RADIUS Testing: MS-CHAPv1

echo "User-Name = 'bob',MS-CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret

Testing MS-CHAP is interesting because you can provoke situations where the AAA Server returns error codes that indicate the reason why a request was rejected (https://tools.ietf.org/html/rfc2759#section-6) – eg:

646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD

You can add more attributes (comma separated) to your requests. More information about these commands can be found in the help (man) pages.

man radtest
man radclient

Click here to continue onto the following instalment of the Rapid Prototyping Radius Server Policies blog series which will show us how to perform EAP-PEAP authentications.

ASSOCIATED BLOGS: