The intention of this blog series is to help Radius Server administrators test their configurations - mostly for purposes of learning and rapid prototyping configurations.
In part 2 we will cover the use of EAP-PEAP authentication, and in part 3 we will cover testing of authentication.
There is a wealth of information on the internet about configuring Radius Servers (Cisco ISE or Aruba Clearpass) to perform a multitude of operations.
This blog series aims to help the network administrator in configuring their RADIUS Server policies.
ASSOCIATED BLOGS:
- Prototyping RADIUS Server Policies: Part 1 (this blog)
- Prototyping RADIUS Server Policies: Part 2
- Prototyping RADIUS Server Policies: Part 3
Introduction
I will assume that you already have either a Cisco ISE or Aruba Clearpass deployment (or any other AAA server for that matter) and that you may find yourself in a situation where you have no networking gear to test your system.
This blog series will take care of that because the most common use cases can be tested entirely in software.
Having a Windows Server running in a VM is also very handy because you can perform authentications against an Active Directory, which is typical in most Enterprises. Server 2012 is available with evaluation licenses.
RADIUS
- PAP/CHAP authentications (simulate MAB, and any simple Request/Response use cases)
- EAP-PEAP authentications (simulate a Wireless 802.1X doing MS-CHAPv2)
- EAP-TLS authentications (simulate a Wireless 802.1x doing user certificate authentication)
I will caveat this by saying that what I am proposing is NOT a replacement for a real lab. But the prototyping gets you a long way towards your goal. Real devices usually have side effects that you never thought of, and they may throw you for a loop.
And in the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential, and then performing a retry - these are things you will only experience in a real lab.
Let's start with the basics...
PAP and CHAP Authentications
This is the simplest form of authentication I know of and it is surprising how often it is used (e.g. MAB and simple web services).
You may think that PAP should be avoided because its passwords can be recovered easily, but in the case of Cisco ISE, the type of External Identity Source determines whether or not you can use CHAP or MS-CHAPv1/2 at all – e.g. if you are authenticating against an LDAP directory then ISE won’t allow you to use CHAP or MS-CHAP.
This is probably due to the way passwords need to be stored in the LDAP directory. Microsoft Servers don’t natively support CHAP and prefer MS-CHAP flavours instead.
To perform the tests mentioned in the entire blog series you will need a Linux server. I am assuming you are somewhat comfortable with Linux and installing packages. To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.
There is a great test suite from the Freeradius community called radtest and radclient from the freeradius-utils package. You can install it from your Linux distribution of choice – in CentOS/Redhat/Fedora distributions use the command:
yum install freeradius-utils
Here are some common constants that I will use in my examples
Username: bob
User-Password: AbCd123
Radius shared secret: RadiusS3cret
Radius Server IP address: 192.168.21.101
PAP and CHAP Authentications: Testing
The RADIUS UDP source IP address is 192.168.21.211. NB: this does NOT have to be the NAD IP address; it is the address that the AAA server uses to identify the NAD. In my case 192.168.21.211 is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NADs).
Send one PAP request using radtest – this format is quick, but it lacks the ability to send additional attributes that you may need.
radtest bob AbCd123 192.168.21.101:1812 0 RadiusS3cret 1
The more flexible command ‘radclient’ is used to create more powerful authentication examples. Radclient does not support MS-CHAPv2. There is no switch to specify the password mechanism (PAP/CHAP/MS-CHAPv1) – the difference lies in the password attribute chosen. Each of the examples below is a single command whose parameters extend over multiple lines.
RADIUS Testing: PAP
echo "User-Name = 'bob',User-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret
RADIUS Testing: CHAP
echo "User-Name = 'bob',CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201, Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret
RADIUS Testing: MS-CHAPv1
echo "User-Name = 'bob',MS-CHAP-Password = 'AbCd123',NAS-IP-Address = 192.168.21.201,Packet-Src-IP-Address = 192.168.21.211,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x 192.168.21.101:1812 auth RadiusS3cret
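To show what the User-Password and CHAP-Password attributes in the commands above actually carry on the wire, here is an added Python example (written for this post, not code from the original blog or from the FreeRADIUS project) implementing the RFC 2865 encodings with the constants used in this post; the packet layout follows RFC 2865, and the fixed authenticator values are constructed for repeatability.

```python
"""RFC 2865 password handling behind radclient's User-Password and CHAP-Password attributes."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: the shared secret plus the captured packet recovers the password,
    which is why PAP is 'obfuscated', not encrypted."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(password: bytes, chap_id: int, challenge: bytes) -> bytes:
    """RFC 2865 s5.3: CHAP-Password = ident || MD5(ident || password || challenge).
    The server can only check this if it holds the cleartext password, which is why
    an LDAP backend storing hashed passwords cannot do CHAP."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_request(user: bytes, password: bytes, secret: bytes, nas_ip: str,
                authenticator: bytes = None, ident: int = 1) -> bytes:
    """Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    auth = authenticator or os.urandom(16)  # RFC 2865 requires a random Request Authenticator
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_hide(password, secret, auth)) \
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
```

With the post's constants, pap_request(b"bob", b"AbCd123", b"RadiusS3cret", "192.168.21.201") yields the same 49-byte Access-Request that radclient sends for the PAP example, minus the Packet-Src-IP-Address pseudo-attribute and Calling-Station-Id.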
Testing MS-CHAP is interesting because you can provoke situations where the AAA server returns error codes that indicate the reason why a request was rejected (https://tools.ietf.org/html/rfc2759#section-6), for example:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD
You can add more attributes (comma separated) to your requests. More information about these commands can be found in the help (man) pages.
man radtest
man radclient
The following instalment of the Rapid Prototyping Radius Server Policies blog series shows how to perform EAP-PEAP authentications.
Prototyping RADIUS Server Policies: Summary
This concludes the first part of the three-part RADIUS prototyping series.
We've taken a look at the testing process and how you can apply this to your network.
We work mainly with Cisco ISE and Aruba Clearpass, but with RADIUS being a universal standard, the guidelines should assist across other manufacturers.
As with all work you undertake on your RADIUS installation, take great care to have a backup and backout plan: this tends to be critical infrastructure, so take care when making any changes to a live network.