[RADIATOR] Cisco IP Phones & 802.1x TLS with MIC authentication?

Hugh Irvine hugh at open.com.au
Mon Jul 26 18:44:34 CDT 2010


Hello Greg -

Here is a copy of an existing configuration that I have tested:


# RADIUS EAP-MD5 for Cisco IP Phones-----------------------------------------------------------

<Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
	<AuthBy LDAP2>
		RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
		NoDefault
		Host localhost
		Port 3268
		AuthDN          xxxxxxx
		AuthPassword    xxxxxxx
		BaseDN OU=Phones, OU=Devices, DC=xxxxx, DC=xxxxx, DC=xxxxx
		UsernameAttr sAMaccountName
		PasswordAttr xxxxx
		SearchFilter (%0=%1)
		AuthAttrDef memberof, Class, reply
		EAPType MD5
		EAPTLS_CAFile %D\Radiator\certificates\demoCA\cacert.pem
		EAPTLS_CertificateFile %D\Radiator\certificates\cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D\Radiator\certificates\cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPAnonymous %0
		EAPTLS_PEAPVersion 0
		Debug 255
		AddToReply cisco-avpair="device-traffic-class=voice"
	</AuthBy>
</Handler>


This runs against Active Directory with additional OUs for Devices and Phones (and Printers).

Note that this configuration uses the standard EAP-MD5 authentication. 

hope that helps

regards

Hugh


On 26 Jul 2010, at 23:58, Gregory Fuller wrote:

> Anyone have any experience authenticating Cisco IP Phones (7942 & 7962)
> via an 802.1x switchport using TLS with the Cisco installed MIC
> (manufacturers installed certificate)?  What I'm trying to do is to
> authenticate the phone to our network via the built-in MIC and
> validate against the CommonName of the phone's certificate (which
> should be CP7960-SEP{mac-address}).
> 
> I do not want to apply any LSCs to the phones (locally signed
> certificate), I only want to use the MIC to validate against.
> 
> According to Cisco's docs it should be possible, but they don't give
> any examples of how to use the built-in cert on the phone to validate
> with.  They only show how to apply an LSC to the phone.  And of course
> all the docs are how to configure it using their own ACS radius product.
> :(  I've had a heck of a time with Cisco TAC trying to get the right
> information out of them on what is needed for the MIC side and not the
> LSC side.
> 
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000414
> 
> ACS configuration and setup from the document above (for LSCs):
> 
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000600
> 
> I have radiator configured like this to use TLS off the phone:
> 
> 
> <Handler Client-Identifier=LANIGAN-SWITCHES,
> NAS-Port-Type=Ethernet,EAP-Message = /.+/, User-Name =
> /(.+)SEP([0-9a-fA-F]{12})$/>
>       PacketTrace
>       <AuthBy FILE>
>               Filename %D/voip-phones-tls
>               EAPType TLS
> #               EAPTLS_CAPath %D/certs/cisco-root/ca/
> #               EAPTLS_CAFile %D/certs/cisco-root/ca/crca2048.pem
>               EAPTLS_CAFile %D/certs/cisco-root/ca/cmca.pem
>               EAPTLS_CertificateFile %D/certs/cisco-phone/CAP-RTP-001.pem
> #              EAPTLS_CertificateFile %D/certs/cisco-phone/CAP-RTP-002.pem
> #               EAPTLS_CertificateFile %D/certs/cisco-root/ca/cmca.pem
> #               EAPTLS_CertificateFile %D/certs/cisco/manufacturer/cmca.pem
>               EAPTLS_CertificateType PEM
> #               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> #               EAPTLS_PrivateKeyPassword
>               EAPTLS_MaxFragmentSize 1000
>               AutoMPPEKeys
>       </AuthBy>
> #        <AuthBy FILE>
> 
> #                Filename %D/voip-phones
> #                EAPType MD5
> #        </AuthBy>
> 
> 
>       # Log accounting to a detail file
> 
>       AuthLog VOIP-AuthLogger
>       AcctLogFileName /var/log/radius/VOIP-detail
> </Handler>
> 
> 
> My "voip-phones-tls" auth file looks like this:
> 
> CP-7942G-SEP2893FE127C54
> SEP2893FE127C54
> 
> crca2048.pem is the Cisco Systems Root CA from:
> http://www.cisco.com/security/pki/certs/crca2048.cer
> cmca.cer.pem is the Cisco Manufacturer CA from:
> http://www.cisco.com/security/pki/certs/cmca.cer
> 
> CAP-RTP-001.pem and CAP-RTP-002.pem are Cisco Systems CA signed certs
> from my Cisco Call Manager.  I have no idea if these 2 should be used
> as the "server" cert for radius.  I thought that I needed to have a
> server certificate signed by the Cisco Manufacturer CA in order to do
> this, but I don't think I can create one of them, they need to be
> provided by Cisco.
> 
> Anyway, using the above config when my 7942 phone authenticates back
> to radiator I'm seeing the info below in the logfile, I see a TLS
> challenge from the phone but nothing else.
> 
> I assume that the reason why the authentication is failing is because
> of this error:
> 
> Thu Jul 22 13:19:25 2010: ERR: EAP TLS error: -1, 1, 8466, 0,  3687:
> 1- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> Any ideas would be appreciated.  Thanks!
> 
> 
> --greg
> 
> 
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller
> 
> [root at radius-02 radiator]# Thu Jul 22 13:18:51 2010: DEBUG: Handling
> request with Handler 'Client-Identifier=LANIGAN-SWITCHES,
> NAS-Port-Type=Ethernet, EAP-Message = /.+/, User-Name =
> /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:18:51 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:18:51 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:18:51 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jul 22 13:18:51 2010: DEBUG: Response type 1
> Thu Jul 22 13:18:51 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:18:51 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:18:51 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:18:51 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 114
> Authentic:  :R<208><208><214><158>P<6>e<209><192><142><167><169><9><18>
> Attributes:
>       EAP-Message = <1><2><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:24 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:24 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:24 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:24 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jul 22 13:19:24 2010: DEBUG: Response type 1
> Thu Jul 22 13:19:24 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:19:24 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:19:24 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:19:24 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 115
> Authentic:  <190><243><136><1><131>K<223><245><239>W<209>~<174><145>/<250>
> Attributes:
>       EAP-Message = <1><2><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 29, 1
> Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
> Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 116
> Authentic:  ^<217><143><235>h<16><187><210><209>z<179><154><167><234>s*
> Attributes:
>       EAP-Message = <1><3><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
> Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 117
> Authentic:  <212><220><205><166><194><209><0>X<229>ao,#jJ<21>
> Attributes:
>       EAP-Message = <1><2><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 29, 1
> Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
> Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 118
> Authentic:  c<145>O<242>{<27><159><180>SD<151><146><189><223><131><15>
> Attributes:
>       EAP-Message = <1><3><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
> Thu Jul 22 13:19:25 2010: DEBUG: Response type 1
> Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 3, EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Access challenged for
> CP-7942G-SEP2893FE127C54: EAP TLS Challenge
> Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 46
> Code:       Access-Challenge
> Identifier: 119
> Authentic:  <210>,<241><25><141><155>,<165>p<6>c%@<194>[<160>
> Attributes:
>       EAP-Message = <1><2><0><6><13>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> Thu Jul 22 13:19:25 2010: DEBUG: Handling request with Handler
> 'Client-Identifier=LANIGAN-SWITCHES, NAS-Port-Type=Ethernet,
> EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/'
> Thu Jul 22 13:19:25 2010: DEBUG:  Deleting session for
> CP-7942G-SEP2893FE127C54, 10.128.61.5, 50107
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 22 13:19:25 2010: DEBUG: Handling with EAP: code 2, 2, 62, 13
> Thu Jul 22 13:19:25 2010: DEBUG: Response type 13
> Thu Jul 22 13:19:25 2010: ERR: EAP TLS error: -1, 1, 8466, 0,  3687: 1
> - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> 
> Thu Jul 22 13:19:25 2010: DEBUG: EAP result: 1, EAP TLS error
> Thu Jul 22 13:19:25 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
> Thu Jul 22 13:19:25 2010: INFO: Access rejected for
> CP-7942G-SEP2893FE127C54: EAP TLS error
> Thu Jul 22 13:19:25 2010: DEBUG: Packet dump:
> *** Sending to 10.128.61.5 port 1645 ....
> 
> Packet length = 60
> Code:       Access-Reject
> Identifier: 120
> Authentic:  <149><136><138>W3<245><252>d<222>jF<<223><203><251>Y
> Attributes:
>       EAP-Message = <4><2><0><4>
> 
>       Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
>       Reply-Message = "Request Denied"



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
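An added example, not code from Radiator or from either poster: the Python below reproduces what the Handler clause User-Name = /(.+)SEP([0-9a-fA-F]{12})$/, the RewriteUsername and the SearchFilter (%0=%1) in Hugh's config do to a phone's User-Name, and cross-checks the MAC in a certificate CN against the User-Name as Greg's question asks. It also shows that a bare "SEP2893FE127C54" entry, as in Greg's voip-phones-tls file, is not matched by the Handler because (.+) needs at least one character before SEP. Python's re behaves like Perl for this pattern; ldap_filter_escape and cert_cn_matches_user are my own helpers, not Radiator options.

```python
import re

# Radiator matches the User-Name check attribute as an unanchored Perl regex;
# RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/ keeps only the MAC in $2.
USER_NAME_PATTERN = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")


def handler_matches(user_name):
    """True if the Handler's User-Name clause would select this request."""
    return USER_NAME_PATTERN.search(user_name) is not None


def rewrite_username(user_name):
    """Result of RewriteUsername; None when the Handler would not have matched."""
    m = USER_NAME_PATTERN.search(user_name)
    return m.group(2) if m else None


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed into an LDAP search filter (assumed helper).
    With the regex above the MAC is already 12 hex digits, so this is defence in depth."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(user_name, username_attr="sAMaccountName"):
    """Expand SearchFilter (%0=%1): %0 is UsernameAttr, %1 the rewritten User-Name."""
    mac = rewrite_username(user_name)
    if mac is None:
        return None
    return "(%s=%s)" % (username_attr, ldap_filter_escape(mac))


def cert_cn_matches_user(cert_cn, user_name):
    """Cross-check a phone certificate CN such as CP-7942G-SEP2893FE127C54 against the
    RADIUS User-Name: both must carry the same MAC after 'SEP' (assumed helper)."""
    cn_mac = rewrite_username(cert_cn)
    user_mac = rewrite_username(user_name)
    return cn_mac is not None and cn_mac.upper() == (user_mac or "").upper()


if __name__ == "__main__":
    for name in ("CP-7942G-SEP2893FE127C54", "SEP2893FE127C54"):  # constructed sample names
        print(name, "->", handler_matches(name), rewrite_username(name), build_search_filter(name))
```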