Stuff I'm Up To

Technical Ramblings

Wired 802.1X on Linux — July 10, 2019

For a while I’ve been meaning to fix my workstation. When it comes to remotely accessing it from home, I find I can’t, because I’ve followed the green guidance and turned it off when I went home. Even if I get someone to turn it on for me, I still can’t get to it.

This is because in the office we use RADIUS for network authentication, even on wired connections. What happens is that my network interfaces don’t go online until my desktop session has logged in and then authenticates with the RADIUS server using 802.1X.

RADIUS Testing — November 5, 2018

We have a need to authenticate a couple of devices via our Wi-Fi access points with a RADIUS server. Right now I wanted to test things out using a MAC address authentication process. But for some reason we can’t get it working on the APs.

How do I test that the RADIUS authentication policies are correct?

I recall using a RADCHECK program in Windows many years ago and figured Linux would probably have something similar. Sure enough a quick search means I can install freeradius-utils which includes radtest and radclient.

I needed to pass a number of RADIUS attributes and values with my test call and this is how I did it:

$ cat << EOF | radclient -x [radiusserver] auth [supersecretkey]
User-Name = 6894244B56EB
User-Password = 6894244B56EB
NAS-Port-Type = 19
NAS-Port = 0
Calling-Station-Id = SSID
EOF

This spoofed an auth call to the RADIUS server, using the specified MAC address as both user name and password, and pretended the call came from a NAS-Port-Type of Wireless - 802.11 (19). I got the table of values from here: https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-nas-port-type-overview.html

| Statement Option | NAS-Port-Type Value | Description |
|---|---|---|
| value | 0–65535 | Number that indicates either the IANA-assigned value for the RADIUS port type or a custom number-to-port type defined by the user |
| adsl-cap | 12 | Asymmetric DSL, carrierless amplitude phase (CAP) modulation |
| adsl-dmt | 13 | Asymmetric DSL, discrete multitone (DMT) |
| async | 0 | Asynchronous |
| cable | 17 | Cable |
| ethernet | 15 | Ethernet |
| fddi | 21 | Fiber Distributed Data Interface |
| g3-fax | 10 | G.3 Fax |
| hdlc-clear-channel | 7 | HDLC Clear Channel |
| iapp | 25 | Inter-Access Point Protocol (IAPP) |
| idsl | 14 | ISDN DSL |
| isdn-sync | 2 | ISDN Synchronous |
| isdn-v110 | 4 | ISDN Async V.110 |
| isdn-v120 | 3 | ISDN Async V.120 |
| piafs | 6 | Personal Handyphone System (PHS) Internet Access Forum Standard |
| sdsl | 11 | Symmetric DSL |
| sync | 1 | Synchronous |
| token-ring | 20 | Token Ring |
| virtual | 5 | Virtual |
| wireless | 18 | Other wireless |
| wireless-1x-ev | 24 | Wireless 1xEV |
| wireless-cdma2000 | 22 | Wireless code division multiple access (CDMA) 2000 |
| wireless-ieee80211 | 19 | Wireless 802.11 |
| wireless-umts | 23 | Wireless universal mobile telecommunications system (UMTS) |
| x25 | 8 | X.25 |
| x75 | 9 | X.75 |
| xdsl | 16 | DSL of unknown type |
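
The Access-Request that carries the attributes from the radclient input above, built by hand per RFC 2865 to show how the shared secret is used: it only obscures User-Password, while everything else travels in the clear. This is an added example, not code from the original post; the function names are hypothetical, and the secret and SSID are the post's placeholders, not real values.

```python
import hashlib
import os
import struct

# RADIUS attribute type numbers from RFC 2865
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """What the server does on receipt, using its copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type (1 byte), length including this 2-byte header, then the value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(mac, secret, ssid, ident=1, authenticator=None):
    """Access-Request (code 1) with the same attributes as the radclient input."""
    authenticator = authenticator or os.urandom(16)
    body = (attr(USER_NAME, mac)
            + attr(USER_PASSWORD, hide_password(mac, secret, authenticator))
            + attr(NAS_PORT_TYPE, struct.pack("!I", 19))   # Wireless 802.11
            + attr(NAS_PORT, struct.pack("!I", 0))
            + attr(CALLING_STATION_ID, ssid))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


if __name__ == "__main__":
    # Constructed sample: MAC from the post, placeholder secret and SSID
    pkt = access_request(b"6894244B56EB", b"supersecretkey", b"SSID")
    print(len(pkt), pkt.hex())
```

If the secret given to the client differs from the one configured on the server, the server recovers a different password from the same bytes, so the MAC comparison fails even when the policy itself is right.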

 

Unable to Logon as admin — June 5, 2017

I managed to bork one of our test switches today. I was in the process of enabling “netlogin” using RADIUS as the authentication method, when I must have inadvertently enabled RADIUS authentication for the management interface instead of just for “netlogin”.

Using the Extreme documentation as a clue to resolve this kind of issue, but for a forgotten admin password, I was able to modify the instructions slightly to achieve a logon without resorting to a factory reset.

Netsh Commands for NPS — April 3, 2017