Dot1x not working, although LOG-s from freeradius return "Login OK" - freeradius

I don't know where to look for this particular issue anymore. I have gone numerous times through freeradius configuration and configuration on cisco switch, but I am just unable to find the problem.
My environment:
Ubuntu 20.04.5 LTS
FreeRADIUS Version 3.0.20
MariaDB 10.6.11
Cisco C2960X switch
Issue:
I have dot1x configured on Cisco C2960X switch.
On Ubuntu I have freeradius v3 up and running.
Freeradius is able to connect to database, where my users are stored.
I am using EAP-TTLS/PAP.
Win10 laptop ethernet card (cable) is configured to use EAP-TTLS/PAP
When trying to connect Win10 laptop over the cable, I am asked to put in the user credentials, afterwards I have to accept the certificate and the authentication is in progress.
At the same time, when looking under Freeradius LOG-s, I get "Login OK" for the user, so user is accepted...great.
But on Win10 laptop authentication fails, although Freeradius did accept the user.
When DEBUG-ing Freeradius, everything seems OK:
"Login OK: [user#domain.com] (from client sbl-3 port 50320 cli 38-2C-4A-XX-XX-XX via TLS tunnel)"
When DEBUG-ing C2960x switch, I see an error:
"dot1x-packet:[xxxx.xxxx.xxxx, Gi1/0/19] Added username in dot1x"
"dot1x-packet:[xxxx.xxxx.xxxx, Gi1/0/19] Dot1x did not receive any key data"
"dot1x-ev:[xxxx.xxxx.xxxx, Gi1/0/19] Received Authz fail (result: 2) for the client 0x87000405 (xxxx.xxxx.xxxx)"
"dot1x-sm:[xxxx.xxxx.xxxx, Gi1/0/19] Posting_AUTHZ_FAIL on Client 0x87000405"
But the funny thing is, I have another VM set up with freeradius v2, which connects to the same MariaDB as freeradius v3. With no changes made on C2960X switch (port configuration, aaa etc.) except of course to configure radius server to redirect to another VM (freeradius v2), everything works great. I can see "Login OK" under freeradius LOGs, and Win10 laptop is authenticated and ready to use wired connection.
As it looks like, when using Freeradius v3, I have a problem in the last stage (authorization). But if using Freeradius v2, I have no issue and Win10 laptop is authenticated and ready to use wired connection.
I would really appreciate some help if someone ran into the same issue.
Kind Regards, Tomaz
I compared freeradius configuration on both VMs, for freeradius v2 and freeradius v3
I debugged freeradius
I debugged C2960x switch
I recorded traffic with WireShark on Win10 laptop

Related

freeradius v3.0.21 In the radius auth start/stop log (detail.log), the attribute "Request-Authenticator = Verified" is missing

I am new to Freeradius. I configured the freeradius server using container services,
I have installed Freeradius v3.0.21 in Alpine linux.
My container freeradius server is working fine and produces the log. But it's missing only one field/attribute "Request-Authenticator = Verified"
in the detail.log. Can anyone please help me on this?

Unable to connect externally (docker, linux)

I followed the docker install on an old laptop running Linux Mint una
Last night I set up DDNS with noip.com and managed to connect to wow (on the same network) using
set realmlist MYNAME.zapto.org
Then this morning I set up my phone as a mobile hotspot and tried again using the same realmlist but no longer from the same network and when I log in I get the "Unable to connect..." in the wow client
In the SQL database I changed acore-auth realmlist address to MYNAME.zapto.org (using HeidiSQL, I also changed it in the 'Data' tab)

Connection Error in Guacamole: The remote desktop server is currently unavailable. If the problem persists, please notify your system administrator

I am trying to set up guacamole in a Digital Ocean Droplet (Ubuntu 18.04). I followed the steps provided in https://computingforgeeks.com/install-and-use-guacamole-on-ubuntu/ to set up guacamole and used Postgresql to authenticate guacamole by following the instructions provided in https://guacamole.apache.org/doc/gug/jdbc-auth.html#idm46227496294336.
The installation got over and I am able to access the webpage at http://droplet-ip:8080/guacamole, but when I try to connect to a remote machine over RDP I get a connection error stating 'The remote desktop server is currently unavailable. If the problem persists, please notify your system administrator, or check your system logs.'
I have checked the login credentials of the remote device, its host IP and RDP port number, everything is correct. I am able to log in to the machine through Remote Desktop Connection in Windows. I can also log in to the same remote machine with the same credentials in a perfectly working guacamole setup in another digitalocean droplet.
I have also tried this by installing guacamole using docker by following instructions provided in https://wiki.networksecuritytoolkit.org/index.php/HowTo_Setup_Guacamole, but still face the same problem. What am I doing wrong? I would be happy if someone could help me solve this problem
I was finally able to figure out why I was not able to connect to a remote device in Guacamole.
My Digital Ocean Linux droplets had freeRDP already installed. But Guacamole Server 1.3.0 works on freeRDP2. I had to make Guacamole send requests through freeRDP2.
I have enabled SFTP in the connection settings. But somehow the OpenSSH was corrupted in the remote machine resulting in connection error. So, I disabled SFTP. I think guacamole tries to establish RDP and SFTP connection in the very beginning, so even if one of the protocols fails, connection cannot be established. I am not proficient with guacamole so not sure about this point.
After resolving these problems, guacamole was able to send connection request to the remote machine. I checked the status using netstat and the status was SYN_SENT, but there was no response from the remote server. The problem was Firewall.
I allowed the ports for RDP in windows firewall, but the remote machine was in a network which had external firewall. I added the Guacamole Server IP in allowed list for NAT forwarding in the firewall device and finally I was able to establish a connection with the remote machine.

Neo4j remote access from windows using putty

I installed Neo4j 3.2.6 on Ubuntu 16.04 and I tried to access it remotely using putty (from my windows-based computers). Without uncommenting anything in neo4j.conf, I can access Neo4j using the source port I defined in putty. Then, after connecting with the initial password "Neo4j" in the section saying "Connect to Neo4j Database access requires an authenticated connection.", I get the famous error "ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine ...".
So, after googling, I uncommented:
dbms.connectors.default_listen_address=0.0.0.0
dbms.connector.bolt.listen_address=:7687
BUT NOTHING WORKS.
The interesting thing is that I tried to install Neo4j on my laptop (locally) and it worked and when I used its "bolt://..." database access password on my remote access "bolt://..." database access it works. So, I'm not sure what is going on here, can someone help?

Trying to setup Neo4j 3.2.0 in ubuntu server

I am trying to set up Neo4j version 3.2.0 in the ubuntu server 14.04.2 LTS
Downloaded the tar and extracted the folder, edited the config file to update the port to 4444, for the time being disabled the bolt connector, listen_address to 0.0.0.0 for the http connector, authentication also disabled just to get started.
bolt connector is updated with the port 7687 even though it is disabled as I was trying earlier with it enabled.
Now when I try to connect to the http://serverip:4444/browser, it says Database access not available and shows me the login screen with host prefilled bolt://serverip:7687
Also I see this error on the console window
WebSocket connection to ws://serverip:7687/
failed: Error in connection establishment:
net::ERR_CONNECTION_TIMED_OUT
Don't understand the issues here, please help me out. I am not sure why it is trying to do a WS to the port assigned to the bolt, when it is disabled in the first place.
Regards
There's a bit of juggling going on for HTTP connector support between the browser and the driver being used, a handoff which isn't complete, and the state of things is the browser is only supporting bolt connections right now.
The javascript bolt driver is being upgraded to handle http connections, I think, so you may need to wait until the next 3.2.x release to use the http connector again.
I think this issue should be tracking it.
