I've been using RADSEC for a while in conjunction with FreeRadius or RadSecProxy and thought I'd try configuring it on a Mobility controller so ...
Have uploaded all the appropriate CA chains and server cert
Generated a client cert to use on the controller
Defined the shared key as being radsec
Created a RADIUS server and enabled RADSEC (incidentally, by default doesn't seem to let you specify a server cert from the GUI without doing some CLI stuff first)
Applied and saved the config .... and looking at the RADSEC server can't see any RADSEC tunnel establishment request attempts yet.
Haven't pointed any auths at the RADIUS server yet. Does the tunnel come up automagically or only after it sees an auth request for that RADIUS server (guess it'll be the latter)?
Any way of forcing a RADSEC tunnel establishment for testing?
o.k. might be a firewall issue between the mobility controller and the RADSEC server, didn't want to play with ClearPass RADSEC at the same time, another unknown quantity
o.k. firewall stopping things.... moved to new server
so I've got radsec.york.ac.uk on the controller defined as a server cert using a .p12 file called RADSECYork. I've also uploaded both the root and intermediate CA certs
From the command line I've typed
and then typed
After which I get
Unknown Trusted Certificate. Please upload the certificate before configuring in the profile
but the cert is on the mobility controller
crypto-local pki ServerCert RADSECYork radsecyorkacuk.p12
Already there, both the root and intermediate in the CA chain
crypto-local pki TrustedCA UoYRoot UniversityofYorkRootCA2.cer
crypto-local pki IntermediateCA UoYIntermediate UniversityofYorkIntermediateCA2.cer
Mobility controller says cert CA is UoYIntermediateCA (see image)
radsec-trusted-cacert-name <root CA for server cert>
Running round in circles here
1). radsec.york.ac.uk installed on controller as a .p12 file without the CA chain
2). Root and intermediate certs installed on controller (PEM files)
In my RADIUS auth server I can specify the CA Root.
If I then try and install the server I get a message
radsec-trusted-ca-cert-name is configured. Please unconfigure with "no radsec-trusted-ca-cert-name" and then configure "radsec-trusted-server-cert-name"
Note that this is wrong, it should be no radsec-trusted-cacert-name
If I then try installing the certificate radsec-trusted-server-cert-name radsecyorkacuk
I get the message Unknown Trusted Certificate. Please upload the certificate before configuring in the profile
But the cert is installed on the controller
This is on 188.8.131.52 BTW
Arghh!!!! upgraded radsecproxy to 1.7.1 on the server end and stuff just worked!
If anyone managed to follow this, I ended up with
Radsec Trusted CA Name - root CA used
Radsec Client Cert - Generated client cert uploaded onto controller
and latest version of radsecproxy "at the other end"
and stuff just worked ....