Security

last person joined: 45 seconds ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Configuring Mobility Controller RADSEC

Jump to Best Answer
  • 1.  Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 07:47 AM

    Hi,

    I've been using RADSEC for a while in conjunction with FreeRadius or RadSecProxy and thought I'd try configuring it on a Mobility controller so ...

     

    Have uploaded all the appropriate CA chains and server cert

    Generated a client cert to use on the controller

    Defined te shared key as being radsec

    Created a RADIUS server and enabled RADSEC ( incidentally, by default doesn't seem to let you specify a server cert from the GUI without doing some CLI stuff first)

     

    Applied and saved the config .... and looking at the RADSEC server can;t see any RADSEC tunnel establishment requests attempts yet.

     

    Haven't pointed any auths at the RADIUS server yet. Does the tunnel come up automagically or only after it sees an auth request for that RADIUS server ( guess it'll be the latter)

     

    Anyway of forcing a RADSEC tunnel establishment for testing ?

    A



  • 2.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 08:00 AM
    If it's configured correctly, it will come up immediately.


  • 3.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 08:02 AM

    o.k. might be a firewall issue between the mobility controller and the RADSEC server , didn;t want to play with clearpass RADSEC at the same time, another unknown quantity

    A



  • 4.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 10:01 AM

    o.k. firewall stopping things.... moved to new server

     

    so I've got radsec.york.ac.uk on the controller defined as . a server cert using a .p12 file called RADSECYork . I've also uploaded both the root and intermediate CA certs 

     

    From the command line I've typed 

    no radsec-trusted-cacert-name

     

    and then typed

     

    radsec-trusted-servercert-name RADSECYork

     

    After which I get

     

    Unknown Trusted Certificate. Please upload the certificate before configuring in the profile

    but the cert is on the mobility controller

    ....

    crypto-local pki ServerCert RADSECYork radsecyorkacuk.p12

    ......



  • 5.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 10:06 AM
    Upload the root CA that issued the RadSec server certificate. Don’t do individual servers.


  • 6.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 10:13 AM
      |   view attached

    Already there, both the root an intermediate in the CA chain

     

    crypto-local pki TrustedCA UoYRoot UniversityofYorkRootCA2.cer
    crypto-local pki IntermediateCA UoYIntermediate UniversityofYorkIntermediateCA2.cer

     

    Mobility controller says cert CA is UoYIntermediateCA ( see image)



  • 7.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 10:18 AM
    radsec-trusted-cacert-name <root CA for server cert>


  • 8.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 11:00 AM

    Running round in circles here

    1). radsec.york.ac.uk installed on controller as a .p12 file without the CA chain

    2). Root an intermediate certs installed on controller (PEM files)

     

    In my RADIUS auth server I can specify the CA Root.

    radsec-trusted-cacert-name uoyroot

    If I then try and install the server I get a mesage

     

    radsec-trusted-ca-cert-name is configured. Please unconfigure with "no radsec-trusted-ca-cert-name" and then configure "radsec-trusted-server-cert-name"

     

    Note that this is wrong, it should be no radsec-trusted-cacert-name

     

    If I then try installing the certificate radsec-trusted-server-cert-name radsecyorkacuk

     

    I get the message Unknown Trusted Certificate. Please upload the certificate before configuring in the profile 

     

    But the cert is installed on the controller

    This is on 6.5.4.8 BTW

     

     

     



  • 9.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 11:04 AM
    Please work with TAC. I’m getting confused by your order of operations here.


  • 10.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 11:15 AM
    Yeah I'm running round in circles as well :-(


  • 11.  RE: Configuring Mobility Controller RADSEC
    Best Answer

    Posted Aug 20, 2018 11:18 AM

    Arghh!!!! upgraded radecproxy to 1.7.1 on the server end and stuff just worked!

     



  • 12.  RE: Configuring Mobility Controller RADSEC

    Posted Aug 20, 2018 11:26 AM

    If anyone manged to follow this , I ended up with

     

    Radsec Trusted CA Name - root CA used

    Radsec Client Cert - Generated client cert uploaded onto controller

     

    and latest version of radsecproxy "at the other end"

     

    and stuff just worked ....