Security

Hi,

I've been using RADSEC for a while in conjunction with FreeRadius or RadSecProxy and thought I'd try configuring it on a Mobility controller so ...

Have uploaded all the appropriate CA chains and server cert

Generated a client cert to use on the controller

Defined te shared key as being radsec

Created a RADIUS server and enabled RADSEC ( incidentally, by default doesn't seem to let you specify a server cert from the GUI without doing some CLI stuff first)

Applied and saved the config .... and looking at the RADSEC server can;t see any RADSEC tunnel establishment requests attempts yet.

Haven't pointed any auths at the RADIUS server yet. Does the tunnel come up automagically or only after it sees an auth request for that RADIUS server ( guess it'll be the latter)

Anyway of forcing a RADSEC tunnel establishment for testing ?

A

o.k. might be a firewall issue between the mobility controller and the RADSEC server , didn;t want to play with clearpass RADSEC at the same time, another unknown quantity

A

o.k. firewall stopping things.... moved to new server

so I've got radsec.york.ac.uk on the controller defined as . a server cert using a .p12 file called RADSECYork . I've also uploaded both the root and intermediate CA certs 

From the command line I've typed 

no radsec-trusted-cacert-name

and then typed

radsec-trusted-servercert-name RADSECYork

After which I get

Unknown Trusted Certificate. Please upload the certificate before configuring in the profile

but the cert is on the mobility controller

....

crypto-local pki ServerCert RADSECYork radsecyorkacuk.p12

......

Already there, both the root an intermediate in the CA chain

crypto-local pki TrustedCA UoYRoot UniversityofYorkRootCA2.cer
crypto-local pki IntermediateCA UoYIntermediate UniversityofYorkIntermediateCA2.cer

Mobility controller says cert CA is UoYIntermediateCA ( see image)

radsec-trusted-cacert-name <root CA for server cert>

Running round in circles here

1). radsec.york.ac.uk installed on controller as a .p12 file without the CA chain

2). Root an intermediate certs installed on controller (PEM files)

In my RADIUS auth server I can specify the CA Root.

radsec-trusted-cacert-name uoyroot

If I then try and install the server I get a mesage

radsec-trusted-ca-cert-name is configured. Please unconfigure with "no radsec-trusted-ca-cert-name" and then configure "radsec-trusted-server-cert-name"

Note that this is wrong, it should be no radsec-trusted-cacert-name

If I then try installing the certificate radsec-trusted-server-cert-name radsecyorkacuk

I get the message Unknown Trusted Certificate. Please upload the certificate before configuring in the profile 

But the cert is installed on the controller

This is on 6.5.4.8 BTW

Arghh!!!! upgraded radecproxy to 1.7.1 on the server end and stuff just worked!

If anyone manged to follow this , I ended up with

Radsec Trusted CA Name - root CA used

Radsec Client Cert - Generated client cert uploaded onto controller

and latest version of radsecproxy "at the other end"

and stuff just worked ....