...
The ONOS RADIUS AAA app receives 802.1X/EAPOL authentication requests from supplicants in its managed network, acts as the 802.1X authenticator, and relays the EAP exchange to an external RADIUS server. In this testing environment the supplicants are Mininet hosts in an ONOS-managed network, and the wpa_supplicant Linux command is the client that initiates authentication. Once a host sends its EAPOL-Start, the ONOS AAA app receives the frame and handles all communication with both the RADIUS server and the supplicant; the supplicant never talks to the RADIUS server directly.
...
The client-side TLS files (cacert.pem, client.pem and client.key) have to be copied from the RADIUS server's certificate directory (/etc/freeradius/certs) to /etc/cert on the node that runs the supplicant. These are the example certificates FreeRADIUS generates for testing (the subjects in the output below read "Example Inc."); they are fine for this lab setup but should not be used anywhere else. client.key is a private key, so keep it readable only by root on the supplicant node.
Testing Authentication
There are three separate entities that must be used to fully test a RADIUS request: the FreeRADIUS server, the wpa_supplicant and ONOS.
First, launch the AAA application inside of ONOS:
| Code Block |
|---|
Rays-MacBook-Pro:onos-next ray$ onos
Welcome to Open Network Operating System (ONOS)!
____ _ ______ ____
/ __ \/ |/ / __ \/ __/
/ /_/ / / /_/ /\ \
\____/_/|_/\____/___/
Documentation: wiki.onosproject.org
Tutorials: tutorials.onosproject.org
Mailing lists: lists.onosproject.org
Come help out! Find out how at: contribute.onosproject.org
Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown ONOS.
onos> app activate org.onosproject.aaa
onos>
|
Now launch the FreeRADIUS server. It may already be running as a service; to run it manually in the foreground with full debugging output, stop the service first (only one instance can bind the RADIUS ports) and run the command below. Note that the server only answers requests from addresses listed in its clients.conf with a matching shared secret: with -X, a request from an unlisted address is logged as coming from an unknown client and dropped, so check that the ONOS node is listed there before testing.
| Code Block |
|---|
root@cord-radius:/etc/freeradius# freeradius -f -X -xx |
The last piece is the client side, the supplicant. From the Mininet CLI, run wpa_supplicant on a host to start the authentication process. The output below shows what a successful EAP-TLS run looks like: the supplicant sends to the 802.1X PAE group address (01:80:c2:00:00:03), the EAP-Request relayed by the AAA app proposes method 13 (EAP-TLS), the supplicant validates the RADIUS server's certificate chain against cacert.pem (the two CTRL-EVENT-EAP-PEER-CERT lines, assuming ca_cert in wpa_supplicant.conf points at that file), and the run ends with CTRL-EVENT-EAP-SUCCESS. A CTRL-EVENT-EAP-FAILURE, or an EAP-STARTED line with nothing after it, means the exchange did not complete.
| Code Block |
|---|
mininet> h1 sudo wpa_supplicant -Dwired -ih1-eth0 -c/etc/config/wpa_supplicant.conf
Successfully initialized wpa_supplicant
h1-eth0: Associated with 01:80:c2:00:00:03
h1-eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
h1-eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
h1-eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
h1-eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority'
h1-eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org'
h1-eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
|
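The three steps above, scripted from the supplicant host's shell, as an added example that is not part of the ONOS page or project. It writes an EAP-TLS wpa_supplicant.conf for the certificates in /etc/cert, checks the certificate files before starting, runs wpa_supplicant with a time cap, and classifies the result from the log. The configuration contents, the identity user@example.org, the private_key_passwd value and the 30-second cap are assumptions; the page gives none of them.

```sh
#!/bin/sh
# Added example, not part of the ONOS page or project: scripted version of the
# supplicant-side test. Assumptions (not on the page): the wpa_supplicant.conf
# contents, the EAP identity, the client.key passphrase and the 30-second cap.

CERT_DIR=${CERT_DIR:-/etc/cert}
CONF=${CONF:-/etc/config/wpa_supplicant.conf}
IFACE=${IFACE:-h1-eth0}

# Write an EAP-TLS (method 13) wired configuration pointing at the files
# copied from /etc/freeradius/certs. identity and private_key_passwd are
# assumptions: use the values your RADIUS server and client.key expect.
write_supplicant_conf() {
    conf=$1
    certdir=$2
    cat > "$conf" <<EOF
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="user@example.org"
    ca_cert="$certdir/cacert.pem"
    client_cert="$certdir/client.pem"
    private_key="$certdir/client.key"
    private_key_passwd="whatever"
}
EOF
}

# Fail unless all three files are readable and client.key is not readable by
# others (the key is what proves the supplicant's identity to RADIUS).
check_certs() {
    certdir=$1
    for f in cacert.pem client.pem client.key; do
        [ -r "$certdir/$f" ] || { echo "missing or unreadable: $certdir/$f" >&2; return 1; }
    done
    mode=$(stat -c %a "$certdir/client.key" 2>/dev/null || stat -f %Lp "$certdir/client.key")
    case "$mode" in
        *[1-7]) echo "client.key is readable by others (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# Confirm client.pem was issued by the CA in cacert.pem, i.e. both files came
# from the same RADIUS server. Needs openssl on the node.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/client.pem"
}

# Name of the EAP method the supplicant negotiated ("TLS" in the run above).
eap_method() {
    sed -n 's/.*CTRL-EVENT-EAP-METHOD EAP vendor [0-9]* method [0-9]* (\([A-Za-z0-9-]*\)) selected.*/\1/p' "$1" | head -n 1
}

# Classify a wpa_supplicant log: 0 = EAP success, 1 = explicit EAP failure,
# 2 = neither seen (the AAA app never answered, or the run was cut short).
eap_result() {
    if grep -q 'CTRL-EVENT-EAP-SUCCESS' "$1"; then
        return 0
    elif grep -q 'CTRL-EVENT-EAP-FAILURE' "$1"; then
        return 1
    fi
    return 2
}

# Run wpa_supplicant as on the page. It keeps running after EAP-SUCCESS, so
# the run is capped with timeout(1) and the log is inspected afterwards.
run_test() {
    check_certs "$CERT_DIR" || return 1
    [ -r "$CONF" ] || write_supplicant_conf "$CONF" "$CERT_DIR"
    log=$(mktemp)
    timeout 30 wpa_supplicant -Dwired -i"$IFACE" -c"$CONF" >"$log" 2>&1
    eap_result "$log"
    rc=$?
    echo "method=$(eap_method "$log") result=$rc log=$log"
    return $rc
}

# Only start a real run when asked to (e.g. "h1 sh supplicant-test.sh run" from
# the Mininet prompt), so the functions can also be sourced and used alone.
if [ "${1:-}" = run ]; then
    run_test
fi
```

From the Mininet CLI, `h1 sh supplicant-test.sh run` does what the page's command does and exits 0 only when CTRL-EVENT-EAP-SUCCESS was logged; a result of 2 with nothing past EAP-STARTED points at the ONOS side (app not active, or the RADIUS server not answering it), while a 1 points at the certificate or identity the server rejected.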
Useful Debugging Tools
It is sometimes useful to watch the network traffic between ONOS and the RADIUS server. Run this command on the VM that runs ONOS to see the packets it exchanges with the server; the interface name (eth1 here) depends on your network configuration. Adding the filter udp port 1812 limits the capture to RADIUS authentication traffic, and the -vvv decode shows each packet's RADIUS code (Access-Request, Access-Challenge, Access-Accept or Access-Reject) and its attributes. Keep in mind that the RADIUS shared secret only authenticates the packets: attributes such as User-Name are visible in clear text on this leg, while the EAP-TLS handshake inside the EAP-Message attributes is protected by TLS. To see the EAPOL side instead, capture on the Mininet host's interface with the filter ether proto 0x888e.
| Code Block |
|---|
sudo tcpdump -vvv -X -n -i eth1
|
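A small triage helper built on the capture above, as an added example that is not part of the ONOS page or project: it captures only the RADIUS leg, reduces the decoded packets to the sequence of RADIUS codes, and tells from the last code where a failed login stopped. The interface name and the decoded lines in sample_decode are constructed for trying the functions offline; real addresses, ids and lengths will differ.

```sh
#!/bin/sh
# Added example, not part of the ONOS page or project: capture the RADIUS leg
# on the ONOS VM and reduce tcpdump's decode to the sequence of RADIUS codes.
# IFACE and the lines written by sample_decode are assumptions/constructed.

IFACE=${IFACE:-eth1}

# Capture only the RADIUS authentication port (UDP 1812) into a pcap file.
capture_radius() {
    sudo tcpdump -n -i "$IFACE" -w "$1" 'udp port 1812'
}

# Decode a pcap the way the page's command does; tcpdump names the RADIUS
# code of each packet, e.g. "Access-Request (1)".
decode_radius() {
    tcpdump -vvv -n -r "$1"
}

# The RADIUS codes seen in a decoded capture, in packet order, on one line.
radius_codes() {
    grep -oE 'Access-(Request|Challenge|Accept|Reject)' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Triage from the last code seen:
#   0 = Access-Accept (login succeeded)
#   1 = Access-Reject (server refused the supplicant: certificate, identity
#       or EAP configuration on the server side)
#   2 = ended on an Access-Request with no reply (ONOS not in clients.conf,
#       wrong shared secret, or the server is not running)
#   3 = ended on an Access-Challenge (the supplicant side never answered)
#   4 = no RADIUS packets at all (wrong interface or filter)
radius_outcome() {
    last=$(radius_codes "$1" | awk '{print $NF}')
    case "$last" in
        Access-Accept)    return 0 ;;
        Access-Reject)    return 1 ;;
        Access-Request)   return 2 ;;
        Access-Challenge) return 3 ;;
    esac
    return 4
}

# Constructed sample of decoded output for a successful EAP-TLS login
# (addresses, ids and lengths are made up), for exercising the functions
# without a live capture.
sample_decode() {
    cat > "$1" <<'EOF'
10.0.0.1.40000 > 10.0.0.2.1812: RADIUS, length: 150
    Access-Request (1), id: 0x01, Authenticator: 0000
      User-Name Attribute (1), length: 18, Value: user@example.org
10.0.0.2.1812 > 10.0.0.1.40000: RADIUS, length: 80
    Access-Challenge (11), id: 0x01, Authenticator: 0000
10.0.0.1.40000 > 10.0.0.2.1812: RADIUS, length: 1000
    Access-Request (1), id: 0x02, Authenticator: 0000
10.0.0.2.1812 > 10.0.0.1.40000: RADIUS, length: 200
    Access-Accept (2), id: 0x02, Authenticator: 0000
EOF
}
```

On the ONOS VM, run capture_radius into a file while a supplicant logs in, stop it, then feed decode_radius output to radius_outcome. A real EAP-TLS login shows several Access-Request/Access-Challenge rounds before the Access-Accept; an exchange that ends on an Access-Request is the signature of the unknown-client or wrong-secret problem mentioned under the FreeRADIUS step.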
...