Have questions? Stuck? Please check our FAQ for some common questions and answers.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

 

This page describes how to test authentication using the ONOS AAA application and a demo RADIUS server. It uses ONOS and a Mininet network to simulate the client side of the authentication process, and OpenRADIUS to implement the RADIUS server. This description is heavily dependent on the ON.Lab network.

The ONOS RADIUS AAA app takes in RADIUS requests from supplicants within its managed network and forwards them on to an external RADIUS server. In this testing environment, we use Mininet hosts in an ONOS managed network as the supplicants, and use the wpa_supplicant Linux command as the client to initiate authentication. Once the host issues the request, the ONOS AAA app receives the packet, and handles communication with the RADIUS server and the supplicant.

What You Will Need

  • An instance of ONOS to run. The AAA app is packaged as part of ONOS
  • A Mininet instance
  • A FreeRADIUS instance

OpenRadius Setup

In the ON.Lab office, we have a FreeRADIUS server running on 10.1.128.10 (login ubuntu/ubuntu). This server can be configured to use MD5 or TLS authentication for EAP. To change the EAP type, edit the file /etc/freeradius/eap.conf and modify the default_eap_type attribute. A set of self-signed test certificates are deployed on that server. If you deploy your own FreeRADIUS server you can copy the certificates or generate your own. The client side certificates must be copied to the Mininet node running the supplicants; that is covered in the Mininet section below.

Mininet Setup

Mininet is required to simulate hosts to act as supplicants. The Mininet topology must have at least one switch and one host, and be controlled by the ONOS instance that is running the AAA app.

ONOS Setup

ONOS must be configured to manage the Mininet network. The AAA application is installed as part of the default ONOS payload and must be available.

WPA Supplicant Setup

On the Mininet instance, create the following wpa_supplicant configuration file in /etc/config/wpa_supplicant.conf:

wpa_supplicant configuration
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
fast_reauth=0
network={
        key_mgmt=WPA-EAP
        #eap=TLS
        #eap=MD5
        identity="testuser"
        password="testpassword"
        ca_cert="/etc/cert/cacert.pem"
        client_cert="/etc/cert/client.pem"
        private_key="/etc/cert/client.key"
     	private_key_passwd="whatever"
        eapol_flags=3
}

The client side TLS certificates (cacert.pem, client.pem and client.key) have to be copied from the RADIUS server certificates directory (/etc/freeradius/certs) to the local node in /etc/cert.

Testing Authentication

h1 sudo wpa_supplicant -Dwired -ih1-eth0 -c/etc/config/wpa_supplicant.conf

 

Useful Debugging Tools

tcpdump command
sudo tcpdump -vvv -X -n -i eth1

 

 

  • No labels