Radius requests not getting sent #213

Open
hardillb opened this issue Apr 1, 2020 · 4 comments
Labels
question Further information is requested

Comments


hardillb commented Apr 1, 2020

I'm running Chewie version 0.21 in a CORE environment (based on a Ubuntu 18.04 base) installed from the packagecloud.io source.

[Screenshot from 2020-04-01 20-44-37]

I have an Open vSwitch switch being configured with faucet and it's all working OK until I try to add the 802.1x authentication. I have LDAP & Radius & faucet server all running on the same host (n1) as the switch.

I have a veth pair (tap0 & tap1) bound to the switch as the port that the dot1x will use to output the 802.1x request.

What I'm currently seeing is that it looks like radius_output_bits = self.radius_output_messages.get() here is never returning so the eapol request is never getting passed on to the radius server.

I'm running wpa_supplicant on n2

Any ideas what I've either got wrong, or is this a bug?

Open vSwitch setup

#!/bin/bash
ip link add tap0 type veth peer name tap1
ip link set tap0 up
ip link set tap1 up
ovs-vsctl --if-exists del-br ovs-br0
ovs-vsctl add-br ovs-br0
ovs-vsctl set bridge ovs-br0 other-config:datapath-id=0000000000000001
ovs-vsctl set bridge ovs-br0 other-config:disable-in-band=true
ovs-vsctl add-port ovs-br0 eth0 -- set Interface eth0  ofport_request=1
ovs-vsctl add-port ovs-br0 eth1 -- set Interface eth1  ofport_request=2
ovs-vsctl add-port ovs-br0 eth2 -- set Interface eth2  ofport_request=3
ovs-vsctl add-port ovs-br0 eth3 -- set Interface eth3  ofport_request=4
ovs-vsctl add-port ovs-br0 eth4 -- set Interface eth4  ofport_request=5
ovs-vsctl add-port ovs-br0 tap1 -- set Interface tap1  ofport_request=6
ovs-vsctl set-fail-mode ovs-br0 secure
ovs-vsctl set-controller ovs-br0 tcp:127.0.0.1:6653 tcp:127.0.0.1:6654

faucet.yaml:

 pre_auth:
  - rule:
     dl_type: 0x800
     ip_proto: 1
     actions:
      allow: False
 post_auth:
  - rule:
     actions:
      allow: True
vlans:
 office:
  vid: 100
  description: "office network"
 home:
  vid: 101
  description: "home network"
dps:
 sw1:
  dp_id: 0x1
  dot1x:
   radius_ip: "127.0.0.1"
   radius_port: 1812
   radius_secret: "testing123"
   nfv_intf: "tap0"
   nfv_sw_port: 6
  hardware: "Open vSwitch"
  interfaces:
   1:
    name: "host1"
    description: "host1 network namespace"
    native_vlan: office
    dot1x: true
   2:
    name: "host2"
    description: "host2 network namespace"
    native_vlan: home
   3:
    name: "host3"
    native_vlan: office
   4:
    name: "host4"
    native_vlan: home
   5:
    name: "trunk"
    tagged_vlans: [office,home]
   6:
    name: "802.1x"
    output_only: true
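The hop the report says never happens is the authenticator turning a supplicant's EAPOL frame into a RADIUS Access-Request for 127.0.0.1:1812. The following is an added example, not Chewie's or faucet's code: it builds the EAP-Response/Identity a wired supplicant sends, parses it as the authenticator would, wraps it in an Access-Request carrying EAP-Message plus the Message-Authenticator that RFC 3579 requires for EAP traffic, and checks a server reply's Response Authenticator and Message-Authenticator. The shared secret "testing123" is the one from the faucet.yaml above; the identity "user", EAP identifier, NAS-Port and the fixed Request Authenticator used in the self-test are constructed sample values.

```python
"""Added example (not Chewie's code): EAPOL -> RADIUS with Message-Authenticator."""
import hashlib
import hmac
import os
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_PORT = 1, 5
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def eapol_identity_frame(identity: bytes, eap_id: int = 1) -> bytes:
    """Supplicant side: EAP-Response/Identity inside an EAPOL EAP-Packet.
    eap_id must echo the Identifier of the EAP-Request/Identity it answers."""
    eap = struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
    eap += bytes([EAP_TYPE_IDENTITY]) + identity
    # EAPOL header: protocol version 1, packet type 0 (EAP-Packet), body length
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def eap_from_eapol(frame: bytes) -> bytes:
    """Authenticator side: strip the EAPOL header and return the EAP packet."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + length]


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(eap: bytes, user_name: bytes, secret: bytes, nas_port: int,
                   pkt_id: int = 0, authenticator: bytes = None) -> bytes:
    """RADIUS Access-Request carrying the EAP packet. Message-Authenticator is
    HMAC-MD5(secret) over the whole packet with that attribute zeroed (RFC 3579 3.2)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, random per request
    attrs = _attr(ATTR_USER_NAME, user_name) + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap), 253):  # EAP-Message is chunked to 253-byte attributes
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_attrs(pkt: bytes):
    """Return [(type, value), ...] from a RADIUS packet's attribute section."""
    attrs, pos = [], 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        attrs.append((attr_type, pkt[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(pkt: bytes, secret: bytes, request_authenticator: bytes = None) -> bool:
    """Requests: HMAC over the packet with Message-Authenticator zeroed.
    Replies: the originating Request Authenticator stands in for bytes 4..20."""
    pos, mac, zeroed = 20, None, pkt
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            mac = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
        pos += length
    if mac is None:
        return False  # RFC 3579: packets carrying EAP-Message MUST include it
    auth = request_authenticator or pkt[4:20]
    expected = hmac.new(secret, zeroed[:4] + auth + zeroed[20:], hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def radius_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side (sample only): a reply whose Message-Authenticator and RFC 2865
    Response Authenticator are both bound to the request's authenticator."""
    req_auth = request[4:20]
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, head + req_auth + attrs, hashlib.md5).digest()
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: check the Response Authenticator, then the Message-Authenticator."""
    req_auth = request[4:20]
    if not hmac.compare_digest(hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest(), reply[4:20]):
        return False
    return verify_message_authenticator(reply, secret, request_authenticator=req_auth)


if __name__ == "__main__":
    eap = eap_from_eapol(eapol_identity_frame(b"user"))
    req = access_request(eap, b"user", b"testing123", nas_port=1, pkt_id=7)
    print("Access-Request:", req.hex())
    print("request MA ok:", verify_message_authenticator(req, b"testing123"))
```

Capturing on the loopback interface while wpa_supplicant runs should show a UDP datagram to port 1812 whose bytes parse with `parse_attrs` into User-Name, NAS-Port, EAP-Message and Message-Authenticator; with the shared secret in hand, `verify_message_authenticator` tells a bad secret apart from a missing or corrupted packet, which is the distinction the original report is trying to make.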

gizmoguy commented Apr 1, 2020

Hi @hardillb,

I just tried using your topology and faucet.yaml outside of CORE to see if I could replicate the problem.

Happy to report everything worked out okay for me, so worst case I can share my environment with you to get you up and running.

My first stab at guessing why this doesn't work: are you running faucet as root? Because of this faucet bug: faucetsdn/faucet#2854 we currently only support faucet/chewie when run as root. Something we hope to change in the future.

@gizmoguy gizmoguy self-assigned this Apr 1, 2020
@gizmoguy gizmoguy added the question Further information is requested label Apr 1, 2020

hardillb commented Apr 1, 2020

Hi, thanks for the rapid response.

Yeah, it's all running as root, that is the default for CORE's network namespaced runtimes. Since it's all just network namespaces it should basically be the same as docker.

I can see in the trace that it's adding the new radius packet to the queue in the statemachine, it's just not taking them off the queue to send out to the radius server as far as I can tell.

It's after 23:00 here, but I'll grab some proper trace in the morning and post it.


gizmoguy commented Apr 1, 2020

Okay and if you want to try my environment out to compare, here are the commands I ran in a fairly vanilla ubuntu VM to create a set of network namespaces to simulate the hosts.

Get create_ns and as_ns shell fragments from the faucet tutorial: https://docs.faucet.nz/en/latest/tutorials/acls.html#prerequisites

$ create_ns n2 10.0.0.1/24
$ create_ns n3 10.0.0.2/24
$ create_ns n4 10.0.0.3/24
$ create_ns n5 10.0.0.4/24
$ sudo ip link add tap0 type veth peer name tap1
$ sudo ip link set tap0 up
$ sudo ip link set tap1 up
$ sudo ovs-vsctl add-br br0 -- set bridge br0 other-config:datapath-id=0000000000000001 \
    -- set bridge br0 other-config:disable-in-band=true \
    -- set bridge br0 fail_mode=secure \
    -- add-port br0 veth-n2 -- set interface veth-n2 ofport_request=1 \
    -- add-port br0 veth-n3 -- set interface veth-n3 ofport_request=2 \
    -- add-port br0 veth-n4 -- set interface veth-n4 ofport_request=3 \
    -- add-port br0 veth-n5 -- set interface veth-n5 ofport_request=4 \
    -- add-port br0 tap1 -- set interface tap1 ofport_request=6 \
    -- set-controller br0 tcp:127.0.0.1:6653 tcp:127.0.0.1:6654

I then got the freeradius and wpa_supplicant test configs we ship with chewie: https://github.com/faucetsdn/chewie/tree/master/etc

I started freeradius on the host outside the network namespaces, and then started wpa_supplicant on n2:

$ as_ns n2 wpa_supplicant -dd -c/tmp/wpasupplicant/wired-md5.conf -iveth0 -Dwired

Anyway, talk more tomorrow. I'm in UTC+12.


hardillb commented Apr 2, 2020

hmm, your setup does seem to work (well, at least packets are making it to the radius server, which is currently set up for a PPPoE authentication).

Which is odd because CORE is basically just a GUI doing the same thing with the namespace stuff.

I'll keep playing
