new to radius osx client 3com switch

jeffrey j donovan donovan at beth.k12.pa.us
Tue Apr 12 02:41:11 CEST 2011


Hello,

I have been learning about FreeRADIUS and could use some guidance. I have a FreeRADIUS server, a 3Com 5500 switch and a Mac OS X client.

I set up a test machine and added a client record and shared secret. Joe User is getting his credentials from LDAP, and the machine he sent the request from is 10.5.1.8; FreeRADIUS is running on 10.5.1.101.

Now I need to configure the 3Com switch and the Mac OS X client to send/accept EAP or EAP-TLS. Neither Apple nor 3Com have good setup docs, so I'm looking to the list; maybe someone has crossed this river before I build a new bridge?

Here was my auth test from a remote user:

echo "User-Name = joeuser\n User-Password = hispassword" | radclient -sx 10.5.1.101 auth Secret

Sending Access-Request of id 137 to 10.5.1.101 port 1812
	User-Name = "joeuser"
	User-Password = "hispassword"
rad_recv: Access-Accept packet from host 10.5.1.101:1812, id=137, length=20

	   Total approved auths:  1
	     Total denied auths:  0
	       Total lost auths:  0


Mon Apr 11 20:17:42 2011 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.5.1.8 port 57337, id=254, length=51
	User-Name = "joeuser"
	User-Password = "hispassword"
Mon Apr 11 20:27:04 2011 : Info: +- entering group authorize {...}
Mon Apr 11 20:27:04 2011 : Info: ++[preprocess] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[chap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[mschap] returns noop
Mon Apr 11 20:27:04 2011 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL
Mon Apr 11 20:27:04 2011 : Info: [suffix] No such realm "NULL"
Mon Apr 11 20:27:04 2011 : Info: ++[suffix] returns noop
Mon Apr 11 20:27:04 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Apr 11 20:27:04 2011 : Info: ++[eap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[unix] returns updated
Mon Apr 11 20:27:04 2011 : Info: ++[files] returns noop
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The host 10.5.1.8 does not have an access group.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: no access control groups, all users allowed.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: Setting Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[expiration] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[logintime] returns noop
Mon Apr 11 20:27:04 2011 : Info: [pap] Found existing Auth-Type, not changing it.
Mon Apr 11 20:27:04 2011 : Info: ++[pap] returns noop
Mon Apr 11 20:27:04 2011 : Info: Found Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: +- entering group opendirectory {...}
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Auth: Login OK: [joeuser/hispassword] (from client noc port 0)
Mon Apr 11 20:27:04 2011 : Info: +- entering group post-auth {...}
Mon Apr 11 20:27:04 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 254 to 10.5.1.8 port 57337
Mon Apr 11 20:27:04 2011 : Info: Finished request 2.
Mon Apr 11 20:27:04 2011 : Debug: Going to the next request
Mon Apr 11 20:27:04 2011 : Debug: Waking up in 4.9 seconds.


Okay, so that's good. Now I assume that I can configure the switch; after following 3Com's instructions I end up with:
5500G-EI]display dot1x int g1/0/5
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period     30 s,  Handshake Period       15 s
                Quiet Period        60 s,  Quiet Period Timer is disabled
                Supp Timeout        30 s,  Server Timeout         100 s
                The maximal retransmitting times          2

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 GigabitEthernet1/0/5  is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   The port is a(n) an authenticator
   Authenticate Mode is Auto
   Port Control Type is Mac-based
   Max on-line user number is 256
                                          
   Authentication Success: 0, Failed: 2 
   EAPOL Packets: Tx 13, Rx 12 
   Sent EAP Request/Identity Packet : 5 
        EAP Request/Challenge Packets: 5 
   Received EAPOL Start Packets : 3 
            EAPOL LogOff Packets: 0 
            EAP Response/Identity Packets : 5 
            EAP Response/Challenge Packets: 0 
            Error Packets: 0 
 1. Unauthenticated user : MAC address: 0025-xxxx-xxxx 

   Controlled User(s) amount to 1
[5500G-EI]  disp domain
0  Domain = nocdomain                
   State = Active    
   RADIUS Scheme = nocsys  Access-limit = Disable 
   Domain User Template: 
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

1  Domain = system                   
   State = Active    
   Scheme = LOCAL  Access-limit = Disable 
   Domain User Template: 
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable


At this point I thought I had it, but the OS X client just fails, and it's like the EAP never leaves the 3Com switch: nothing hits the logs, it's quiet. So I need to know what each side is looking for. Can someone smack me around a bit?

Thanks for any insight.

-j
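As an added illustration (not from the original post, and not FreeRADIUS or 3Com code), the Python below builds the Access-Request a switch relaying EAP has to send, with the EAP Response/Identity in an EAP-Message attribute and the Message-Authenticator that RFC 3579 makes mandatory, and runs the same "is there an EAP-Message?" check that produced the "[eap] No EAP-Message, not doing EAP" line in the debug output above. The shared secret, the identity "joeuser" and the authenticator bytes are constructed values.

```python
import hashlib, hmac, struct

SECRET = b"Secret"  # constructed shared secret for the example, not from the post
ACCESS_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80

def attr(t, value):
    # RADIUS attribute: Type, Length (header included), Value
    return struct.pack("!BB", t, len(value) + 2) + value

def eap_response_identity(eap_id, identity):
    # EAP Response/Identity exactly as the supplicant returns it over EAPOL (RFC 3748)
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def build_eap_access_request(identifier, authenticator, identity, eap_id):
    # A NAS relaying EAP carries the EAP packet in EAP-Message and adds a
    # Message-Authenticator: HMAC-MD5 over the packet with that field zeroed (RFC 3579)
    attrs = attr(ATTR_USER_NAME, identity)
    attrs += attr(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
    attrs += attr(ATTR_MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(SECRET, pkt, hashlib.md5).digest()

def parse_attrs(pkt):
    # Yields (type, value, offset of value) for each attribute after the 20-byte header
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        yield t, pkt[i + 2:i + l], i + 2
        i += l

def verify_message_authenticator(pkt, secret):
    # A request carrying EAP-Message with a missing or bad Message-Authenticator is discarded
    for t, value, off in parse_attrs(pkt):
        if t == ATTR_MSG_AUTH and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def eap_decision(pkt):
    # The authorize-stage check behind "[eap] No EAP-Message, not doing EAP" in the log
    msgs = [v for t, v, _ in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE]
    if not msgs:
        return "No EAP-Message, not doing EAP"
    eap = b"".join(msgs)  # fragments of one EAP packet are concatenated in order
    code, _eap_id, length = struct.unpack("!BBH", eap[:4])
    if code == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        return "EAP Response/Identity from " + eap[5:length].decode()
    return "EAP code %d, type %d" % (code, eap[4])
```

A radclient test with User-Password, like the one above, takes the PAP path and never exercises this; a request with EAP-Message but no valid Message-Authenticator is dropped by the server without a log line at the default verbosity.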