Help needed configuring MAB on FreeRADIUS and Cisco switch

Kaya Saman kayasaman at gmail.com
Mon Jul 16 11:54:00 CEST 2012


On Mon, Jul 16, 2012 at 9:20 AM, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> Issuing 'radius -X' still isn't showing anything :-(
>
> radiusd -X  ?
>
> please ensure you are trying to run the right command....

Sorry that was a typo!!


This is the output I get when command run:

radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.

>
> if you dont see anything on the output when client connection attempts are made,
> then you have a problem elsewhere on the network or on the NAS.... you could
> try running
>
> tcpdump -eqntl -i ethX port 1812
>
> (replace ethX with the name of your interface on which packets should be arriving)

Unfortunately I can't run this as the server isn't connected to the
internet or any other type of network, meaning that I can't install
it!

I guess using a USB stick I might be able to install the RPM for it
and dependencies, actually I will do this......

The setup is as such:


RADIUS Server <-> switch <-> laptop


The way the system is now I doubt it would show anything anyway??

>
>
> you can also turn on debugging on your NAS - cisco kit has quite extensive 802.1X
> debugging - you should then see it sending traffic....    I suspect you may have
> an ACL between the management level of the switches and your server.
>

I tried this, I used 'debug radius verbose', but the log doesn't come
up with anything at all. The log just shows this:

No Inactive Message Discriminator.


    Console logging: level debugging, 14 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 14 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 17 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:01:13.928: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Vlan1, changed state to down
*Mar  1 00:01:15.757: %SPANTREE-5-EXTENDED_SYSID: Extended SysId
enabled for type vlan
*Mar  1 00:01:19.398: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:01:20.421: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version
12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 08:13 by sasyamal
*Mar  1 00:01:20.438: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar  1 00:01:22.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/11, changed state to up
*Mar  1 00:01:23.433: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Vlan1, changed state to up
*Mar  1 00:01:24.506: %LINK-3-UPDOWN: Interface GigabitEthernet0/11,
changed state to up
*Mar  1 00:01:24.800: %LINK-3-UPDOWN: Interface GigabitEthernet0/1,
changed state to up
*Mar  1 00:01:25.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/1, changed state to up
*Mar  1 00:02:36.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/11, changed state to down
*Mar  1 00:02:40.591: %LINK-3-UPDOWN: Interface GigabitEthernet0/11,
changed state to down
*Mar  1 00:02:43.141: %LINK-3-UPDOWN: Interface GigabitEthernet0/11,
changed state to up
*Mar  1 00:02:44.148: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/11, changed state to up


which basically tells me that the vlan and interfaces are up and that's all??

>> Radius can't be this hard to get working can it?
>
> the bit you are doing should be easy. the hard part is authentication and policy.
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


I did change this on the switch from:

aaa authentication dot1x default group radius group test
aaa authorization network default group radius group test
aaa accounting dot1x default start-stop group radius group test
aaa accounting dot1x system start-stop group radius group test
aaa accounting network default start-stop group radius group test

to:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting dot1x system start-stop group radius
aaa accounting network default start-stop group radius

but with no luck as per above :-(


Regards,


Kaya
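As an added example (not part of this thread and not FreeRADIUS or Cisco code), the following script builds the kind of Access-Request a Cisco IOS switch sends for MAB (User-Name and User-Password both set to the MAC without separators, Service-Type = Call-Check, Calling-Station-Id, NAS-Port-Type = Ethernet; confirm the exact attribute set against your own `debug radius` output), with the RFC 2865 User-Password obfuscation and the Response Authenticator check. Run it from the laptop in place of the switch: a timeout means the packet never reached radiusd or was silently dropped (unknown client IP in clients.conf, an ACL in the path), while a reply that fails the authenticator check points at a shared-secret mismatch. The shared secret `testing123` (the FreeRADIUS clients.conf default), the MAC `00:11:22:33:44:55`, the NAS address `192.0.2.10` and the server address `192.0.2.1` are assumptions; replace them with your own.

```python
"""Minimal RADIUS MAB-style Access-Request builder/checker (RFC 2865).
Added example; not code from the mailing-list thread or from FreeRADIUS.
Assumed values: secret testing123, MAC 00:11:22:33:44:55, NAS 192.0.2.10."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_ETHERNET = 10, 15


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16, then c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RA."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str, ident: int,
                      authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Access-Request shaped like Cisco IOS MAB. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    bare = mac.replace(":", "").replace("-", "").lower().encode()
    attrs = (attr(USER_NAME, bare)
             + attr(USER_PASSWORD, encode_user_password(bare, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLVs after the 20-byte header (last value wins for repeated types)."""
    out, i = {}, 20
    while i + 2 <= len(packet):
        atype, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        out[atype] = packet[i + 2:i + length]
        i += length
    return out


def build_response(code: int, request_auth: bytes, ident: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator; a wrong secret fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def send_request(packet: bytes, server: str, port: int = 1812, timeout: float = 3.0) -> Optional[bytes]:
    """One UDP round trip; None on timeout (nothing arrived, or the server dropped it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    secret = b"testing123"  # assumed: the FreeRADIUS clients.conf default
    pkt, req_auth = build_mab_request("00:11:22:33:44:55", secret, "192.0.2.10", ident=7)
    reply = send_request(pkt, "192.0.2.1")  # assumed server address
    if reply is None:
        print("no reply: check tcpdump on the server, clients.conf, and any ACL in between")
    elif not verify_response(reply, req_auth, secret):
        print("reply failed the Response Authenticator check: shared secret mismatch?")
    else:
        print("reply code", reply[0], "(2 = Access-Accept, 3 = Access-Reject)")
```

Pair it with `tcpdump -ni ethX udp port 1812` on the server: if radiusd -X prints nothing and tcpdump shows nothing, the problem is before the server; if tcpdump sees the request but radiusd stays silent, the source address is not a known client.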

