FreeRadius Error " Access Rejected" Only On Some CISCO Switch Ports

Daniel Baker info at collisiondetection.biz
Mon Sep 23 15:39:44 CEST 2013
Hi Guys, we are trying to get FreeRADIUS to authenticate our users who connect through a Cisco Small Business PoE switch.

When testing authentication with a shutdown / no shutdown command on port fa/17, which has an IP phone connected to it, we receive the following errors:

FreeRADIUS:

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
   [ldap] object not found
[ldap] search failed
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> root
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

Cisco PoE switch:

SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding
23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)
23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)

However, when we try the same test on a port that has a PC connected to it, we do not receive such an error.

The Cisco switch says that we have the wrong user name and the FreeRADIUS log says access rejected. Why would this only be the case when a Cisco IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as follows:

  dot1x max-req 1
  dot1x reauthentication
  dot1x timeout quiet-period 30
  dot1x mac-authentication mac-only
  dot1x port-control auto
  storm-control broadcast enable
  storm-control broadcast level 10
  storm-control include-multicast
  spanning-tree portfast
  macro description "no_ip_phone_desktop     | ip_phone_desktop"
  switchport trunk allowed vlan add 100
  macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are successfully authenticated?

Thanks for your assistance,

Dan
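
A small triage helper, added here as an example and not part of Dan's post or of FreeRADIUS itself, that pairs the "Login incorrect" line from the FreeRADIUS debug output with the switch's %SEC-W-SUPPLICANTUNAUTHORIZED syslog and reports whether the rejected User-Name is a MAC-format identity (assumed to be what MAC-based authentication sends for an endpoint) or a literal account name that the configured user store does not hold. The log lines are constructed samples modelled on those above; the second RADIUS line, a MAC-format reject on NAS port 5, is invented for contrast.

```python
import re

# Constructed sample lines modelled on the post's FreeRADIUS "Login incorrect"
# line and the switch's %SEC-W-SUPPLICANTUNAUTHORIZED syslog; not a real capture.
# The second RADIUS line (a MAC-format identity on NAS port 5) is invented for contrast.
RADIUS_LOG = """\
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Login incorrect (  [ldap] User not found): [58bfea111393/58bfea111393] (from client LTC-ROUTER port 5)
"""
SWITCH_LOG = """\
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
"""

RADIUS_RE = re.compile(
    r"Login incorrect \((?P<reason>[^)]*)\): \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)\)")
SWITCH_RE = re.compile(
    r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (?P<mac>[0-9A-Fa-f:.-]+) was rejected on port (?P<port>\S+)")


def normalise_mac(text):
    """Strip separators and case so 58:bf:ea:11:13:93 and 58bfea111393 compare equal."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def looks_like_mac(user):
    """True when User-Name is a 12-hex-digit MAC (assumed form for MAC-based auth)."""
    return re.fullmatch(r"[0-9A-Fa-f]{2}([:.-]?[0-9A-Fa-f]{2}){5}", user) is not None


def triage(radius_text, switch_text):
    """Pair each RADIUS reject with the switch's view and classify the identity offered.

    "mac": the switch sent the endpoint's MAC as User-Name (MAC-authentication style).
    "account": a literal login name, i.e. the endpoint's own 802.1X supplicant offered
    credentials that the user store (here LDAP) does not hold.
    """
    switch_by_mac = {normalise_mac(m["mac"]): m["port"]
                     for m in (SWITCH_RE.search(l) for l in switch_text.splitlines()) if m}
    findings = []
    for line in radius_text.splitlines():
        m = RADIUS_RE.search(line)
        if not m:
            continue
        user, is_mac = m["user"], looks_like_mac(m["user"])
        findings.append({"user": user, "reason": m["reason"].strip(), "client": m["client"],
                         "nas_port": int(m["port"]), "identity": "mac" if is_mac else "account",
                         "switch_port": switch_by_mac.get(normalise_mac(user)) if is_mac else None})
    return findings
```

Run `triage(RADIUS_LOG, SWITCH_LOG)` on a real debug capture to see, per NAS port, whether the reject carries a MAC or an account name; a "root"-style identity on a phone port is the case to look at first.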
More information about the Freeradius-Users mailing list