Switch sends EAP-Fail after Radius Access-Accept

Stefan Winter stefan.winter at restena.lu
Thu Aug 6 20:00:48 CEST 2015


Hi,

> Setup
>
> Windows XP client 10.1.2.100 <--> (port 12) Catalyst switch 2960-S 10.1.2.12
> (port 1) <--> Radius server 10.1.2.1 (freeRadius running on Centos 6.4).

And a long-dead and unpatched client that knows nothing about current
standards to test with? How did you even find an XP host these days ;-)

Greetings,

Stefan Winter

>
> [preyask at localhost controller-ned]$ cat /etc/raddb/small.conf 
> listen {
>     type = auth
>     ipaddr = *
>     port = 1812
> }
> client 10.1.2.0/24 { # allow packets from 10.1.2.0/24    
>     secret = testing123
>     shortname = 10.1.2.12
> }
> modules { # We don't use any modules
> }
> authorize { # return Access-Accept for PAP and CHAP
>     update control {
>         Auth-Type := Accept
>     }
> }
>
> Wireshark shows a Radius Access-Accept with code 2 (see packet below). I have a
> feeling that the switch is looking for something else in the Radius
> Access-Accept packet; it's not finding it, so it sends EAP Fail to the client.
> Packet No 17 is the Radius Access-Request, No 18 is the Radius Access-Accept.
>
> No.     Time           Source                Destination           Protocol
> Length Info
>      17 5.943203000    10.1.2.12             10.1.2.1              RADIUS
> 200    Access-Request(1) (id=80, l=158)
>
> Frame 17: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on
> interface 0
>     Interface id: 0
>     WTAP_ENCAP: 1
>     Arrival Time: Aug  5, 2015 12:18:53.509276000 EDT
>     [Time shift for this packet: 0.000000000 seconds]
>     Epoch Time: 1438791533.509276000 seconds
>     [Time delta from previous captured frame: 0.708854000 seconds]
>     [Time delta from previous displayed frame: 0.000000000 seconds]
>     [Time since reference or first frame: 5.943203000 seconds]
>     Frame Number: 17
>     Frame Length: 200 bytes (1600 bits)
>     Capture Length: 200 bytes (1600 bits)
>     [Frame is marked: True]
>     [Frame is ignored: False]
>     [Protocols in frame: eth:ip:udp:radius:eap]
>     [Coloring Rule Name: UDP]
>     [Coloring Rule String: udp]
> Ethernet II, Src: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0), Dst: HewlettP_74:43:55
> (10:60:4b:74:43:55)
>     Destination: HewlettP_74:43:55 (10:60:4b:74:43:55)
>         Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>     Source: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
>         Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>     Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.2.12 (10.1.2.12), Dst: 10.1.2.1
> (10.1.2.1)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>     Total Length: 186
>     Identification: 0x0884 (2180)
>     Flags: 0x00
>         0... .... = Reserved bit: Not set
>         .0.. .... = Don't fragment: Not set
>         ..0. .... = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 255
>     Protocol: UDP (17)
>     Header checksum: 0x9aa0 [correct]
>         [Good: True]
>         [Bad: False]
>     Source: 10.1.2.12 (10.1.2.12)
>     Destination: 10.1.2.1 (10.1.2.1)
> User Datagram Protocol, Src Port: sightline (1645), Dst Port: radius (1812)
>     Source port: sightline (1645)
>     Destination port: radius (1812)
>     Length: 166
>     Checksum: 0x52d4 [validation disabled]
>         [Good Checksum: False]
>         [Bad Checksum: False]
> Radius Protocol
>     Code: Access-Request (1)
>     Packet identifier: 0x50 (80)
>     Length: 158
>     Authenticator: 974ac85da269d81595fd54db7effa738
>     [The response to this request is in frame 18]
>     Attribute Value Pairs
>         AVP: l=11  t=User-Name(1): anonymous
>             User-Name: anonymous
>         AVP: l=6  t=Service-Type(6): Framed(2)
>             Service-Type: Framed (2)
>         AVP: l=6  t=Framed-MTU(12): 1500
>             Framed-MTU: 1500
>         AVP: l=19  t=Called-Station-Id(30): 24-B6-57-D3-2C-8C
>             Called-Station-Id: 24-B6-57-D3-2C-8C
>         AVP: l=19  t=Calling-Station-Id(31): 5C-B9-01-B2-4A-15
>             Calling-Station-Id: 5C-B9-01-B2-4A-15
>         AVP: l=16  t=EAP-Message(79) Last Segment[1]
>             EAP fragment
>             Extensible Authentication Protocol
>                 Code: Response (2)
>                 Id: 1
>                 Length: 14
>                 Type: Identity (1)
>                 Identity: anonymous
>         AVP: l=18  t=Message-Authenticator(80):
> 538bc16f555647f1d590468a82da13dc
>             Message-Authenticator: 538bc16f555647f1d590468a82da13dc
>         AVP: l=2  t=EAP-Key-Name(102): 
>             EAP-Key-Name: 
>         AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
>             NAS-Port-Type: Ethernet (15)
>         AVP: l=6  t=NAS-Port(5): 50112
>             NAS-Port: 50112
>         AVP: l=23  t=NAS-Port-Id(87): GigabitEthernet1/0/12
>             NAS-Port-Id: GigabitEthernet1/0/12
>         AVP: l=6  t=NAS-IP-Address(4): 10.1.2.12
>             NAS-IP-Address: 10.1.2.12 (10.1.2.12)
>
> No.     Time           Source                Destination           Protocol
> Length Info
>      18 5.943345000    10.1.2.1              10.1.2.12             RADIUS
> 62     Access-Accept(2) (id=80, l=20)
>
> Frame 18: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on
> interface 0
>     Interface id: 0
>     WTAP_ENCAP: 1
>     Arrival Time: Aug  5, 2015 12:18:53.509418000 EDT
>     [Time shift for this packet: 0.000000000 seconds]
>     Epoch Time: 1438791533.509418000 seconds
>     [Time delta from previous captured frame: 0.000142000 seconds]
>     [Time delta from previous displayed frame: 0.000142000 seconds]
>     [Time since reference or first frame: 5.943345000 seconds]
>     Frame Number: 18
>     Frame Length: 62 bytes (496 bits)
>     Capture Length: 62 bytes (496 bits)
>     [Frame is marked: True]
>     [Frame is ignored: False]
>     [Protocols in frame: eth:ip:udp:radius]
>     [Coloring Rule Name: UDP]
>     [Coloring Rule String: udp]
> Ethernet II, Src: HewlettP_74:43:55 (10:60:4b:74:43:55), Dst: Cisco_d3:2c:c0
> (24:b6:57:d3:2c:c0)
>     Destination: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
>         Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>     Source: HewlettP_74:43:55 (10:60:4b:74:43:55)
>         Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>     Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.2.1 (10.1.2.1), Dst: 10.1.2.12
> (10.1.2.12)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..00 = Explicit Congestion Notification: Not-ECT (Not
> ECN-Capable Transport) (0x00)
>     Total Length: 48
>     Identification: 0xdc2b (56363)
>     Flags: 0x00
>         0... .... = Reserved bit: Not set
>         .0.. .... = Don't fragment: Not set
>         ..0. .... = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: UDP (17)
>     Header checksum: 0x8683 [correct]
>         [Good: True]
>         [Bad: False]
>     Source: 10.1.2.1 (10.1.2.1)
>     Destination: 10.1.2.12 (10.1.2.12)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: sightline (1645)
>     Source port: radius (1812)
>     Destination port: sightline (1645)
>     Length: 28
>     Checksum: 0x183c [validation disabled]
>         [Good Checksum: False]
>         [Bad Checksum: False]
> Radius Protocol
>     Code: Access-Accept (2)
>     Packet identifier: 0x50 (80)
>     Length: 20
>     Authenticator: 17e05e8768080f89322124ad63a1eb63
>     [This is a response to a request in frame 17]
>     [Time from request: 0.000142000 seconds]
>
> No.     Time           Source                Destination           Protocol
> Length Info
>     536 229.314304000  10.1.2.12             10.1.2.1              RADIUS
> 97     Access-Request(1) (id=81, l=55)
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
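The Access-Accept in frame 18 is a bare 20-byte header with no attributes at all. The quoted config loads no modules and short-circuits with `Auth-Type := Accept`, so nothing ever builds the EAP-Message (EAP-Success) and Message-Authenticator that RFC 3579 requires in a reply to an EAP-bearing Access-Request (the stock `eap` module in `authorize` and `authenticate` produces them), and the switch treats the reply as a failure. The checker below is an added example, not code from the thread or from FreeRADIUS: it parses raw RADIUS packets and reports exactly those gaps. The request is a constructed subset of frame 17's attributes, frame 18 is reproduced byte for byte, and `GOOD_ACCEPT` is a constructed reply of the shape the switch expects.

```python
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types used by RFC 3579
ACCESS_ACCEPT, EAP_SUCCESS = 2, 3             # RADIUS packet code / EAP packet code

def parse_radius(pkt: bytes):
    """Split a raw RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    avps, pos = [], 20
    while pos < length:
        l = pkt[pos + 1] if pos + 1 < length else 0
        if l < 2 or pos + l > length:        # refuse zero-length or truncated AVPs
            raise ValueError(f"malformed AVP at offset {pos}")
        avps.append((pkt[pos], pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], avps

def avp(t: int, value: bytes) -> bytes:
    return bytes([t, 2 + len(value)]) + value

def radius(code: int, ident: int, authenticator: bytes, avps: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(avps)) + authenticator + avps

def check_eap_accept(request: bytes, response: bytes) -> list:
    """Reasons a NAS would refuse to honour `response` as the answer to an EAP `request`."""
    _, req_id, _, req_avps = parse_radius(request)
    code, rsp_id, _, rsp_avps = parse_radius(response)
    problems = [] if rsp_id == req_id else [f"identifier mismatch ({req_id} vs {rsp_id})"]
    if not any(t == EAP_MESSAGE for t, _ in req_avps):
        return problems                      # plain PAP/CHAP request: no EAP rules apply
    eap = b"".join(v for t, v in rsp_avps if t == EAP_MESSAGE)
    if not eap:
        problems.append("no EAP-Message: RFC 3579 says treat this Access-Accept as a reject")
    elif code == ACCESS_ACCEPT and eap[0] != EAP_SUCCESS:
        problems.append(f"Access-Accept carries EAP code {eap[0]}, not EAP-Success")
    if not any(t == MESSAGE_AUTHENTICATOR for t, _ in rsp_avps):
        problems.append("no Message-Authenticator: reply cannot be integrity-checked")
    return problems

# Frame 17 from the thread as a constructed subset of its AVPs: User-Name, EAP Response/Identity, Message-Authenticator.
REQUEST = radius(1, 0x50, bytes.fromhex("974ac85da269d81595fd54db7effa738"),
                 avp(1, b"anonymous")
                 + avp(EAP_MESSAGE, b"\x02\x01\x00\x0e\x01" + b"anonymous")
                 + avp(MESSAGE_AUTHENTICATOR, bytes.fromhex("538bc16f555647f1d590468a82da13dc")))
# Frame 18 exactly as captured: code 2, id 0x50, length 20, no attributes at all.
BARE_ACCEPT = radius(ACCESS_ACCEPT, 0x50, bytes.fromhex("17e05e8768080f89322124ad63a1eb63"))
GOOD_ACCEPT = radius(ACCESS_ACCEPT, 0x50, bytes(16),          # constructed: what the switch expects
                     avp(EAP_MESSAGE, b"\x03\x01\x00\x04") + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
```

Running `check_eap_accept(REQUEST, BARE_ACCEPT)` reports both missing attributes; the same call with `GOOD_ACCEPT` returns an empty list.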

