FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.

jan hugo prins jhp at jhprins.org
Sun Mar 1 21:53:13 CET 2015


The day after I posted this message I indeed found out that I had read
over the MAC addresses a hundred times without noticing the difference.
Only after pasting them below one another did I notice the difference, and
then the problem was fixed very quickly.

For the option the switch offers to accommodate devices that can't do
802.1X themselves, you say that the solution Avaya offers is stupid.
Could you tell me a solution that works where I can integrate devices
that don't do 802.1X in an environment where all ports need 802.1X?

I only have one LDAP server configured for RADIUS to look at. There are
no other LDAP servers except this one cluster IP. Why do you think the
requests are redirected to other LDAP servers? What part of the debug
log makes you think this?

Jan Hugo Prins


On 02/28/2015 02:48 PM, Alan DeKok wrote:
> On Feb 25, 2015, at 7:39 PM, jan hugo prins <jhp at jhprins.org> wrote:
>> But I also need to accommodate telephones and printers, and they don't do
>> EAP themselves. To work around this, the switches we use have an option
>> to configure the switch in such a way that it creates a RADIUS Access-
>> Request based on the MAC address of the client, its own IP address and
>> the port the client is connected to.
>   That’s a stupid idea.  But I’m not surprised.  Vendors are often bad at RADIUS.
>
>> This sounds like a simple setup: just add some users with plaintext
>> passwords and start the authentication process. But the problem is that
>> this fails, and it looks like the switch is sending two identical
>> authentication requests shortly after one another; the first one succeeds,
>> but the second one fails.
>   No.  The User-Names are different.  Reading the debug log carefully is important.
>
>   Also, you should fix your LDAP infrastructure.  The server is getting redirected to 3-4 different LDAP servers.  That’s slow and inefficient.
>
>> I also see this when I ping the host, I
>> receive one reply and after that the port is closed again.
>>
>> Could someone tell me if I have something wrong in my config?
>   You need to add the second User-Name to the users file.  The first one ends with “20”.  The second with “22”.
>
>   Alan DeKok.
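
The point of the exchange above is that the two Access-Requests carried
different User-Names (one ending in "20", the other in "22") and that
this is easy to miss when reading `radiusd -X` output by eye. The script
below is an added example, not code from this thread or from FreeRADIUS:
it pulls the User-Name values out of a debug log, puts MAC-style names
one above the other with a marker under every differing hex digit, and
classifies each name against a users file as an exact match, a match only
after normalising the MAC format (separators, case), or missing. The debug
log and the users-file fragment are constructed samples, and the users-file
parser is deliberately simplified (no DEFAULT entries, no $INCLUDE); the
assumption that rlm_files compares the literal User-Name string, so that
"00:1b:..." and "001b..." are different users, is the reason the
"format-mismatch" result exists.

```python
"""Added example, not from the thread: extract User-Names from a radiusd -X
debug log, show where two MAC-style names differ, and check each against
a (simplified) FreeRADIUS users file. All sample data is constructed."""
import re

# Constructed sample of two consecutive Access-Requests as radiusd -X prints
# them; the User-Names differ only in the final hex digit (...20 vs ...22).
SAMPLE_DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=17, length=88
        User-Name = "001b4f123420"
        User-Password = "001b4f123420"
        NAS-IP-Address = 192.0.2.10
        NAS-Port = 3
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=18, length=88
        User-Name = "001b4f123422"
        User-Password = "001b4f123422"
        NAS-IP-Address = 192.0.2.10
        NAS-Port = 3
"""

# Constructed users-file fragment with one MAC entry: name and check items
# on the first line, reply items indented below, a blank line ends the entry.
SAMPLE_USERS_FILE = """\
001b4f123420    Cleartext-Password := "001b4f123420"
        Reply-Message = "printer on port 3"

"""


def extract_usernames(debug_log: str) -> list:
    """Return every User-Name value in the order it appears in the debug log."""
    return re.findall(r'User-Name\s*=\s*"([^"]*)"', debug_log)


def normalize_mac(value: str) -> str:
    """Drop separators (':', '-', '.', spaces) and lowercase; require 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % value)
    return digits


def mac_diff(a: str, b: str) -> list:
    """List (position, digit_in_a, digit_in_b) for every differing hex digit."""
    na, nb = normalize_mac(a), normalize_mac(b)
    return [(i, x, y) for i, (x, y) in enumerate(zip(na, nb)) if x != y]


def side_by_side(a: str, b: str) -> str:
    """Render two MACs one above the other with '^' under differing digits:
    the same visual check that exposes a one-digit difference by hand."""
    na, nb = normalize_mac(a), normalize_mac(b)
    marks = "".join("^" if x != y else " " for x, y in zip(na, nb))
    return "%s\n%s\n%s" % (na, nb, marks)


def users_file_names(users_text: str) -> list:
    """Entry names from a users file. Simplified: an entry starts at column 0;
    indented lines are reply items, '#' lines are comments, blanks are skipped."""
    names = []
    for line in users_text.splitlines():
        if not line or line[0] in " \t#":
            continue
        names.append(line.split()[0])
    return names


def check_username(username: str, users_text: str) -> str:
    """Classify a User-Name from the log against the users file.

    'exact'           the literal string is an entry (what rlm_files needs;
                      literal comparison is assumed here)
    'format-mismatch' same MAC, but written with different separators/case
    'missing'         no entry for this MAC at all
    """
    names = users_file_names(users_text)
    if username in names:
        return "exact"
    try:
        wanted = normalize_mac(username)
    except ValueError:
        return "missing"
    for name in names:
        try:
            if normalize_mac(name) == wanted:
                return "format-mismatch"
        except ValueError:
            continue
    return "missing"


def report(debug_log: str, users_text: str) -> list:
    """One line per User-Name seen in the log, with its classification."""
    return ["%s: %s" % (u, check_username(u, users_text))
            for u in extract_usernames(debug_log)]


if __name__ == "__main__":
    names = extract_usernames(SAMPLE_DEBUG_LOG)
    print("\n".join(report(SAMPLE_DEBUG_LOG, SAMPLE_USERS_FILE)))
    if len(names) >= 2:
        print(side_by_side(names[0], names[1]))
```

To use it on a real problem, save the relevant part of `radiusd -X` output
to a file and pass its contents to `report()` together with the contents of
the `users` file; a "format-mismatch" result means the switch writes the
MAC differently from the users file, a "missing" result means a second
device (or a second address of the same device) is in play, which is what
the two names ending in "20" and "22" above turned out to be.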
