cisco phones

Vacheslav m_zouhairy at skno.by
Fri Feb 2 09:16:08 CET 2018



-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Nathan Ward
Sent: Thursday, February 1, 2018 2:43 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: cisco phones


> On 1/02/2018, at 7:14 PM, Vacheslav <m_zouhairy at skno.by> wrote:
> 
> SELECT * FROM radreply;
> 
> | id | username                | attribute               | op | value    |
> +----+-------------------------+-------------------------+----+----------+
> |  7 | CP-3905-SEP2C0BA7291783| Tunnel-Type             | := | VLAN     |
> |  8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type      | := | IEEE-802 |
> |  9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23       |
> +----+-------------------------+-------------------------+----+----------+

> (2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute


> It’s not possible to tell from what you have given, but, does one of your attributes in the radreply table have a space at the start or end? I.e. do you perhaps have "Tunnel-Medium-Type<space>"?

I finally had time to test.
I deleted the attributes one at a time and tested, and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as a check attribute, without using the auto saved entry in the browser, and the login was ok. You got happy ahead of time. Without the attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned attribute as a reply, keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned attribute from checking and no change. I finally tried putting it as 1:VLAN and 23:VLAN but that just makes freeradius spout:
Auth: (56) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [CP-3905-SEP2C0BE9042892/<via Auth-Type = eap>] (from client Skorini_Switch port 50145 cli 2C-0B-E9-04-28-92)
Fri Feb  2 11:01:35 2018 : Auth: (56) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name via Auth-Type = eap>] (from client Switch port 50145 cli mac)
Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (35): Hit idle_timeout, was idle for 61 seconds
Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (36): Hit idle_timeout, was idle for 61 seconds
Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (34): Hit idle_timeout, was idle for 61 seconds
Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (37), 1 of 32 pending slots used
Fri Feb  2 11:02:36 2018 : Info: Need 2 more connections to reach min connections (3)
Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (38), 1 of 31 pending slots used
Fri Feb  2 11:02:36 2018 : Auth: (58) Login OK: [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
Fri Feb  2 11:03:35 2018 : Info: Need 1 more connections to reach min connections (3)
Fri Feb  2 11:03:35 2018 : Info: rlm_sql (sql): Opening additional connection (39), 1 of 30 pending slots used
Fri Feb  2 11:03:35 2018 : Auth: (60) Invalid user (sql: Error parsing value: Unknown or invalid value "30:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
Fri Feb  2 11:03:35 2018 : Auth: (60) Login incorrect (sql: Error parsing value: Unknown or invalid value "23:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)

I can think of two options: either the switch needs additional configuration or the attribute configuration is not for Cisco.
I am bewildered that no one here uses freeradius for Cisco md5 phones, and am I the only one working for a money loving government who is too stingy even to consider getting the latest ACS?

--
>Nathan Ward

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
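
Added example, not part of the original message and not FreeRADIUS code: a small audit of `radreply` rows for the two problems seen in this thread, whitespace in an attribute name ("Invalid character ' ' in attribute") and a tag-prefixed value such as "1:VLAN". The table layout follows the `SELECT` output above; the allowed-character pattern, the in-memory SQLite table, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumption: characters accepted in an attribute name; anything else
# (including a pasted space) is reported.
NAME_OK = re.compile(r"^[A-Za-z0-9_.:/-]+$")
# Tag-prefixed values such as "1:VLAN", which the server log above rejects.
TAG_PREFIX = re.compile(r"^\d+:")


def audit_radreply(conn):
    """Return (id, column, problem) tuples for suspicious radreply rows."""
    findings = []
    rows = conn.execute(
        "SELECT id, username, attribute, op, value FROM radreply ORDER BY id")
    for row_id, username, attribute, op, value in rows:
        columns = (("username", username), ("attribute", attribute),
                   ("op", op), ("value", value))
        for column, text in columns:
            if text != text.strip():
                findings.append((row_id, column, "leading/trailing whitespace"))
        name = attribute.strip()
        if not NAME_OK.match(name):
            findings.append((row_id, "attribute", "invalid character in name"))
        if name.startswith("Tunnel-") and TAG_PREFIX.match(value.strip()):
            findings.append((row_id, "value", "tag prefix in value"))
    return findings


def sample_db():
    """Constructed sample data in an in-memory table (hypothetical rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radreply (id INTEGER, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    user = "CP-3905-SEP000000000000"  # constructed placeholder username
    conn.executemany("INSERT INTO radreply VALUES (?, ?, ?, ?, ?)", [
        (1, user, "Tunnel-Type", ":=", "VLAN"),
        (2, user, "Tunnel-Medium-Type ", ":=", "IEEE-802"),  # trailing space
        (3, user, "Tunnel-Private-Group-Id", ":=", "23"),
        (4, user, "Tunnel-Type", ":=", "1:VLAN"),            # tag in value
        (5, user, "Tunnel Type", ":=", "VLAN"),              # space inside name
    ])
    return conn


if __name__ == "__main__":
    for finding in audit_radreply(sample_db()):
        print(finding)
```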




