<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//DE"><HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><TITLE></TITLE></HEAD><BODY><div style="font-family:arial,helvetica,sans-serif;font-size:10pt;"><p style="margin:0px;padding:0px;">Hi</p>
<p style="margin:0px;padding:0px;">I want to deploy MAC-based RADIUS authentication (only for non-responsive hosts). To be honest, I don't want to authenticate users at all; all I want is to assign hosts dynamically to different VLANs according to their MAC address.</p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">One side is handled by a Juniper EX series switch, which is (I think) configured appropriately and forwards requests to my RADIUS server (freeradius 2.1.9+dfsg-1+b on Debian Squeeze/Testing).</p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">My radiusd.conf is:</p>
<p style="margin:0px;padding:0px;"> </p>
<pre>prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

name = freeradius

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = freerad
group = freerad

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
    type = auth
    ipaddr = *
    port = 0
}

hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests = yes

client switch {
    ipaddr = 10.10.10.254
    secret = juniper
    require_message_authenticator = no
    nastype = other
}

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
}

instantiate {
    exec
    expr
    expiration
    logintime
}

authorize {
    preprocess
    files
}

authenticate {
}
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">As you can see, I disabled every authentication method besides files. The users file is this:</p>
<p style="margin:0px;padding:0px;"> </p>
<pre>aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "110"
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">Now I start auth:</p>
<p style="margin:0px;padding:0px;"> </p>
<pre>root@EX4200-VC&gt; restart dot1x-protocol
Port based Network Access Control started, pid 25579

{master:0}
root@EX4200-VC&gt; show dot1x interface
802.1X Information:
Interface     Role           State        MAC address    User
ge-1/0/4.0    Authenticator  Connecting
ge-1/0/5.0    Authenticator  Connecting
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">and on the radius server:</p>
<p style="margin:0px;padding:0px;"> </p>
<pre>root@data:~# freeradius -X
FreeRADIUS Version 2.1.9, for host x86_64-pc-linux-gnu, built on Jun 18 2010 at 03:16:00
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/eap.conf
main {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
...
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server {
 modules {
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">If I now try to communicate through the interface to be authenticated I get:</p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;"> </p>
<pre>rad_recv: Access-Request packet from host 10.10.10.254 port 58798, id=45, length=118
    User-Name = "aa00007f9c90"
    NAS-Port = 119
    EAP-Message = 0x0200001101616130303030376639633930
    Message-Authenticator = 0x4ab3cccda64e92e76dfa2a97172cebca
    Acct-Session-Id = "8O2.1x81eb00c2"
    NAS-Identifier = "EX4200-VC"
    NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[files] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 45 to 10.10.10.254 port 58798
Waking up in 4.9 seconds.
Cleaning up request 0 ID 45 with timestamp +62
Ready to process requests.
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">and on the switch it remains on:</p>
<p style="margin:0px;padding:0px;"> </p>
<pre>ge-1/0/4.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Strict: Enabled
  Reauthentication: Enabled Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: &lt;not configured&gt;
  Number of connected supplicants: 1
    Supplicant: aa00007f9c90, AA:00:00:7F:9C:90
      Operational state: Authenticating
      Authentcation method: Radius
      Authenticated VLAN: configured/default
      Reauthentication due in 0 seconds
</pre>
<p style="margin:0px;padding:0px;"> </p>
<p style="margin:0px;padding:0px;">Any clues?</p></div></BODY></HTML>
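Added example (not part of the mail above, and not FreeRADIUS project code): a small Python decoder for the kind of rad_recv block quoted above. It parses the attribute lines the way freeradius -X prints them, decodes the EAP-Message payload per RFC 3748, and reports whether the NAS is running an EAP exchange or a PAP-style MAC RADIUS request. The sample dump is re-typed from the mail; the classification rules and the attribute-line regex are this example's own assumptions.

```python
"""Decode the EAP-Message attribute from a FreeRADIUS `-X` debug dump.

Added example, not code from the original mail or from FreeRADIUS. Given the
text of a `rad_recv:` block, it extracts the attributes, decodes the EAP
packet carried in EAP-Message (RFC 3748 header: Code, Identifier, Length,
Type) and says which authentication path the NAS is actually taking.
"""
import re

# EAP codes and the types relevant to wired 802.1X (RFC 3748, RFC 5216 etc.).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}

# One attribute line as printed by freeradius -X: "\tName = value"
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')


def parse_debug_attrs(dump: str) -> dict:
    """Collect the attribute lines that follow a rad_recv: header.

    Quoted strings lose their quotes, 0x... values become bytes, anything else
    stays a string. Parsing stops at the first "+-" (module walk) line.
    """
    attrs, in_packet = {}, False
    for line in dump.splitlines():
        if line.startswith("rad_recv:"):
            in_packet = True
            continue
        if not in_packet:
            continue
        if line.startswith("+"):
            break
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = raw[1:-1]
        else:
            attrs[name] = raw
    return attrs


def decode_eap(msg: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(msg) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = msg[0], msg[1]
    length = int.from_bytes(msg[2:4], "big")
    if length != len(msg):
        # A wrong Length field means a truncated or concatenated EAP-Message.
        raise ValueError(f"EAP length field {length} != {len(msg)} bytes present")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = EAP_TYPES.get(msg[4], f"unknown({msg[4]})")
        out["data"] = msg[5:]
        if msg[4] == 1:  # Identity: the data is the supplicant's identity string
            out["identity"] = msg[5:].decode("ascii", errors="replace")
    return out


def classify_request(attrs: dict) -> str:
    """Heuristic (this example's assumption): which auth path is the NAS using?"""
    if "EAP-Message" in attrs:
        eap = decode_eap(attrs["EAP-Message"])
        who = eap.get("identity", "?")
        return (f"EAP {eap['code']}/{eap.get('type')} for identity {who!r}: "
                "the NAS is running 802.1X EAP, so the server's authenticate "
                "section needs an EAP method to answer it")
    if "User-Password" in attrs:
        if attrs.get("User-Name") == attrs["User-Password"]:
            return ("PAP with User-Password == User-Name: MAC RADIUS style "
                    "request, matchable on the MAC as a plain PAP user")
        return "PAP request carrying a real password"
    return "no recognisable authentication attribute"


# Constructed sample: the rad_recv block from the mail above, re-typed here.
SAMPLE_DUMP = """\
rad_recv: Access-Request packet from host 10.10.10.254 port 58798, id=45, length=118
\tUser-Name = "aa00007f9c90"
\tNAS-Port = 119
\tEAP-Message = 0x0200001101616130303030376639633930
\tMessage-Authenticator = 0x4ab3cccda64e92e76dfa2a97172cebca
\tAcct-Session-Id = "8O2.1x81eb00c2"
\tNAS-Identifier = "EX4200-VC"
\tNAS-Port-Type = Virtual
+- entering group authorize {...}
"""

if __name__ == "__main__":
    attrs = parse_debug_attrs(SAMPLE_DUMP)
    print(decode_eap(attrs["EAP-Message"]))
    print(classify_request(attrs))
```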