<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-forward-container">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<br>
<br>
Hi Guys, we are trying to get FreeRADIUS to authenticate our
users who connect through a Cisco Small Business PoE switch.<br>
<br>
<br>
When testing authentication with a shutdown / no shutdown command
on port fa/17 which has an IP phone connected to it we receive
the following errors:<br>
<br>
FREE RADIUS :<br>
<br>
[ldap] expand: %{User-Name} -> root<br>
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=root)<br>
[ldap] expand: dc=citlao,dc=local -> dc=citlao,dc=local<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] performing search in dc=citlao,dc=local, with filter
(uid=root)<br>
[ldap] object not found<br>
[ldap] search failed<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns notfound<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.<br>
++[pap] returns noop<br>
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user<br>
Failed to authenticate the user.<br>
Login incorrect ( [ldap] User not found): [root/trash] (from
client LTC-ROUTER port 2)<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> root<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 12 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 12<br>
Sending Access-Reject of id 31 to 192.168.1.1 port 1645<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 12 ID 31 with timestamp +10922<br>
Ready to process requests.<br>
<br>
CISCO POE SWITCH:<br>
<br>
<br>
SW-BN3-PoE(config-if)#shutdown<br>
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down: fa17<br>
<br>
SW-BN3-PoE(config-if)#<br>
SW-BN3-PoE(config-if)#no shutdown<br>
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS:
fa17: STP status Forwarding<br>
23-Sep-2013 14:17:42 %LINK-I-Up: fa17<br>
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name
or password in Radius server<br>
23-Sep-2013 14:18:07 %LINK-W-Down: fa17, aggregated (3)<br>
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status
Forwarding, aggregated (3)<br>
23-Sep-2013 14:18:09 %LINK-I-Up: fa17, aggregated (3)<br>
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name
or password in Radius server, aggregated (1)<br>
<br>
<br>
<br>
<br>
However when we try the same test on a port that has a PC
connected to it we do not receive such an error.<br>
<br>
The Cisco switch says that we have the wrong user name and the
FreeRADIUS log says access rejected. Why would this only be the
case when a Cisco IP phone tries to authenticate?<br>
<br>
The Cisco switch port configurations are exactly the same and are
as follows:<br>
<br>
dot1x max-req 1<br>
dot1x reauthentication<br>
dot1x timeout quiet-period 30<br>
dot1x mac-authentication mac-only<br>
dot1x port-control auto<br>
storm-control broadcast enable<br>
storm-control broadcast level 10<br>
storm-control include-multicast<br>
spanning-tree portfast<br>
macro description "no_ip_phone_desktop | ip_phone_desktop"<br>
switchport trunk allowed vlan add 100<br>
macro auto smartport type ip_phone_desktop<br>
<br>
<pre>What can I try to fix the authentication issues so that all ports are being successfully authenticated?
Thanks for your assistance,
Dan
</pre>
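<br>
Added example, not part of Dan's message: a small Python triage script that reads the two logs quoted above (the FreeRADIUS -X debug output and the switch's %SEC-W-SUPPLICANTUNAUTHORIZED syslog lines), pulls out what each side actually reports, and checks whether the User-Name FreeRADIUS received is the MAC address the switch rejected. It assumes that a port configured with "dot1x mac-authentication mac-only" is expected to send the client's MAC as the User-Name; the sample log lines are constructed from the post.<br>

```python
import re

# Constructed sample excerpts, copied from the two logs quoted in the post.
FREERADIUS_DEBUG = """\
[ldap] object not found
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
"""
SWITCH_SYSLOG = """\
23-Sep-2013 14:17:42 %LINK-I-Up: fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
"""

LOGIN_RE = re.compile(r"^Login incorrect \((?P<reason>[^)]*)\): \[(?P<user>[^/\]]*)/[^\]]*\] "
                      r"\(from client (?P<client>\S+) port \d+\)$")
REJECT_RE = re.compile(r"^Sending Access-Reject of id \d+ to (?P<nas>\S+) port \d+$")
UNAUTH_RE = re.compile(r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (?P<mac>[0-9A-Fa-f:]{17}) "
                       r"was rejected on port (?P<port>\S+)")

def looks_like_mac(name):
    """True if a RADIUS User-Name is a MAC address in colon, dash, bare or Cisco dotted form."""
    return re.fullmatch(r"(?:[0-9a-f]{2}[:-]?){6}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", name.lower()) is not None

def parse_freeradius(text):
    """Reduce one request's FreeRADIUS -X output to the facts that matter for triage."""
    out = {"user": None, "reason": None, "client": None, "nas": None, "rejected": False}
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):  # the password is on this line too; deliberately not kept
            out.update(user=m["user"], reason=m["reason"].strip(), client=m["client"])
        elif m := REJECT_RE.match(line):
            out.update(nas=m["nas"], rejected=True)
    return out

def parse_switch(text):
    """Return (mac, port) for every supplicant the switch syslog reports as rejected."""
    return [(m["mac"], m["port"]) for m in UNAUTH_RE.finditer(text)]

def triage(radius_text, switch_text):
    """Cross-check what the switch rejected against what FreeRADIUS actually received."""
    r = parse_freeradius(radius_text)
    r["switch_rejects"] = parse_switch(switch_text)
    # Assumption: with 'dot1x mac-authentication mac-only' the switch should send the client's MAC
    # as User-Name; a User-Name that is not that MAC is not the phone's attempt and needs its own look.
    user = r["user"] or ""
    hexonly = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())  # compare MACs regardless of notation
    r["user_is_mac"] = looks_like_mac(user)
    r["user_matches_rejected_mac"] = r["user_is_mac"] and any(
        hexonly(mac) == hexonly(user) for mac, _ in r["switch_rejects"])
    return r
```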
</div>
<br>
</body>
</html>