31 Jan
2018
31 Jan
'18
5:13 a.m.
hi, freeradius debug radiusd -X from the very start to the final packet sent back to the NAS. i dont care about cisco debug. alan On 31 January 2018 at 08:10, Vacheslav <m_zouhairy@skno.by> wrote: > Did you mean a radius debug?... I thought of a cisco debug. I am sure > about freeradius like you most likely haven't heard of Dr. Bob Beck's > purifier. > I changed the following to reply attributes: > Tunnel-Type:=VLAN > Tunnel-Medium-Type:= IEEE-802 > Tunnel-Private-Group-Id:=23 > > Got: > > Auth: (192) Invalid user (sql: Failed to create the pair: Invalid > character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type > = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) > Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to > create the pair: Invalid character ' ' in attribute): > [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch > port 50145 cli 2D1B-E9-04-29-83) > > Cisco output: > > 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client > 0x36000F6B (2c0b.e904.2892) > 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating > client 0x36000F6B (2c0b.e904.2892) > 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting > QUIET_WHILE_EXPIRE on Client 0x36000F6B > 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_held, got event 5(quietWhile_expire) > 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held -> > auth_restart > 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit > called > 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_restart_enter called > 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new > context event to EAP for 0x36000F6B (2c0b.e904.2892) > 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_held_restart_action called > 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on > Client 0x36000F6B > 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_restart, got event 6(no_eapRestart) > 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart -> > auth_connecting > 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_connecting_enter called > 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action > called > 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client > 0x36000F6B > 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_connecting, got event 10(eapReq_no_reAuthMax) > 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting -> > auth_authenticating > 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter > called > 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_connecting_authenticating_action called > 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for > 0x36000F6B > 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state > auth_bend_idle, got event 4(eapReq_authStart) > 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle > -> auth_bend_request > 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_enter called > 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not > required > 381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr > called > 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx > 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length: 0x0005 > 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type: > 0x1 > 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action > called > 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not > required > 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt > on Authenticator Q > 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the > global authenticator queue > 381390: Jan 30 17:44:11.052: EAPOL pak dump rx > 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C > 381392: Jan 30 17:44:11.052: dot1x-ev: > dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28 > > 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL > frame > 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr > =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c > 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet > 381396: Jan 30 17:44:11.052: EAPOL pak dump rx > 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C > 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP > packet from 2c0b.e904.2892 > 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for > 0x36000F6B > 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 6(eapolEap) > 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_response > 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_enter called > 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: > Response sent to the server from 0x36000F6B (2c0b.e904.2892) > 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_response_action called > 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for > 0x36000F6B > 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state > auth_bend_response, got event 7(eapReq) > 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_response -> auth_bend_request > 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_exit called > 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_enter called > 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not > required > 381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr > called > 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx > 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length: 0x0016 > 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type: > 0x4 > 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_request_action called > 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not > required > 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt > on Authenticator Q > 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the > global authenticator queue > 381422: Jan 30 17:44:11.066: EAPOL pak dump rx > 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length: 0x0016 > 381424: Jan 30 17:44:11.066: dot1x-ev: > dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22 > > 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL > frame > 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr > =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016 > 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet > 381428: Jan 30 17:44:11.070: EAPOL pak dump rx > 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length: 0x0016 > 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP > packet from 2c0b.e904.2892 > 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for > 0x36000F6B > 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 6(eapolEap) > 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_response > 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_enter called > Switch# > 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: > Response sent to the server from 0x36000F6B (2c0b.e904.2892) > 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_response_action called > 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for > 0x31000F6C > 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 7(eapReq) > 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_request > 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): > 0x31000F6C:auth_bend_request_request_action called > 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): > 0x31000F6C:auth_bend_request_enter called > 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > c46e.1f05.8999 > 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not > required > 381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr > called > 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx > 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length: 0x0005 > 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type: > 0x1 > 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x31000F6C (c46e.1f05.8999) > 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail > 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for > 0x36000F6B > 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state > auth_bend_response, got event 10(eapFail) > 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_response -> auth_bend_fail > 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_exit called > 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter > called > 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_fail_action called > 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during > state auth_bend_fail > 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail > -> auth_bend_idle > 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter > called > 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on > Client 0x36000F6B > 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state > auth_authenticating, got event 15(authFail) > 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating > -> auth_authc_result > 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit > called > 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_authc_result_enter called > 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for > client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID > 0A6000FC0001DEAA32DDD387 > 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth > Mgr for 2c0b.e904.2892 > 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result > 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45 > AuditSessionID 0A6000FC0001DEAA32DDD387 > 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or > unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID > 0A6000FC0001DEAA32DDD387 > 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client > 2c0b.e904.2892 successfully retrieved > 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for > the client 0x36000F6B (2c0b.e904.2892) > 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on > Client 0x36000F6B > 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state > auth_authc_result, got event 22(authzFail) > 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result -> > auth_held > 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_held_enter called > 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > Switch# > 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not > required > 381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr > called > 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx > 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length: 0x0004 > 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004 > 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > > Actual values have been substituted from ill hackers especially those > communists > > -----Original Message----- > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= > skno.by@lists.freeradius.org] On Behalf Of Alan Buxey > Sent: Tuesday, January 30, 2018 3:58 PM > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> > Subject: RE: cisco phones > > >Are you sure that you don't want these to be reply attributes? Show debug > to see what's coming through. > > alan > > On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote: > > > Thanks for the tip. > > According to https://supportforums.cisco.com/t5/other-security- > > subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-ph > > one/ > > td-p/1652836 > > These need to be added > > cisco-avpair="device-traffic-class=voice" > > Tunnel-Type=1:VLAN > > Tunnel-Medium-Type=1:802 > > Tunnel-Private-Group-ID=1:VOICE-LAN > > > > So I added them as check attributes, with := but I got: > > Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid > > value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via > > Auth-Type = > > eap>] (from client Switch port 50145 cli mac) > > Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error > > parsing > > value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): > > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 > > cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does > > not matter if I set it as a reply attribute, same error) I get: > > Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid > > value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via > > Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 > > 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing > > value: Unknown or invalid value "1:802" for attribute > Tunnel-Medium-Type): > > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 > > cli > > mac) > > The progress is that the ip phone now shows dropping packets on the > > voice vlan which means it accepted: > > Tunnel-Private-Group-ID:=1:VOICE-LAN > > After reading an email here: I'm inclined to replace ":=" with = but I > > have a limited lunch break to test these settings each day so perhaps > > someone who has dealt with this can save me some wasted time? > > > > > > -----Original Message----- > > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= > > skno.by@lists.freeradius.org] On Behalf Of Alan DeKok > > Sent: Friday, January 26, 2018 4:07 PM > > To: FreeRadius users mailing list > > <freeradius-users@lists.freeradius.org> > > Subject: Re: cisco phones > > > > On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote: > > > > > > I still can't authenticate the ip phones using md5 on the voice > > > vlan, > > they keep getting authenticated on the data vlan. I ducked ducked the > > internet and found that: > > > "device-traffic-class=voice:= Cisco-AVPair" > > > Must be added. So I added it username of the ip phone in daloradius > > > but > > the behavior has not changed. Perhaps, that must be added manually to > > the users file for it work. I only found documentation on how to do > > that in cisco ACS. > > > > > That documentation tells you what attributes to return, and what > > > values > > to use for those attributes. Do the same thing in FreeRADIUS. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > > > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html