On Tue, Jul 17, 2012 at 2:55 PM, Kaya Saman <kayasaman@gmail.com> wrote:
[...]
# cat users | more 0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
[...]
I managed to figure the issue of **authentication** and it's really embarrassing!
From copy/pasting the config there was a 'space' between the <username> attribute and getting rid of it just now the server started accepting the user :-)
Running the suggested debug commands on the switch it is claiming:
"authorization failed"
"accounting failed"
mab failure due to 'dead server'
I took the liberty of changing the Tunnel-Private-Group-Id to 20 since I have vlan 1 and 20 configured on the switch I am using in the hope that the laptop would get a DHCP address from the DHCP server configured on the switch, however I think due to the above errors there is something additional which needs to be done.
Regards,
Kaya
Finally I managed to get some debug output going and from my highly limited knowledge and experience regarding FreeRADIUS looks like the Server is sending an ACCESS=ACCEPT response however, the switch is either unable to understand (decode??) it or doesn't recieve it at all?? Anyway here is the output: Cisco debug: *Mar 1 04:26:40.472: mab-ev(Gi0/13): Reauthenticating client 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-sm(Gi0/13): Received event 'MAB_REAUTHENTICATE' on handle 0x31000001 *Mar 1 04:26:40.472: mab : during state mab_terminate, got event 2(mabReauthenticate) *Mar 1 04:26:40.472: @@@ mab : mab_terminate -> mab_authorizing *Mar 1 04:26:40.472: mab-ev(Gi0/13): Sending create new context event to EAP from MAB for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-ev(Gi0/13): Attribute (NAS-Identifier) value 1 received for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: RADIUS/ENCODE(00000009):Orig. component type = DOT1X *Mar 1 04:26:40.472: RADIUS(00000009): Config NAS IP: 10.0.0.1 *Mar 1 04:26:40.472: RADIUS(00000009): Started 10 sec timeout *Mar 1 04:26:40.489: RADIUS: Received from id 1645/252 10.0.0.90:1812, Access-Accept, len 42 *Mar 1 04:26:40.489: RADIUS/DECODE: Ascend auth type; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: decoder; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: parse response op decode; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: parse response; FAIL *Mar 1 04:26:40.489: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.0.90:1812,1813 is not responding. *Mar 1 04:26:40.489: mab-ev(Gi0/13): MAB received an Access-Reject for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.489: %MAB-5-FAIL: Authentication failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.489: mab-sm(Gi0/13): Received event 'MAB_RESULT' on handle 0x31000001 *Mar 1 04:26:40.489: mab : during state mab_authorizing, got event 5(mabResult) *Mar 1 04:26:40.489: @@@ mab : mab_authorizing -> mab_terminate *Mar 1 04:26:40.489: mab-ev(Gi0/13): Deleted credentials profile for 0x31000001 (dot1x_mac_auth_0015c5537baa) *Mar 1 04:26:40.489: mab-ev(Gi0/13): Sending event (2) to AuthMGR for 0015.c553.7baa *Mar 1 04:26:40.489: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.489: %AUTHMGR-5-FAIL: Authorization failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.547: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.0.90:1812,1813 is being marked alive. *Mar 1 04:27:41.197: mab-ev(Gi0/13): Reauthenticating client 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-sm(Gi0/13): Received event 'MAB_REAUTHENTICATE' on handle 0x31000001 *Mar 1 04:27:41.197: mab : during state mab_terminate, got event 2(mabReauthenticate) *Mar 1 04:27:41.197: @@@ mab : mab_terminate -> mab_authorizing *Mar 1 04:27:41.197: mab-ev(Gi0/13): Sending create new context event to EAP from MAB for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-ev(Gi0/13): Attribute (NAS-Identifier) value 1 received for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: RADIUS/ENCODE(00000009):Orig. component type = DOT1X *Mar 1 04:27:41.197: RADIUS(00000009): Config NAS IP: 10.0.0.1 *Mar 1 04:27:41.197: RADIUS(00000009): Started 10 sec timeout *Mar 1 04:27:41.214: RADIUS: Received from id 1645/253 10.0.0.90:1812, Access-Accept, len 42 *Mar 1 04:27:41.214: RADIUS/DECODE: Ascend auth type; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: decoder; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: parse response op decode; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: parse response; FAIL *Mar 1 04:27:41.214: mab-ev(Gi0/13): MAB received an Access-Reject for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.214: %MAB-5-FAIL: Authentication failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:27:41.214: mab-sm(Gi0/13): Received event 'MAB_RESULT' on handle 0x31000001 *Mar 1 04:27:41.214: mab : during state mab_authorizing, got event 5(mabResult) *Mar 1 04:27:41.214: @@@ mab : mab_authorizing -> mab_terminate *Mar 1 04:27:41.214: mab-ev(Gi0/13): Deleted credentials profile for 0x31000001 (dot1x_mac_auth_0015c5537baa) *Mar 1 04:27:41.214: mab-ev(Gi0/13): Sending event (2) to AuthMGR for 0015.c553.7baa *Mar 1 04:27:41.214: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:27:41.214: %AUTHMGR-5-FAIL: Authorization failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 FreeRADIUS radiusd -X output: rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=223, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x47ebb33764e906b2adedb9e599083ff1 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 223 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 223 with timestamp +92 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=224, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0xf7b91a130b97cdd1d414383ca7bc92e6 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 224 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 224 with timestamp +153 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=225, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0xe5a0a2da63073867e6e104d09a51e28e Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 225 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 225 with timestamp +213 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=226, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x96f6df8c1e73330407cb7c9408ba8851 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 226 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 4. Going to the next request Waking up in 4.9 seconds. Cleaning up request 4 ID 226 with timestamp +274 Ready to process requests. The configuration hasn't changed as I was apprehensive about altering it, though I have attempted to adjust the switch timers after Google'ing the: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 line which showed up prior to me running the debug commands...... So now for my Cisco lines I have this: radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast According to what I read I tried different values in addition: http://routerdiscussions.com/viewtopic.php?f=8&t=13364 http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/1... http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/1... At present I don't understand if the issue is with the RADIUS server config or the switch config, from here: [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 226 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 4. I see that the server is authenticating (finally) and sending the information after the Access-Accept line, however, I do notice that there is no 'tunnel' being created between the switch and Radius server..... should there even be? Regards, Kaya