Did you mean a radius debug?... I thought of a cisco debug. I am sure about freeradius like you most likely haven't heard of Dr. Bob Beck's purifier. I changed the following to reply attributes: Tunnel-Type:=VLAN Tunnel-Medium-Type:= IEEE-802 Tunnel-Private-Group-Id:=23 Got: Auth: (192) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) Cisco output: 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client 0x36000F6B (2c0b.e904.2892) 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating client 0x36000F6B (2c0b.e904.2892) 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting QUIET_WHILE_EXPIRE on Client 0x36000F6B 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_held, got event 5(quietWhile_expire) 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held -> auth_restart 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit called 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_enter called 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new context event to EAP for 0x36000F6B (2c0b.e904.2892) 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_restart_action called 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on Client 0x36000F6B 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_restart, got event 6(no_eapRestart) 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart -> auth_connecting 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_enter called 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action called 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client 0x36000F6B 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_connecting, got event 10(eapReq_no_reAuthMax) 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting -> auth_authenticating 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter called 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_authenticating_action called 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for 0x36000F6B 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state auth_bend_idle, got event 4(eapReq_authStart) 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle -> auth_bend_request 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not required 381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr called 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length: 0x0005 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action called 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not required 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the global authenticator queue 381390: Jan 30 17:44:11.052: EAPOL pak dump rx 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C 381392: Jan 30 17:44:11.052: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL frame 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet 381396: Jan 30 17:44:11.052: EAPOL pak dump rx 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap) 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892) 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x36000F6B 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 7(eapReq) 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_request 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not required 381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr called 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length: 0x0016 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type: 0x4 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_request_action called 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not required 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the global authenticator queue 381422: Jan 30 17:44:11.066: EAPOL pak dump rx 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length: 0x0016 381424: Jan 30 17:44:11.066: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL frame 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet 381428: Jan 30 17:44:11.070: EAPOL pak dump rx 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length: 0x0016 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap) 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called Switch# 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892) 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x31000F6C 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 7(eapReq) 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_request 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_request_action called 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_enter called 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to c46e.1f05.8999 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not required 381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr called 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length: 0x0005 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x31000F6C (c46e.1f05.8999) 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for 0x36000F6B 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 10(eapFail) 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_fail 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter called 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_fail_action called 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during state auth_bend_fail 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail -> auth_bend_idle 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter called 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on Client 0x36000F6B 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state auth_authenticating, got event 15(authFail) 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating -> auth_authc_result 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit called 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authc_result_enter called 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth Mgr for 2c0b.e904.2892 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client 2c0b.e904.2892 successfully retrieved 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for the client 0x36000F6B (2c0b.e904.2892) 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on Client 0x36000F6B 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state auth_authc_result, got event 22(authzFail) 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result -> auth_held 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_enter called 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 Switch# 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not required 381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr called 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length: 0x0004 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) Actual values have been substituted from ill hackers especially those communists -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Tuesday, January 30, 2018 3:58 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: cisco phones
Are you sure that you don't want these to be reply attributes? Show debug to see what's coming through.
Thanks for the tip. According to https://supportforums.cisco.com/t5/other-security- subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-ph one/ td-p/1652836 These need to be added cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does not matter if I set it as a reply attribute, same error) I get: Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) The progress is that the ip phone now shows dropping packets on the voice vlan which means it accepted: Tunnel-Private-Group-ID:=1:VOICE-LAN After reading an email here: I'm inclined to replace ":=" with = but I have a limited lunch break to test these settings each day so perhaps someone who has dealt with this can save me some wasted time?
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, January 26, 2018 4:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I still can't authenticate the ip phones using md5 on the voice vlan,
they keep getting authenticated on the data vlan. I ducked ducked the internet and found that:
"device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
alan On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html