Peace, I still can't authenticate the ip phones using md5 on the voice vlan, they keep getting authenticated on the data vlan. I ducked ducked the internet and found that: "device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I still can't authenticate the ip phones using md5 on the voice vlan, they keep getting authenticated on the data vlan. I ducked ducked the internet and found that: "device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS. Alan DeKok.
Thanks for the tip. According to https://supportforums.cisco.com/t5/other-security-subjects/802-1x-authentica... These need to be added cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does not matter if I set it as a reply attribute, same error) I get: Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) The progress is that the ip phone now shows dropping packets on the voice vlan which means it accepted: Tunnel-Private-Group-ID:=1:VOICE-LAN After reading an email here: I'm inclined to replace ":=" with = but I have a limited lunch break to test these settings each day so perhaps someone who has dealt with this can save me some wasted time? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, January 26, 2018 4:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I still can't authenticate the ip phones using md5 on the voice vlan, they keep getting authenticated on the data vlan. I ducked ducked the internet and found that: "device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 2018-01-30 at 14:07 +0300, Vacheslav wrote:
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := xxx where xxx is the VLAN number you want the device put in to. -- Matthew
Thank you for replying, we're getting closer to the resolution: tried Cisco-AVPair:="device-traffic-class=voice" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 23 Got: Auth: (175) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 15:14:37 2018 : Auth: (175) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Then I tried: Cisco-AVPair:=device-traffic-class=voice Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 1:VOICE-LAN With same error. I also tried: Cisco-AVPair:=device-traffic-class=voice Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 23 What does this mean? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Tuesday, January 30, 2018 3:05 PM To: freeradius-users@lists.freeradius.org Subject: Re: cisco phones On Tue, 2018-01-30 at 14:07 +0300, Vacheslav wrote:
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := xxx where xxx is the VLAN number you want the device put in to. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matthew I have been watching this thread and we do a similar thing except most of our sites use brocade device and there were much easier to deal with. We do have a site that has cisco switches and am wondering when this gets resolved if you might share the final output (attributes and relevant switch config) for reference. We have quickly experimented with the devices and although we never got any errors the devices never seem to do the assignments. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Vacheslav Sent: Tuesday, January 30, 2018 7:26 AM To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Subject: RE: cisco phones Thank you for replying, we're getting closer to the resolution: tried Cisco-AVPair:="device-traffic-class=voice" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 23 Got: Auth: (175) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 15:14:37 2018 : Auth: (175) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Then I tried: Cisco-AVPair:=device-traffic-class=voice Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 1:VOICE-LAN With same error. I also tried: Cisco-AVPair:=device-traffic-class=voice Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 23 What does this mean? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Matthew Newton Sent: Tuesday, January 30, 2018 3:05 PM To: freeradius-users@lists.freeradius.org Subject: Re: cisco phones On Tue, 2018-01-30 at 14:07 +0300, Vacheslav wrote:
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := xxx where xxx is the VLAN number you want the device put in to. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Are you sure that you don't want these to be reply attributes? Show debug to see what's coming through. alan On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote:
Thanks for the tip. According to https://supportforums.cisco.com/t5/other-security- subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-phone/ td-p/1652836 These need to be added cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does not matter if I set it as a reply attribute, same error) I get: Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) The progress is that the ip phone now shows dropping packets on the voice vlan which means it accepted: Tunnel-Private-Group-ID:=1:VOICE-LAN After reading an email here: I'm inclined to replace ":=" with = but I have a limited lunch break to test these settings each day so perhaps someone who has dealt with this can save me some wasted time?
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, January 26, 2018 4:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I still can't authenticate the ip phones using md5 on the voice vlan,
they keep getting authenticated on the data vlan. I ducked ducked the internet and found that:
"device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Did you mean a radius debug?... I thought of a cisco debug. I am sure about freeradius like you most likely haven't heard of Dr. Bob Beck's purifier. I changed the following to reply attributes: Tunnel-Type:=VLAN Tunnel-Medium-Type:= IEEE-802 Tunnel-Private-Group-Id:=23 Got: Auth: (192) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) Cisco output: 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client 0x36000F6B (2c0b.e904.2892) 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating client 0x36000F6B (2c0b.e904.2892) 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting QUIET_WHILE_EXPIRE on Client 0x36000F6B 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_held, got event 5(quietWhile_expire) 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held -> auth_restart 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit called 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_enter called 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new context event to EAP for 0x36000F6B (2c0b.e904.2892) 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_restart_action called 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on Client 0x36000F6B 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_restart, got event 6(no_eapRestart) 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart -> auth_connecting 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_enter called 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action called 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client 0x36000F6B 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state auth_connecting, got event 10(eapReq_no_reAuthMax) 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting -> auth_authenticating 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter called 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_authenticating_action called 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for 0x36000F6B 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state auth_bend_idle, got event 4(eapReq_authStart) 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle -> auth_bend_request 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not required 381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr called 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length: 0x0005 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action called 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not required 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the global authenticator queue 381390: Jan 30 17:44:11.052: EAPOL pak dump rx 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C 381392: Jan 30 17:44:11.052: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL frame 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet 381396: Jan 30 17:44:11.052: EAPOL pak dump rx 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap) 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892) 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x36000F6B 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 7(eapReq) 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_request 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not required 381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr called 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length: 0x0016 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type: 0x4 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_request_action called 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not required 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the global authenticator queue 381422: Jan 30 17:44:11.066: EAPOL pak dump rx 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length: 0x0016 381424: Jan 30 17:44:11.066: dot1x-ev: dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL frame 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet 381428: Jan 30 17:44:11.070: EAPOL pak dump rx 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length: 0x0016 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap) 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called Switch# 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892) 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x31000F6C 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 7(eapReq) 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_request 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_request_action called 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_enter called 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to c46e.1f05.8999 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not required 381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr called 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length: 0x0005 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x31000F6C (c46e.1f05.8999) 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for 0x36000F6B 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 10(eapFail) 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_fail 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter called 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_fail_action called 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during state auth_bend_fail 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail -> auth_bend_idle 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter called 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on Client 0x36000F6B 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state auth_authenticating, got event 15(authFail) 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating -> auth_authc_result 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit called 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authc_result_enter called 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth Mgr for 2c0b.e904.2892 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client 2c0b.e904.2892 successfully retrieved 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for the client 0x36000F6B (2c0b.e904.2892) 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on Client 0x36000F6B 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state auth_authc_result, got event 22(authzFail) 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result -> auth_held 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_enter called 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892 Switch# 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not required 381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr called 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length: 0x0004 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892) Actual values have been substituted from ill hackers especially those communists -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Tuesday, January 30, 2018 3:58 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: cisco phones
Are you sure that you don't want these to be reply attributes? Show debug to see what's coming through.
Thanks for the tip. According to https://supportforums.cisco.com/t5/other-security- subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-ph one/ td-p/1652836 These need to be added cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
So I added them as check attributes, with := but I got: Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does not matter if I set it as a reply attribute, same error) I get: Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) The progress is that the ip phone now shows dropping packets on the voice vlan which means it accepted: Tunnel-Private-Group-ID:=1:VOICE-LAN After reading an email here: I'm inclined to replace ":=" with = but I have a limited lunch break to test these settings each day so perhaps someone who has dealt with this can save me some wasted time?
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, January 26, 2018 4:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I still can't authenticate the ip phones using md5 on the voice vlan,
they keep getting authenticated on the data vlan. I ducked ducked the internet and found that:
"device-traffic-class=voice:= Cisco-AVPair" Must be added. So I added it username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it work. I only found documentation on how to do that in cisco ACS.
That documentation tells you what attributes to return, and what values to use for those attributes. Do the same thing in FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
alan On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I really have no idea what garbage you are on about about bob beck and communists, leave that junk out. Post a *full* `radiusd -X` debug. It looks like you have a space char in between = and IEEE below - but I have no idea where that is from so I have no idea if that is your copy/paste error or if it’s an error in your database - it appears that you use SQL. Perhaps you can paste the contents of your radreply and radcheck tables for the user in question.
On 31/01/2018, at 9:10 PM, Vacheslav <m_zouhairy@skno.by> wrote:
Did you mean a radius debug?... I thought of a cisco debug. I am sure about freeradius like you most likely haven't heard of Dr. Bob Beck's purifier. I changed the following to reply attributes: Tunnel-Type:=VLAN Tunnel-Medium-Type:= IEEE-802 Tunnel-Private-Group-Id:=23
Got:
Auth: (192) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)
Cisco output: <not useful> <nonsense> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, freeradius debug radiusd -X from the very start to the final packet sent back to the NAS. i dont care about cisco debug. alan On 31 January 2018 at 08:10, Vacheslav <m_zouhairy@skno.by> wrote: > Did you mean a radius debug?... I thought of a cisco debug. I am sure > about freeradius like you most likely haven't heard of Dr. Bob Beck's > purifier. > I changed the following to reply attributes: > Tunnel-Type:=VLAN > Tunnel-Medium-Type:= IEEE-802 > Tunnel-Private-Group-Id:=23 > > Got: > > Auth: (192) Invalid user (sql: Failed to create the pair: Invalid > character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type > = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83) > Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to > create the pair: Invalid character ' ' in attribute): > [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch > port 50145 cli 2D1B-E9-04-29-83) > > Cisco output: > > 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client > 0x36000F6B (2c0b.e904.2892) > 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating > client 0x36000F6B (2c0b.e904.2892) > 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting > QUIET_WHILE_EXPIRE on Client 0x36000F6B > 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_held, got event 5(quietWhile_expire) > 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held -> > auth_restart > 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit > called > 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_restart_enter called > 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new > context event to EAP for 0x36000F6B (2c0b.e904.2892) > 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_held_restart_action called > 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on > Client 0x36000F6B > 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_restart, got event 6(no_eapRestart) > 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart -> > auth_connecting > 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_connecting_enter called > 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action > called > 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client > 0x36000F6B > 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state > auth_connecting, got event 10(eapReq_no_reAuthMax) > 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting -> > auth_authenticating > 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter > called > 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_connecting_authenticating_action called > 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for > 0x36000F6B > 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state > auth_bend_idle, got event 4(eapReq_authStart) > 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle > -> auth_bend_request > 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_enter called > 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not > required > 381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr > called > 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx > 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length: 0x0005 > 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type: > 0x1 > 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action > called > 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not > required > 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt > on Authenticator Q > 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the > global authenticator queue > 381390: Jan 30 17:44:11.052: EAPOL pak dump rx > 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C > 381392: Jan 30 17:44:11.052: dot1x-ev: > dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28 > > 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL > frame > 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr > =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c > 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet > 381396: Jan 30 17:44:11.052: EAPOL pak dump rx > 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length: 0x001C > 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP > packet from 2c0b.e904.2892 > 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for > 0x36000F6B > 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 6(eapolEap) > 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_response > 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_enter called > 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: > Response sent to the server from 0x36000F6B (2c0b.e904.2892) > 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_response_action called > 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for > 0x36000F6B > 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state > auth_bend_response, got event 7(eapReq) > 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_response -> auth_bend_request > 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_exit called > 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_enter called > 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not > required > 381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr > called > 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx > 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length: 0x0016 > 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type: > 0x4 > 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_request_action called > 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not > required > 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt > on Authenticator Q > 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the > global authenticator queue > 381422: Jan 30 17:44:11.066: EAPOL pak dump rx > 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length: 0x0016 > 381424: Jan 30 17:44:11.066: dot1x-ev: > dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22 > > 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL > frame > 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr > =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016 > 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet > 381428: Jan 30 17:44:11.070: EAPOL pak dump rx > 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length: 0x0016 > 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP > packet from 2c0b.e904.2892 > 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for > 0x36000F6B > 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 6(eapolEap) > 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_response > 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_enter called > Switch# > 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: > Response sent to the server from 0x36000F6B (2c0b.e904.2892) > 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_request_response_action called > 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for > 0x31000F6C > 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state > auth_bend_request, got event 7(eapReq) > 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_request -> auth_bend_request > 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): > 0x31000F6C:auth_bend_request_request_action called > 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): > 0x31000F6C:auth_bend_request_enter called > 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > c46e.1f05.8999 > 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not > required > 381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr > called > 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx > 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length: 0x0005 > 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type: > 0x1 > 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x31000F6C (c46e.1f05.8999) > 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail > 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for > 0x36000F6B > 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state > auth_bend_response, got event 10(eapFail) > 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: > auth_bend_response -> auth_bend_fail > 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_exit called > 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter > called > 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_bend_response_fail_action called > 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during > state auth_bend_fail > 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail > -> auth_bend_idle > 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter > called > 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on > Client 0x36000F6B > 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state > auth_authenticating, got event 15(authFail) > 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating > -> auth_authc_result > 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit > called > 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_authc_result_enter called > 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for > client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID > 0A6000FC0001DEAA32DDD387 > 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth > Mgr for 2c0b.e904.2892 > 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result > 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45 > AuditSessionID 0A6000FC0001DEAA32DDD387 > 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or > unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID > 0A6000FC0001DEAA32DDD387 > 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client > 2c0b.e904.2892 successfully retrieved > 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for > the client 0x36000F6B (2c0b.e904.2892) > 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on > Client 0x36000F6B > 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state > auth_authc_result, got event 22(authzFail) > 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result -> > auth_held > 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): > 0x36000F6B:auth_held_enter called > 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to > 2c0b.e904.2892 > Switch# > 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not > required > 381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr > called > 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet > 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx > 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length: 0x0004 > 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004 > 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to > client 0x36000F6B (2c0b.e904.2892) > > Actual values have been substituted from ill hackers especially those > communists > > -----Original Message----- > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= > skno.by@lists.freeradius.org] On Behalf Of Alan Buxey > Sent: Tuesday, January 30, 2018 3:58 PM > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> > Subject: RE: cisco phones > > >Are you sure that you don't want these to be reply attributes? Show debug > to see what's coming through. > > alan > > On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote: > > > Thanks for the tip. > > According to https://supportforums.cisco.com/t5/other-security- > > subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-ph > > one/ > > td-p/1652836 > > These need to be added > > cisco-avpair="device-traffic-class=voice" > > Tunnel-Type=1:VLAN > > Tunnel-Medium-Type=1:802 > > Tunnel-Private-Group-ID=1:VOICE-LAN > > > > So I added them as check attributes, with := but I got: > > Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid > > value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via > > Auth-Type = > > eap>] (from client Switch port 50145 cli mac) > > Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error > > parsing > > value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): > > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 > > cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does > > not matter if I set it as a reply attribute, same error) I get: > > Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid > > value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via > > Auth-Type = eap>] (from client Switch port 50145 cli mac) Tue Jan 30 > > 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing > > value: Unknown or invalid value "1:802" for attribute > Tunnel-Medium-Type): > > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 > > cli > > mac) > > The progress is that the ip phone now shows dropping packets on the > > voice vlan which means it accepted: > > Tunnel-Private-Group-ID:=1:VOICE-LAN > > After reading an email here: I'm inclined to replace ":=" with = but I > > have a limited lunch break to test these settings each day so perhaps > > someone who has dealt with this can save me some wasted time? > > > > > > -----Original Message----- > > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= > > skno.by@lists.freeradius.org] On Behalf Of Alan DeKok > > Sent: Friday, January 26, 2018 4:07 PM > > To: FreeRadius users mailing list > > <freeradius-users@lists.freeradius.org> > > Subject: Re: cisco phones > > > > On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote: > > > > > > I still can't authenticate the ip phones using md5 on the voice > > > vlan, > > they keep getting authenticated on the data vlan. I ducked ducked the > > internet and found that: > > > "device-traffic-class=voice:= Cisco-AVPair" > > > Must be added. So I added it username of the ip phone in daloradius > > > but > > the behavior has not changed. Perhaps, that must be added manually to > > the users file for it work. I only found documentation on how to do > > that in cisco ACS. > > > > > That documentation tells you what attributes to return, and what > > > values > > to use for those attributes. Do the same thing in FreeRADIUS. > > > > Alan DeKok. > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > > > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html
Well diamonds to swine are worthless but crap is worthy to them.
I tried to stop free radius and it failed to stop, status revealed that it crashed!
However, radiusd -X worked.
SELECT * FROM radcheck;
| 50 | CP-3905-SEP2C0BA7291783| Cleartext-Password | := | communistssuck |
| 60 | CP-3905-SEP2C0BA7291783| Cisco-AVPair | := | device-traffic-class=voice |
SELECT * FROM radreply;
| id | username | attribute | op | value |
+----+-------------------------+-------------------------+----+----------+
| 7 | CP-3905-SEP2C0BA7291783| Tunnel-Type | := | VLAN |
| 8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type | := | IEEE-802 |
| 9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23 |
+----+-------------------------+-------------------------+----+----------+
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/expiration
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/abfab-tr
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sql.conf
main {
security {
user = "radius"
group = "radius"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
logdir = "/var/log/radius"
run_dir = "/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/run/radiusd"
libdir = "/usr/lib64"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client Switch {
ipv4addr = 10.0.0.143/24
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
instantiate {
}
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.29-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:331
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 55989
Listening on proxy address :: port 60892
Ready to process requests
(0) Received Access-Request Id 88 from 10.0.0.143:1645 to 10.0.11.117:1812 length 186
(0) User-Name = "CP-3905-SEP2C0BA7291783"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(0) Calling-Station-Id = "2C-0B-E9-04-28-92"
(0) EAP-Message = 0x0201001c0143502d333930352d534550324330424539303432383932
(0) Message-Authenticator = 0x13fbef916e14dd6489ff6407f194d7b4
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50145
(0) NAS-Port-Id = "GigabitEthernet1/0/45"
(0) NAS-IP-Address = 10.0.0.143
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 28
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0xa79cd138a79ed587
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 88 from 10.0.11.117:1812 to 10.0.0.143:1645 length 0
(0) EAP-Message = 0x010200160410e487f4dfe24e098ca725b6e6ef54b9d6
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xa79cd138a79ed5872e402a36c30c6a20
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 89 from 10.0.0.143:1645 to 10.0.11.117:1812 length 186
(1) User-Name = "CP-3905-SEP2C0BA7291783"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(1) Calling-Station-Id = "2C-0B-E9-04-28-92"
(1) EAP-Message = 0x0201001c0143502d333930352d534550324330424539303432383932
(1) Message-Authenticator = 0x4d05f2913326ddfcac12288c5212127d
(1) NAS-Port-Type = Ethernet
(1) NAS-Port = 50145
(1) NAS-Port-Id = "GigabitEthernet1/0/45"
(1) NAS-IP-Address = 10.0.0.143
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 28
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: Issuing MD5 Challenge
(1) eap: Sending EAP Request (code 1) ID 2 length 22
(1) eap: EAP session adding &reply:State = 0x84360afd84340efc
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 89 from 10.0.11.117:1812 to 10.0.0.143:1645 length 0
(1) EAP-Message = 0x010200160410042e6e06c3809c1cff134b2787fb6291
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x84360afd84340efcda38388a1765ed18
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 90 from 10.0.0.143:1645 to 10.0.11.117:1812 length 198
(2) User-Name = "CP-3905-SEP2C0BA7291783"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) Called-Station-Id = "AC-7E-8A-EB-86-2D"
(2) Calling-Station-Id = "2C-0B-E9-04-28-92"
(2) EAP-Message = 0x020200160410925c98c49db5167473e9f3c43f9909db
(2) Message-Authenticator = 0x9755a81d5fcd90df4e51a08e2cd143a9
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50145
(2) NAS-Port-Id = "GigabitEthernet1/0/45"
(2) State = 0x84360afd84340efcda38388a1765ed18
(2) NAS-IP-Address = 10.0.0.143
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "CP-3905-SEP2C0BA7291783", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 22
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) sql: EXPAND %{User-Name}
(2) sql: --> CP-3905-SEP2C0BA7291783
(2) sql: SQL-User-Name set to 'CP-3905-SEP2C0BA7291783'
rlm_sql (sql): Reserved connection (0)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql: Cleartext-Password := "communistssuck"
(2) sql: Cisco-AVPair := "device-traffic-class=voice"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'CP-3905-SEP2C0BA7291783' ORDER BY id
(2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute
(2) sql: ERROR: Error parsing user data from database result
(2) sql: ERROR: SQL query error getting reply attributes
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.29-MariaDB, protocol version 10
(2) [sql] = fail
(2) } # authorize = fail
(2) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2C0BA7291783/<via Auth-Type = eap>] (from client Switch port 50145 cli 2C-0B-E9-04-28-92)
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) sql: EXPAND .query
(2) sql: --> .query
(2) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(2) sql: EXPAND %{User-Name}
(2) sql: --> CP-3905-SEP2C0BA7291783
(2) sql: SQL-User-Name set to 'CP-3905-SEP2C0BA7291783'
(2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'CP-3905-SEP2C0BA7291783', '', 'Access-Reject', '2018-02-01 08:33:08')
(2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'CP-3905-SEP2C0BA7291783', '', 'Access-Reject', '2018-02-01 08:33:08')
(2) sql: SQL query returned: success
(2) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(2) [sql] = ok
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> CP-3905-SEP2C0BA7291783
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) eap: Expiring EAP session with state 0xa79cd138a79ed587
(2) eap: Finished EAP session with state 0x84360afd84340efc
(2) eap: Previous EAP request found for state 0x84360afd84340efc, released from the list
(2) eap: Request was previously rejected, inserting EAP-Failure
(2) eap: Sending EAP Failure (code 4) ID 2 length 4
(2) [eap] = updated
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2C0BA7291783/<via Auth-Type = eap>] (from client Switch port 50145 cli 2C-0B-E9-04-28-92)
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 90 from 10.0.11.117:1812 to 10.0.0.143:1645 length 44
(2) EAP-Message = 0x04020004
(2) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 88 with timestamp +44
(1) Cleaning up request packet ID 89 with timestamp +44
(2) Cleaning up request packet ID 90 with timestamp +44
Ready to process requests
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, January 31, 2018 1:13 PM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: cisco phones
>hi,
>freeradius debug
>radiusd -X
>from the very start to the final packet sent back to the NAS.
> i dont care about cisco debug.
That's a lie!
alan
On 31 January 2018 at 08:10, Vacheslav <m_zouhairy@skno.by> wrote:
> Did you mean a radius debug?... I thought of a cisco debug. I am sure
> about freeradius like you most likely haven't heard of Dr. Bob Beck's
> purifier.
> I changed the following to reply attributes:
> Tunnel-Type:=VLAN
> Tunnel-Medium-Type:= IEEE-802
> Tunnel-Private-Group-Id:=23
>
> Got:
>
> Auth: (192) Invalid user (sql: Failed to create the pair: Invalid
> character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via
> Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)
> Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to
> create the pair: Invalid character ' ' in attribute):
> [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client
> Switch port 50145 cli 2D1B-E9-04-29-83)
>
> Cisco output:
>
> 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating
> client 0x36000F6B (2c0b.e904.2892)
> 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already
> authenticating client 0x36000F6B (2c0b.e904.2892)
> 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting
> QUIET_WHILE_EXPIRE on Client 0x36000F6B
> 381358: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_held, got event 5(quietWhile_expire)
> 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held ->
> auth_restart
> 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_exit called
> 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_restart_enter called
> 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new
> context event to EAP for 0x36000F6B (2c0b.e904.2892)
> 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_restart_action called
> 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART
> on Client 0x36000F6B
> 381365: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_restart, got event 6(no_eapRestart)
> 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart ->
> auth_connecting
> 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_enter called
> 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_restart_connecting_action
> called
> 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on
> Client 0x36000F6B
> 381370: Jan 30 17:44:11.045: dot1x_auth Gi1/0/45: during state
> auth_connecting, got event 10(eapReq_no_reAuthMax)
> 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting
> -> auth_authenticating
> 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authenticating_enter
> called
> 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_authenticating_action called
> 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START
> for 0x36000F6B
> 381375: Jan 30 17:44:11.045: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_idle, got event 4(eapReq_authStart)
> 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_idle
> -> auth_bend_request
> 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381380: Jan 30 17:44:11.049:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx
> 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3 type: 0x0 length:
> 0x0005
> 381384: Jan 30 17:44:11.049: EAP code: 0x1 id: 0x3 length: 0x0005 type:
> 0x1
> 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
> 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_idle_request_action
> called
> 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL
> pkt on Authenticator Q
> 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381390: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length:
> 0x001C
> 381392: Jan 30 17:44:11.052: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28
>
> 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type =
> 888e.0100.001c
> 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP
> packet
> 381396: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1 type: 0x0 length:
> 0x001C
> 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381400: Jan 30 17:44:11.052: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called
> 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x36000F6B
> 381406: Jan 30 17:44:11.063: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 7(eapReq)
> 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_request
> 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381412: Jan 30 17:44:11.063:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx
> 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3 type: 0x0 length:
> 0x0016
> 381416: Jan 30 17:44:11.063: EAP code: 0x1 id: 0x4 length: 0x0016 type:
> 0x4
> 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
> 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_request_action called
> 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL
> pkt on Authenticator Q
> 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381422: Jan 30 17:44:11.066: EAPOL pak dump rx
> 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1 type: 0x0 length:
> 0x0016
> 381424: Jan 30 17:44:11.066: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22
>
> 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type =
> 888e.0100.0016
> 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP
> packet
> 381428: Jan 30 17:44:11.070: EAPOL pak dump rx
> 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1 type: 0x0 length:
> 0x0016
> 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381432: Jan 30 17:44:11.070: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called Switch#
> 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x31000F6C
> 381438: Jan 30 17:44:11.489: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 7(eapReq)
> 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_request
> 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_request_action called
> 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_enter called
> 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> c46e.1f05.8999
> 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381444: Jan 30 17:44:11.489:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx
> 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3 type: 0x0 length:
> 0x0005
> 381448: Jan 30 17:44:11.489: EAP code: 0x1 id: 0x1 length: 0x0005 type:
> 0x1
> 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x31000F6C (c46e.1f05.8999)
> 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail
> 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for
> 0x36000F6B
> 381452: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 10(eapFail)
> 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_fail
> 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_fail_enter called
> 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_fail_action called
> 381457: Jan 30 17:44:12.087: dot1x_auth_bend Gi1/0/45: idle during
> state auth_bend_fail
> 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_fail
> -> auth_bend_idle
> 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_idle_enter called
> 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on
> Client 0x36000F6B
> 381461: Jan 30 17:44:12.087: dot1x_auth Gi1/0/45: during state
> auth_authenticating, got event 15(authFail)
> 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45:
> auth_authenticating
> -> auth_authc_result
> 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authenticating_exit
> called
> 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authc_result_enter called
> 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for
> client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to
> Auth Mgr for 2c0b.e904.2892
> 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result
> 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45
> AuditSessionID 0A6000FC0001DEAA32DDD387
> 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or
> unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45
> AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client
> 2c0b.e904.2892 successfully retrieved
> 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail
> for the client 0x36000F6B (2c0b.e904.2892)
> 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on
> Client 0x36000F6B
> 381472: Jan 30 17:44:12.091: dot1x_auth Gi1/0/45: during state
> auth_authc_result, got event 22(authzFail)
> 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45:
> auth_authc_result -> auth_held
> 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_enter called
> 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet
> to
> 2c0b.e904.2892
> Switch#
> 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination
> not required
> 381477: Jan 30 17:44:12.091:
> dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL
> packet
> 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx
> 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3 type: 0x0 length:
> 0x0004
> 381481: Jan 30 17:44:12.091: EAP code: 0x4 id: 0x4 length: 0x0004
> 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent
> to client 0x36000F6B (2c0b.e904.2892)
>
> Actual values have been substituted from ill hackers especially those
> communists
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> skno.by@lists.freeradius.org] On Behalf Of Alan Buxey
> Sent: Tuesday, January 30, 2018 3:58 PM
> To: FreeRadius users mailing list
> <freeradius-users@lists.freeradius.org>
> Subject: RE: cisco phones
>
> >Are you sure that you don't want these to be reply attributes? Show
> >debug
> to see what's coming through.
>
> alan
>
> On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy@skno.by> wrote:
>
> > Thanks for the tip.
> > According to https://supportforums.cisco.com/t5/other-security-
> > subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-
> > ph
> > one/
> > td-p/1652836
> > These need to be added
> > cisco-avpair="device-traffic-class=voice"
> > Tunnel-Type=1:VLAN
> > Tunnel-Medium-Type=1:802
> > Tunnel-Private-Group-ID=1:VOICE-LAN
> >
> > So I added them as check attributes, with := but I got:
> > Auth: (163) Invalid user (sql: Error parsing value: Unknown or
> > invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone
> > name/<via Auth-Type =
> > eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error
> > parsing
> > value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli mac) If I delete the attribute Tunnel-Type:=1:VLAN (and it does
> > not matter if I set it as a reply attribute, same error) I get:
> > Auth: (159) Invalid user (sql: Error parsing value: Unknown or
> > invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone
> > name<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30
> > 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing
> > value: Unknown or invalid value "1:802" for attribute
> Tunnel-Medium-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli
> > mac)
> > The progress is that the ip phone now shows dropping packets on the
> > voice vlan which means it accepted:
> > Tunnel-Private-Group-ID:=1:VOICE-LAN
> > After reading an email here: I'm inclined to replace ":=" with = but
> > I have a limited lunch break to test these settings each day so
> > perhaps someone who has dealt with this can save me some wasted time?
> >
> >
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> > skno.by@lists.freeradius.org] On Behalf Of Alan DeKok
> > Sent: Friday, January 26, 2018 4:07 PM
> > To: FreeRadius users mailing list
> > <freeradius-users@lists.freeradius.org>
> > Subject: Re: cisco phones
> >
> > On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
> > >
> > > I still can't authenticate the ip phones using md5 on the voice
> > > vlan,
> > they keep getting authenticated on the data vlan. I ducked ducked
> > the internet and found that:
> > > "device-traffic-class=voice:= Cisco-AVPair"
> > > Must be added. So I added it username of the ip phone in
> > > daloradius but
> > the behavior has not changed. Perhaps, that must be added manually
> > to the users file for it work. I only found documentation on how to
> > do that in cisco ACS.
> >
> > > That documentation tells you what attributes to return, and what
> > > values
> > to use for those attributes. Do the same thing in FreeRADIUS.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 1/02/2018, at 7:14 PM, Vacheslav <m_zouhairy@skno.by> wrote:
SELECT * FROM radreply;
| id | username | attribute | op | value | +----+-------------------------+-------------------------+----+----------+ | 7 | CP-3905-SEP2C0BA7291783| Tunnel-Type | := | VLAN | | 8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type | := | IEEE-802 | | 9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23 | +----+-------------------------+-------------------------+----+—————+
(2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute
It’s not possible to tell from what you have given, but, does one of your attributes in the radreply table have a space at the start or end? I.e. do you perhaps have "Tunnel-Medium-Type<space>”? -- Nathan Ward
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Nathan Ward Sent: Thursday, February 1, 2018 2:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On 1/02/2018, at 7:14 PM, Vacheslav <m_zouhairy@skno.by> wrote:
SELECT * FROM radreply;
| id | username | attribute | op | value | +----+-------------------------+-------------------------+----+----------+ | 7 | CP-3905-SEP2C0BA7291783| Tunnel-Type | := | VLAN | | 8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type | := | IEEE-802 | | 9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23 | +----+-------------------------+-------------------------+----+—————+
(2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute
It’s not possible to tell from what you have given, but, does one of your attributes in the radreply table have a space at the start or end? I.e. do you perhaps have "Tunnel-Medium-Type<space>”? I finally had time to test. I deleted the attributes one at a time and test and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as check attribute, without using the auto saved entry in the browser, and the login was ok. You got happy ahead of time. Without the attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned attribute as a reply keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned attribute from checking and no change. I final tried putting it 1:VLAN and 23:VLAN but that just makes freeradius spout: Auth: (56) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [CP-3905-SEP2C0BE9042892/<via Auth-Type = eap>] (from client Skorini_Switch port 50145 cli 2C-0B-E9-04-28-92) Fri Feb 2 11:01:35 2018 : Auth: (56) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name via Auth-Type = eap>] (from client Switch port 50145 cli mac) Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (35): Hit idle_timeout, was idle for 61 seconds Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (36): Hit idle_timeout, was idle for 61 seconds Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (34): Hit idle_timeout, was idle for 61 seconds Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (37), 1 of 32 pending slots used Fri Feb 2 11:02:36 2018 : Info: Need 2 more connections to reach min connections (3) Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (38), 1 of 31 pending slots used Fri Feb 2 11:02:36 2018 : Auth: (58) Login OK: [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Fri Feb 2 11:03:35 2018 : Info: Need 1 more connections to reach min connections (3) Fri Feb 2 11:03:35 2018 : Info: rlm_sql (sql): Opening additional connection (39), 1 of 30 pending slots used Fri Feb 2 11:03:35 2018 : Auth: (60) Invalid user (sql: Error parsing value: Unknown or invalid value "30:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Fri Feb 2 11:03:35 2018 : Auth: (60) Login incorrect (sql: Error parsing value: Unknown or invalid value "23:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
I can think of two options: Either the switch needs additional configuration or the attribute configuration is not for cisco. I am bewildered that no one here uses freeradius for cisco md5 phones, and am I the only one working for a money loving government who won't is too stingy even to consider getting the latest acs? --
Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is what Buxley lied that he doesn't care about: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to down 387716: Feb 2 11:20:40.392: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to down Switch(config-if)# 387717: Feb 2 11:20:41.262: %AUTHMGR-5-START: Starting 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3 387718: Feb 2 11:20:41.297: %DOT1X-5-SUCCESS: Authentication successful for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3 387719: Feb 2 11:20:41.297: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3 Switch(config-if)# 387720: Feb 2 11:20:41.297: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 23 on port GigabitEthernet1/0/29 cannot be equivalent to the Voice VLAN AuditSessionID 0A7000FC2201C28740F37DF3 387721: Feb 2 11:20:41.297: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3 387722: Feb 2 11:20:41.297: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3 Switch(config-if)# 387723: Feb 2 11:20:41.619: %AUTHMGR-5-START: Starting 'dot1x' for client (pc mac) on Interface Gi1/0/29 AuditSessionID 0A8001FC0001E08420F28F66 Switch(config-if)# 387724: Feb 2 11:20:43.241: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to up Switch(config-if)# 387725: Feb 2 11:20:44.240: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to up -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Vacheslav Sent: Friday, February 2, 2018 11:16 AM To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Subject: RE: cisco phones -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Nathan Ward Sent: Thursday, February 1, 2018 2:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On 1/02/2018, at 7:14 PM, Vacheslav <m_zouhairy@skno.by> wrote:
SELECT * FROM radreply;
| id | username | attribute | op | value | +----+-------------------------+-------------------------+----+----------+ | 7 | CP-3905-SEP2C0BA7291783| Tunnel-Type | := | VLAN | | 8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type | := | IEEE-802 | | 9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23 | +----+-------------------------+-------------------------+----+—————+
(2) sql: ERROR: Failed to create the pair: Invalid character ' ' in attribute
It’s not possible to tell from what you have given, but, does one of your attributes in the radreply table have a space at the start or end? >I.e. do you perhaps have "Tunnel-Medium-Type<space>”? I finally had time to test. I deleted the attributes one at a time and test and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as >check attribute, without using the auto saved entry in the browser, and the login was ok. You got happy ahead of time. Without the >attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned >attribute as a reply keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned >attribute from checking and no change. I final tried putting it 1:VLAN and 23:VLAN but that just makes freeradius spout: Auth: (56) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [CP-3905->SEP2C0BE9042892/<via Auth-Type = eap>] (from client Skorini_Switch port 50145 cli 2C-0B-E9-04-28-92) Fri Feb 2 11:01:35 2018 : Auth: >(56) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name via Auth-Type >= eap>] (from client Switch port 50145 cli mac) Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (35): Hit idle_timeout, was >idle for 61 seconds Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (36): Hit idle_timeout, was idle for 61 seconds Fri Feb >2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (34): Hit idle_timeout, was idle for 61 seconds Fri Feb 2 11:02:36 2018 : Info: >rlm_sql (sql): Opening additional connection (37), 1 of 32 pending slots used Fri Feb 2 11:02:36 2018 : Info: Need 2 more connections to >reach min connections (3) Fri Feb 2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (38), 1 of 31 pending slots used Fri >Feb 2 11:02:36 2018 : Auth: (58) Login OK: [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Fri Feb 2 >11:03:35 2018 : Info: Need 1 more connections to reach min connections (3) Fri Feb 2 11:03:35 2018 : Info: rlm_sql (sql): Opening ?>additional connection (39), 1 of 30 pending slots used Fri Feb 2 11:03:35 2018 : Auth: (60) Invalid user (sql: Error parsing value: Unknown >or invalid value "30:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac) Fri >Feb 2 11:03:35 2018 : Auth: (60) Login incorrect (sql: Error parsing value: Unknown or invalid value "23:VLAN" for attribute Tunnel-Type): >[ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
I can think of two options: Either the switch needs additional configuration or the attribute configuration is not for cisco. I am bewildered that no one here uses freeradius for cisco md5 phones, and am I the only one working for a money loving government >who won't is too stingy even to consider getting the latest acs?
--
Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 2, 2018, at 3:16 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I deleted the attributes one at a time and test and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as check attribute, without using the auto saved entry in the browser, and the login was ok.
That's weird. Tunnel-Type is a standard attribute.
You got happy ahead of time. Without the attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned attribute as a reply keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned attribute from checking and no change. I final tried putting it 1:VLAN and 23:VLAN but that just makes freeradius spout:
"1" is the tag number. It's used for grouping multiple attributes. It is *not* a VLAN number. If you want to use tags, you should use the same tag for all tagged attributes... Tunnel-Type:1 = VLAN Tunnel-Foo:1 = value ... Alan DeKok.
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, February 2, 2018 3:27 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones On Feb 2, 2018, at 3:16 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I deleted the attributes one at a time and test and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as check attribute, without using the auto saved entry in the browser, and the login was ok.
That's weird. Tunnel-Type is a standard attribute.
When the reason is known it would be the norm.
You got happy ahead of time. Without the attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned attribute as a reply keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned attribute from checking and no change. I final tried putting it 1:VLAN and 23:VLAN but that just makes freeradius spout:
"1" is the tag number. It's used for grouping multiple attributes. It is *not* a VLAN number.
If you want to use tags, you should use the same tag for all tagged attributes...
Tunnel-Type:1 = VLAN Tunnel-Foo:1 = value ...
What I want is to make it work so I tried replacing the reply attributes with Tunnel-Type:1 := VLAN Tunnel-Medium-Type:1 := 802 Tunnel-Private-Group-Id:1 := VOICE-LAN But the phone gets authenticated on the data vlan (24). Then I replaced the last one with : Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 2, 2018, at 7:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
What I want is to make it work so I tried replacing the reply attributes with Tunnel-Type:1 := VLAN Tunnel-Medium-Type:1 := 802 Tunnel-Private-Group-Id:1 := VOICE-LAN
But the phone gets authenticated on the data vlan (24).
Does the phone know what "VOICE-LAN" is?
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. Alan DeKok.
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, February 2, 2018 4:46 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones On Feb 2, 2018, at 7:49 AM, Vacheslav <m_zouhairy@skno.by> wrote:
What I want is to make it work so I tried replacing the reply attributes with Tunnel-Type:1 := VLAN Tunnel-Medium-Type:1 := 802 Tunnel-Private-Group-Id:1 := VOICE-LAN
But the phone gets authenticated on the data vlan (24).
Does the phone know what "VOICE-LAN" is? The command: switchport voice vlan 23 Is configured. Dot1x network authorization, which is needed to place in the voice vlan is configured.
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. How can I blame cisco for not accepting cisco attributes?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 5/02/2018, at 11:23 PM, Vacheslav <m_zouhairy@skno.by> wrote:
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. How can I blame cisco for not accepting cisco attributes?
Is FreeRADIUS sending the expected attributes back to the switch/NAS? If FreeRADIUS is sending what you expect (look at FR debug, or a packet capture), then you need to talk to your vendor and ask them why their product is not doing what you expect with that information. If FreeRADIUS is not sending what you expect, please configure FreeRADIUS to send what you want it to send. If you have specific questions about FreeRADIUS I’m sure some people can help. Asking about Cisco things and sharing Cisco config and Cisco debug is not useful. Tell us what your NAS is sending to FreeRADIUS, and what FreeRADIUS is replying with, and what you’d like FreeRADIUS to do differently. We can’t tell you what FreeRADIUS needs to send - if you don’t know what it needs to send, you need to talk to your vendor. It sounds like FreeRADIUS is sending what you expect, so, I think you need to talk to your vendor. -- Nathan Ward
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Nathan Ward Sent: Monday, February 5, 2018 1:35 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On 5/02/2018, at 11:23 PM, Vacheslav <m_zouhairy@skno.by> wrote:
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. How can I blame cisco for not accepting cisco attributes?
Is FreeRADIUS sending the expected attributes back to the switch/NAS?
The switch confirms that the phone authenticates and authorizes.
If FreeRADIUS is sending what you expect (look at FR debug, or a packet capture), then you need to talk to your vendor and ask them why their product is not doing what you expect with that information.
If FreeRADIUS is not sending what you expect, please configure FreeRADIUS to send what you want it to send. If you have specific questions about FreeRADIUS I’m sure some people can help. Asking about Cisco things and sharing Cisco config and Cisco debug is not useful. Tell us what your NAS is sending to FreeRADIUS, and what FreeRADIUS is replying with, and what you’d like FreeRADIUS to do differently.
We can’t tell you what FreeRADIUS needs to send - if you don’t know what it needs to send, you need to talk to your vendor.
It sounds like FreeRADIUS is sending what you expect, so, I think you need to talk to your vendor. I did expect that this will end in the cisco forums except I wanted to reach the end here and we are there.
--
Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
not sure why you are sending the :1 parts for those attributes, never had to do that with Cisco - its just the way cisco sends info, you just need the bare words eg Tunnel-Private-Group-Id alan On 5 February 2018 at 10:56, Vacheslav <m_zouhairy@skno.by> wrote:
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Nathan Ward Sent: Monday, February 5, 2018 1:35 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On 5/02/2018, at 11:23 PM, Vacheslav <m_zouhairy@skno.by> wrote:
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. How can I blame cisco for not accepting cisco attributes?
Is FreeRADIUS sending the expected attributes back to the switch/NAS?
The switch confirms that the phone authenticates and authorizes.
If FreeRADIUS is sending what you expect (look at FR debug, or a packet capture), then you need to talk to your vendor and ask them why their product is not doing what you expect with that information.
If FreeRADIUS is not sending what you expect, please configure FreeRADIUS to send what you want it to send. If you have specific questions about FreeRADIUS I’m sure some people can help. Asking about Cisco things and sharing Cisco config and Cisco debug is not useful. Tell us what your NAS is sending to FreeRADIUS, and what FreeRADIUS is replying with, and what you’d like FreeRADIUS to do differently.
We can’t tell you what FreeRADIUS needs to send - if you don’t know what it needs to send, you need to talk to your vendor.
It sounds like FreeRADIUS is sending what you expect, so, I think you need to talk to your vendor. I did expect that this will end in the cisco forums except I wanted to reach the end here and we are there.
--
Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Monday, February 5, 2018 3:54 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
not sure why you are sending the :1 parts for those attributes, never had to do that with Cisco - its just the way cisco sends info, you just need the bare words eg Tunnel-Private-Group-Id
I repeat: Here is how it works on acs: NOTE:ALL these attributes should be defined on the ACS group set for phone authentication. cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN All the rest was suggestions given here.
alan
On 5 February 2018 at 10:56, Vacheslav <m_zouhairy@skno.by> wrote:
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Nathan Ward Sent: Monday, February 5, 2018 1:35 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: cisco phones
On 5/02/2018, at 11:23 PM, Vacheslav <m_zouhairy@skno.by> wrote:
Then I replaced the last one with :
Tunnel-Private-Group-Id:1 := 23 as a reply attribute And it didn't change anything as a result.
If the debug log shows those attributes being sent back to the NAS, then the server is configured correctly. Blame the NAS for not doing what the server says to do. How can I blame cisco for not accepting cisco attributes?
Is FreeRADIUS sending the expected attributes back to the switch/NAS?
The switch confirms that the phone authenticates and authorizes.
If FreeRADIUS is sending what you expect (look at FR debug, or a packet capture), then you need to talk to your vendor and ask them why their product is not doing what you expect with that information.
If FreeRADIUS is not sending what you expect, please configure FreeRADIUS to send what you want it to send. If you have specific questions about FreeRADIUS I’m sure some people can help. Asking about Cisco things and sharing Cisco config and Cisco debug is not useful. Tell us what your NAS is sending to FreeRADIUS, and what FreeRADIUS is replying with, and what you’d like FreeRADIUS to do differently.
We can’t tell you what FreeRADIUS needs to send - if you don’t know what it needs to send, you need to talk to your vendor.
It sounds like FreeRADIUS is sending what you expect, so, I think you need to talk to your vendor. I did expect that this will end in the cisco forums except I wanted to reach the end here and we are there.
--
Nathan Ward
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 5, 2018, at 7:59 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I repeat: Here is how it works on acs:
That's nice. Maybe ACS is doing something behind the scenes.
NOTE:ALL these attributes should be defined on the ACS group set for phone authentication.
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
All the rest was suggestions given here.
At this point, there's only one solution. Use "radsniff" or "wireshark" to look at the packets sent by ACS. Post the Access-Accept that "works" here (ASCII, please). We can look at it, and tell you how to configure FreeRADIUS to get the same response. My $0.02 is that there is *another* thing needed by the phone. ACS sends it, and FreeRADIUS isn't configured to send it. Alan DeKok.
I'm, it's not something basic and stupid like you don't have "=" in your SQL safe_character list but are trying to use it As for the attribute value, read the switch documentation for requirements don't look at what ACS does. alan On 5 Feb 2018 1:04 pm, "Alan DeKok" <aland@deployingradius.com> wrote:
On Feb 5, 2018, at 7:59 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I repeat: Here is how it works on acs:
That's nice. Maybe ACS is doing something behind the scenes.
NOTE:ALL these attributes should be defined on the ACS group set for phone authentication.
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
All the rest was suggestions given here.
At this point, there's only one solution. Use "radsniff" or "wireshark" to look at the packets sent by ACS. Post the Access-Accept that "works" here (ASCII, please).
We can look at it, and tell you how to configure FreeRADIUS to get the same response. My $0.02 is that there is *another* thing needed by the phone. ACS sends it, and FreeRADIUS isn't configured to send it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
...or your dictionary files are hosed in some wierd way - did you stick v3 over v2 ? alan On 5 February 2018 at 18:01, Alan Buxey <alan.buxey@gmail.com> wrote:
I'm, it's not something basic and stupid like you don't have "=" in your SQL safe_character list but are trying to use it
As for the attribute value, read the switch documentation for requirements don't look at what ACS does.
alan
On 5 Feb 2018 1:04 pm, "Alan DeKok" <aland@deployingradius.com> wrote:
On Feb 5, 2018, at 7:59 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I repeat: Here is how it works on acs:
That's nice. Maybe ACS is doing something behind the scenes.
NOTE:ALL these attributes should be defined on the ACS group set for phone authentication.
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
All the rest was suggestions given here.
At this point, there's only one solution. Use "radsniff" or "wireshark" to look at the packets sent by ACS. Post the Access-Accept that "works" here (ASCII, please).
We can look at it, and tell you how to configure FreeRADIUS to get the same response. My $0.02 is that there is *another* thing needed by the phone. ACS sends it, and FreeRADIUS isn't configured to send it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
Normal 0 false false false EN-US X-NONE X-NONE Thanks for giving a keyword to search for. I love to refute fortune tellers, it was exactly something smart as an "=" sign. I tried searching the internet for an option to donate to free radius but there is no such thing. Alan Buxey <alan.buxey@gmail.com> , 05.02.2018 21:02:
I'm, it's not something basic and stupid like you don't have "=" in your SQL safe_character list but are trying to use it
As for the attribute value, read the switch documentation for requirements don't look at what ACS does.
alan
On Feb 5, 2018, at 7:59 AM, Vacheslav <m_zouhairy@skno.by> wrote:
I repeat: Here is how it works on acs:
That's nice. Maybe ACS is doing something behind the scenes.
NOTE:ALL these attributes should be defined on the ACS group set for phone authentication.
cisco-avpair="device-traffic-class=voice" Tunnel-Type=1:VLAN Tunnel-Medium-Type=1:802 Tunnel-Private-Group-ID=1:VOICE-LAN
All the rest was suggestions given here.
At this point, there's only one solution. Use "radsniff" or "wireshark" to look at the packets sent by ACS. Post the Access-Accept that "works" here (ASCII, please).
We can look at it, and tell you how to configure FreeRADIUS to get the same response. My $0.02 is that there is *another* thing needed by the phone. ACS sends it, and FreeRADIUS isn't configured to send it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 5 Feb 2018 1:04 pm, "Alan DeKok" <aland@deployingradius.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
Alan Buxey -
Alan DeKok -
Martin, Jeremy -
Matthew Newton -
Nathan Ward -
Vacheslav -
Зухейри Мажет Маруан