VLAN-mapping by DEFAULT Entry fails
Dear all, I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco Catalyst Switch 3750 as authenticator and i want that user hugo will be mapped in VLAN 50 on the switch. This works properly. Every other user should be mapped in VLAN 999, my guest-vlan. I try this with a DEFAULT-entry, but this does not work, the switch does not accept any other user, in my case user nobody is unauthorized for my authenticator. My other configuration files are seen at the end of this text. Thanks in advance... Robert My entire users file: ====================== hugo User-Password == "hugo01" # line 54 Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 50 DEFAULT Auth-Type := Accept # line 69 Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 999 My radiusd output for user nobody, (my authenticator do not accept this): ========================================================================== rad_recv: Access-Request packet from host 10.187.0.15:1645, id=218, length=127 NAS-IP-Address = 10.187.0.15 NAS-Port = 50103 NAS-Port-Type = Ethernet User-Name = "nobody" Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0203000b016e6f626f6479 Message-Authenticator = 0x48b3cb8e3c0c39e55e33121529f28c7d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 3 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 69 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Sending Access-Accept of id 218 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "999" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 218 with timestamp 4472b042 Nothing to do. Sleeping until we see a request. My radiusd output for user hugo (that works, accepted from authenticator): ========================================================================== rad_recv: Access-Request packet from host 10.187.0.15:1645, id=215, length=123 NAS-IP-Address = 10.187.0.15 NAS-Port = 50103 NAS-Port-Type = Ethernet User-Name = "hugo" Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x02000009016875676f Message-Authenticator = 0xc8b883765bb2789fe6eac6542635ab5c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry hugo at line 54 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 215 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc95b59f55ecae07a3f817b60bfa8f6a5 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.187.0.15:1645, id=216, length=138 NAS-IP-Address = 10.187.0.15 NAS-Port = 50103 NAS-Port-Type = Ethernet User-Name = "hugo" Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc95b59f55ecae07a3f817b60bfa8f6a5 EAP-Message = 0x020100060304 Message-Authenticator = 0x802ecba91167f7fc5bec047d099a492b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry hugo at line 54 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/md5 rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 216 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x010200160410d9fe422e4ec87bdd6789e712124f70e7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x41f8f0e651189f71392e9acc4206fa15 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.187.0.15:1645, id=217, length=158 NAS-IP-Address = 10.187.0.15 NAS-Port = 50103 NAS-Port-Type = Ethernet User-Name = "hugo" Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" Service-Type = Framed-User Framed-MTU = 1500 State = 0x41f8f0e651189f71392e9acc4206fa15 EAP-Message = 0x0202001a0410a130883073b273fecdbbd25be5b1e0796875676f Message-Authenticator = 0x59b3fc40c7b1f1430ffd68be05001e7f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 26 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry hugo at line 54 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 2 modcall: leaving group authenticate (returns ok) for request 2 Sending Access-Accept of id 217 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "50" EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "hugo" Finished request 2 Going to the next request Waking up in 6 seconds... My entire eap.conf: ====================== eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } mschapv2 { } } My entire radiusd.conf: ======================== prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}" } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } Viel oder wenig? Schnell oder langsam? Unbegrenzt surfen + telefonieren ohne Zeit- und Volumenbegrenzung? DAS TOP ANGEBOT JETZT bei Arcor: günstig und schnell mit DSL - das All-Inclusive-Paket für clevere Doppel-Sparer, nur 44,85 inkl. DSL- und ISDN-Grundgebühr! http://www.arcor.de/rd/emf-dsl-2
Hi,
I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco Catalyst Switch 3750 as authenticator and i want that user hugo will be mapped in VLAN 50 on the switch. This works properly.
Every other user should be mapped in VLAN 999, my guest-vlan. I try this with a DEFAULT-entry, but this does not work, the switch does not accept any other user, in my case user nobody is unauthorized for my authenticator.
those who dont have dot1x supplicant wouldnt be able to be put onto this VLAN though as there would be no do1x exchange...surely? surely using the built in guest VLAN facility of the switch itself is the best way to achieve this aim? eg in the interface configuration dot1x guest-vlan 999 ? alan
robiwan@arcor.de wrote:
Dear all,
I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco Catalyst Switch 3750 as authenticator and i want that user hugo will be mapped in VLAN 50 on the switch. This works properly.
Every other user should be mapped in VLAN 999, my guest-vlan. I try this with a DEFAULT-entry, but this does not work, the switch does not accept any other user, in my case user nobody is unauthorized for my authenticator.
My other configuration files are seen at the end of this text.
Thanks in advance... Robert
My entire users file: ======================
hugo User-Password == "hugo01" # line 54 Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 50
DEFAULT Auth-Type := Accept # line 69 Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 999
You've overridden Auth-Type. Don't do that. Just this is what you want: DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 999
My radiusd output for user nobody, (my authenticator do not accept this): ==========================================================================
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=218, length=127 NAS-IP-Address = 10.187.0.15 NAS-Port = 50103 NAS-Port-Type = Ethernet User-Name = "nobody" Called-Station-Id = "00-14-69-5B-8B-03" Calling-Station-Id = "00-0B-5D-84-AE-CA" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0203000b016e6f626f6479 Message-Authenticator = 0x48b3cb8e3c0c39e55e33121529f28c7d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 3 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 69 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Sending Access-Accept of id 218 to 10.187.0.15 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "999" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 218 with timestamp 4472b042 Nothing to do. Sleeping until we see a request.
So, having overridden auth-type, the radius server just returns accept instead of an EAP-Challenge, which will probably be confusing the switch or supplicant no end. You will have to put the password for "nobody" in the users file (and any other users). EAP-MD5 is a challenge/response method, and the server will need to know the password to validate the response and send the correct reply.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Phil Mayers -
robiwan@arcor.de