Cisco IOS authentication to Freeradius that is linked to AD
Hello, I am new to freeradius so please go easy on me :) Here is what I am trying to do. I am trying to get my Cisco switches to authenticate a user with full permissions "lvl 15" by using freeradius that is linked to AD. Using AD credentials Below are the configs: Switch Config: aaa group server radius FreeRadius server name ppsauth1 ip radius source-interface GigabitEthernet1/0/50 ! ! ! radius-server attribute 6 mandatory ! radius server ppsauth1 address ipv4 10.15.0.51 auth-port 1812 acct-port 1813 key 7 15060E1F107B7977 ! Switch Debugs: test aaa group FreeRadius username password legacy Attempting authentication test to server-group FreeRadius using radius 000175: Feb 22 10:47:38: AAA: parse name=<no string> idb type=-1 tty=-1 000176: Feb 22 10:47:38: AAA/MEMORY: create_user (0x8C41E4C) user='username' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII servi) 000177: Feb 22 10:47:38: RADIUS: Pick NAS IP for u=0x8C41E4C tableid=0 cfg_addr=0.0.0.0 000178: Feb 22 10:47:38: RADIUS(00000000): Config NAS IPv6: :: 000179: Feb 22 10:4User authentication request was rejected by server. TTC-GREG2#7:38: RADIUS: ustruct sharecount=1 000180: Feb 22 10:47:38: Radius: radius_port_info() success=0 radius_nas_port=1 000181: Feb 22 10:47:38: RADIUS/ENCODE: Best Local IP-Address 192.168.160.47 for Radius-Server 10.15.0.51 000182: Feb 22 10:47:38: RADIUS(00000000): Send Access-Request to 10.15.0.51:1812 onvrf(0) id 1645/8, len 59 000183: Feb 22 10:47:38: RADIUS: authenticator 5F D8 9A 26 5E 67 09 AC - E8 D9 4F 9C F9 36 D5 24 000184: Feb 22 10:47:38: RADIUS: NAS-IP-Address [4] 6 192.168.160.47 TTC-GREG2# 000185: Feb 22 10:47:38: RADIUS: NAS-Port-Type [61] 6 Async [0] 000186: Feb 22 10:47:38: RADIUS: User-Name [1] 9 "username" 000187: Feb 22 10:47:38: RADIUS: User-Password [2] 18 * 000188: Feb 22 10:47:38: RADIUS(00000000): Sending a IPv4 Radius Packet 000189: Feb 22 10:47:38: RADIUS(00000000): Started 5 sec timeout 000190: Feb 22 10:47:39: RADIUS: Received from id 1645/8 10.15.0.51:1812, Access-Reject, len 20 000191: Feb 22 10:47:39: TTC-GREG2# RADIUS: authenticator FC F7 1D 2F 38 08 3A 52 - 80 4D 13 7C 9A E9 C1 B7 000192: Feb 22 10:47:39: RADIUS: saved authorization data for user 8C41E4C at 0 000193: Feb 22 10:47:39: AAA/MEMORY: free_user (0x8C41E4C) user='username' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN) Server Info:FreeRadius server running on Ubuntu 18.04 LTS tcpdump: tcpdump -i ens160 -vvv port 1812 tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes 10:52:36.760284 IP (tos 0x0, ttl 254, id 338, offset 0, flags [none], proto UDP (17), length 87) TTC-GREG.portageps.org.datametrics > ppsauth1.portageps.org.radius: [udp sum ok] RADIUS, length: 59 Access-Request (1), id: 0x0a, Authenticator: d77adf09bca33bbc3c9a22d8e057b5d0 NAS-IP-Address Attribute (4), length: 6, Value: TTC-GREG.portageps.org 0x0000: c0a8 a02f NAS-Port-Type Attribute (61), length: 6, Value: Async 0x0000: 0000 0000 User-Name Attribute (1), length: 9, Value: username 0x0000: 6773 7475 6172 74 User-Password Attribute (2), length: 18, Value: 0x0000: 40ee d3ca 65d6 b7a6 48fe 9f81 3460 b73f 10:52:37.761280 IP (tos 0x0, ttl 64, id 64656, offset 0, flags [none], proto UDP (17), length 48) ppsauth1.portageps.org.radius > TTC-GREG.portageps.org.datametrics: [bad udp cksum 0x6b47 -> 0xf8e3!] RADIUS, length: 20 Access-Reject (3), id: 0x0a, Authenticator: 096e874b36ae47c55b81fa012f1ff749 Tail of Radius Log: tail -f radius.log ri Feb 22 10:49:38 2019 : Auth: (77) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSwitch por t 0) Fri Feb 22 10:49:54 2019 : Auth: (78) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSw itch port 0) Fri Feb 22 10:50:02 2019 : Auth: (79) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSw itch port 0) Fri Feb 22 10:51:58 2019 : Auth: (80) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSw itch port 0) Fri Feb 22 10:52:36 2019 : Auth: (81) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSw itch port 0) freeradius -X output: eady to process requests (0) Received Access-Request Id 11 from 192.168.160.47:1645 to 10.15.0.51:1812 length 59 (0) NAS-IP-Address = 192.168.160.47 (0) NAS-Port-Type = Async (0) User-Name = "username" (0) User-Password = "password" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "username", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> username (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [username/password] (from client LabSwitch port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 11 from 10.15.0.51:1812 to 192.168.160.47:1645 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 11 with timestamp +5 Any help would be appreciated. Again what I am trying to do, is log into a cisco switch using my AD credentials. I have a freeradius server that is linked to AD. The link to AD has been confirmed to work. Thank you.
On Feb 22, 2019, at 11:00 AM, Greg Stuart <gstuart@portageps.org> wrote:
I am new to freeradius so please go easy on me :) Here is what I am trying to do. I am trying to get my Cisco switches to authenticate a user with full permissions "lvl 15" by using freeradius that is linked to AD. Using AD credentials
Below are the configs:
We don't need to see the switch config or debug output. The FreeRADIUS debug log shows everything we need.
Server Info:FreeRadius server running on Ubuntu 18.04 LTS
tcpdump: ... Tail of Radius Log:
We don't need those, either. You get a message when you join the list. That message tells you what we *do* need, and what you *should not* post. Please read it.
freeradius -X output: eady to process requests (0) Received Access-Request Id 11 from 192.168.160.47:1645 to
With lots of stuff deleted...
Any help would be appreciated. Again what I am trying to do, is log into a cisco switch using my AD credentials. I have a freeradius server that is linked to AD. The link to AD has been confirmed to work.
What do you mean "linked to AD"? That the FreeRADIUS machine has joined the AD domain? That's nice, but FreeRADIUS doesn't know that. There's no magic in the server (or OS) saying "look users up in AD" The issuer here is that you haven't configured FreeRADIUS to do anything with AD. i.e. it doesn't use LDAP or ntlm_auth to authenticate the users. That's why it's rejecting the users. Please read my documentation on AD integration: http://deployingradius.com/documents/configuration/active_directory.html If you look through the config files for "Active Directory", you will see a number of comments with what to do, and what to configure. Those should help, too. Alan DeKok.
participants (2)
-
Alan DeKok -
Greg Stuart