Dot1x on cisco 3560
Hi i have problems again with authentication , i trying to use freeradius and cisco 802.1x. Windows said authentication error. This is my users file: xxxx Cleartext-Password := "PPPPPl" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" yyy User-Password == "KKKK" DEFAULT Auth-Type := Reject I´m fallowing this doc http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html This is my freeradius -X -A -d /etc/freeradius Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 User-Name = "omar" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-17-94-97-D9-07" Calling-Station-Id = "00-1A-92-70-A0-59" EAP-Message = 0x02020009016f6d6172 Message-Authenticator = 0x549dffe0deb75cea25112692b8e6091e NAS-Port = 50005 NAS-Port-Type = Ethernet NAS-IP-Address = 172.29.11.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "omar", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry omar at line 219 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 60 to 172.29.11.1:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb307e1b51eedc6cc895b65e64bcd34a3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 Sending duplicate reply to client authenticator-short-name:21645 - ID: 60 Re-sending Access-Challenge of id 60 to 172.29.11.1:21645 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 60 with timestamp 481178e6 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 User-Name = "omar" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-17-94-97-D9-07" Calling-Station-Id = "00-1A-92-70-A0-59" EAP-Message = 0x02020009016f6d6172 Message-Authenticator = 0x549dffe0deb75cea25112692b8e6091e NAS-Port = 50005 NAS-Port-Type = Ethernet NAS-IP-Address = 172.29.11.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "omar", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 users: Matched entry omar at line 219 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 60 to 172.29.11.1:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0103001604100d0ce983971e4ed535cc6e85aa3bfb03 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x823bfbd94e10855a70a8868a41ee4805 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 Sending duplicate reply to client authenticator-short-name:21645 - ID: 60 Re-sending Access-Challenge of id 60 to 172.29.11.1:21645 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 60 with timestamp 481178ed Nothing to do. Sleeping until we see a request. -- Xgalaga se disfruta más sobre NetBSD sparc64 Content Rules: ///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
Hi,
Hi i have problems again with authentication , i trying to use freeradius and cisco 802.1x. Windows said authentication error. This is my users file:
xxxx Cleartext-Password := "PPPPPl" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
yyy User-Password == "KKKK"
DEFAULT Auth-Type := Reject
this is for users to log into the admin interface of the switch - or are you trying to configure the switch such that end users need to 802.1X to get a network via a switchport access interface on the switch? if its the former, then read the cisco 802.1X docs to ensure your IOS is configured properly. dont quote some random old 3rd party URL if it the latter then clear text passwords dont work with PEAP you need to use NT-hashes alan
On Fri, Apr 25, 2008 at 9:15 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
this is for users to log into the admin interface of the switch - or are you trying to configure the switch such that end users need to 802.1X to get a network via a switchport access interface on the switch?
I´m trying to configure a switchport access interface on the switch.
if its the former, then read the cisco 802.1X docs to ensure your IOS is configured properly. dont quote some random old 3rd party URL
I think it is properly configure i also follow http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... And i think problem is on radius users file.
if it the latter then clear text passwords dont work with PEAP you need to use NT-hashes
I using MD5 challange on windows autentication, i need put NT-HASH on users file? Anyone has 802.1x configured with free radius? -- Xgalaga se disfruta más sobre NetBSD sparc64 Content Rules: ///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
Hi,
I using MD5 challange on windows autentication, i need put NT-HASH on users file?
Anyone has 802.1x configured with free radius?
yes - 2,000 edge ports and 360 APs. dealing with 2,100 concurrent users. how are you doing MD5 challenge on windows authentication, 3rd party supplicant? alan
On Fri, Apr 25, 2008 at 9:45 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I using MD5 challange on windows autentication, i need put NT-HASH on users file?
Anyone has 802.1x configured with free radius?
yes - 2,000 edge ports and 360 APs. dealing with 2,100 concurrent users.
how are you doing MD5 challenge on windows authentication, 3rd party supplicant?
I´m using windows XP SP 2 suplicant. Are you using certificates? or MD5 challenge ? I think that you are using LDAP or MySQL to manage your users. What do you have in your users files. Thanks again :). -- Xgalaga se disfruta más sobre NetBSD sparc64 Content Rules: ///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
Hi,
Are you using certificates? or MD5 challenge ?
PEAPv0/EAP-MSCHAPv2
I think that you are using LDAP or MySQL to manage your users.
thanks for guessing. but no, we use Active Directory with ntlm_auth
What do you have in your users files.
very very little. and at this point in time your users file is almost useless because the FreeRADIUS is not getting any responses from the switch. whats your IOS config? do you have the 'pap' module enabled too? that deals with Cleartext-Password conversions. heck, why not break all and set your users config to MD5-Password == "blah" ? alan
Hi, ignore my question about MD5 - too ealry int he day ;-) yes, windows standard OS uspplicant will do MD5 on the wired as an EAP-Type. though why you'd use MD5 is beyond me as its totally broken ;-) alan
Hi,
xxxx Cleartext-Password := "PPPPPl" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this sort of stuff it for admin access to the switch
Sending Access-Challenge of id 60 to 172.29.11.1:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb307e1b51eedc6cc895b65e64bcd34a3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 Sending duplicate reply to client authenticator-short-name:21645 - ID: 60 Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
lots of these. looks like FR is sending challenges but the switch is not responding. whats your IOS config look like? if you 'debug aaa' on the switch can you see stuff happening at all? alan
On Fri, Apr 25, 2008 at 9:51 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
xxxx Cleartext-Password := "PPPPPl" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this sort of stuff it for admin access to the switch
Sending Access-Challenge of id 60 to 172.29.11.1:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb307e1b51eedc6cc895b65e64bcd34a3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 Sending duplicate reply to client authenticator-short-name:21645 - ID: 60 Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
lots of these. looks like FR is sending challenges but the switch is not responding. whats your IOS config look like? if you 'debug aaa' on the switch can you see stuff happening at all?
Mmmm is curious: 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned. 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding. Using debug in AAA on my switch. I have this radius settings on my cisco switch: #sh run | include radius aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3 radius-server key mecago # Any other line could be necessary ? I´m using MD5 challenge because i´m testing and i don´t want deploy certificates or certificate server. Are you using MS certificate Server with FR? -- Xgalaga se disfruta más sobre NetBSD sparc64 Content Rules: ///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
I'd have something like: radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key <shared-secret> radius-server timeout 2 radius-server deadtime 1 radius-server vsa send authentication ! aaa new-model ! ! aaa group server radius RADIUS-SERVERS server 192.168.1.50 auth-port 1812 acct-port 1813 ! aaa authentication dot1x default group RADIUS-SERVERS aaa accounting dot1x default start-stop group RADIUS-SERVERS ! dot1x system-auth-control dot1x guest-vlan supplicant ! int fa0/1 dot1x pae authenticator dot1x port-control auto dot1x host-mode multi-host dot1x timeout quiet-period 5 dot1x timeout server-timeout 5 dot1x timeout reauth-period server dot1x timeout tx-period 5 dot1x timeout supp-timeout 5 dot1x max-req 1 dot1x max-reauth-req 1 dot1x reauthentication dot1x guest-vlan 100 dot1x auth-fail vlan 100
-----Original Message----- From: freeradius-users- bounces+s.p.armitage=lboro.ac.uk@lists.freeradius.org [mailto:freeradius-users- bounces+s.p.armitage=lboro.ac.uk@lists.freeradius.org] On Behalf Of Omar Lopez Limonta Sent: 25 April 2008 09:36 To: FreeRadius users mailing list Subject: Re: Dot1x on cisco 3560
On Fri, Apr 25, 2008 at 9:51 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
xxxx Cleartext-Password := "PPPPPl" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this sort of stuff it for admin access to the switch
Sending Access-Challenge of id 60 to 172.29.11.1:21645 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb307e1b51eedc6cc895b65e64bcd34a3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123 Sending duplicate reply to client authenticator-short-name:21645 - ID: 60 Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
lots of these. looks like FR is sending challenges but the switch is not responding. whats your IOS config look like? if you 'debug aaa' on the switch can you see stuff happening at all?
Mmmm is curious: 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned. 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding. Using debug in AAA on my switch.
I have this radius settings on my cisco switch:
#sh run | include radius aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3 radius-server key mecago #
Any other line could be necessary ?
I´m using MD5 challenge because i´m testing and i don´t want deploy certificates or certificate server. Are you using MS certificate Server with FR?
-- Xgalaga se disfruta más sobre NetBSD sparc64
Content Rules:
///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Mmmm is curious: 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned. 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding. Using debug in AAA on my switch.
I have this radius settings on my cisco switch:
#sh run | include radius aaa authentication dot1x default group radius aaa authorization network default group radius radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3 radius-server key mecago
very sparse....what about eg radius-server retransmit 2 radius-server timeout 2 radius-server deadtime 10 radius-server vsa send authentication what do you have on the edge port for RADIUS? eg timeouts... interface TenGigabitEthernet0/1 dot1x pae authenticator dot1x port-control auto dot1x timeout quiet-period 5 dot1x timeout tx-period 1 dot1x timeout reauth-period server dot1x timeout supp-timeout 1 dot1x timeout server-timeout 5 dot1x max-req 3 dot1x max-reauth-req 1 dot1x guest-vlan XXX dot1x reauthentication dot1x auth-fail vlan XXX <SNIP> ! alan
On Fri, Apr 25, 2008 at 11:14 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
very sparse....what about eg
radius-server retransmit 2 radius-server timeout 2 radius-server deadtime 10
radius-server vsa send authentication
No with your AAA configs i don´t get %RADIUS-4-RADIUS_DEAD or any other error on debug via syslog.
what do you have on the edge port for RADIUS? eg timeouts...
interface FastEthernet0/5 switchport access vlan 2 switchport mode access dot1x pae authenticator dot1x port-control auto spanning-tree portfast ! Any other ideas? -- Xgalaga se disfruta más sobre NetBSD sparc64 Content Rules: ///// \\\/// ///\\\ The Duke of Url. { O--O } / /\ \ \ -- / [||]
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Omar Lopez Limonta -
Scott Armitage