Help needed configuring MAB on FreeRADIUS and Cisco switch
Hi, I've created a server running CentOS 6.2 and FreeRADIUS 2.1.10-5. I also have installed the latest DaloRADIUS on the system to provide a web UI since ultimately that is where people will be provisioning systems from of which I believe it is installed correctly. I also have a Cisco 3560G switch of which my aim is to create a dynamic way of allocating VLANs similarly to VMPS, only by using modern standards. So far amongst others I have been following these pages: http://wiki.freeradius.org/Cisco http://wiki.freeradius.org/Mac-Auth My configuration in the Cisco switch is attached: In regards to the RADIUS config, I have these tables on MySQL: +------------------------+ | Tables_in_radius | +------------------------+ | batch_history | | billing_history | | billing_merchant | | billing_paypal | | billing_plans | | billing_plans_profiles | | billing_rates | | cui | | dictionary | | hotspots | | invoice | | invoice_items | | invoice_status | | invoice_type | | nas | | node | | operators | | operators_acl | | operators_acl_files | | payment | | payment_type | | proxys | | radacct | | radcheck | | radgroupcheck | | radgroupreply | | radhuntgroup | | radippool | | radpostauth | | radreply | | radusergroup | | realms | | userbillinfo | | userinfo | | wimax | +------------------------+ This is what clients.conf shows: client switch1 { ipaddr = 10.0.0.1 secret = pass } My sql.conf file has these lines in it: sql { # # Set the database to one of: # # mysql, mssql, oracle, postgresql # database = "mysql" # # Which FreeRADIUS driver to use. # driver = "rlm_sql_${database}" # Connection info: server = "localhost" #port = 3306 # login = "radius" # password = "radpass" login = "root" The username for the SQL server is root and no password has been set: this is ok as the server is not connected to any network other then the switch which is also not connected to anything!! In DaloRADIUS I created a user using the MAC address of my test laptop of which I then added the: AUTH-TYPE field as ACCEPT; EGRESS-VLANID field as 10; EGRESS-VLAN NAME as TEST_VLAN Unfortunately this hasn't worked and I am definitely missing something here but what I'm not sure. I am not very familiar with RADIUS (still learning) and through the documentation I have been reading running any of the Cisco debug commands or sh radius stuff didn't really tell me if the switch was even linked to the server. I additionally don't see anything in any of the RADIUS logs either....... This is all I get: # cat radius.log Tue Jul 10 12:11:17 2012 : Info: Loaded virtual server inner-tunnel Tue Jul 10 12:11:17 2012 : Info: Loaded virtual server <default> Tue Jul 10 12:11:17 2012 : Info: Ready to process requests. Wed Jul 11 10:46:02 2012 : Info: Exiting normally. Wed Jul 11 10:46:02 2012 : Info: Loaded virtual server inner-tunnel Wed Jul 11 10:46:02 2012 : Info: Loaded virtual server <default> Wed Jul 11 10:46:02 2012 : Info: Ready to process requests. Wed Jul 11 11:01:47 2012 : Info: Exiting normally. I have even tried running radiusd -sX and radiusd -X which did not print ANY debug output whatsoever :-( Can anybody help me in getting started trying to figure out the problem? Regards, Kaya
Hi, you have defined the usual bits eg aaa new-model ! ! aaa authentication dot1x default group radius aaa accounting dot1x default start-stop group radius aaa accounting dot1x system start-stop group radius and you've got a radius-server entry with your RADIUS IP and some settings... but you are missing something - and i'm sure the switch logs would say so - or at least they would with some debug enabled: aaa group server radius XXXXXX server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 replace XXXXX with your RADIUS group name and xxx.xxx.xxx.xxx with IP of your server alan
On Fri, Jul 13, 2012 at 8:09 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
you have defined the usual bits eg
aaa new-model ! ! aaa authentication dot1x default group radius aaa accounting dot1x default start-stop group radius aaa accounting dot1x system start-stop group radius
and you've got a radius-server entry with your RADIUS IP and some settings... but you are missing something - and i'm sure the switch logs would say so - or at least they would with some debug enabled:
aaa group server radius XXXXXX server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
replace XXXXX with your RADIUS group name and xxx.xxx.xxx.xxx with IP of your server
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks so much Alan for the config posting. I have tried with your config and also changed all my 'aaa' strings to include the radius group 'test' which I renamed things to. Unfortunately there is still no information being propogated to the server??? The server has 4 NICs, only 2 of which are configured and have static IP's. Radius claims to be listening on 'all' ports for the acct and auth. I have rebooted the server and checked for any firewall intervention and all seems good. Issuing 'radius -X' still isn't showing anything :-( I have no idea where the issue lies. If it is a switch issue then I have gone through all the necessary docuementation regarding my switch model: Cisco 3560G with POE: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... http://daemonkeeper.net/638/configure-mac-based-vlan-assignment-with-freerad... http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configurati... http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_examp... and either the switch simply isn't sending RADIUS information; or the server simply is ignoring the requests or not listening for them???? Radius can't be this hard to get working can it? Regards, Kaya
Hi,
Issuing 'radius -X' still isn't showing anything :-(
radiusd -X ? please ensure you are trying to runt he right command.... if you dont see anything on the output when client connection attempts are made, then you have a problem elsewhere on the network or on the NAS.... you could try running tcpdump -eqntl -i ethX port 1812 (replace ethX with the name of your interface on which packets should be arriving) you can also turn on debuggin on your NAS - cisco kit has quite extensive 802.1X debugging - you should then see it sending traffic.... I suspect you may have an ACL between the management level of the switches and your server.
Radius can't be this hard to get working can it?
the bit you are doing should be easy. the hard part is authentication and policy. alan
On Mon, Jul 16, 2012 at 9:20 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Issuing 'radius -X' still isn't showing anything :-(
radiusd -X ?
please ensure you are trying to runt he right command....
Sorry that was a typo!! This is the output I get when command run: radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
if you dont see anything on the output when client connection attempts are made, then you have a problem elsewhere on the network or on the NAS.... you could try running
tcpdump -eqntl -i ethX port 1812
(replace ethX with the name of your interface on which packets should be arriving)
Unforutnately I can't run this as the server isn't connected to the internet or any other type of network, meaning that I can't install it! I guess using a USB stick I might be able to install the RPM for it and dependencies, actually I will do this...... The setup is as such: RADIUS Server <-> switch <-> laptop The way the system is now I doubt it would show anything anyway??
you can also turn on debuggin on your NAS - cisco kit has quite extensive 802.1X debugging - you should then see it sending traffic.... I suspect you may have an ACL between the management level of the switches and your server.
i tried this, I used 'debug radius verbose' but the log doesn't come up with anything at all; just: The log just shows this: No Inactive Message Discriminator. Console logging: level debugging, 14 messages logged, xml disabled, filtering disabled Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled Buffer logging: level debugging, 14 messages logged, xml disabled, filtering disabled Exception Logging: size (4096 bytes) Count and timestamp logging messages: disabled File logging: disabled Persistent logging: disabled No active filter modules. Trap logging: level informational, 17 message lines logged Log Buffer (4096 bytes): *Mar 1 00:01:13.928: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down *Mar 1 00:01:15.757: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan *Mar 1 00:01:19.398: %SYS-5-CONFIG_I: Configured from memory by console *Mar 1 00:01:20.421: %SYS-5-RESTART: System restarted -- Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3) Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Fri 25-Sep-09 08:13 by sasyamal *Mar 1 00:01:20.438: %SSH-5-ENABLED: SSH 1.99 has been enabled *Mar 1 00:01:22.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up *Mar 1 00:01:23.433: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up *Mar 1 00:01:24.506: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to up *Mar 1 00:01:24.800: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up *Mar 1 00:01:25.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up *Mar 1 00:02:36.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down *Mar 1 00:02:40.591: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down *Mar 1 00:02:43.141: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to up *Mar 1 00:02:44.148: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to up which basically tells me that the vlan and interfaces are up and that's all??
Radius can't be this hard to get working can it?
the bit you are doing should be easy. the hard part is authentication and policy.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I did change this on the switch from: aaa authentication dot1x default group radius group test aaa authorization network default group radius group test aaa accounting dot1x default start-stop group radius group test aaa accounting dot1x system start-stop group radius group test aaa accounting network default start-stop group radius group test to: aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius aaa accounting dot1x system start-stop group radius aaa accounting network default start-stop group radius but with no luck as per above :-( Regards, Kaya
Hi,
i tried this, I used 'debug radius verbose' but the log doesn't come up with anything at all; just:
debug mab all debug dot1x all however, you are just doing MAB IIRC - and thats just like PAP - very basic and simple.... and I'm sure you also have to add 'mab' to your interface config eg int gi0/1 switchport mode access authentication order mab webauth mab spanning-tree portfast alan
On Mon, Jul 16, 2012 at 11:03 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
i tried this, I used 'debug radius verbose' but the log doesn't come up with anything at all; just:
debug mab all debug dot1x all
however, you are just doing MAB IIRC - and thats just like PAP - very basic and simple.... and I'm sure you also have to add 'mab' to your interface config eg
int gi0/1 switchport mode access authentication order mab webauth mab spanning-tree portfast
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks a lot Alan!! I think prart of my issue is that in order to have network connectivity with the switch and RADIUS server I was linking the laptop to an uncontrolled RADIUS port..... because of this the switch didn't need to authenticate to the server. I added your extra config and then switched the laptop ports to g0/13 which I was using as my radius test. The output produced from RADIUS was this: Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x64e53078b14461ac3a06055e74f64439 NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 3 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 3 with timestamp +12 Ready to process requests. Now I can have a look at seeing if the config in Daloradius is correct between the username and seeing if there is another method of Auth-Type to choose from additionally. Regards, Kaya
On Mon, Jul 16, 2012 at 11:47 AM, Kaya Saman <kayasaman@gmail.com> wrote:
On Mon, Jul 16, 2012 at 11:03 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
i tried this, I used 'debug radius verbose' but the log doesn't come up with anything at all; just:
debug mab all debug dot1x all
however, you are just doing MAB IIRC - and thats just like PAP - very basic and simple.... and I'm sure you also have to add 'mab' to your interface config eg
int gi0/1 switchport mode access authentication order mab webauth mab spanning-tree portfast
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks a lot Alan!!
I think prart of my issue is that in order to have network connectivity with the switch and RADIUS server I was linking the laptop to an uncontrolled RADIUS port..... because of this the switch didn't need to authenticate to the server.
I added your extra config and then switched the laptop ports to g0/13 which I was using as my radius test. The output produced from RADIUS was this:
Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x64e53078b14461ac3a06055e74f64439 NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 3 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 3 with timestamp +12 Ready to process requests.
Now I can have a look at seeing if the config in Daloradius is correct between the username and seeing if there is another method of Auth-Type to choose from additionally.
Regards,
Kaya
I have changed the attributes from Egress VLAN-ID et el... to these:
Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
under RFC2868! The response from the server is as follows: FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.0.0.1 { ipaddr = 10.0.0.1 require_message_authenticator = no secret = "pass" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=50, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0xc4b3d13e2a258dbe8bdf4baa153c7a5c NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 50 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 50 with timestamp +51 Ready to process requests. For some reason it still isn't authenticating and am not quite sure what am missing or need to change? Regards, Kaya
Hi,
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa"
note those 2 lines - the USer-Name is the MAC address in that format. the passwors is the same.
[eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request:
so, you havent got any module configured for this request - either in users file, or SQL et (in fact, you arent even calling SQL - so if the SQL is all set up, then its not being used....edit your default virtual server to enable SQL functionality..and the dialup.conf with appropriate settings). quick test put this at the top of the 'users' file and restart the server 0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000 alan
On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa"
note those 2 lines - the USer-Name is the MAC address in that format. the passwors is the same.
[eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request:
so, you havent got any module configured for this request - either in users file, or SQL et (in fact, you arent even calling SQL - so if the SQL is all set up, then its not being used....edit your default virtual server to enable SQL functionality..and the dialup.conf with appropriate settings).
quick test
put this at the top of the 'users' file and restart the server
0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Poking around in the radiusd.conf file I checked the section modules which looks like this: [...] # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # The 'instance' is optional. To have two different instances # of a module, it first must be referred to by 'name'. # The different copies of the module are then created by # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration # INSTEAD of the original 'name'. See the 'radutmp' configuration # for an example. # # # As of 2.0.5, most of the module configurations are in a # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/ # are loaded. The modules are initialized ONLY if they are # referenced in a processing section, such as authorize, # authenticate, accounting, pre/post-proxy, etc. # $INCLUDE ${confdir}/modules/ # Extensible Authentication Protocol # # For all EAP related authentications. # Now in another file, because it is very large. # $INCLUDE eap.conf # Include another file that has the SQL-related configuration. # This is another file only because it tends to be big. # $INCLUDE sql.conf # # This module is an SQL enabled version of the counter module. # # Rather than maintaining seperate (GDBM) databases of # accounting info for each counter, this module uses the data # stored in the raddacct table by the sql modules. This # module NEVER does any database INSERTs or UPDATEs. It is # totally dependent on the SQL module to process Accounting # packets. # # $INCLUDE sql/mysql/counter.conf # # IP addresses managed in an SQL table. # # $INCLUDE sqlippool.conf } [...] The modules look like so: raddb]# ls modules/ acct_unique counter dynamic_clients files mac2vlan pap realm unix always cui echo inner-eap mschap passwd smbpasswd wimax attr_filter detail etc_group ippool ntlm_auth perl smsotp attr_rewrite detail.example.com exec linelog opendirectory policy sqlcounter_expire_on_login chap detail.log expiration logintime otp preprocess sql_log checkval digest expr mac2ip pam radutmp sradutmp I don't see a mysql module in there. By placing the entry you suggested at the top of the /etc/raddb/users file and restarting the server I got this: Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x8a054d90202217a1e4d81aa3e5e61f2f NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 104 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 104 with timestamp +13 Ready to process requests. I am assuming that "Tunnel-Private-Group-Id:0 = "3"," means VLAN 3?? If so I should change it to 20 as that's what has been configured on the switch! Regards, Kaya
Hi,
Poking around in the radiusd.conf file I checked the section modules which looks like this:
yes...thats just for the module config - you then need to call that module - ensure that sql is not commented out in sites-enabled/default
The modules look like so:
raddb]# ls modules/ acct_unique counter dynamic_clients files mac2vlan pap realm unix always cui echo inner-eap mschap passwd smbpasswd wimax attr_filter detail etc_group ippool ntlm_auth perl smsotp attr_rewrite detail.example.com exec linelog opendirectory policy sqlcounter_expire_on_login chap detail.log expiration logintime otp preprocess sql_log checkval digest expr mac2ip pam radutmp sradutmp
I don't see a mysql module in there.
correct. the sql module in 2.x is in the top directory (in 3.x its in the modules directory to make it common). the sql.conf file tells you all you need to know - including which dialup.conf file to edit
By placing the entry you suggested at the top of the /etc/raddb/users file and restarting the server I got this:
well, no you didnt...or rather, if you did stick that in the users file then its certainly not the users file that the server is reading. you are editing the live server config and not some extracted archive file?
I am assuming that
"Tunnel-Private-Group-Id:0 = "3","
means VLAN 3??
in Cisco speak , yes
If so I should change it to 20 as that's what has been configured on the switch!
well, yes - that would be what you'd need - except I just used the bit of config that you were already using - and my examples are just examples...i dont know your site requirements or what you are doing. if i didm then this would be consultancy and you'd be paying me lots of money ;-) alan
Hi Alan, sorry for the mishaps yesterday...... On Mon, Jul 16, 2012 at 4:20 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote: [...]
By placing the entry you suggested at the top of the /etc/raddb/users file and restarting the server I got this:
well, no you didnt...or rather, if you did stick that in the users file then its certainly not the users file that the server is reading. you are editing the live server config and not some extracted archive file?
Let's just try to focus on this issue and get a basic system up and running before continuing on - as that is inevitably what you were trying to do :-) Ok so first let's get back to real basics and check where we are in the file system: # cd /etc/raddb # ls acct_users clients.conf policy.conf sql attrs dictionary policy.txt sql.conf attrs.access_challenge eap.conf preproxy_users sqlippool.conf attrs.access_reject example.pl proxy.conf templates.conf attrs.accounting_response hints radiusd.conf users attrs.pre-proxy huntgroups sites-available certs modules sites-enabled # cat users | more 0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000 # # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by I have additionally attached the full file just incase! Let's see in the file system if there are any other files called users which maybe the 'source' of the Radius service: # find / -name users /usr/bin/users /etc/selinux/targeted/contexts/users /etc/raddb/users /var/www/daloradius/contrib/configs/freeradius-1.1.7/cfg1/freeradius/users Will disabling SElinux help, could that be blocking things as it usually does with TFTP??? Regards, Kaya
[...]
# cat users | more 0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
[...] I managed to figure the issue of **authentication** and it's really embarrassing!
From copy/pasting the config there was a 'space' between the <username> attribute and getting rid of it just now the server started accepting the user :-)
Running the suggested debug commands on the switch it is claiming: "authorization failed" "accounting failed" mab failure due to 'dead server' I took the liberty of changing the Tunnel-Private-Group-Id to 20 since I have vlan 1 and 20 configured on the switch I am using in the hope that the laptop would get a DHCP address from the DHCP server configured on the switch, however I think due to the above errors there is something additional which needs to be done. Regards, Kaya
On Tue, Jul 17, 2012 at 2:55 PM, Kaya Saman <kayasaman@gmail.com> wrote:
[...]
# cat users | more 0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
[...]
I managed to figure the issue of **authentication** and it's really embarrassing!
From copy/pasting the config there was a 'space' between the <username> attribute and getting rid of it just now the server started accepting the user :-)
Running the suggested debug commands on the switch it is claiming:
"authorization failed"
"accounting failed"
mab failure due to 'dead server'
I took the liberty of changing the Tunnel-Private-Group-Id to 20 since I have vlan 1 and 20 configured on the switch I am using in the hope that the laptop would get a DHCP address from the DHCP server configured on the switch, however I think due to the above errors there is something additional which needs to be done.
Regards,
Kaya
Finally I managed to get some debug output going and from my highly limited knowledge and experience regarding FreeRADIUS looks like the Server is sending an ACCESS=ACCEPT response however, the switch is either unable to understand (decode??) it or doesn't recieve it at all?? Anyway here is the output: Cisco debug: *Mar 1 04:26:40.472: mab-ev(Gi0/13): Reauthenticating client 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-sm(Gi0/13): Received event 'MAB_REAUTHENTICATE' on handle 0x31000001 *Mar 1 04:26:40.472: mab : during state mab_terminate, got event 2(mabReauthenticate) *Mar 1 04:26:40.472: @@@ mab : mab_terminate -> mab_authorizing *Mar 1 04:26:40.472: mab-ev(Gi0/13): Sending create new context event to EAP from MAB for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: mab-ev(Gi0/13): Attribute (NAS-Identifier) value 1 received for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.472: RADIUS/ENCODE(00000009):Orig. component type = DOT1X *Mar 1 04:26:40.472: RADIUS(00000009): Config NAS IP: 10.0.0.1 *Mar 1 04:26:40.472: RADIUS(00000009): Started 10 sec timeout *Mar 1 04:26:40.489: RADIUS: Received from id 1645/252 10.0.0.90:1812, Access-Accept, len 42 *Mar 1 04:26:40.489: RADIUS/DECODE: Ascend auth type; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: decoder; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: parse response op decode; FAIL *Mar 1 04:26:40.489: RADIUS/DECODE: parse response; FAIL *Mar 1 04:26:40.489: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.0.0.90:1812,1813 is not responding. *Mar 1 04:26:40.489: mab-ev(Gi0/13): MAB received an Access-Reject for 0x31000001 (0015.c553.7baa) *Mar 1 04:26:40.489: %MAB-5-FAIL: Authentication failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.489: mab-sm(Gi0/13): Received event 'MAB_RESULT' on handle 0x31000001 *Mar 1 04:26:40.489: mab : during state mab_authorizing, got event 5(mabResult) *Mar 1 04:26:40.489: @@@ mab : mab_authorizing -> mab_terminate *Mar 1 04:26:40.489: mab-ev(Gi0/13): Deleted credentials profile for 0x31000001 (dot1x_mac_auth_0015c5537baa) *Mar 1 04:26:40.489: mab-ev(Gi0/13): Sending event (2) to AuthMGR for 0015.c553.7baa *Mar 1 04:26:40.489: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.489: %AUTHMGR-5-FAIL: Authorization failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:26:40.547: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.0.0.90:1812,1813 is being marked alive. *Mar 1 04:27:41.197: mab-ev(Gi0/13): Reauthenticating client 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-sm(Gi0/13): Received event 'MAB_REAUTHENTICATE' on handle 0x31000001 *Mar 1 04:27:41.197: mab : during state mab_terminate, got event 2(mabReauthenticate) *Mar 1 04:27:41.197: @@@ mab : mab_terminate -> mab_authorizing *Mar 1 04:27:41.197: mab-ev(Gi0/13): Sending create new context event to EAP from MAB for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: mab-ev(Gi0/13): Attribute (NAS-Identifier) value 1 received for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.197: RADIUS/ENCODE(00000009):Orig. component type = DOT1X *Mar 1 04:27:41.197: RADIUS(00000009): Config NAS IP: 10.0.0.1 *Mar 1 04:27:41.197: RADIUS(00000009): Started 10 sec timeout *Mar 1 04:27:41.214: RADIUS: Received from id 1645/253 10.0.0.90:1812, Access-Accept, len 42 *Mar 1 04:27:41.214: RADIUS/DECODE: Ascend auth type; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: decoder; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: parse response op decode; FAIL *Mar 1 04:27:41.214: RADIUS/DECODE: parse response; FAIL *Mar 1 04:27:41.214: mab-ev(Gi0/13): MAB received an Access-Reject for 0x31000001 (0015.c553.7baa) *Mar 1 04:27:41.214: %MAB-5-FAIL: Authentication failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:27:41.214: mab-sm(Gi0/13): Received event 'MAB_RESULT' on handle 0x31000001 *Mar 1 04:27:41.214: mab : during state mab_authorizing, got event 5(mabResult) *Mar 1 04:27:41.214: @@@ mab : mab_authorizing -> mab_terminate *Mar 1 04:27:41.214: mab-ev(Gi0/13): Deleted credentials profile for 0x31000001 (dot1x_mac_auth_0015c5537baa) *Mar 1 04:27:41.214: mab-ev(Gi0/13): Sending event (2) to AuthMGR for 0015.c553.7baa *Mar 1 04:27:41.214: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 *Mar 1 04:27:41.214: %AUTHMGR-5-FAIL: Authorization failed for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 FreeRADIUS radiusd -X output: rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=223, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x47ebb33764e906b2adedb9e599083ff1 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 223 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 223 with timestamp +92 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=224, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0xf7b91a130b97cdd1d414383ca7bc92e6 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 224 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 224 with timestamp +153 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=225, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0xe5a0a2da63073867e6e104d09a51e28e Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 225 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 225 with timestamp +213 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=226, length=211 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x96f6df8c1e73330407cb7c9408ba8851 Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352" NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "0015c5537baa" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 0015c5537baa at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "0015c5537baa" [pap] Using clear text password "0015c5537baa" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 226 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 4. Going to the next request Waking up in 4.9 seconds. Cleaning up request 4 ID 226 with timestamp +274 Ready to process requests. The configuration hasn't changed as I was apprehensive about altering it, though I have attempted to adjust the switch timers after Google'ing the: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID 0A0000010000000100DEC072 line which showed up prior to me running the debug commands...... So now for my Cisco lines I have this: radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast According to what I read I tried different values in addition: http://routerdiscussions.com/viewtopic.php?f=8&t=13364 http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/1... http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/1... At present I don't understand if the issue is with the RADIUS server config or the switch config, from here: [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 226 to 10.0.0.1 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "20" Tunnel-Preference:0 = 0 Finished request 4. I see that the server is authenticating (finally) and sending the information after the Access-Accept line, however, I do notice that there is no 'tunnel' being created between the switch and Radius server..... should there even be? Regards, Kaya
So now for my Cisco lines I have this:
radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication
interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast
Though resetting them to the config I had originally doesn't seem to make any difference either??
Hi,
radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication
interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast
no dot1x system-auth-control ?? i'd recommend reading the cisco 802.1X guides - the RADIUS server is doing its job. the switch isnt. alan
On Thu, Jul 19, 2012 at 10:20 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication
interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast
no
dot1x system-auth-control
??
i'd recommend reading the cisco 802.1X guides - the RADIUS server is doing its job. the switch isnt.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Alan for the response and patience with me :-) I have gone through quite a bit of dot1x guides, mainly: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/1... which is relevant to my switch model and IOS image. This is my Cisco config: ! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Switch ! boot-start-marker boot-end-marker ! logging file flash:mab.txt 256000 debugging enable password admin ! username admin privilege 15 password 0 admin ! ! aaa new-model ! ! aaa group server radius test server 10.0.0.90 auth-port 1812 acct-port 1813 ! aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting delay-start aaa accounting dot1x default start-stop group radius aaa accounting dot1x system start-stop group radius aaa accounting network default start-stop group radius ! ! ! aaa session-id common system mtu routing 1500 authentication mac-move permit mab request format attribute 32 vlan access-vlan ip subnet-zero ! ip dhcp pool dpool1 network 10.0.0.0 255.255.255.0 ! ip dhcp pool dpool20 network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 ! ! ! ! crypto pki trustpoint TP-self-signed-2405477248 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2405477248 revocation-check none rsakeypair TP-self-signed-2405477248 ! ! crypto pki certificate chain TP-self-signed-2405477248 certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer dot1x system-auth-control ! ! ! archive log config logging enable spanning-tree mode pvst spanning-tree etherchannel guard misconfig spanning-tree extend system-id ! vlan internal allocation policy ascending ! ! ! ! interface GigabitEthernet0/1 switchport mode access spanning-tree portfast ! interface GigabitEthernet0/2 ! interface GigabitEthernet0/3 ! interface GigabitEthernet0/4 ! interface GigabitEthernet0/5 ! interface GigabitEthernet0/6 ! interface GigabitEthernet0/7 ! interface GigabitEthernet0/8 ! interface GigabitEthernet0/9 ! interface GigabitEthernet0/10 ! interface GigabitEthernet0/11 ! interface GigabitEthernet0/12 ! interface GigabitEthernet0/13 switchport mode access authentication event server alive action reinitialize authentication open authentication order mab authentication priority mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 1200 mab dot1x pae authenticator dot1x timeout tx-period 6 spanning-tree portfast ! interface GigabitEthernet0/14 ! interface GigabitEthernet0/15 ! interface GigabitEthernet0/16 ! interface GigabitEthernet0/17 ! interface GigabitEthernet0/18 ! interface GigabitEthernet0/19 ! interface GigabitEthernet0/20 ! interface GigabitEthernet0/21 ! interface GigabitEthernet0/22 ! interface GigabitEthernet0/23 ! interface GigabitEthernet0/24 ! interface GigabitEthernet0/25 ! interface GigabitEthernet0/26 ! interface GigabitEthernet0/27 ! interface GigabitEthernet0/28 ! interface Vlan1 ip address 10.0.0.1 255.255.255.0 ! interface Vlan20 ip address 10.10.10.1 255.255.255.0 ! ip classless ip http server ip http secure-server ! ! ip radius source-interface Vlan1 ip sla enable reaction-alerts ! radius-server dead-criteria time 30 tries 3 radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass radius-server retransmit 6 radius-server timeout 10 radius-server vsa send accounting radius-server vsa send authentication ! ! line con 0 logging synchronous line vty 0 4 transport input telnet line vty 5 15 transport input telnet ! end As can bee seen it does include the dot1x system-auth-control..... I am even considering an upgrade of IOS to version 15.0 (if my switch will run it) as older IOS images tend to occassionally have issues with certain things I have found?? Regards, Kaya
Hi,
I am even considering an upgrade of IOS to version 15.0 (if my switch will run it) as older IOS images tend to occassionally have issues with certain things I have found??
havr been happily doing MAB and 802.1x on cisco switches running 12.1 and 12.2 as well as 15. FreeRADIUS , from your logs, is doing its job - sending back an Access Accept if you have made some other random changes then perhaps a required attribute is being filtered out - out of the box, the config works. this isnt a RADIUS issue as far as i can see - its a cisco issu e- so please go to some cisco mailing lists...this list isnt a cisco support list alan
On Thu, Jul 19, 2012 at 11:02 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I am even considering an upgrade of IOS to version 15.0 (if my switch will run it) as older IOS images tend to occassionally have issues with certain things I have found??
havr been happily doing MAB and 802.1x on cisco switches running 12.1 and 12.2 as well as 15.
FreeRADIUS , from your logs, is doing its job - sending back an Access Accept
if you have made some other random changes then perhaps a required attribute is being filtered out - out of the box, the config works.
this isnt a RADIUS issue as far as i can see - its a cisco issu e- so please go to some cisco mailing lists...this list isnt a cisco support list
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Alan. I know this isn't a Cisco list or support area but I got told off for not following instructions so I just wanted to follow suite and follow up with the fact that I have been listening to your suggestions. I apologies if I tested your patience however, for whatever reason I seem to be finding RADIUS extremely difficult to understand - in terms of the config from the site FAQ/Wiki etc.... I just wish it was easier so that I didn't need to look as bad as I do already :-( Regards, Kaya
On Thu, Jul 19, 2012 at 11:28 AM, Kaya Saman <kayasaman@gmail.com> wrote:
On Thu, Jul 19, 2012 at 11:02 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I am even considering an upgrade of IOS to version 15.0 (if my switch will run it) as older IOS images tend to occassionally have issues with certain things I have found??
havr been happily doing MAB and 802.1x on cisco switches running 12.1 and 12.2 as well as 15.
FreeRADIUS , from your logs, is doing its job - sending back an Access Accept
if you have made some other random changes then perhaps a required attribute is being filtered out - out of the box, the config works.
this isnt a RADIUS issue as far as i can see - its a cisco issu e- so please go to some cisco mailing lists...this list isnt a cisco support list
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Alan.
I know this isn't a Cisco list or support area but I got told off for not following instructions so I just wanted to follow suite and follow up with the fact that I have been listening to your suggestions.
I apologies if I tested your patience however, for whatever reason I seem to be finding RADIUS extremely difficult to understand - in terms of the config from the site FAQ/Wiki etc.... I just wish it was easier so that I didn't need to look as bad as I do already :-(
Regards,
Kaya
Finally I got everything working..... Thanks so much Alan for all your help in this :-) I overconfig'ed the switch and managed to figure out the issue from scratch. Hopefully if I need help with FreeRADIUS next time I won't be this bad and annoy everybody on the list! Finally: Case-Closed! Regards, Kaya
Kaya Saman wrote:
On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote: ...
put this at the top of the 'users' file and restart the server ... Poking around in the radiusd.conf file I checked the section modules
Follow instructions or you will be unsubscribed and banned from the list. There is a file in the "raddb" directory named "users".
I don't see a mysql module in there.
Were you told to do things with mysql? No. The ONLY reason to ask questions on this list is to READ the answers, and to FOLLOW the instructions. Alan DeKok.
Hi Alan, I really do apologize for things not working and thank you for your patience so far! On 07/16/2012 05:31 PM, Alan DeKok wrote:
Kaya Saman wrote:
On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote: ...
put this at the top of the 'users' file and restart the server ... Poking around in the radiusd.conf file I checked the section modules Follow instructions or you will be unsubscribed and banned from the list.
There is a file in the "raddb" directory named "users".
I **DID** do this....... !! I have been using *NIX based machines long enough to understand how-to add things to flies and **follow** instructions...... - though I maybe junior in other ways and lack the experience of senior admins I **really AM** trying hard! I will post back tomorrow with a breakdown of this file since I am not in front of the system now: /etc/raddb/users - correct??? I entered **EXACTLY** what you suggested right at the top of the file before even the # 'out - commented information that resides at the top of that file. There's no need to be so severe as the ban me! As stated I am not trying to be difficult or ignore instructions here!!!!! I have been using mailing lists for many years without issues such as this. Yes I am almost working blind with no internet or network connection on the server or switch at hand which does add a level of difficulty. I am even willing to do a screen record from the **only** system I have that can connect to both that switch + server and our GUEST Wifi if it will prove what I am saying and hence show you that I **really** am following instructions properly. Outside of sincerely apologizing for the issues I am having I really don't know what else to do or say to make you understand that I am not ignoring things and/or doing things at will without regard for those who **ARE** trying to help!
I don't see a mysql module in there. Were you told to do things with mysql? No.
The ONLY reason to ask questions on this list is to READ the answers, and to FOLLOW the instructions.
Which I am doing.... again sincere apologies!
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regards, Kaya
Kaya Saman wrote:
There is a file in the "raddb" directory named "users".
I **DID** do this....... !!
You didn't SAY that. You were told to edit the "users" file. Instead, you went on a long round-about adventure, looking at other files.
There's no need to be so severe as the ban me!
After 13 years of running this list, I've discovered it's the ONLY way to make some people follow instructions. I can be nice, and explain the same thing until I get frustrated. Or, I can threaten to ban people, and have them *immediately* start following instructions. Alan DeKok.
participants (3)
-
alan buxey -
Alan DeKok -
Kaya Saman