Dot1x on cisco 3560

Omar Lopez Limonta pollo.es.pollo at gmail.com
Fri Apr 25 10:35:47 CEST 2008


On Fri, Apr 25, 2008 at 9:51 AM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>
>  > xxxx   Cleartext-Password := "PPPPPl"
>  >            Service-Type = NAS-Prompt-User,
>  >            cisco-avpair = "shell:priv-lvl=15"
>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>  this sort of stuff is for admin access to the switch
>
>
>  > Sending Access-Challenge of id 60 to 172.29.11.1:21645
>  >         Framed-IP-Address = 255.255.255.254
>  >         Framed-MTU = 576
>  >         Service-Type = Framed-User
>  >         EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77
>  >         Message-Authenticator = 0x00000000000000000000000000000000
>  >         State = 0xb307e1b51eedc6cc895b65e64bcd34a3
>  > Finished request 0
>  > Going to the next request
>  > --- Walking the entire request list ---
>  > Waking up in 6 seconds...
>  > rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123
>  > Sending duplicate reply to client authenticator-short-name:21645 - ID: 60
>  > Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
>
>  lots of these. looks like FR is sending challenges but the switch is not
>  responding.  what's your IOS config look like? if you 'debug aaa' on the switch
>  can you see stuff happening at all?

Mmmm, this is curious:
04-25-2008  10:27:16  Local7.Warning 172.29.11.1  67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned.
04-25-2008  10:27:16  Local7.Warning 172.29.11.1  67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding.
Using debug in AAA on my switch.

I have these RADIUS settings on my Cisco switch:

#sh run | include radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
radius-server key mecago
#

Could any other line be necessary?

I'm using MD5 challenge because I'm testing and I don't want to deploy
certificates or a certificate server.
Are you using MS Certificate Server with FR?

-- 
Xgalaga is more enjoyable on NetBSD sparc64

Content Rules:

    /////
   \\\///
   ///\\\  The Duke of Url.
 { O--O }
   / /\ \
   \ -- /
    [||]



