Dot1x on cisco 3560

Scott Armitage S.P.Armitage at lboro.ac.uk
Fri Apr 25 10:50:51 CEST 2008


I'd have something like:

radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server timeout 2
radius-server deadtime 1
radius-server vsa send authentication
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
 server 192.168.1.50 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group RADIUS-SERVERS
aaa accounting dot1x default start-stop group RADIUS-SERVERS
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
int fa0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 5
 dot1x timeout reauth-period server
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100



> -----Original Message-----
> From: freeradius-users-bounces+s.p.armitage=lboro.ac.uk at lists.freeradius.org On Behalf Of Omar Lopez Limonta
> Sent: 25 April 2008 09:36
> To: FreeRadius users mailing list
> Subject: Re: Dot1x on cisco 3560
> 
> On Fri, Apr 25, 2008 at 9:51 AM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> > Hi,
> >
> >
> >  > xxxx   Cleartext-Password := "PPPPPl"
> >  >            Service-Type = NAS-Prompt-User,
> >  >            cisco-avpair = "shell:priv-lvl=15"
> >              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >  this sort of stuff is for admin access to the switch
> >
> >
> >  > Sending Access-Challenge of id 60 to 172.29.11.1:21645
> >  >         Framed-IP-Address = 255.255.255.254
> >  >         Framed-MTU = 576
> >  >         Service-Type = Framed-User
> >  >         EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77
> >  >         Message-Authenticator = 0x00000000000000000000000000000000
> >  >         State = 0xb307e1b51eedc6cc895b65e64bcd34a3
> >  > Finished request 0
> >  > Going to the next request
> >  > --- Walking the entire request list ---
> >  > Waking up in 6 seconds...
> >  > rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123
> >  > Sending duplicate reply to client authenticator-short-name:21645 - ID: 60
> >  > Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
> >
> >  lots of these. looks like FR is sending challenges but the switch is not
> >  responding.  what's your IOS config look like? if you 'debug aaa' on the switch
> >  can you see stuff happening at all?
> 
> Mmmm, it's curious:
> 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned.
> 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding.
> Using debug in AAA on my switch.
> 
> I have this radius settings on my cisco switch:
> 
> #sh run | include radius
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
> radius-server key mecago
> #
> 
> Could any other line be necessary?
> 
> I'm using MD5 challenge because I'm testing and I don't want to deploy
> certificates or a certificate server.
> Are you using MS certificate Server with FR?
> 
> --
> Xgalaga is more fun on NetBSD sparc64
> 
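As an added example (not code from the thread, Cisco or FreeRADIUS), the script below does two things the discussion above does by eye: it compares an IOS running-config against the global and per-port dot1x lines listed in the reply (assumed as a working minimum, not an official Cisco checklist), and it parses the %RADIUS-4-RADIUS_DEAD / _ALIVE syslog messages quoted from the switch, ordering them by the IOS sequence number because the collector printed them newest first. The sample inputs are constructed: the first config mirrors the quoted `sh run | include radius` excerpt with the shared secret replaced by a placeholder, which also shows the caveat that an `include radius` filter hides lines such as `aaa new-model`, so the check only means something when fed the full running-config.

```python
"""Lint an IOS config for the 802.1X/RADIUS lines discussed above and summarise
RADIUS dead/alive syslog events. Example code written for this thread."""
import re
from typing import Dict, List

# Global lines taken from the reply's sample config (assumed minimum, not an
# official Cisco checklist). Each entry is a regex matched at the start of a
# stripped config line.
REQUIRED_GLOBAL = [
    r"aaa new-model",
    r"dot1x system-auth-control",
    r"aaa authentication dot1x default group \S+",
    r"radius-server host \S+ auth-port \d+ acct-port \d+",
    # shared secret either on its own line or appended to the host line
    r"radius-server key \S+|radius-server host \S+.* key \S+",
]
# Per-interface lines a port needs before it acts as an authenticator.
REQUIRED_INTERFACE = [r"dot1x pae authenticator", r"dot1x port-control auto"]

IFACE_RE = re.compile(r"^int(?:erface)?\s+(\S+)\s*$")


def _interface_stanzas(lines: List[str]) -> Dict[str, List[str]]:
    """Group indented lines under the 'interface X' header they belong to."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in lines:
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a non-indented command ends the stanza
    return stanzas


def check_config(config: str) -> Dict[str, object]:
    """Return required lines absent from the config. Only interfaces carrying
    at least one dot1x line are checked, i.e. ports meant to authenticate."""
    lines = [l.rstrip() for l in config.splitlines()]
    stripped = [l.strip() for l in lines]
    missing_global = [p for p in REQUIRED_GLOBAL
                      if not any(re.match(p, l) for l in stripped)]
    missing_iface: Dict[str, List[str]] = {}
    for name, body in _interface_stanzas(lines).items():
        if not any(l.startswith("dot1x") for l in body):
            continue
        missing_iface[name] = [p for p in REQUIRED_INTERFACE
                               if not any(re.match(p, l) for l in body)]
    return {"global": missing_global, "interfaces": missing_iface}


RADIUS_STATE = re.compile(r"%RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server (\S+)")
SEQ_RE = re.compile(r"(\d+): \d+: \*")  # '67648: 070624: *Apr 14 ...' counters


def radius_transitions(syslog: str) -> Dict[str, List[str]]:
    """Map each RADIUS server to its DEAD/ALIVE events in sequence order.
    Collectors often list newest first, so the line order is not trusted."""
    events = []
    for idx, line in enumerate(syslog.splitlines()):
        m = RADIUS_STATE.search(line)
        if not m:
            continue
        s = SEQ_RE.search(line)
        events.append((int(s.group(1)) if s else idx, m.group(2), m.group(1)))
    out: Dict[str, List[str]] = {}
    for _, server, state in sorted(events):
        out.setdefault(server, []).append(state)
    return out


def servers_marked_dead(syslog: str) -> List[str]:
    """Servers the switch declared dead at least once in the sample."""
    return sorted(s for s, st in radius_transitions(syslog).items() if "DEAD" in st)


# Constructed samples: the quoted 'sh run | include radius' excerpt (secret
# replaced, one interface added) and the reply's own example config.
INCOMPLETE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
radius-server key <shared-secret>
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
"""

FULL_CONFIG = """\
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key <shared-secret>
aaa new-model
aaa authentication dot1x default group RADIUS-SERVERS
dot1x system-auth-control
!
int fa0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 100
"""

# Constructed from the two syslog lines quoted above, unwrapped, newest first.
SYSLOG = """\
04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned.
04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding.
"""

if __name__ == "__main__":
    print("quoted excerpt:", check_config(INCOMPLETE_CONFIG))
    print("reply's config:", check_config(FULL_CONFIG))
    print(radius_transitions(SYSLOG), servers_marked_dead(SYSLOG))
```

Run against the quoted excerpt it reports `aaa new-model` and `dot1x system-auth-control` missing globally and `dot1x pae authenticator` missing on the port; the reply's config passes. A DEAD followed by ALIVE for the same server, as in the quoted log, is the switch's dead-timer marking the server unreachable and then recovering, which fits the FreeRADIUS side showing repeated, unanswered Access-Challenges.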