Help with FreeRadius + Switch + Mac Based Auth - question

Daniel Machado Grilo daniel.grilo at pdmfc.com
Tue Jun 3 13:26:30 CEST 2008


Hi,

I'm hoping that you can help me,
because I've been trying this for a long time.

I'm testing an SMC6248M switch to check whether its RADIUS support
works, so I configured a FreeRADIUS server on a Fedora 8 machine.

I've done some tests, adding clients to clients.conf and making
requests via radtest, to ensure that the RADIUS server is configured correctly.

e.g.:

[root at black ~]# radtest 003084-87faf2 ********* 192.168.1.13 1812 oincoinc
Sending Access-Request of id 116 to 192.168.1.13 port 1812
        User-Name = "003084-87faf2"
        User-Password = "*************"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 116 to 192.168.1.13 port 1812
        User-Name = "003084-87faf2"
        User-Password = "omGtkKyB"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=116, length=20
rad_verify: Received Access-Reject packet from client 192.168.1.13 port
1812 with invalid signature (err=2)!  (Shared secret is incorrect.)


If I change the switch configuration to auth by Local,RADIUS
and then try to access the administration interface with a
password that I only have in the RADIUS config, I get:

Username: dmgrilo
Password:

      CLI session with the Tiger Stack 10/100 is opened.
      To end the CLI session, enter [Exit].


The logs show:
rad_recv: Access-Request packet from host 192.168.1.251:1815, id=204,
length=55
        User-Name = "dmgrilo"
        User-Password = "12345"
        NAS-IP-Address = 192.168.1.251
        NAS-Identifier = ""
Sending Access-Accept of id 204 to 192.168.1.251 port 1815


which is OK.

But now I have a computer on Ethernet 1/35 that I want to
authenticate via RADIUS, so I changed the port to "dot1x port-control auto"
and made the interface re-authenticate; I lose the connection to that machine
and the switch claims that it is not authenticated.

So, my question is: in the FreeRADIUS users file I have
the MAC address of the machine and the password:
# Green
000244-09a361     Auth-Type := Local, User-Password == "****"
                Tunnel-Medium-Type      = IEEE-802,
                Tunnel-Type             = VLAN,
                Tunnel-Private-Group-ID = 1

So why doesn't the switch ask RADIUS for access?
(Nothing appears in the logs.)

I don't want to have supplicants installed on the clients, because
I want to connect phones too, but I guess that with auth via MAC address
it wouldn't need supplicants, right?

One important thing is that when I check "show dot1x" on
the switch it doesn't determine the supplicant MAC address.
I guess it should, right?

802.1X is enabled on port 1/35
 reauth-enabled: Enable
 reauth-period:  3600
 quiet-period:   60
 tx-period:      30
 supplicant-timeout:   30
 server-timeout: 10
 reauth-max:     2
 max-req:        2
Status              Unauthorized
Operation mode      Single-Host
Max count           5
Port-control        Auto
Supplicant          00-00-00-00-00-00
Current Identifier  1

Authenticator State Machine
State               Connecting
Reauth Count        2

Backend State Machine
State               Idle
Request Count       0
Identifier(Server)  0

Reauthentication State Machine
State               Initialize

So my real (summarized) question:
Do I need to have supplicants even though I want to authenticate
with the MAC address, or could it be that this switch doesn't
support this, and the normal behaviour should be that the switch
asks RADIUS for access, presenting the machine's credentials (MAC address)?

Thanks in advance.
Daniel
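Added example, not part of the original post and not FreeRADIUS code: a small stand-alone Python model of the RFC 2865 exchange that the radtest run above exercises. It hides a User-Password under a shared secret, lets a server that knows the secret recover it, builds the Response Authenticator that rad_verify recomputes on the client, and shows that a 20-byte Access-Reject (no attributes, the same length as the reject logged above) produced by a server holding a different secret fails that check, which is the "invalid signature (err=2) ... Shared secret is incorrect" outcome. It also encodes the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple from the users entry as RFC 2868 tagged attributes in an Access-Accept and reads the VLAN back out. The two secrets, the MAC-style user name, the password, the NAS address, the packet identifier and the fixed Request Authenticator are all constructed values chosen for the example.

```python
# Added example (not from the post or FreeRADIUS): RFC 2865/2868 RADIUS primitives.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5        # RFC 2865 attribute types
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 tagged attributes
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 (password <= 128 octets): pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value; Length counts the 2-byte header, so a value is at most 253 octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged(atype, tag, value):
    """RFC 2868 tagged attribute: one tag byte, then a 3-byte integer or the string."""
    return attr(atype, bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value))

def parse_attrs(data):
    """Walk the TLV list, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, username, password, secret, nas_ip, nas_port, request_auth):
    """request_auth must be 16 fresh random bytes (os.urandom(16)) in real use."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """The rad_verify check on a whole datagram: rebuild the reply with our secret, compare in constant time."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, code, ident, length
    expected = build_response(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet, expected), code, ident, length

def vlan_from_accept(packet):
    """VLAN id from the Tunnel-* triple; a Group-ID first byte above 0x1F is data, not a tag."""
    f = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            f[atype] = int.from_bytes(value[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            f[atype] = value[1:] if value[:1] <= b"\x1f" else value
    ok = f.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and f.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
    return f.get(TUNNEL_PRIVATE_GROUP_ID) if ok else None

def demo():
    """One request, two servers: the one sharing the secret reads the password; the other's 20-byte Reject fails."""
    client_secret, other_secret = b"client-secret", b"server-secret"  # constructed values
    req_auth = hashlib.md5(b"fixed seed so the example is reproducible").digest()
    req = build_access_request(116, b"001122-334455", b"s3cret", client_secret, "192.0.2.1", 1812, req_auth)
    hidden = dict(parse_attrs(req[20:]))[USER_PASSWORD]
    vlan_attrs = (tagged(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN) + tagged(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802)
                  + tagged(TUNNEL_PRIVATE_GROUP_ID, 0, b"1"))
    accept = build_response(ACCESS_ACCEPT, 116, vlan_attrs, req_auth, client_secret)
    reject_other = build_response(ACCESS_REJECT, 116, b"", req_auth, other_secret)
    return {
        "request_len": len(req),
        "password_at_matching_server": reveal_password(hidden, client_secret, req_auth),
        "password_at_other_server": reveal_password(hidden, other_secret, req_auth),
        "accept_verifies": verify_response(accept, req_auth, client_secret)[0],
        "vlan": vlan_from_accept(accept),
        "reject_len": len(reject_other),
        "reject_verifies": verify_response(reject_other, req_auth, client_secret)[0],
    }
```

Run it with python3 and call demo(). The fixed Request Authenticator exists only to make the output reproducible; a real client must draw 16 fresh random bytes per request, because the password hiding is a stream XOR keyed by that value and the secret, so a repeated authenticator under the same secret leaks the XOR of two passwords. The example models only what happens once a packet reaches the server; it says nothing about the question the post actually asks, whether the switch sends one at all. Until an Access-Request arrives, neither clients.conf nor the users entry is consulted, which is consistent with nothing appearing in the logs.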

More information about the Freeradius-Users mailing list