Help needed configuring MAB on FreeRADIUS and Cisco switch

Kaya Saman kayasaman at
Mon Jul 16 12:47:44 CEST 2012

On Mon, Jul 16, 2012 at 11:03 AM, alan buxey <A.L.M.Buxey at> wrote:
> Hi,
>> i tried this, I used 'debug radius verbose' but the log doesn't come
>> up with anything at all; just:
> debug mab all
> debug dot1x all
> however, you are just doing MAB IIRC - and thats just like PAP - very basic and
> simple.... and I'm sure you also have to add 'mab' to your interface config eg
> int gi0/1
> switchport mode access
> authentication order mab webauth
> mab
> spanning-tree portfast
> alan
> -
> List info/subscribe/unsubscribe? See

Thanks a lot Alan!!

I think prart of my issue is that in order to have network
connectivity with the switch and RADIUS server I was linking the
laptop to an uncontrolled RADIUS port..... because of this the switch
didn't need to authenticate to the server.

I added your extra config and then switched the laptop ports to g0/13
which I was using as my radius test. The output produced from RADIUS
was this:

Ready to process requests.
rad_recv: Access-Request packet from host port 1645, id=3, length=162
	User-Name = "0015c5537baa"
	User-Password = "0015c5537baa"
	Service-Type = Call-Check
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-8F-60-AB-8D"
	Calling-Station-Id = "00-15-C5-53-7B-AA"
	Message-Authenticator = 0x64e53078b14461ac3a06055e74f64439
	NAS-Identifier = "1"
	NAS-Port-Type = Ethernet
	NAS-Port = 50013
	NAS-Port-Id = "GigabitEthernet0/13"
	NAS-IP-Address =
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 0015c5537baa
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +12
Ready to process requests.

Now I can have a look at seeing if the config in Daloradius is correct
between the username and seeing if there is another method of
Auth-Type to choose from additionally.



More information about the Freeradius-Users mailing list