Help needed configuring MAB on FreeRADIUS and Cisco switch

Kaya Saman kayasaman at gmail.com
Mon Jul 16 12:47:44 CEST 2012


On Mon, Jul 16, 2012 at 11:03 AM, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> i tried this, I used 'debug radius verbose' but the log doesn't come
>> up with anything at all; just:
>
> debug mab all
> debug dot1x all
>
>
> however, you are just doing MAB IIRC - and that's just like PAP - very basic and
> simple.... and I'm sure you also have to add 'mab' to your interface config eg
>
> int gi0/1
> switchport mode access
> authentication order mab webauth
> mab
> spanning-tree portfast
>
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks a lot Alan!!

I think part of my issue is that in order to have network
connectivity with the switch and RADIUS server I was linking the
laptop to an uncontrolled RADIUS port..... because of this the switch
didn't need to authenticate to the server.

I added your extra config and then switched the laptop ports to g0/13
which I was using as my radius test. The output produced from RADIUS
was this:


Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162
	User-Name = "0015c5537baa"
	User-Password = "0015c5537baa"
	Service-Type = Call-Check
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-8F-60-AB-8D"
	Calling-Station-Id = "00-15-C5-53-7B-AA"
	Message-Authenticator = 0x64e53078b14461ac3a06055e74f64439
	NAS-Identifier = "1"
	NAS-Port-Type = Ethernet
	NAS-Port = 50013
	NAS-Port-Id = "GigabitEthernet0/13"
	NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 0015c5537baa
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 10.0.0.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +12
Ready to process requests.


Now I can have a look at seeing if the config in Daloradius is correct
between the username and seeing if there is another method of
Auth-Type to choose from additionally.



Regards,


Kaya
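The debug output above shows what a Cisco MAB request looks like on the wire: User-Name and User-Password are both the client MAC, Service-Type is Call-Check, and Calling-Station-Id carries the same MAC in dashed form. FreeRADIUS rejects it only because nothing in the authorize section supplied a "known good" password for that username. The following script is an added illustration, not code from this thread or from FreeRADIUS: it parses the attribute lines of the posted request, checks that the three MAC fields agree (so a MAB request cannot be faked with a username/password pair that does not match the port's learned MAC), and looks the normalized MAC up in a hypothetical allow-list that plays the role of the users-file or Daloradius radcheck entry. The allow-list contents, the function names and the `authorize_mab` decision format are assumptions for the example.

```python
import re

# Sample input constructed from the attribute lines of the Access-Request in the post.
SAMPLE_REQUEST = """\
\tUser-Name = "0015c5537baa"
\tUser-Password = "0015c5537baa"
\tService-Type = Call-Check
\tFramed-MTU = 1500
\tCalled-Station-Id = "00-1B-8F-60-AB-8D"
\tCalling-Station-Id = "00-15-C5-53-7B-AA"
\tNAS-Port-Type = Ethernet
\tNAS-Port-Id = "GigabitEthernet0/13"
\tNAS-IP-Address = 10.0.0.1
"""

# One "Attribute = value" line as printed by radiusd -X; debug lines such as
# "++[pap] returns noop" do not match because they do not start with an attribute name.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_request(text):
    """Turn the debug dump of one Access-Request into a dict of attribute -> value."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        # String attributes are printed quoted; integers and enums are bare.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def normalize_mac(s):
    """Reduce any of the MAC spellings seen in the request (0015c5537baa,
    00-15-C5-53-7B-AA, 00:15:c5:53:7b:aa) to 12 lowercase hex digits, or None."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', s or '')
    if len(hexdigits) != 12:
        return None
    return hexdigits.lower()


def is_mab_request(attrs):
    """Signature of a Cisco MAB request as seen in the posted debug output:
    Service-Type Call-Check, User-Name == User-Password, and the same MAC
    in Calling-Station-Id (the address the switch actually learned on the port)."""
    user = attrs.get('User-Name')
    return (attrs.get('Service-Type') == 'Call-Check'
            and user is not None
            and user == attrs.get('User-Password')
            and normalize_mac(user) is not None
            and normalize_mac(user) == normalize_mac(attrs.get('Calling-Station-Id')))


def authorize_mab(attrs, allowed_macs):
    """Return (decision, reason). allowed_macs is a hypothetical allow-list of
    normalized MACs; it stands in for the 'known good' password entry that the
    pap module was missing in the posted log."""
    if not is_mab_request(attrs):
        return ('reject', 'not a consistent MAB request')
    mac = normalize_mac(attrs['User-Name'])
    if mac not in allowed_macs:
        return ('reject', 'MAC not in allow-list')
    return ('accept', 'MAB accept for %s on %s' % (mac, attrs.get('NAS-Port-Id', '?')))


if __name__ == '__main__':
    request = parse_request(SAMPLE_REQUEST)
    print(authorize_mab(request, {'0015c5537baa'}))   # constructed allow-list
    print(authorize_mab(request, set()))              # same request, no entry
```

Running it with the MAC present in the allow-list yields an accept decision; with an empty allow-list, or if User-Password or Calling-Station-Id disagrees with User-Name, it yields a reject. That is the same property the real deployment relies on: for MAB the password carries no secret, so the authorization decision has to rest on whether the MAC is known and on the request being internally consistent, not on the password check itself.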

