Help needed configuring MAB on FreeRADIUS and Cisco switch
Kaya Saman
kayasaman at gmail.com
Thu Jul 19 11:05:21 CEST 2012
On Tue, Jul 17, 2012 at 2:55 PM, Kaya Saman <kayasaman at gmail.com> wrote:
> [...]
>> # cat users | more
>> 0015c5537baa Cleartext-Password := "0015c5537baa"
>> Tunnel-Type:0 = VLAN,
>> Tunnel-Medium-Type:0 = IEEE-802,
>> Tunnel-Private-Group-Id:0 = "3",
>> Tunnel-Preference = 0x000000
>>
> [...]
>
>
> I managed to figure the issue of **authentication** and it's really
> embarrassing!
>
> From copy/pasting the config there was a 'space' between the
> <username> attribute and getting rid of it just now the server started
> accepting the user :-)
>
>
> Running the suggested debug commands on the switch it is claiming:
>
>
> "authorization failed"
>
> "accounting failed"
>
> mab failure due to 'dead server'
>
>
> I took the liberty of changing the Tunnel-Private-Group-Id to 20 since
> I have vlan 1 and 20 configured on the switch I am using in the hope
> that the laptop would get a DHCP address from the DHCP server
> configured on the switch, however I think due to the above errors
> there is something additional which needs to be done.
>
>
> Regards,
>
>
> Kaya
Finally I managed to get some debug output going and from my highly
limited knowledge and experience regarding FreeRADIUS looks like the
Server is sending an ACCESS=ACCEPT response however, the switch is
either unable to understand (decode??) it or doesn't recieve it at
all??
Anyway here is the output:
Cisco debug:
*Mar 1 04:26:40.472: mab-ev(Gi0/13): Reauthenticating client
0x31000001 (0015.c553.7baa)
*Mar 1 04:26:40.472: mab-sm(Gi0/13): Received event
'MAB_REAUTHENTICATE' on handle 0x31000001
*Mar 1 04:26:40.472: mab : during state mab_terminate, got event
2(mabReauthenticate)
*Mar 1 04:26:40.472: @@@ mab : mab_terminate -> mab_authorizing
*Mar 1 04:26:40.472: mab-ev(Gi0/13): Sending create new context event
to EAP from MAB for 0x31000001 (0015.c553.7baa)
*Mar 1 04:26:40.472: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for
0x31000001 (0015.c553.7baa)
*Mar 1 04:26:40.472: mab-ev(Gi0/13): Attribute (NAS-Identifier) value
1 received for 0x31000001 (0015.c553.7baa)
*Mar 1 04:26:40.472: RADIUS/ENCODE(00000009):Orig. component type = DOT1X
*Mar 1 04:26:40.472: RADIUS(00000009): Config NAS IP: 10.0.0.1
*Mar 1 04:26:40.472: RADIUS(00000009): Started 10 sec timeout
*Mar 1 04:26:40.489: RADIUS: Received from id 1645/252
10.0.0.90:1812, Access-Accept, len 42
*Mar 1 04:26:40.489: RADIUS/DECODE: Ascend auth type; FAIL
*Mar 1 04:26:40.489: RADIUS/DECODE: decoder; FAIL
*Mar 1 04:26:40.489: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
*Mar 1 04:26:40.489: RADIUS/DECODE: parse response op decode; FAIL
*Mar 1 04:26:40.489: RADIUS/DECODE: parse response; FAIL
*Mar 1 04:26:40.489: %RADIUS-4-RADIUS_DEAD: RADIUS server
10.0.0.90:1812,1813 is not responding.
*Mar 1 04:26:40.489: mab-ev(Gi0/13): MAB received an Access-Reject
for 0x31000001 (0015.c553.7baa)
*Mar 1 04:26:40.489: %MAB-5-FAIL: Authentication failed for client
(0015.c553.7baa) on Interface Gi0/13 AuditSessionID
0A0000010000000100DEC072
*Mar 1 04:26:40.489: mab-sm(Gi0/13): Received event 'MAB_RESULT' on
handle 0x31000001
*Mar 1 04:26:40.489: mab : during state mab_authorizing, got
event 5(mabResult)
*Mar 1 04:26:40.489: @@@ mab : mab_authorizing -> mab_terminate
*Mar 1 04:26:40.489: mab-ev(Gi0/13): Deleted credentials profile for
0x31000001 (dot1x_mac_auth_0015c5537baa)
*Mar 1 04:26:40.489: mab-ev(Gi0/13): Sending event (2) to AuthMGR for
0015.c553.7baa
*Mar 1 04:26:40.489: %AUTHMGR-7-RESULT: Authentication result 'server
dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13
AuditSessionID 0A0000010000000100DEC072
*Mar 1 04:26:40.489: %AUTHMGR-5-FAIL: Authorization failed for client
(0015.c553.7baa) on Interface Gi0/13 AuditSessionID
0A0000010000000100DEC072
*Mar 1 04:26:40.547: %RADIUS-4-RADIUS_ALIVE: RADIUS server
10.0.0.90:1812,1813 is being marked alive.
*Mar 1 04:27:41.197: mab-ev(Gi0/13): Reauthenticating client
0x31000001 (0015.c553.7baa)
*Mar 1 04:27:41.197: mab-sm(Gi0/13): Received event
'MAB_REAUTHENTICATE' on handle 0x31000001
*Mar 1 04:27:41.197: mab : during state mab_terminate, got event
2(mabReauthenticate)
*Mar 1 04:27:41.197: @@@ mab : mab_terminate -> mab_authorizing
*Mar 1 04:27:41.197: mab-ev(Gi0/13): Sending create new context event
to EAP from MAB for 0x31000001 (0015.c553.7baa)
*Mar 1 04:27:41.197: mab-ev(Gi0/13): Starting MAC-AUTH-BYPASS for
0x31000001 (0015.c553.7baa)
*Mar 1 04:27:41.197: mab-ev(Gi0/13): Attribute (NAS-Identifier) value
1 received for 0x31000001 (0015.c553.7baa)
*Mar 1 04:27:41.197: RADIUS/ENCODE(00000009):Orig. component type = DOT1X
*Mar 1 04:27:41.197: RADIUS(00000009): Config NAS IP: 10.0.0.1
*Mar 1 04:27:41.197: RADIUS(00000009): Started 10 sec timeout
*Mar 1 04:27:41.214: RADIUS: Received from id 1645/253
10.0.0.90:1812, Access-Accept, len 42
*Mar 1 04:27:41.214: RADIUS/DECODE: Ascend auth type; FAIL
*Mar 1 04:27:41.214: RADIUS/DECODE: decoder; FAIL
*Mar 1 04:27:41.214: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
*Mar 1 04:27:41.214: RADIUS/DECODE: parse response op decode; FAIL
*Mar 1 04:27:41.214: RADIUS/DECODE: parse response; FAIL
*Mar 1 04:27:41.214: mab-ev(Gi0/13): MAB received an Access-Reject
for 0x31000001 (0015.c553.7baa)
*Mar 1 04:27:41.214: %MAB-5-FAIL: Authentication failed for client
(0015.c553.7baa) on Interface Gi0/13 AuditSessionID
0A0000010000000100DEC072
*Mar 1 04:27:41.214: mab-sm(Gi0/13): Received event 'MAB_RESULT' on
handle 0x31000001
*Mar 1 04:27:41.214: mab : during state mab_authorizing, got
event 5(mabResult)
*Mar 1 04:27:41.214: @@@ mab : mab_authorizing -> mab_terminate
*Mar 1 04:27:41.214: mab-ev(Gi0/13): Deleted credentials profile for
0x31000001 (dot1x_mac_auth_0015c5537baa)
*Mar 1 04:27:41.214: mab-ev(Gi0/13): Sending event (2) to AuthMGR for
0015.c553.7baa
*Mar 1 04:27:41.214: %AUTHMGR-7-RESULT: Authentication result 'server
dead' from 'mab' for client (0015.c553.7baa) on Interface Gi0/13
AuditSessionID 0A0000010000000100DEC072
*Mar 1 04:27:41.214: %AUTHMGR-5-FAIL: Authorization failed for client
(0015.c553.7baa) on Interface Gi0/13 AuditSessionID
0A0000010000000100DEC072
FreeRADIUS radiusd -X output:
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=223, length=211
User-Name = "0015c5537baa"
User-Password = "0015c5537baa"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1B-8F-60-AB-8D"
Calling-Station-Id = "00-15-C5-53-7B-AA"
Message-Authenticator = 0x47ebb33764e906b2adedb9e599083ff1
Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352"
NAS-Identifier = "1"
NAS-Port-Type = Ethernet
NAS-Port = 50013
NAS-Port-Id = "GigabitEthernet0/13"
NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "0015c5537baa"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 0015c5537baa at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "0015c5537baa"
[pap] Using clear text password "0015c5537baa"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 223 to 10.0.0.1 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"
Tunnel-Preference:0 = 0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 223 with timestamp +92
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=224, length=211
User-Name = "0015c5537baa"
User-Password = "0015c5537baa"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1B-8F-60-AB-8D"
Calling-Station-Id = "00-15-C5-53-7B-AA"
Message-Authenticator = 0xf7b91a130b97cdd1d414383ca7bc92e6
Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352"
NAS-Identifier = "1"
NAS-Port-Type = Ethernet
NAS-Port = 50013
NAS-Port-Id = "GigabitEthernet0/13"
NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "0015c5537baa"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 0015c5537baa at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "0015c5537baa"
[pap] Using clear text password "0015c5537baa"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 224 to 10.0.0.1 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"
Tunnel-Preference:0 = 0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 224 with timestamp +153
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=225, length=211
User-Name = "0015c5537baa"
User-Password = "0015c5537baa"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1B-8F-60-AB-8D"
Calling-Station-Id = "00-15-C5-53-7B-AA"
Message-Authenticator = 0xe5a0a2da63073867e6e104d09a51e28e
Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352"
NAS-Identifier = "1"
NAS-Port-Type = Ethernet
NAS-Port = 50013
NAS-Port-Id = "GigabitEthernet0/13"
NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "0015c5537baa"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 0015c5537baa at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "0015c5537baa"
[pap] Using clear text password "0015c5537baa"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 225 to 10.0.0.1 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"
Tunnel-Preference:0 = 0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +213
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=226, length=211
User-Name = "0015c5537baa"
User-Password = "0015c5537baa"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1B-8F-60-AB-8D"
Calling-Station-Id = "00-15-C5-53-7B-AA"
Message-Authenticator = 0x96f6df8c1e73330407cb7c9408ba8851
Cisco-AVPair = "audit-session-id=0A0A0A010000000000014352"
NAS-Identifier = "1"
NAS-Port-Type = Ethernet
NAS-Port = 50013
NAS-Port-Id = "GigabitEthernet0/13"
NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "0015c5537baa"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry 0015c5537baa at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "0015c5537baa"
[pap] Using clear text password "0015c5537baa"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 226 to 10.0.0.1 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"
Tunnel-Preference:0 = 0
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 226 with timestamp +274
Ready to process requests.
The configuration hasn't changed as I was apprehensive about altering
it, though I have attempted to adjust the switch timers after
Google'ing the:
%AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for
client (0015.c553.7baa) on Interface Gi0/13 AuditSessionID
0A0000010000000100DEC072
line which showed up prior to me running the debug commands......
So now for my Cisco lines I have this:
radius-server dead-criteria time 30 tries 3
radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
radius-server retransmit 6
radius-server timeout 10
radius-server vsa send accounting
radius-server vsa send authentication
interface GigabitEthernet0/13
switchport mode access
authentication event server alive action reinitialize
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication timer reauthenticate 10
authentication timer inactivity 1200
mab
dot1x pae authenticator
dot1x timeout tx-period 6
spanning-tree portfast
According to what I read I tried different values in addition:
http://routerdiscussions.com/viewtopic.php?f=8&t=13364
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swlog.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/system/message/msg_desc.html
At present I don't understand if the issue is with the RADIUS server
config or the switch config, from here:
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 226 to 10.0.0.1 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"
Tunnel-Preference:0 = 0
Finished request 4.
I see that the server is authenticating (finally) and sending the
information after the Access-Accept line, however, I do notice that
there is no 'tunnel' being created between the switch and Radius
server..... should there even be?
Regards,
Kaya
More information about the Freeradius-Users
mailing list