Help needed configuring MAB on FreeRADIUS and Cisco switch

Kaya Saman kayasaman at gmail.com
Thu Jul 19 11:32:11 CEST 2012


On Thu, Jul 19, 2012 at 10:20 AM, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> radius-server dead-criteria time 30 tries 3
>> radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
>> radius-server retransmit 6
>> radius-server timeout 10
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>>
>>
>> interface GigabitEthernet0/13
>>  switchport mode access
>>  authentication event server alive action reinitialize
>>  authentication open
>>  authentication order mab
>>  authentication priority mab
>>  authentication port-control auto
>>  authentication timer reauthenticate 10
>>  authentication timer inactivity 1200
>>  mab
>>  dot1x pae authenticator
>>  dot1x timeout tx-period 6
>>  spanning-tree portfast
>
> no
>
> dot1x system-auth-control
>
> ??
>
>
> I'd recommend reading the Cisco 802.1X guides - the RADIUS server is doing its job. The switch isn't.
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thanks Alan for the response and patience with me :-)


I have gone through quite a bit of dot1x guides, mainly:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1196845

which is relevant to my switch model and IOS image.


This is my Cisco config:


!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
logging file flash:mab.txt 256000 debugging
enable password admin
!
username admin privilege 15 password 0 admin
!
!
aaa new-model
!
!
aaa group server radius test
 server 10.0.0.90 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting dot1x system start-stop group radius
aaa accounting network default start-stop group radius
!
!
!
aaa session-id common
system mtu routing 1500
authentication mac-move permit
mab request format attribute 32 vlan access-vlan
ip subnet-zero
!
ip dhcp pool dpool1
   network 10.0.0.0 255.255.255.0
!
ip dhcp pool dpool20
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
!
!
!
crypto pki trustpoint TP-self-signed-2405477248
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2405477248
 revocation-check none
 rsakeypair TP-self-signed-2405477248
!
!
crypto pki certificate chain TP-self-signed-2405477248
 certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer
dot1x system-auth-control
!
!
!
archive
 log config
  logging enable
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 switchport mode access
 authentication event server alive action reinitialize
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication timer reauthenticate 10
 authentication timer inactivity 1200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 6
 spanning-tree portfast
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.10.1 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan1
ip sla enable reaction-alerts
!
radius-server dead-criteria time 30 tries 3
radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
radius-server retransmit 6
radius-server timeout 10
radius-server vsa send accounting
radius-server vsa send authentication
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
!
end


As can be seen, it does include the dot1x system-auth-control...


I am even considering an upgrade of IOS to version 15.0 (if my switch
will run it), as older IOS images tend to occasionally have issues
with certain things, I have found??



Regards,


Kaya
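Alan's reply points at a missing global command, and the posted running-config shows that command is present. When a MAB port stays silent it is worth ruling out every prerequisite mechanically rather than by eye, so here is an added example (not code from the thread, from Cisco or from FreeRADIUS) of a small checker that splits an IOS running-config into global and per-interface sections and reports which MAB prerequisites are absent. The required lines are exactly the global and interface commands that appear in the config above; the sample input is a trimmed, constructed copy of that config, and the checker only says what is missing, not why the switch in the thread is not sending requests.

```python
import re
from typing import Dict, List

# Constructed sample input: a trimmed copy of the running-config posted in the
# thread, embedded here only so the checker can run offline.
SAMPLE_CONFIG = """\
!
version 12.2
hostname Switch
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/13
 switchport mode access
 authentication open
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server host 10.0.0.90 auth-port 1812 acct-port 1813 non-standard key pass
!
end
"""

# Global commands the switch needs before it will send any Access-Request for
# MAB; every one of these appears in the config posted in the thread.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
]

# Per-port commands that make an access port actually perform MAB.
REQUIRED_INTERFACE = [
    "mab",
    "authentication port-control auto",
]


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into a 'global' line list plus one list per
    'interface <name>' section. Indented lines belong to the current interface;
    a '!' separator or an unindented line returns to global context."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = "global"
            continue
        if raw.startswith("interface "):
            current = raw.strip()
            sections[current] = []
            continue
        if raw.startswith(" ") and current != "global":
            sections[current].append(raw.strip())
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def check_mab(text: str) -> Dict[str, List[str]]:
    """Return {'global': [missing...], 'interface X': [missing...]}.
    Only interfaces carrying 'mab' or an 'authentication ...' line are treated
    as MAB ports; plain access ports are left out of the report."""
    sections = parse_config(text)
    glob = sections["global"]
    missing = [line for line in REQUIRED_GLOBAL if line not in glob]
    # A radius-server host line carries parameters, so match it by pattern.
    if not any(re.match(r"radius-server host \S+ .*key \S+", l) for l in glob):
        missing.append("radius-server host <addr> ... key <secret>")
    findings: Dict[str, List[str]] = {"global": missing}
    for name, lines in sections.items():
        if name == "global":
            continue
        if not any(l == "mab" or l.startswith("authentication ") for l in lines):
            continue
        findings[name] = [line for line in REQUIRED_INTERFACE if line not in lines]
    return findings


def mab_ready(text: str) -> bool:
    """True when no global or per-port MAB prerequisite is missing."""
    return all(not missing for missing in check_mab(text).values())


if __name__ == "__main__":
    for section, missing in check_mab(SAMPLE_CONFIG).items():
        print(section, "->", "ok" if not missing else "missing: " + ", ".join(missing))
```

Paste the output of `show running-config` in place of the constructed sample; a port that never reaches the RADIUS server should show up either under `global` or under its own `interface` entry, and if both are clean the problem lies elsewhere (server reachability, the shared secret, or the supplicant side).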

