Switch sends EAP-Fail after Radius Access-Accept
Preyas Kamath
p.kamath at cornet.com
Wed Aug 5 19:40:47 CEST 2015
Here is the freeradius log and version info.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=86, length=158
User-Name = "anonymous"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message = 0x0201000e01616e6f6e796d6f7573
Message-Authenticator = 0xbce8ecc14aba0c65d1cce1b7fe2641ec
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/small.conf
+- entering group authorize {...}
++[control] returns notfound
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [anonymous/<via Auth-Type = Accept>] (from client 10.1.2.12 port 50112 cli 5C-B9-01-B2-4A-15)
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 86 to 10.1.2.12 port 1645
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 86 with timestamp +5840
Ready to process requests.
[preyask at localhost ~]$ radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 15 2014 at 04:58:23
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Regards
Preyas
-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+p.kamath=cornet.com at lists.freeradius.org]
On Behalf Of Preyas Kamath
Sent: Wednesday, August 05, 2015 1:31 PM
To: freeradius-users at lists.freeradius.org
Subject: Switch sends EAP-Fail after Radius Access-Accept
When a client connects to an 802.1X-enabled Cisco switch, the EAP request and reply are fine, and the RADIUS server request and response seem OK. However, even though the RADIUS server responds with Accept, the Cisco 2960-S sends EAP-Fail to the client. I'm using a fairly simple RADIUS conf file (see below).
Setup
Windows XP client 10.1.2.100 <--> (port 12) Catalyst switch 2960-S 10.1.2.12 (port 1) <--> RADIUS server 10.1.2.1 (FreeRADIUS running on CentOS 6.4).
[preyask at localhost controller-ned]$ cat /etc/raddb/small.conf
listen {
        type = auth
        ipaddr = *
        port = 1812
}
client 10.1.2.0/24 {            # allow packets from 10.1.2.0/24
        secret = testing123
        shortname = 10.1.2.12
}
modules {                       # We don't use any modules
}
authorize {                     # return Access-Accept for PAP and CHAP
        update control {
                Auth-Type := Accept
        }
}
Wireshark shows the RADIUS Access-Accept with code 2 (see packet below). I have a feeling that the switch is looking for something else in the RADIUS Access-Accept packet; it's not finding it, so it sends EAP-Fail to the client.
Packet No. 17 is the RADIUS Access-Request, No. 18 is the RADIUS Access-Accept.
No.  Time          Source     Destination  Protocol  Length  Info
17   5.943203000   10.1.2.12  10.1.2.1     RADIUS    200     Access-Request(1) (id=80, l=158)
Frame 17: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on interface 0
Interface id: 0
WTAP_ENCAP: 1
Arrival Time: Aug 5, 2015 12:18:53.509276000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1438791533.509276000 seconds
[Time delta from previous captured frame: 0.708854000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 5.943203000 seconds]
Frame Number: 17
Frame Length: 200 bytes (1600 bits)
Capture Length: 200 bytes (1600 bits)
[Frame is marked: True]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:radius:eap]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0), Dst: HewlettP_74:43:55 (10:60:4b:74:43:55)
Destination: HewlettP_74:43:55 (10:60:4b:74:43:55)
Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.1.2.12 (10.1.2.12), Dst: 10.1.2.1 (10.1.2.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 186
Identification: 0x0884 (2180)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0x9aa0 [correct]
[Good: True]
[Bad: False]
Source: 10.1.2.12 (10.1.2.12)
Destination: 10.1.2.1 (10.1.2.1)
User Datagram Protocol, Src Port: sightline (1645), Dst Port: radius (1812)
Source port: sightline (1645)
Destination port: radius (1812)
Length: 166
Checksum: 0x52d4 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x50 (80)
Length: 158
Authenticator: 974ac85da269d81595fd54db7effa738
[The response to this request is in frame 18]
Attribute Value Pairs
AVP: l=11 t=User-Name(1): anonymous
User-Name: anonymous
AVP: l=6 t=Service-Type(6): Framed(2)
Service-Type: Framed (2)
AVP: l=6 t=Framed-MTU(12): 1500
Framed-MTU: 1500
AVP: l=19 t=Called-Station-Id(30): 24-B6-57-D3-2C-8C
Called-Station-Id: 24-B6-57-D3-2C-8C
AVP: l=19 t=Calling-Station-Id(31): 5C-B9-01-B2-4A-15
Calling-Station-Id: 5C-B9-01-B2-4A-15
AVP: l=16 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 14
Type: Identity (1)
Identity: anonymous
AVP: l=18 t=Message-Authenticator(80): 538bc16f555647f1d590468a82da13dc
Message-Authenticator: 538bc16f555647f1d590468a82da13dc
AVP: l=2 t=EAP-Key-Name(102):
EAP-Key-Name:
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
NAS-Port-Type: Ethernet (15)
AVP: l=6 t=NAS-Port(5): 50112
NAS-Port: 50112
AVP: l=23 t=NAS-Port-Id(87): GigabitEthernet1/0/12
NAS-Port-Id: GigabitEthernet1/0/12
AVP: l=6 t=NAS-IP-Address(4): 10.1.2.12
NAS-IP-Address: 10.1.2.12 (10.1.2.12)
No.  Time          Source    Destination  Protocol  Length  Info
18   5.943345000   10.1.2.1  10.1.2.12    RADIUS    62      Access-Accept(2) (id=80, l=20)
Frame 18: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Interface id: 0
WTAP_ENCAP: 1
Arrival Time: Aug 5, 2015 12:18:53.509418000 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1438791533.509418000 seconds
[Time delta from previous captured frame: 0.000142000 seconds]
[Time delta from previous displayed frame: 0.000142000 seconds]
[Time since reference or first frame: 5.943345000 seconds]
Frame Number: 18
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: True]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HewlettP_74:43:55 (10:60:4b:74:43:55), Dst: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
Destination: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: HewlettP_74:43:55 (10:60:4b:74:43:55)
Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
.... ..0. .... .... .... .... = LG bit: Globally unique address
(factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.1.2.1 (10.1.2.1), Dst: 10.1.2.12 (10.1.2.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 48
Identification: 0xdc2b (56363)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x8683 [correct]
[Good: True]
[Bad: False]
Source: 10.1.2.1 (10.1.2.1)
Destination: 10.1.2.12 (10.1.2.12)
User Datagram Protocol, Src Port: radius (1812), Dst Port: sightline (1645)
Source port: radius (1812)
Destination port: sightline (1645)
Length: 28
Checksum: 0x183c [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0x50 (80)
Length: 20
Authenticator: 17e05e8768080f89322124ad63a1eb63
[This is a response to a request in frame 17]
[Time from request: 0.000142000 seconds]
No.  Time            Source     Destination  Protocol  Length  Info
536  229.314304000   10.1.2.12  10.1.2.1     RADIUS    97      Access-Request(1) (id=81, l=55)
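The capture quoted above shows what the switch is reacting to: frame 18 is a 20-byte Access-Accept with no attributes at all, because small.conf loads no eap module and forces Auth-Type := Accept in authorize, so FreeRADIUS never runs an EAP method. RFC 3579 requires that an Access-Accept ending an EAP conversation carry an EAP-Message attribute holding EAP-Success, and that any RADIUS packet with an EAP-Message also carry a Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret). A NAS that receives an Access-Accept without those must treat it as a failure, which is exactly the EAP-Fail the 2960-S sends; the switch is behaving correctly. The script below is an added illustration written for this page, not code from the post or from the FreeRADIUS project. It takes the shared secret, Request Authenticator, EAP-Message and Access-Accept bytes from the post, reports which required attributes the captured reply lacks, builds the Access-Accept the switch would have accepted (EAP-Success with the request's EAP identifier plus a valid Message-Authenticator and Response Authenticator), and checks it the way the NAS would. The assumption is that the capture and secret are exactly as posted; the 20-byte reply is reconstructed from the Wireshark decode of frame 18.

```python
import hashlib
import hmac
import struct

# Values copied from the post: the shared secret in small.conf and the
# Access-Request / Access-Accept pair in Wireshark frames 17 and 18.
SECRET = b"testing123"
REQUEST_ID = 80
REQUEST_AUTHENTICATOR = bytes.fromhex("974ac85da269d81595fd54db7effa738")
# EAP-Message carried in the Access-Request: EAP Response, id 1, Identity "anonymous".
REQUEST_EAP_MESSAGE = bytes.fromhex("0201000e01616e6f6e796d6f7573")
# Frame 18 as decoded by Wireshark: Code 2, id 0x50, Length 20, authenticator, no attributes.
CAPTURED_ACCEPT = bytes.fromhex("02500014" "17e05e8768080f89322124ad63a1eb63")

ACCESS_ACCEPT = 2
EAP_MESSAGE = 79             # RFC 2869 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
EAP_SUCCESS = 3              # RFC 3748 EAP code
HEADER_LEN = 20


def parse_radius(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, pid, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d does not match packet size %d" % (length, len(pkt)))
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, pid, pkt[4:HEADER_LEN], attrs


def eap_header(eap_msg):
    """Return (code, identifier) of the EAP packet carried in an EAP-Message attribute."""
    code, eap_id, eap_len = struct.unpack("!BBH", eap_msg[:4])
    if eap_len != len(eap_msg):
        raise ValueError("EAP Length field does not match the EAP packet size")
    return code, eap_id


def missing_for_eap(pkt):
    """Names of the attributes RFC 3579 requires in an EAP Access-Accept that pkt lacks."""
    present = {atype for atype, _ in parse_radius(pkt)[3]}
    required = ((EAP_MESSAGE, "EAP-Message"), (MESSAGE_AUTHENTICATOR, "Message-Authenticator"))
    return [name for atype, name in required if atype not in present]


def build_eap_accept(req_id, req_auth, eap_id, secret):
    """Build the Access-Accept the NAS expects: EAP-Success plus a signed Message-Authenticator."""
    eap_success = struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)
    attrs = bytes([EAP_MESSAGE, 2 + len(eap_success)]) + eap_success
    # Message-Authenticator is HMAC-MD5 over the packet with its own value zeroed and
    # the *Request* Authenticator in the header (RFC 3579 section 3.2).
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_ACCEPT, req_id, HEADER_LEN + len(attrs))
    mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 section 3).
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt, req_auth, secret):
    """Check a reply the way a NAS does: (response_authenticator_ok, message_authenticator_ok)."""
    _, _, resp_auth, _ = parse_radius(pkt)           # also validates the attribute layout
    header, attrs = pkt[:4], pkt[HEADER_LEN:]
    resp_ok = hmac.compare_digest(
        hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth)
    ma_ok = False                                    # stays False when no Message-Authenticator is present
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            ma_ok = hmac.compare_digest(expected, attrs[pos + 2:pos + 18])
        pos += alen
    return resp_ok, ma_ok


if __name__ == "__main__":
    print("captured Access-Accept lacks:", missing_for_eap(CAPTURED_ACCEPT))
    _, eap_id = eap_header(REQUEST_EAP_MESSAGE)
    fixed = build_eap_accept(REQUEST_ID, REQUEST_AUTHENTICATOR, eap_id, SECRET)
    print("rebuilt Access-Accept:", fixed.hex())
    print("NAS checks (response auth, message auth):", verify_response(fixed, REQUEST_AUTHENTICATOR, SECRET))
```

The script never touches the wire; it only shows what a conformant reply to frame 17 looks like and why the 20-byte one fails the NAS's checks. In FreeRADIUS the normal way to get this reply is to load the eap module and list "eap" in authorize and authenticate, so that rlm_eap sets Auth-Type = EAP when an EAP-Message is present and runs a real method (for a Windows XP supplicant, PEAP or EAP-TLS) before emitting EAP-Success; forcing Auth-Type := Accept for every request skips that method entirely and accepts any identity, so even if the switch had tolerated the bare Access-Accept the port would be open to anyone.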
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html