Switch sends EAP-Fail after Radius Access-Accept
Stefan Winter
stefan.winter at restena.lu
Thu Aug 6 20:00:48 CEST 2015
Hi,
> Setup
>
> Windows XP client 10.1.2.100 <--> (port 12) Catalyst switch 2960-S 10.1.2.12
> (port 1) <--> Radius server 10.1.2.1 (freeRadius running on Centos 6.4).
And a long-dead and unpatched client that knows nothing about current
standards to test with? How did you even find an XP host these days ;-)
Greetings,
Stefan Winter
>
> [preyask at localhost controller-ned]$ cat /etc/raddb/small.conf
> listen {
>     type = auth
>     ipaddr = *
>     port = 1812
> }
> client 10.1.2.0/24 {    # allow packets from 10.1.2.0/24
>     secret = testing123
>     shortname = 10.1.2.12
> }
> modules {    # We don't use any modules
> }
> authorize {    # return Access-Accept for PAP and CHAP
>     update control {
>         Auth-Type := Accept
>     }
> }
>
> Wireshark shows a Radius Access-Accept with code 2, see the packet below. I have a
> feeling that the switch is looking for something else in the Radius
> Access-Accept packet; it's not finding it, so it sends EAP-Fail to the client.
> Packet No. 17 is the Radius Access-Request, No. 18 is the Radius Access-Accept.
>
> No.  Time         Source     Destination  Protocol  Length  Info
> 17   5.943203000  10.1.2.12  10.1.2.1     RADIUS    200     Access-Request(1) (id=80, l=158)
>
> Frame 17: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on interface 0
> Interface id: 0
> WTAP_ENCAP: 1
> Arrival Time: Aug 5, 2015 12:18:53.509276000 EDT
> [Time shift for this packet: 0.000000000 seconds]
> Epoch Time: 1438791533.509276000 seconds
> [Time delta from previous captured frame: 0.708854000 seconds]
> [Time delta from previous displayed frame: 0.000000000 seconds]
> [Time since reference or first frame: 5.943203000 seconds]
> Frame Number: 17
> Frame Length: 200 bytes (1600 bits)
> Capture Length: 200 bytes (1600 bits)
> [Frame is marked: True]
> [Frame is ignored: False]
> [Protocols in frame: eth:ip:udp:radius:eap]
> [Coloring Rule Name: UDP]
> [Coloring Rule String: udp]
> Ethernet II, Src: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0), Dst: HewlettP_74:43:55 (10:60:4b:74:43:55)
> Destination: HewlettP_74:43:55 (10:60:4b:74:43:55)
> Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Source: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
> Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.2.12 (10.1.2.12), Dst: 10.1.2.1 (10.1.2.1)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
> Total Length: 186
> Identification: 0x0884 (2180)
> Flags: 0x00
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 255
> Protocol: UDP (17)
> Header checksum: 0x9aa0 [correct]
> [Good: True]
> [Bad: False]
> Source: 10.1.2.12 (10.1.2.12)
> Destination: 10.1.2.1 (10.1.2.1)
> User Datagram Protocol, Src Port: sightline (1645), Dst Port: radius (1812)
> Source port: sightline (1645)
> Destination port: radius (1812)
> Length: 166
> Checksum: 0x52d4 [validation disabled]
> [Good Checksum: False]
> [Bad Checksum: False]
> Radius Protocol
> Code: Access-Request (1)
> Packet identifier: 0x50 (80)
> Length: 158
> Authenticator: 974ac85da269d81595fd54db7effa738
> [The response to this request is in frame 18]
> Attribute Value Pairs
> AVP: l=11 t=User-Name(1): anonymous
> User-Name: anonymous
> AVP: l=6 t=Service-Type(6): Framed(2)
> Service-Type: Framed (2)
> AVP: l=6 t=Framed-MTU(12): 1500
> Framed-MTU: 1500
> AVP: l=19 t=Called-Station-Id(30): 24-B6-57-D3-2C-8C
> Called-Station-Id: 24-B6-57-D3-2C-8C
> AVP: l=19 t=Calling-Station-Id(31): 5C-B9-01-B2-4A-15
> Calling-Station-Id: 5C-B9-01-B2-4A-15
> AVP: l=16 t=EAP-Message(79) Last Segment[1]
> EAP fragment
> Extensible Authentication Protocol
> Code: Response (2)
> Id: 1
> Length: 14
> Type: Identity (1)
> Identity: anonymous
> AVP: l=18 t=Message-Authenticator(80): 538bc16f555647f1d590468a82da13dc
> Message-Authenticator: 538bc16f555647f1d590468a82da13dc
> AVP: l=2 t=EAP-Key-Name(102):
> EAP-Key-Name:
> AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
> NAS-Port-Type: Ethernet (15)
> AVP: l=6 t=NAS-Port(5): 50112
> NAS-Port: 50112
> AVP: l=23 t=NAS-Port-Id(87): GigabitEthernet1/0/12
> NAS-Port-Id: GigabitEthernet1/0/12
> AVP: l=6 t=NAS-IP-Address(4): 10.1.2.12
> NAS-IP-Address: 10.1.2.12 (10.1.2.12)
>
> No.  Time         Source    Destination  Protocol  Length  Info
> 18   5.943345000  10.1.2.1  10.1.2.12    RADIUS    62      Access-Accept(2) (id=80, l=20)
>
> Frame 18: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
> Interface id: 0
> WTAP_ENCAP: 1
> Arrival Time: Aug 5, 2015 12:18:53.509418000 EDT
> [Time shift for this packet: 0.000000000 seconds]
> Epoch Time: 1438791533.509418000 seconds
> [Time delta from previous captured frame: 0.000142000 seconds]
> [Time delta from previous displayed frame: 0.000142000 seconds]
> [Time since reference or first frame: 5.943345000 seconds]
> Frame Number: 18
> Frame Length: 62 bytes (496 bits)
> Capture Length: 62 bytes (496 bits)
> [Frame is marked: True]
> [Frame is ignored: False]
> [Protocols in frame: eth:ip:udp:radius]
> [Coloring Rule Name: UDP]
> [Coloring Rule String: udp]
> Ethernet II, Src: HewlettP_74:43:55 (10:60:4b:74:43:55), Dst: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
> Destination: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
> Address: Cisco_d3:2c:c0 (24:b6:57:d3:2c:c0)
> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Source: HewlettP_74:43:55 (10:60:4b:74:43:55)
> Address: HewlettP_74:43:55 (10:60:4b:74:43:55)
> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
> Type: IP (0x0800)
> Internet Protocol Version 4, Src: 10.1.2.1 (10.1.2.1), Dst: 10.1.2.12 (10.1.2.12)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
> .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
> Total Length: 48
> Identification: 0xdc2b (56363)
> Flags: 0x00
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..0. .... = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: UDP (17)
> Header checksum: 0x8683 [correct]
> [Good: True]
> [Bad: False]
> Source: 10.1.2.1 (10.1.2.1)
> Destination: 10.1.2.12 (10.1.2.12)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: sightline (1645)
> Source port: radius (1812)
> Destination port: sightline (1645)
> Length: 28
> Checksum: 0x183c [validation disabled]
> [Good Checksum: False]
> [Bad Checksum: False]
> Radius Protocol
> Code: Access-Accept (2)
> Packet identifier: 0x50 (80)
> Length: 20
> Authenticator: 17e05e8768080f89322124ad63a1eb63
> [This is a response to a request in frame 17]
> [Time from request: 0.000142000 seconds]
>
> No.  Time           Source     Destination  Protocol  Length  Info
> 536  229.314304000  10.1.2.12  10.1.2.1     RADIUS    97      Access-Request(1) (id=81, l=55)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150806/5f083ab1/attachment.sig>
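The capture quoted above already contains the answer to the question in the post: frame 17 is an Access-Request carrying an EAP-Message (an EAP Response/Identity) plus a Message-Authenticator, and frame 18 is a 20-byte Access-Accept with no attributes at all. The posted small.conf has an empty modules section and forces `Auth-Type := Accept` in authorize, so no eap module ever runs and nothing generates the EAP-Success that RFC 3579 requires an Access-Accept to carry (as an EAP-Message attribute, which in turn must be accompanied by a Message-Authenticator) when it concludes an EAP conversation. An 802.1X authenticator that receives an Accept without an EAP-Success has no EAP packet to hand to the supplicant, which is consistent with the EAP-Fail the switch sends. The script below is an added example and is not code from the thread or from the FreeRADIUS project: it rebuilds frames 17 and 18 from the Wireshark dissection (assuming the attribute order shown is the wire order and the secret is the `testing123` from small.conf), checks both RADIUS integrity mechanisms, reports what the Accept is missing, and constructs the Accept an EAP-aware server would have returned for the same request. All function names are my own.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types present in the captured Access-Request (RFC 2865, RFC 2869, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_MTU = 1, 4, 5, 6, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 30, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID, EAP_KEY_NAME = 79, 80, 87, 102
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
EAP_SUCCESS = 3  # EAP code for Success (RFC 3748)

SECRET = b"testing123"  # shared secret from the posted small.conf


def build_radius(code, ident, authenticator, attrs):
    # Serialise header + (type, value) attribute pairs; lengths are derived, never trusted.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(data):
    # Parse a RADIUS datagram, rejecting the length inconsistencies a NAS or server would reject.
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("RADIUS Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad AVP length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    return hashlib.md5(build_radius(code, ident, request_auth, attrs) + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed;
    # for responses the header field holds the Request Authenticator while hashing.
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_radius(code, ident, request_auth, zeroed), hashlib.md5).digest()


def verify_response_authenticator(response, request_auth, secret):
    p = parse_radius(response)
    want = response_authenticator(p["code"], p["id"], request_auth, p["attrs"], secret)
    return hmac.compare_digest(want, p["authenticator"])


def verify_message_authenticator(packet, request_auth, secret):
    p = parse_radius(packet)
    got = [v for t, v in p["attrs"] if t == MESSAGE_AUTHENTICATOR]
    if len(got) != 1 or len(got[0]) != 16:
        return False
    return hmac.compare_digest(
        message_authenticator(p["code"], p["id"], request_auth, p["attrs"], secret), got[0])


def diagnose_eap_accept(request, response):
    # What RFC 3579 requires of an Access-Accept answering an EAP request, and is absent here.
    problems = []
    req_types = {t for t, _ in request["attrs"]}
    resp_types = {t for t, _ in response["attrs"]}
    if EAP_MESSAGE in req_types and response["code"] == ACCESS_ACCEPT:
        if EAP_MESSAGE not in resp_types:
            problems.append("Access-Accept carries no EAP-Message (EAP-Success)")
        if MESSAGE_AUTHENTICATOR not in resp_types:
            problems.append("Access-Accept carries no Message-Authenticator")
    return problems


def build_eap_success_accept(request, secret):
    # The Accept an EAP-aware server returns: EAP-Success (same EAP id) + Message-Authenticator,
    # HMAC computed first, then the Response Authenticator over the finished attributes.
    eap_id = next(v for t, v in request["attrs"] if t == EAP_MESSAGE)[1]
    attrs = [(EAP_MESSAGE, bytes([EAP_SUCCESS, eap_id, 0, 4])), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[1] = (MESSAGE_AUTHENTICATOR, message_authenticator(
        ACCESS_ACCEPT, request["id"], request["authenticator"], attrs, secret))
    auth = response_authenticator(ACCESS_ACCEPT, request["id"], request["authenticator"], attrs, secret)
    return build_radius(ACCESS_ACCEPT, request["id"], auth, attrs)


# Frames 17 and 18 rebuilt from the Wireshark dissection in the post (assumed wire order)
REQUEST_AUTH = bytes.fromhex("974ac85da269d81595fd54db7effa738")
CAPTURED_REQUEST = build_radius(ACCESS_REQUEST, 80, REQUEST_AUTH, [
    (USER_NAME, b"anonymous"),
    (SERVICE_TYPE, struct.pack("!I", 2)),                    # Framed
    (FRAMED_MTU, struct.pack("!I", 1500)),
    (CALLED_STATION_ID, b"24-B6-57-D3-2C-8C"),
    (CALLING_STATION_ID, b"5C-B9-01-B2-4A-15"),
    (EAP_MESSAGE, bytes([2, 1, 0, 14, 1]) + b"anonymous"),   # EAP Response/Identity, id 1
    (MESSAGE_AUTHENTICATOR, bytes.fromhex("538bc16f555647f1d590468a82da13dc")),
    (EAP_KEY_NAME, b""),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),                  # Ethernet
    (NAS_PORT, struct.pack("!I", 50112)),
    (NAS_PORT_ID, b"GigabitEthernet1/0/12"),
    (NAS_IP_ADDRESS, bytes([10, 1, 2, 12])),
])
CAPTURED_ACCEPT = build_radius(ACCESS_ACCEPT, 80, bytes.fromhex("17e05e8768080f89322124ad63a1eb63"), [])

if __name__ == "__main__":
    req, acc = parse_radius(CAPTURED_REQUEST), parse_radius(CAPTURED_ACCEPT)
    print("request Message-Authenticator verifies:", verify_message_authenticator(CAPTURED_REQUEST, REQUEST_AUTH, SECRET))
    print("accept Response Authenticator verifies:", verify_response_authenticator(CAPTURED_ACCEPT, REQUEST_AUTH, SECRET))
    for problem in diagnose_eap_accept(req, acc):
        print("problem:", problem)
    fixed = build_eap_success_accept(req, SECRET)
    print("EAP-aware Accept:", len(fixed), "bytes, problems:", diagnose_eap_accept(req, parse_radius(fixed)))
```

Run it with no arguments: it reports whether the two authenticators in the capture verify against `testing123`, lists the two attributes the captured Accept lacks, and shows that the rebuilt Accept (44 bytes: EAP-Success plus Message-Authenticator) passes the same check. In FreeRADIUS terms the practical fix is to let the eap module run in `authorize` and `authenticate` instead of forcing `Auth-Type := Accept`; forcing Accept on an EAP request also means any device that can send an Identity response is accepted, which is worth noticing even in a lab.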