cisco phones

Vacheslav m_zouhairy at skno.by
Fri Feb 2 09:33:59 CET 2018


Here is what Buxley lied that he doesn't care about:

%LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to down
387716: Feb  2 11:20:40.392: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to down
Switch(config-if)#
387717: Feb  2 11:20:41.262: %AUTHMGR-5-START: Starting 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387718: Feb  2 11:20:41.297: %DOT1X-5-SUCCESS: Authentication successful for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387719: Feb  2 11:20:41.297: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
Switch(config-if)#
387720: Feb  2 11:20:41.297: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 23 on port GigabitEthernet1/0/29 cannot be equivalent to the Voice VLAN AuditSessionID 0A7000FC2201C28740F37DF3
387721: Feb  2 11:20:41.297: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387722: Feb  2 11:20:41.297: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
Switch(config-if)#
387723: Feb  2 11:20:41.619: %AUTHMGR-5-START: Starting 'dot1x' for client (pc mac) on Interface Gi1/0/29 AuditSessionID 0A8001FC0001E08420F28F66
Switch(config-if)#
387724: Feb  2 11:20:43.241: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to up
Switch(config-if)#
387725: Feb  2 11:20:44.240: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to up

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Vacheslav
Sent: Friday, February 2, 2018 11:16 AM
To: 'FreeRadius users mailing list' <freeradius-users at lists.freeradius.org>
Subject: RE: cisco phones



-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Nathan Ward
Sent: Thursday, February 1, 2018 2:43 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: cisco phones


> On 1/02/2018, at 7:14 PM, Vacheslav <m_zouhairy at skno.by> wrote:
> 
> SELECT * FROM radreply;
> 
> | id | username                | attribute               | op | value    |
> +----+-------------------------+-------------------------+----+----------+
> |  7 | CP-3905-SEP2C0BA7291783| Tunnel-Type             | := | VLAN     |
> |  8 | CP-3905-SEP2C0BA7291783| Tunnel-Medium-Type      | := | IEEE-802 |
> |  9 | CP-3905-SEP2C0BA7291783| Tunnel-Private-Group-Id | := | 23       |
> +----+-------------------------+-------------------------+----+----------+

> (2) sql: ERROR: Failed to create the pair: Invalid character ' ' in 
> attribute


>It's not possible to tell from what you have given, but, does one of your attributes in the radreply table have a space at the start or end? I.e. do you perhaps have "Tunnel-Medium-Type<space>"?
>I finally had time to test.
>I deleted the attributes one at a time and tested and it turns out the Tunnel-Type:=VLAN was that menace. I first added it again, this time as check attribute, without using the auto saved entry in the browser, and the login was ok. You got happy ahead of time. Without the attribute it authenticated on the data vlan. With the attribute, the switch reported the phone as dropped. Then I added the mentioned attribute as a reply keeping it as check also, and again the login was ok but the switch dropped the packets. Then I deleted the mentioned attribute from checking and no change. I finally tried putting it 1:VLAN and 23:VLAN but that just makes freeradius spout:
>Auth: (56) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [CP-3905-SEP2C0BE9042892/<via Auth-Type = eap>] (from client Skorini_Switch port 50145 cli 2C-0B-E9-04-28-92)
>Fri Feb  2 11:01:35 2018 : Auth: (56) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name via Auth-Type = eap>] (from client Switch port 50145 cli mac)
>Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (35): Hit idle_timeout, was idle for 61 seconds
>Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (36): Hit idle_timeout, was idle for 61 seconds
>Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Closing connection (34): Hit idle_timeout, was idle for 61 seconds
>Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (37), 1 of 32 pending slots used
>Fri Feb  2 11:02:36 2018 : Info: Need 2 more connections to reach min connections (3)
>Fri Feb  2 11:02:36 2018 : Info: rlm_sql (sql): Opening additional connection (38), 1 of 31 pending slots used
>Fri Feb  2 11:02:36 2018 : Auth: (58) Login OK: [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
>Fri Feb  2 11:03:35 2018 : Info: Need 1 more connections to reach min connections (3)
>Fri Feb  2 11:03:35 2018 : Info: rlm_sql (sql): Opening additional connection (39), 1 of 30 pending slots used
>Fri Feb  2 11:03:35 2018 : Auth: (60) Invalid user (sql: Error parsing value: Unknown or invalid value "30:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
>Fri Feb  2 11:03:35 2018 : Auth: (60) Login incorrect (sql: Error parsing value: Unknown or invalid value "23:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)

>I can think of two options: Either the switch needs additional configuration or the attribute configuration is not for cisco. 
>I am bewildered that no one here uses freeradius for cisco md5 phones, and am I the only one working for a money loving government who is too stingy even to consider getting the latest acs?

--
>Nathan Ward

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
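
The switch log at the top of this message shows 802.1X authentication succeeding and the result then being overridden within the same AuditSessionID. The following is an added example, not part of the original thread: it groups such syslog lines by session and reports sessions where a successful authentication was followed by an authorization failure, with the reason the switch logged. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Switch log lines copied from the post above (MACs were already redacted there).
SAMPLE = """\
387717: Feb  2 11:20:41.262: %AUTHMGR-5-START: Starting 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387718: Feb  2 11:20:41.297: %DOT1X-5-SUCCESS: Authentication successful for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387719: Feb  2 11:20:41.297: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387720: Feb  2 11:20:41.297: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 23 on port GigabitEthernet1/0/29 cannot be equivalent to the Voice VLAN AuditSessionID 0A7000FC2201C28740F37DF3
387721: Feb  2 11:20:41.297: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387722: Feb  2 11:20:41.297: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (ip phone mac) on Interface Gi1/0/29 AuditSessionID 0A7000FC2201C28740F37DF3
387723: Feb  2 11:20:41.619: %AUTHMGR-5-START: Starting 'dot1x' for client (pc mac) on Interface Gi1/0/29 AuditSessionID 0A8001FC0001E08420F28F66
"""

# %FACILITY-SEVERITY-MNEMONIC: message
MNEMONIC = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)")
SESSION = re.compile(r"AuditSessionID (\S+)")
FAILURES = {"AUTHMGR-5-FAIL", "DOT1X-5-RESULT_OVERRIDE"}

def sessions(text):
    """Group (mnemonic, message) pairs by AuditSessionID, keeping log order."""
    by_id = defaultdict(list)
    for line in text.splitlines():
        m, s = MNEMONIC.search(line), SESSION.search(line)
        if m and s:  # lines without a session id (e.g. LINK-3-UPDOWN) are skipped
            by_id[s.group(1)].append((m.group(1), m.group(2)))
    return dict(by_id)

def overridden(text):
    """Map session id -> logged reason, for sessions that authenticated
    successfully and then failed authorization."""
    findings = {}
    for sid, events in sessions(text).items():
        names = [name for name, _ in events]
        if "DOT1X-5-SUCCESS" not in names:
            continue
        after = events[names.index("DOT1X-5-SUCCESS") + 1:]
        if not any(name in FAILURES for name, _ in after):
            continue
        # The DOT1X_SWITCH-* event carries the switch's own explanation.
        reason = next((SESSION.sub("", msg).strip() for name, msg in after
                       if name.startswith("DOT1X_SWITCH-")), "no reason logged")
        findings[sid] = reason
    return findings

if __name__ == "__main__":
    for sid, reason in overridden(SAMPLE).items():
        print(f"{sid}: authenticated, then authorization failed: {reason}")
```
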


