cisco phones

Vacheslav m_zouhairy at skno.by
Wed Jan 31 09:10:03 CET 2018


Did you mean a radius debug?... I thought of a cisco debug. I am sure about freeradius like you most likely haven't heard of Dr. Bob Beck's purifier.
I changed the following to reply attributes:
  Tunnel-Type:=VLAN
  Tunnel-Medium-Type:= IEEE-802
  Tunnel-Private-Group-Id:=23

Got:

Auth: (192) Invalid user (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)
Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to create the pair: Invalid character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)

Cisco output:

381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client 0x36000F6B (2c0b.e904.2892)
381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating client 0x36000F6B (2c0b.e904.2892)
381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting QUIET_WHILE_EXPIRE on Client 0x36000F6B
381358: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state auth_held, got event 5(quietWhile_expire)
381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held -> auth_restart
381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit called
381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_enter called
381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new context event to EAP for 0x36000F6B (2c0b.e904.2892)
381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_restart_action called
381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on Client 0x36000F6B
381365: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state auth_restart, got event 6(no_eapRestart)
381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart -> auth_connecting
381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_enter called
381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action called
381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client 0x36000F6B
381370: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting -> auth_authenticating
381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter called
381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_connecting_authenticating_action called
381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for 0x36000F6B
381375: Jan 30 17:44:11.045:     dot1x_auth_bend Gi1/0/45: during state auth_bend_idle, got event 4(eapReq_authStart)
381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle -> auth_bend_request
381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called
381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892
381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not required
381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr called
381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
381382: Jan 30 17:44:11.049: EAPOL pak dump Tx
381383: Jan 30 17:44:11.049: EAPOL Version: 0x3  type: 0x0  length: 0x0005
381384: Jan 30 17:44:11.049: EAP code: 0x1  id: 0x3  length: 0x0005 type: 0x1
381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892)
381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action called
381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not required
381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q
381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
381390: Jan 30 17:44:11.052: EAPOL pak dump rx
381391: Jan 30 17:44:11.052: EAPOL Version: 0x1  type: 0x0  length: 0x001C
381392: Jan 30 17:44:11.052: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28

381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL frame
381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c
381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet
381396: Jan 30 17:44:11.052: EAPOL pak dump rx
381397: Jan 30 17:44:11.052: EAPOL Version: 0x1  type: 0x0  length: 0x001C
381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892
381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B
381400: Jan 30 17:44:11.052:     dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap)
381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response
381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called
381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892)
381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called
381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x36000F6B
381406: Jan 30 17:44:11.063:     dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 7(eapReq)
381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_request
381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called
381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_enter called
381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892
381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not required
381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr called
381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
381414: Jan 30 17:44:11.063: EAPOL pak dump Tx
381415: Jan 30 17:44:11.063: EAPOL Version: 0x3  type: 0x0  length: 0x0016
381416: Jan 30 17:44:11.063: EAP code: 0x1  id: 0x4  length: 0x0016 type: 0x4
381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892)
381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_request_action called
381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not required
381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt on Authenticator Q
381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
381422: Jan 30 17:44:11.066: EAPOL pak dump rx
381423: Jan 30 17:44:11.066: EAPOL Version: 0x1  type: 0x0  length: 0x0016
381424: Jan 30 17:44:11.066: dot1x-ev:
dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22

381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL frame
381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016
381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet
381428: Jan 30 17:44:11.070: EAPOL pak dump rx
381429: Jan 30 17:44:11.070: EAPOL Version: 0x1  type: 0x0  length: 0x0016
381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet from 2c0b.e904.2892
381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for 0x36000F6B
381432: Jan 30 17:44:11.070:     dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 6(eapolEap)
381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_response
381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_enter called
Switch#
381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer: Response sent to the server from 0x36000F6B (2c0b.e904.2892)
381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_request_response_action called
381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for 0x31000F6C
381438: Jan 30 17:44:11.489:     dot1x_auth_bend Gi1/0/45: during state auth_bend_request, got event 7(eapReq)
381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_request -> auth_bend_request
381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_request_action called
381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): 0x31000F6C:auth_bend_request_enter called
381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to c46e.1f05.8999
381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not required
381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr called
381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
381446: Jan 30 17:44:11.489: EAPOL pak dump Tx
381447: Jan 30 17:44:11.489: EAPOL Version: 0x3  type: 0x0  length: 0x0005
381448: Jan 30 17:44:11.489: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x31000F6C (c46e.1f05.8999)
381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail
381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for 0x36000F6B
381452: Jan 30 17:44:12.087:     dot1x_auth_bend Gi1/0/45: during state auth_bend_response, got event 10(eapFail)
381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_response -> auth_bend_fail
381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_exit called
381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter called
381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_response_fail_action called
381457: Jan 30 17:44:12.087:     dot1x_auth_bend Gi1/0/45: idle during state auth_bend_fail
381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail -> auth_bend_idle
381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter called
381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on Client 0x36000F6B
381461: Jan 30 17:44:12.087:     dot1x_auth Gi1/0/45: during state auth_authenticating, got event 15(authFail)
381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating -> auth_authc_result
381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit called
381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authc_result_enter called
381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387
381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth Mgr for 2c0b.e904.2892
381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387
381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID 0A6000FC0001DEAA32DDD387
381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client  2c0b.e904.2892 successfully retrieved
381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for the client  0x36000F6B (2c0b.e904.2892)
381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on Client 0x36000F6B
381472: Jan 30 17:44:12.091:     dot1x_auth Gi1/0/45: during state auth_authc_result, got event 22(authzFail)
381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result -> auth_held
381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_enter called
381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to 2c0b.e904.2892
Switch#
381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not required
381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr called
381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
381479: Jan 30 17:44:12.091: EAPOL pak dump Tx
381480: Jan 30 17:44:12.091: EAPOL Version: 0x3  type: 0x0  length: 0x0004
381481: Jan 30 17:44:12.091: EAP code: 0x4  id: 0x4  length: 0x0004
381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to client 0x36000F6B (2c0b.e904.2892)

Actual values have been substituted from ill hackers especially those communists
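Added example, not code from this thread, from FreeRADIUS or from the poster: a small Python lint that loads rows in the layout of the radreply table (username, attribute, op, value) into an in-memory SQLite table and flags the two row defects whose error messages appear in this thread, an attribute name carrying a stray space (the "Invalid character ' ' in attribute" case) and a Cisco ACS-style "tag:value" such as "1:VLAN" stored in the value column (the "Unknown or invalid value" case). It also parses a radiusd "Auth:" log line to pull out request number, verdict, module reason and username, so the SQL side and the log side can be checked together. The sample rows and the phone name CP-3905-SEPEXAMPLE are constructed; the attribute-name character set and operator list are conservative assumptions, not a copy of FreeRADIUS's own parser.

```python
import re
import sqlite3

# Rows in the layout of the FreeRADIUS "radreply" table (username, attribute,
# op, value). Constructed for this example; the phone name is a placeholder.
# Two rows carry the defects reported in the thread: a stray space in an
# attribute name and a Cisco ACS-style "tag:value" stored as the value.
SAMPLE_ROWS = [
    ("CP-3905-SEPEXAMPLE", "Tunnel-Type", ":=", "VLAN"),
    ("CP-3905-SEPEXAMPLE", "Tunnel-Medium-Type ", ":=", "IEEE-802"),
    ("CP-3905-SEPEXAMPLE", "Tunnel-Private-Group-Id", ":=", "23"),
    ("CP-3905-SEPEXAMPLE", "Cisco-AVPair", ":=", "device-traffic-class=voice"),
    ("phone2", "Tunnel-Type", ":=", "1:VLAN"),
    ("phone2", "Tunnel-Medium-Type", "=", "1:802"),
]

# Conservative attribute-name syntax (assumption): letters, digits, '-', '_',
# '.', plus an optional ":<tag>" suffix for tagged attributes. Whitespace is
# never allowed, which is what "Invalid character ' ' in attribute" reports.
ATTR_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?::\d+)?$")
# Operators accepted in the users file / SQL module (assumption).
VALID_OPS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=", "=~", "!~", "=*", "!*"}
# A value like "1:VLAN" has the tag folded into the value; FreeRADIUS rejects it.
TAGGED_VALUE_RE = re.compile(r"^\d+:")


def build_db(rows):
    """Load rows into an in-memory table with radreply's columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE radreply (id INTEGER PRIMARY KEY, "
                "username TEXT, attribute TEXT, op TEXT, value TEXT)")
    con.executemany("INSERT INTO radreply (username, attribute, op, value) "
                    "VALUES (?, ?, ?, ?)", rows)
    con.commit()
    return con


def lint_radreply(con):
    """Return (id, username, problem, offending_text) for every bad row."""
    findings = []
    q = "SELECT id, username, attribute, op, value FROM radreply ORDER BY id"
    for rowid, user, attr, op, value in con.execute(q):
        if attr != attr.strip() or not ATTR_NAME_RE.match(attr):
            findings.append((rowid, user, "bad-attribute-name", attr))
        if op.strip() not in VALID_OPS:
            findings.append((rowid, user, "bad-operator", op))
        if TAGGED_VALUE_RE.match(value or ""):
            findings.append((rowid, user, "tag-in-value-column", value))
    return findings


# Matches the "Auth:" lines radiusd writes (with or without the timestamp
# prefix) and extracts request number, verdict, module reason and username.
AUTH_LINE_RE = re.compile(
    r"Auth: \((?P<req>\d+)\) (?P<verdict>Invalid user|Login incorrect|Login OK)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^/\]]+)"
)


def parse_auth_line(line):
    """Return a dict of the parsed fields, or None if the line is not an Auth line."""
    m = AUTH_LINE_RE.search(line)
    return m.groupdict() if m else None


# Log line copied from the message above (values were already substituted there).
SAMPLE_AUTH_LINE = ("Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect "
                    "(sql: Failed to create the pair: Invalid character ' ' in attribute): "
                    "[CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] "
                    "(from client Switch port 50145 cli 2D1B-E9-04-29-83)")

if __name__ == "__main__":
    for finding in lint_radreply(build_db(SAMPLE_ROWS)):
        print("radreply row %d (%s): %s: %r" % finding)
    print(parse_auth_line(SAMPLE_AUTH_LINE))
```

Run against a dump of the real table (replace SAMPLE_ROWS with a SELECT from the production database) before restarting radiusd; a row that trips the lint will produce the same "Failed to create the pair" or "Error parsing value" rejection for every phone that matches it.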

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, January 30, 2018 3:58 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: RE: cisco phones

>Are you sure that you don't want these to be reply attributes? Show debug to see what's coming through.

alan

On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy at skno.by> wrote:

> Thanks for the tip.
> According to https://supportforums.cisco.com/t5/other-security-subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-phone/td-p/1652836
> These need to be added
> cisco-avpair="device-traffic-class=voice"
> Tunnel-Type=1:VLAN
> Tunnel-Medium-Type=1:802
> Tunnel-Private-Group-ID=1:VOICE-LAN
>
> So I added them as check attributes, with := but I got:
> Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> If I delete the attribute Tunnel-Type:=1:VLAN (and it does not matter if I set it as a reply attribute, same error) I get:
> Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type): [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145 cli mac)
> The progress is that the ip phone now shows dropping packets on the voice vlan which means it accepted:
> Tunnel-Private-Group-ID:=1:VOICE-LAN
> After reading an email here: I'm inclined to replace ":=" with = but I have a limited lunch break to test these settings each day so perhaps someone who has dealt with this can save me some wasted time?
>
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> skno.by at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Friday, January 26, 2018 4:07 PM
> To: FreeRadius users mailing list 
> <freeradius-users at lists.freeradius.org>
> Subject: Re: cisco phones
>
> On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy at skno.by> wrote:
> >
> > I still can't authenticate the ip phones using md5 on the voice vlan, they keep getting authenticated on the data vlan. I ducked ducked the internet and found that:
> > "device-traffic-class=voice:= Cisco-AVPair"
> > Must be added. So I added it to the username of the ip phone in daloradius but the behavior has not changed. Perhaps, that must be added manually to the users file for it to work. I only found documentation on how to do that in cisco ACS.
>
>   That documentation tells you what attributes to return, and what values to use for those attributes.  Do the same thing in FreeRADIUS.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html