cisco phones

Alan Buxey alan.buxey at gmail.com
Wed Jan 31 11:13:00 CET 2018


hi,

freeradius debug

radiusd -X

from the very start to the final packet sent back to the NAS. I don't care
about cisco debug.


alan

On 31 January 2018 at 08:10, Vacheslav <m_zouhairy at skno.by> wrote:

> Did you mean a radius debug?... I thought of a cisco debug. I am sure
> about freeradius like you most likely haven't heard of Dr. Bob Beck's
> purifier.
> I changed the following to reply attributes:
>   Tunnel-Type:=VLAN
>   Tunnel-Medium-Type:= IEEE-802
>   Tunnel-Private-Group-Id:=23
>
> Got:
>
> Auth: (192) Invalid user (sql: Failed to create the pair: Invalid
> character ' ' in attribute): [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type
> = eap>] (from client Switch port 50145 cli 2D1B-E9-04-29-83)
> Tue Jan 30 17:45:12 2018 : Auth: (192) Login incorrect (sql: Failed to
> create the pair: Invalid character ' ' in attribute):
> [CP-3905-SEP2D1B-E9-04-29-83/<via Auth-Type = eap>] (from client Switch
> port 50145 cli 2D1B-E9-04-29-83)
>
> Cisco output:
>
> 381355: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Reauthenticating client
> 0x36000F6B (2c0b.e904.2892)
> 381356: Jan 30 17:44:10.857: dot1x-ev(Gi1/0/45): Already authenticating
> client 0x36000F6B (2c0b.e904.2892)
> 381357: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting
> QUIET_WHILE_EXPIRE on Client 0x36000F6B
> 381358: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state
> auth_held, got event 5(quietWhile_expire)
> 381359: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_held ->
> auth_restart
> 381360: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_held_exit
> called
> 381361: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_restart_enter called
> 381362: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending create new
> context event to EAP for 0x36000F6B (2c0b.e904.2892)
> 381363: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_restart_action called
> 381364: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting !EAP_RESTART on
> Client 0x36000F6B
> 381365: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state
> auth_restart, got event 6(no_eapRestart)
> 381366: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_restart ->
> auth_connecting
> 381367: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_enter called
> 381368: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_restart_connecting_action
> called
> 381369: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting RX_REQ on Client
> 0x36000F6B
> 381370: Jan 30 17:44:11.045:     dot1x_auth Gi1/0/45: during state
> auth_connecting, got event 10(eapReq_no_reAuthMax)
> 381371: Jan 30 17:44:11.045: @@@ dot1x_auth Gi1/0/45: auth_connecting ->
> auth_authenticating
> 381372: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_enter
> called
> 381373: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_connecting_authenticating_action called
> 381374: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45): Posting AUTH_START for
> 0x36000F6B
> 381375: Jan 30 17:44:11.045:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_idle, got event 4(eapReq_authStart)
> 381376: Jan 30 17:44:11.045: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_idle
> -> auth_bend_request
> 381377: Jan 30 17:44:11.045: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381378: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Sending EAPOL packet to
> 2c0b.e904.2892
> 381379: Jan 30 17:44:11.045: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381380: Jan 30 17:44:11.049: dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381381: Jan 30 17:44:11.049: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
> 381382: Jan 30 17:44:11.049: EAPOL pak dump Tx
> 381383: Jan 30 17:44:11.049: EAPOL Version: 0x3  type: 0x0  length: 0x0005
> 381384: Jan 30 17:44:11.049: EAP code: 0x1  id: 0x3  length: 0x0005 type:
> 0x1
> 381385: Jan 30 17:44:11.049: dot1x-packet(Gi1/0/45): EAPOL packet sent to
> client 0x36000F6B (2c0b.e904.2892)
> 381386: Jan 30 17:44:11.049: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_request_action
> called
> 381387: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381388: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt
> on Authenticator Q
> 381389: Jan 30 17:44:11.052: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381390: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381391: Jan 30 17:44:11.052: EAPOL Version: 0x1  type: 0x0  length: 0x001C
> 381392: Jan 30 17:44:11.052: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 1,LEN= 28
>
> 381393: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381394: Jan 30 17:44:11.052: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001c
> 381395: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP packet
> 381396: Jan 30 17:44:11.052: EAPOL pak dump rx
> 381397: Jan 30 17:44:11.052: EAPOL Version: 0x1  type: 0x0  length: 0x001C
> 381398: Jan 30 17:44:11.052: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381399: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381400: Jan 30 17:44:11.052:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381401: Jan 30 17:44:11.052: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381402: Jan 30 17:44:11.052: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called
> 381403: Jan 30 17:44:11.056: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381404: Jan 30 17:44:11.056: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381405: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x36000F6B
> 381406: Jan 30 17:44:11.063:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 7(eapReq)
> 381407: Jan 30 17:44:11.063: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_request
> 381408: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381409: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_enter called
> 381410: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending EAPOL packet to
> 2c0b.e904.2892
> 381411: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381412: Jan 30 17:44:11.063: dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381413: Jan 30 17:44:11.063: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
> 381414: Jan 30 17:44:11.063: EAPOL pak dump Tx
> 381415: Jan 30 17:44:11.063: EAPOL Version: 0x3  type: 0x0  length: 0x0016
> 381416: Jan 30 17:44:11.063: EAP code: 0x1  id: 0x4  length: 0x0016 type:
> 0x4
> 381417: Jan 30 17:44:11.063: dot1x-packet(Gi1/0/45): EAPOL packet sent to
> client 0x36000F6B (2c0b.e904.2892)
> 381418: Jan 30 17:44:11.063: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_request_action called
> 381419: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381420: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Queuing an EAPOL pkt
> on Authenticator Q
> 381421: Jan 30 17:44:11.066: dot1x-ev:Enqueued the eapol packet to the
> global authenticator queue
> 381422: Jan 30 17:44:11.066: EAPOL pak dump rx
> 381423: Jan 30 17:44:11.066: EAPOL Version: 0x1  type: 0x0  length: 0x0016
> 381424: Jan 30 17:44:11.066: dot1x-ev:
> dot1x_auth_queue_event: Int Gi1/0/45 CODE= 2,TYPE= 4,LEN= 22
>
> 381425: Jan 30 17:44:11.066: dot1x-packet(Gi1/0/45): Received an EAPOL
> frame
> 381426: Jan 30 17:44:11.066: dot1x-ev(Gi1/0/45): Received pkt saddr
> =2c0b.e904.2892 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0016
> 381427: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP packet
> 381428: Jan 30 17:44:11.070: EAPOL pak dump rx
> 381429: Jan 30 17:44:11.070: EAPOL Version: 0x1  type: 0x0  length: 0x0016
> 381430: Jan 30 17:44:11.070: dot1x-packet(Gi1/0/45): Received an EAP
> packet from 2c0b.e904.2892
> 381431: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45): Posting EAPOL_EAP for
> 0x36000F6B
> 381432: Jan 30 17:44:11.070:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 6(eapolEap)
> 381433: Jan 30 17:44:11.070: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_response
> 381434: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_enter called
> Switch#
> 381435: Jan 30 17:44:11.070: dot1x-ev(Gi1/0/45): dot1x_sendRespToServer:
> Response sent to the server from 0x36000F6B (2c0b.e904.2892)
> 381436: Jan 30 17:44:11.070: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_request_response_action called
> 381437: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45): Posting EAP_REQ for
> 0x31000F6C
> 381438: Jan 30 17:44:11.489:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_request, got event 7(eapReq)
> 381439: Jan 30 17:44:11.489: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_request -> auth_bend_request
> 381440: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_request_action called
> 381441: Jan 30 17:44:11.489: dot1x-sm(Gi1/0/45):
> 0x31000F6C:auth_bend_request_enter called
> 381442: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending EAPOL packet to
> c46e.1f05.8999
> 381443: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381444: Jan 30 17:44:11.489: dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381445: Jan 30 17:44:11.489: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
> 381446: Jan 30 17:44:11.489: EAPOL pak dump Tx
> 381447: Jan 30 17:44:11.489: EAPOL Version: 0x3  type: 0x0  length: 0x0005
> 381448: Jan 30 17:44:11.489: EAP code: 0x1  id: 0x1  length: 0x0005 type:
> 0x1
> 381449: Jan 30 17:44:11.489: dot1x-packet(Gi1/0/45): EAPOL packet sent to
> client 0x31000F6C (c46e.1f05.8999)
> 381450: Jan 30 17:44:12.087: dot1x-ev(Gi1/0/45): Received an EAP Fail
> 381451: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting EAP_FAIL for
> 0x36000F6B
> 381452: Jan 30 17:44:12.087:     dot1x_auth_bend Gi1/0/45: during state
> auth_bend_response, got event 10(eapFail)
> 381453: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45:
> auth_bend_response -> auth_bend_fail
> 381454: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_exit called
> 381455: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_fail_enter
> called
> 381456: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_bend_response_fail_action called
> 381457: Jan 30 17:44:12.087:     dot1x_auth_bend Gi1/0/45: idle during
> state auth_bend_fail
> 381458: Jan 30 17:44:12.087: @@@ dot1x_auth_bend Gi1/0/45: auth_bend_fail
> -> auth_bend_idle
> 381459: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_bend_idle_enter
> called
> 381460: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): Posting AUTH_FAIL on
> Client 0x36000F6B
> 381461: Jan 30 17:44:12.087:     dot1x_auth Gi1/0/45: during state
> auth_authenticating, got event 15(authFail)
> 381462: Jan 30 17:44:12.087: @@@ dot1x_auth Gi1/0/45: auth_authenticating
> -> auth_authc_result
> 381463: Jan 30 17:44:12.087: dot1x-sm(Gi1/0/45): 0x36000F6B:auth_authenticating_exit
> called
> 381464: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_authc_result_enter called
> 381465: Jan 30 17:44:12.091: %DOT1X-5-FAIL: Authentication failed for
> client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381466: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending event (2) to Auth
> Mgr for 2c0b.e904.2892
> 381467: Jan 30 17:44:12.091: %AUTHMGR-7-RESULT: Authentication result
> 'fail' from 'dot1x' for client (2c0b.e904.2892) on Interface Gi1/0/45
> AuditSessionID 0A6000FC0001DEAA32DDD387
> 381468: Jan 30 17:44:12.091: %AUTHMGR-5-FAIL: Authorization failed or
> unapplied for client (2c0b.e904.2892) on Interface Gi1/0/45 AuditSessionID
> 0A6000FC0001DEAA32DDD387
> 381469: Jan 30 17:44:12.091: dot1x-redundancy: State for client
> 2c0b.e904.2892 successfully retrieved
> 381470: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Received Authz fail for
> the client  0x36000F6B (2c0b.e904.2892)
> 381471: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45): Posting_AUTHZ_FAIL on
> Client 0x36000F6B
> 381472: Jan 30 17:44:12.091:     dot1x_auth Gi1/0/45: during state
> auth_authc_result, got event 22(authzFail)
> 381473: Jan 30 17:44:12.091: @@@ dot1x_auth Gi1/0/45: auth_authc_result ->
> auth_held
> 381474: Jan 30 17:44:12.091: dot1x-sm(Gi1/0/45):
> 0x36000F6B:auth_held_enter called
> 381475: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending EAPOL packet to
> 2c0b.e904.2892
> Switch#
> 381476: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Role determination not
> required
> 381477: Jan 30 17:44:12.091: dot1x-registry:registry:dot1x_ether_macaddr
> called
> 381478: Jan 30 17:44:12.091: dot1x-ev(Gi1/0/45): Sending out EAPOL packet
> 381479: Jan 30 17:44:12.091: EAPOL pak dump Tx
> 381480: Jan 30 17:44:12.091: EAPOL Version: 0x3  type: 0x0  length: 0x0004
> 381481: Jan 30 17:44:12.091: EAP code: 0x4  id: 0x4  length: 0x0004
> 381482: Jan 30 17:44:12.091: dot1x-packet(Gi1/0/45): EAPOL packet sent to
> client 0x36000F6B (2c0b.e904.2892)
>
> Actual values have been substituted from ill hackers especially those
> communists
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> skno.by at lists.freeradius.org] On Behalf Of Alan Buxey
> Sent: Tuesday, January 30, 2018 3:58 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: RE: cisco phones
>
> >Are you sure that you don't want these to be reply attributes? Show debug
> to see what's coming through.
>
> alan
>
> On 30 Jan 2018 11:10 am, "Vacheslav" <m_zouhairy at skno.by> wrote:
>
> > Thanks for the tip.
> > According to https://supportforums.cisco.com/t5/other-security-subjects/802-1x-authentication-not-happening-in-voice-domain-for-ip-phone/td-p/1652836
> > These need to be added
> > cisco-avpair="device-traffic-class=voice"
> > Tunnel-Type=1:VLAN
> > Tunnel-Medium-Type=1:802
> > Tunnel-Private-Group-ID=1:VOICE-LAN
> >
> > So I added them as check attributes, with := but I got:
> > Auth: (163) Invalid user (sql: Error parsing value: Unknown or invalid
> > value "1:VLAN" for attribute Tunnel-Type): [ip phone name/<via Auth-Type =
> > eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30 13:36:34 2018 : Auth: (163) Login incorrect (sql: Error parsing
> > value: Unknown or invalid value "1:VLAN" for attribute Tunnel-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli mac)
> > If I delete the attribute Tunnel-Type:=1:VLAN (and it does
> > not matter if I set it as a reply attribute, same error) I get:
> > Auth: (159) Invalid user (sql: Error parsing value: Unknown or invalid
> > value "1:802" for attribute Tunnel-Medium-Type): [ip phone name<via
> > Auth-Type = eap>] (from client Switch port 50145 cli mac)
> > Tue Jan 30 13:34:30 2018 : Auth: (159) Login incorrect (sql: Error parsing
> > value: Unknown or invalid value "1:802" for attribute Tunnel-Medium-Type):
> > [ip phone name/<via Auth-Type = eap>] (from client Switch port 50145
> > cli mac)
> > The progress is that the ip phone now shows dropping packets on the
> > voice vlan which means it accepted:
> > Tunnel-Private-Group-ID:=1:VOICE-LAN
> > After reading an email here: I'm inclined to replace ":=" with = but I
> > have a limited lunch break to test these settings each day so perhaps
> > someone who has dealt with this can save me some wasted time?
> >
> >
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=
> > skno.by at lists.freeradius.org] On Behalf Of Alan DeKok
> > Sent: Friday, January 26, 2018 4:07 PM
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org>
> > Subject: Re: cisco phones
> >
> > On Jan 26, 2018, at 6:49 AM, Vacheslav <m_zouhairy at skno.by> wrote:
> > >
> > > I still can't authenticate the ip phones using md5 on the voice vlan,
> > > they keep getting authenticated on the data vlan. I ducked ducked the
> > > internet and found that:
> > > "device-traffic-class=voice:= Cisco-AVPair"
> > > Must be added. So I added it to the username of the ip phone in daloradius
> > > but the behavior has not changed. Perhaps, that must be added manually to
> > > the users file for it to work. I only found documentation on how to do
> > > that in cisco ACS.
> >
> >   That documentation tells you what attributes to return, and what
> >   values to use for those attributes.  Do the same thing in FreeRADIUS.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >


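As an added example (not from the thread, daloradius or FreeRADIUS itself), a small Python lint that checks radreply-style rows for the two rejections quoted above (a space inside the attribute column, and the ACS-style "1:VLAN" tag-in-value form), repairs them, and renders the result as a FreeRADIUS `users` file entry with the tag on the attribute side. The row shape, the enum subset, the quoting rule and the username are assumptions; only the attribute names and values come from the thread.

```python
import re

# Constructed rows in the shape of daloradius's radreply table (attribute, op, value).
# They reproduce the two rejections quoted in the thread plus two rows that are fine.
ROWS_AS_TYPED = [
    ("Tunnel-Type", ":=", "1:VLAN"),            # ACS-style "tag:value" in the value column
    ("Tunnel-Medium-Type :=", "", "IEEE-802"),  # operator pasted into the attribute column
    ("Tunnel-Private-Group-Id", ":=", "1:VOICE-LAN"),
    ("Cisco-AVPair", ":=", "device-traffic-class=voice"),
]

ATTR_RE = re.compile(r"^[A-Za-z0-9-]+(:\d+)?$")   # Name or Name:tag, never whitespace
OPS = {"=", ":=", "+=", "==", "!=", "=~", "!~", "<", "<=", ">", ">="}
# Dictionary value names for the two enumerated tunnel attributes (assumed subset).
ENUMS = {"Tunnel-Type": {"VLAN"}, "Tunnel-Medium-Type": {"IEEE-802"}}
TAGGABLE = set(ENUMS) | {"Tunnel-Private-Group-Id"}
TAGGED_VALUE = re.compile(r"^(\d+):(.+)$")

def lint_row(attr, op, value):
    """Complaints FreeRADIUS's sql module would raise for one radreply row."""
    problems = []
    if not ATTR_RE.match(attr):
        bad = next((c for c in attr if not (c.isalnum() or c in "-:")), "?")
        problems.append(f"Invalid character '{bad}' in attribute")
    if op not in OPS:
        problems.append(f"Unknown operator '{op}'")
    name = attr.split(":")[0]
    if name in ENUMS and value not in ENUMS[name]:
        problems.append(f'Unknown or invalid value "{value}" for attribute {name}')
    return problems

def fix_row(attr, op, value):
    """Split a pasted operator out of the attribute column, and move an ACS-style
    tag from the value onto the attribute (FreeRADIUS writes Tunnel-Type:1 = VLAN)."""
    parts = attr.split()
    if len(parts) == 2 and parts[1] in OPS and not op:
        attr, op = parts
    m = TAGGED_VALUE.match(value)
    if m and attr in TAGGABLE:
        attr, value = f"{attr}:{m.group(1)}", m.group(2)
    return attr, op, value

def users_entry(username, rows):
    """Render the corrected rows as a FreeRADIUS users-file entry (all reply items)."""
    def quote(v):  # bare dictionary names and numbers may stay unquoted
        return v if re.fullmatch(r"[A-Za-z0-9-]+", v) else f'"{v}"'
    lines = [f"\t{a} {o} {quote(v)}" for a, o, v in map(lambda r: fix_row(*r), rows)]
    return username + "\n" + ",\n".join(lines) + "\n"
```

Running `lint_row` over each row of `ROWS_AS_TYPED` reproduces the two error texts from the thread, and `users_entry("CP-3905-phone", ROWS_AS_TYPED)` (constructed username) prints the entry with `Tunnel-Type:1 := VLAN` and the other three reply items.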