[RADIATOR] Cisco 3750 (and others) 802.1x Wired Port Authentication

Hugh Irvine hugh at open.com.au
Wed Mar 3 20:39:18 CST 2010


Hello Dave -

Again, it looks like a client supplicant problem.

Radiator can't do much if it doesn't receive requests.

You should look at what debugging you have available on both the client supplicant and on the NAS.

BTW - your configuration file is only set up for PEAP - is this what your supplicant is expecting?

regards

Hugh


On 4 Mar 2010, at 13:10, David Heinz wrote:

> Hugh, 
> 
> Sorry, I haven't posted here in around 10 years :)
> 
> Configuration
> --------------------------
> Foreground
> LogStdout
> 
> Trace   3
> 
> PidFile /tmp/radiusd.pid
> 
> AuthPort        1645
> AcctPort        1646
> 
> LogDir          /var/log/radius
> 
> DbDir           /etc/radiator
> 
> SnmpgetProg     /usr/local/bin/snmpget
> 
> <Client xxxxxxxxx>
>        IgnoreAcctSignature
>        Secret mysecret
>        DupInterval 0
> </Client>
> 
> <Handler TunnelledByPEAP=1>
>        <AuthBy FILE>
>                EAPType MSCHAP-V2
>                EAP_PEAP_MSCHAP_Convert 1
>        </AuthBy>
> </Handler>
> 
> <Handler ConvertedFromEAPMSCHAPV2=1>
>        <AuthBy GROUP>
>                AuthByPolicy ContinueWhileAccept
>                <AuthBy SQL>
>                        # Adjust DBSource, DBUsername, DBAuth to suit your DB
>                        DBSource        dbinformation
>                        DBUsername      dbuser
>                        DBAuth          dbpassword
> 
>                        AuthSelect select password from CorpUser where username=%0 AND expires > CURDATE()
>                        AuthColumnDef   0,User-Password,check
> 
>                        AccountingTable Accounting
>                        AcctColumnDef   username,User-Name
>                        AcctColumnDef   timestamp,Timestamp,integer
>                        AcctColumnDef   acctstatustype,Acct-Status-Type
>                        AcctColumnDef   acctdelaytime,Acct-Delay-Time,integer
>                        AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
>                        AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
>                        AcctColumnDef   acctsessionid,Acct-Session-Id
>                        AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
>                        AcctColumnDef   acctterminatecause,Acct-Terminate-Cause
>                        AcctColumnDef   nasidentifier,NAS-Identifier
>                        AcctColumnDef   nasport,NAS-Port,integer
>                        AcctColumnDef   framedip,Framed-IP-Address
> 
>                        SQLRecoveryFile %D/missedaccounting
>                </AuthBy>
>                <AuthBy LDAP2>
>                        Host localhost
>                        Port someport
>                        AuthDN somedn
>                        AuthPassword ldappassword
> 
>                        BaseDN somebasedn
>                        SearchFilter somefilter
>                        UsernameAttr uid
>                        NoCheckPassword
>                        NoDefault
>                        NoDefaultIfFound
>                        Timeout 20
>                </AuthBy>
>        </AuthBy>
> </Handler>
> 
> <Handler>
>        RewriteUsername s/^([^@]+).*/$1/
> 
>        AcctLogFileName %L/detail
>        WtmpFileName %L/wtmp
> 
>        RejectHasReason
> 
>        <AuthBy FILE>
>                Filename %D/users
> 
>                EAPType PEAP
>                EAPTLS_CAFile /etc/radiator/corp-ca-chain
>                EAPTLS_CertificateFile /etc/radiator/mycert.cert
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile /etc/radiator/mycert.key
>                EAPAnonymous anonymous
>                AutoMPPEKeys
>                EAPTLS_PEAPBrokenV1Label
>                EAPTLS_PEAPVersion 1
>        </AuthBy>
> </Handler>
> 
> Trace 4 details:
> ----------------------------
> *** Received from 10.30.36.251 port 1645 ....
> Code:       Access-Request
> Identifier: 16
> Authentic:  <177>Y<24><139><6><211>.9<134><151><214>.@<161><15><183>
> Attributes:
>        User-Name = "acaldwell"
>        Service-Type = Framed-User
>        Framed-MTU = 1500
>        Called-Station-Id = "00-0F-23-9A-2A-83"
>        Calling-Station-Id = "00-15-C5-15-FB-2A"
>        EAP-Message = <2><2><0><14><1>acaldwell
>        Message-Authenticator = <18>a<231>c<194>m<239><200><196><138><244>& <253><218><188>
>        NAS-Port = 50103
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address = 10.30.36.251
> 
> Wed Mar  3 22:26:33 2010: DEBUG: Handling request with Handler ''
> Wed Mar  3 22:26:33 2010: DEBUG: Rewrote user name to acaldwell
> Wed Mar  3 22:26:33 2010: DEBUG:  Deleting session for acaldwell, 10.30.36.251, 50103
> Wed Mar  3 22:26:33 2010: DEBUG: Handling with Radius::AuthFILE: 
> Wed Mar  3 22:26:33 2010: DEBUG: Handling with EAP: code 2, 2, 14, 1
> Wed Mar  3 22:26:33 2010: DEBUG: Response type 1
> Wed Mar  3 22:26:33 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: Access challenged for acaldwell: EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: Packet dump:
> *** Sending to 10.30.36.251 port 1645 ....
> Code:       Access-Challenge
> Identifier: 16
> Authentic:  m<253>#<226><131><19>eS(<254><13><217><222><185><9>'
> Attributes:
>        EAP-Message = <1><3><0><6><25>!
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> and that's it... nothing else is ever seen! This same config works just fine with the Windows wireless PEAP users.
> 
> -dave
> 
> 
> 
> On Mar 3, 2010, at 8:45 PM, Hugh Irvine wrote:
> 
>> 
>> Hello David -
>> 
>> It sounds like your supplicant is not happy.
>> 
>> When asking questions, please include a copy of the Radiator configuration file and a trace 4 debug showing what is happening.
>> 
>> There are also some useful pointers in the FAQ (which is also included in the Radiator distribution in the "doc" directory):
>> 
>> 	http://www.open.com.au/radiator/faq.html
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 4 Mar 2010, at 12:04, David Heinz wrote:
>> 
>>> I'm attempting to get a 3750 to authenticate and assign a VLAN ID to the port. 
>>> 
>>> Since I have to use the native Windows client (and all of them have PEAP) I'm using PEAP as my EAP type. 
>>> 
>>> When the radius server sends back the access-challenge...there is no response from the authenticator. 
>>> 
>>> Anyone have any thoughts? I've verified time and again the Cisco configuration for this to work.
>>> 
>>> -Dave
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
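The two EAP-Message attributes in Dave's trace can be decoded to confirm exactly what the exchange got to: the supplicant sent an EAP-Response/Identity for "acaldwell", and Radiator answered with an EAP-Request of type 25 (PEAP) whose flags byte has the Start bit set and the version bits equal to 1, which matches EAPTLS_PEAPVersion 1 in the configuration. The next packet on the wire should be an EAP-Response/PEAP carrying the TLS ClientHello; when it never arrives, as here, only the supplicant and the switch can say why. The Python below is an added example, not code from this thread or from Radiator. It assumes only the notation Radiator uses in its packet dumps, where each non-printable byte is printed as <decimal> and printable bytes are printed literally ('!' is 0x21); the two dump strings are transcribed from the trace above.

```python
"""Decode the EAP-Message attributes from a Radiator trace 4 dump.

Radiator prints binary attribute values with each non-printable byte as
<decimal> and printable bytes literally, so '<1><3><0><6><25>!' is the six
bytes 01 03 00 06 19 21.  This turns that notation back into bytes and
decodes the EAP header (RFC 3748) plus the PEAP/TTLS/TLS flags byte.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Sample input: the two EAP-Message values transcribed from the trace above.
IDENTITY_RESPONSE_DUMP = "<2><2><0><14><1>acaldwell"
PEAP_START_DUMP = "<1><3><0><6><25>!"

_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def decode_radiator_dump(text):
    """Convert Radiator's <n>/literal rendering of a byte string to bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        value = int(num) if num else ord(ch)
        if value > 255:
            raise ValueError("non-byte character in dump: %r" % ch)
        out.append(value)
    return bytes(out)


def parse_eap(msg):
    """Parse one EAP packet; returns a dict describing header and payload."""
    if len(msg) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(msg)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success/Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    etype = msg[4]
    data = msg[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = data.decode("utf-8", "replace")
    elif etype in (13, 21, 25):
        # TLS-based methods begin with a flags byte laid out L M S R R V V V.
        # PEAP and TTLS carry a version in the low three bits; EAP-TLS reserves them.
        if not data:
            raise ValueError("TLS-based EAP type without a flags byte")
        flags = data[0]
        info["flags"] = {
            "length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
            "version": (flags & 0x07) if etype != 13 else None,
        }
        body = data[1:]
        if info["flags"]["length_included"]:
            if len(body) < 4:
                raise ValueError("L flag set but no 4-byte TLS length follows")
            info["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_data"] = body  # TLS record bytes (empty for a Start request)
    else:
        info["data"] = data
    return info


def describe(dump):
    """One-line summary of a dumped EAP-Message, for reading a trace quickly."""
    p = parse_eap(decode_radiator_dump(dump))
    text = "EAP-%s id=%d" % (p["code"], p["id"])
    if "type" in p:
        text += " type=%s" % p["type"]
    if "identity" in p:
        text += " identity=%r" % p["identity"]
    if "flags" in p:
        f = p["flags"]
        bits = "".join(b for b, on in (("L", f["length_included"]),
                                       ("M", f["more_fragments"]),
                                       ("S", f["start"])) if on) or "-"
        text += " flags=%s version=%s tls_bytes=%d" % (bits, f["version"],
                                                       len(p["tls_data"]))
    return text


if __name__ == "__main__":
    for dump in (IDENTITY_RESPONSE_DUMP, PEAP_START_DUMP):
        print(describe(dump))
```

Run against the two dump strings, describe() reports an EAP-Response/Identity for acaldwell followed by an EAP-Request/PEAP with only the S flag set and version 1, i.e. a PEAPv1 Start with no TLS data yet. If a later trace does show a reply from the switch, the same decoder will show whether it is a PEAP response carrying TLS bytes (the ClientHello) or an EAP Nak proposing a different method, which is the quickest way to tell a method mismatch from a supplicant that simply never answers.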
