[RADIATOR] Cisco IP Phones 802.1x Authentication?
Hugh Irvine
hugh at open.com.au
Thu Jun 24 04:52:43 CDT 2010
Hello Greg -
All attributes that you use, including "cisco-avpair" must match the way they are spelled and defined in the Radiator dictionary.
I.e. from the Radiator dictionary file:
VENDORATTR 9 cisco-avpair 1 string
If in doubt, check the dictionary - it is a simple text file that you can look at with any text editor.
regards
Hugh
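The check Hugh describes, as an added example that is not part of this thread or of Radiator: a small Python script that reads a Radiator-style dictionary and users file and reports every attribute name whose spelling differs from the dictionary's. The dictionary excerpt and users file inside it are constructed for the example (the real dictionary is much larger and its type names may differ); the two spellings of the Cisco VSA are the ones from the thread, and the username pattern is the one from Greg's Handler.

```python
"""Check a Radiator users file against the Radiator dictionary.

Added example, not code from this thread or from Radiator.  It applies the
rule above: every attribute name in a users file must be spelled exactly as
the dictionary defines it.  The dictionary excerpt and users file are
constructed for the example (the real dictionary is far larger and its type
names may differ); the two spellings of the Cisco VSA are the ones that
appear in the thread, and the username pattern is the one from the Handler.
"""
import re

# Constructed excerpt in Radiator dictionary syntax.
DICTIONARY = """\
ATTRIBUTE   User-Name               1   string
ATTRIBUTE   User-Password           2   string
ATTRIBUTE   Tunnel-Type             64  tagged-integer
ATTRIBUTE   Tunnel-Medium-Type      65  tagged-integer
ATTRIBUTE   Tunnel-Private-Group-ID 81  tagged-string
VENDORATTR  9 cisco-avpair          1   string
"""

# Constructed users file: first entry spells the VSA as in the original post,
# second as in the working config.  Check items share the username line,
# reply items follow on indented lines, comma separated.
USERS_FILE = """\
CP-7942G-SEP2893FE127C54 User-Password = test1234
    Cisco-avpair = "device-traffic-class=voice"

CP-7975G-SEP001122AABBCC User-Password = test1234
    cisco-avpair = "device-traffic-class=voice",
    Tunnel-Type = 1:VLAN,
    Tunnel-Medium-Type = 1:Ether_802,
    Tunnel-Private-Group-ID = 1:VOICE-LAN
"""

# Same pattern as the Handler: anything, "SEP", then a 12-hex-digit MAC.
PHONE_RE = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")
# One check or reply item: name, operator, quoted or bare value.
ITEM_RE = re.compile(r'([A-Za-z0-9_.:-]+)\s*(==|=\*|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_dictionary(text):
    """Map attribute name -> (vendor id or None, number, type)."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "ATTRIBUTE" and len(parts) >= 4:
            names[parts[1]] = (None, int(parts[2]), parts[3])
        elif parts[0] == "VENDORATTR" and len(parts) >= 5:
            names[parts[2]] = (int(parts[1]), int(parts[3]), parts[4])
    return names


def parse_users(text):
    """Entries start in column 1 (username + check items); indented lines hold reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"user": parts[0], "check": ITEM_RE.findall(rest), "reply": []})
        elif entries:
            entries[-1]["reply"].extend(ITEM_RE.findall(line))
    return entries


def check_users(text, dictionary):
    """Return (user, attribute, problem) for each item the dictionary does not define."""
    by_lower = {name.lower(): name for name in dictionary}
    problems = []
    for entry in parse_users(text):
        if not PHONE_RE.match(entry["user"]):
            problems.append((entry["user"], None, "does not match the phone Handler pattern"))
        for name, _op, _value in entry["check"] + entry["reply"]:
            if name in dictionary:
                continue
            canonical = by_lower.get(name.lower())
            if canonical:   # exists, but not with this spelling
                problems.append((entry["user"], name, "case mismatch: dictionary spells it " + canonical))
            else:
                problems.append((entry["user"], name, "not defined in dictionary"))
    return problems


if __name__ == "__main__":
    for user, attr, why in check_users(USERS_FILE, parse_dictionary(DICTIONARY)):
        print("%s: %s: %s" % (user, attr or "(username)", why))
```

Run as-is it reports the single entry that uses "Cisco-avpair"; point parse_dictionary and parse_users at the real files (the Radiator dictionary and %D/voip-phones) to check a live configuration before restarting radiusd. The username check is a side benefit: an entry whose name does not match the Handler's User-Name pattern would never reach that AuthBy FILE in the first place.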
On 23 Jun 2010, at 19:50, Gregory Fuller wrote:
> Hugh,
>
> I was able to get this working the other day. Here's my radius config:
>
> <Client 129.3.244.100>
> # Configure 802.1x switch authentication for LANIGAN-SWITCHES
> #
> Identifier LANIGAN-SWITCHES
> Secret xxxxxx
> DupInterval 0
> IgnoreAcctSignature
> </Client>
> <Handler Client-Identifier=LANIGAN-SWITCHES, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
> <AuthBy FILE>
> Filename %D/voip-phones
> EAPType MD5
> </AuthBy>
> AuthLog VOIP-AuthLogger
> AcctLogFileName /var/log/radius/VOIP-detail
> </Handler>
>
> Then within the voip-phones userfile I added the following:
>
> CP-7942G-SEP2893FE127C54 User-Password = oswego
> cisco-avpair="device-traffic-class=voice",
> Tunnel-Type=1:VLAN,
> Tunnel-Medium-Type=1:Ether_802,
> Tunnel-Private-Group-ID=1:VOICE-LAN
>
>
> It appeared that the "cisco-avpair" was case sensitive on my Cisco
> 3750V2-48PS switches for some reason. I didn't try it with any other
> switches yet, but changing that attribute to all lowercase appeared to
> actually assign the voice vlan name properly as part of the voice
> domain. I also have multi-domain 802.1x authentication enabled on the
> switch to allow multiple 802.1x authentications on the same port.
> When doing that you need to specifically tell the switch that the
> phone needs to be in the voice-vlan and not the data vlan, that's what
> the cisco-avpair is assigning.
>
> Here's my interface configuration from the switch:
>
> interface FastEthernet2/0/3
> description 26-9 Y
> switchport mode access
> switchport voice vlan 2089
> srr-queue bandwidth share 10 10 60 20
> priority-queue out
> authentication host-mode multi-domain
> authentication port-control auto
> authentication periodic
> authentication timer reauthenticate 1800
> mls qos trust device cisco-phone
> mls qos trust cos
> auto qos voip cisco-phone
> dot1x pae authenticator
> spanning-tree portfast
> service-policy input AutoQoS-Police-CiscoPhone
> end
>
>
> If I take out the static voice-vlan assignment from the interface the
> RADIUS reply puts the phone into the correct VLAN. I did read
> somewhere that "dynamic" vlan assignment for the voice-vlan wasn't
> supported by Cisco, but it does appear to work on the 3750V2's running
> IOS 12.2(53)SE.
>
> Thanks for your assistance.
>
> --greg
>
>
>
> On Thu, Jun 17, 2010 at 5:57 PM, Hugh Irvine <hugh at open.com.au> wrote:
>>
>> Hello Greg -
>>
>> As it happens I am doing exactly this at the moment.
>>
>> The Cisco phones I have been working with do indeed use MD5 authentication.
>>
>> The debug below shows Radiator sending an EAP-MD5 challenge, but then getting nothing further.
>>
>> I think you will need to check the debug on the Cisco switch to see what is happening there.
>>
>> Here is a copy of the relevant Radiator configuration file I have been using:
>>
>> ….
>>
>> <Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
>> <AuthBy LDAP2>
>> RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
>> NoDefault
>> Host localhost
>> Port 3268
>> AuthDN radiator
>> AuthPassword Passw0rd
>> BaseDN CN=Users, DC=comms, DC=local
>> UsernameAttr sAMaccountName
>> PasswordAttr Description
>> SearchFilter (%0=%1)
>> Debug 255
>> EAPType MD5
>> EAPTLS_CAFile C:\Radiator\Radiator-Locked-4.5.1\certificates\demoCA\cacert.pem
>> EAPTLS_CertificateFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>> EAPTLS_PrivateKeyPassword whatever
>> EAPTLS_MaxFragmentSize 1000
>> AutoMPPEKeys
>> EAPAnonymous %0
>> EAPTLS_PEAPVersion 0
>> AddToReply cisco-avpair="device-traffic-class=voice"
>> </AuthBy>
>> </Handler>
>>
>> …..
>>
>> I can get you Cisco configuration details, etc. tomorrow.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 17 Jun 2010, at 17:36, Gregory Fuller wrote:
>>
>>> We're getting ready for a Cisco VOIP rollout here and I'd like to
>>> enable 802.1x authentication on all of our phones (7942G and 7975G's).
>>>
>>> From the Cisco docs it looks like they support EAP-MD5:
>>>
>>> http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html
>>>
>>> But I've seen some conflicting reports that MD5 support has been
>>> removed from newer firmware versions.
>>>
>>> Here's my radius config:
>>>
>>> <Client xxx.xxx.xxx.xxx>
>>> # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>>> #
>>> Identifier LANIGAN-SWITCHES
>>> Secret xxxxxxx
>>> DupInterval 0
>>> IgnoreAcctSignature
>>> </Client>
>>> <Handler Client-Identifier=LANIGAN-SWITCHES>
>>> <AuthBy FILE>
>>> Filename %D/voip-phones
>>> EAPType MD5
>>> </AuthBy>
>>> AuthLog VOIP-AuthLogger
>>> AcctLogFileName /var/log/radius/VOIP-detail
>>> </Handler>
>>>
>>> Contents of my "voip-phone" authfile:
>>>
>>> CP-7942G-SEP2893FE127C54 User-Password = test1234
>>> Cisco-avpair = "device-traffic-class=voice"
>>>
>>>
>>> And my switch config (I'm using a Cisco 3750v2-48PS running
>>> 12.2(53)SE) as the authenticator:
>>>
>>> aaa new-model
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> aaa session-id common
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
>>> dot1x system-auth-control
>>> !
>>> interface FastEthernet2/0/3
>>> description 26-9 Y
>>> switchport access vlan 28
>>> switchport mode access
>>> switchport voice vlan 2089
>>> shutdown
>>> authentication host-mode multi-domain
>>> authentication port-control auto
>>> authentication periodic
>>> authentication timer reauthenticate 30
>>> dot1x pae authenticator
>>> spanning-tree portfast
>>>
>>>
>>>
>>> All I get from the radiator log with trace level 5 enabled is:
>>>
>>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>>> *** Received from 129.3.244.100 port 1645 ....
>>>
>>> Packet length = 184
>>> 01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
>>> 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
>>> 45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
>>> 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
>>> 36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
>>> 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
>>> 4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
>>> 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
>>> 12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
>>> e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
>>> 13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
>>> 2f 33 04 06 81 03 f4 64
>>> Code: Access-Request
>>> Identifier: 68
>>> Authentic: <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
>>> Attributes:
>>> User-Name = "CP-7942G-SEP2893FE127C54"
>>> Service-Type = Framed-User
>>> Framed-MTU = 1500
>>> Called-Station-Id = "64-16-8D-F5-09-05"
>>> Calling-Station-Id = "28-93-FE-12-7C-54"
>>> EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
>>> Message-Authenticator = cv <181><231>V<196><202>S<228><224><223><242>g<208><231>
>>> EAP-Key-Name =
>>> NAS-Port-Type = Ethernet
>>> NAS-Port = 50203
>>> NAS-Port-Id = "FastEthernet2/0/3"
>>> NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
>>>
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler 'Client-Identifier=LANIGAN-SWITCHES'
>>> Thu Jun 17 15:02:14 2010: DEBUG: Deleting session for CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
>>> Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
>>> Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>>> *** Sending to 129.3.244.100 port 1645 ....
>>>
>>> Packet length = 82
>>> 0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
>>> 29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
>>> 09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
>>> 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
>>> 50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
>>> 0f 65
>>> Code: Access-Challenge
>>> Identifier: 68
>>> Authentic: <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
>>> Attributes:
>>> EAP-Message = <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
>>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>>
>>>
>>> I'm running Radiator v4.5.1 under CentOS 5.4.
>>>
>>> Anyone have any experience with configuring Cisco IP phones to
>>> authenticate via EAP-MD5 (or another means!) against Radiator? I've
>>> also opened a TAC case with Cisco to see if there's a bug in the
>>> firmware -- but I'm not finding anything googling around or looking on
>>> the Cisco site.
>>>
>>> Any help or suggestions are appreciated!
>>>
>>> --greg
>>>
>>>
>>> Gregory A. Fuller - CCNA
>>> Network Manager
>>> State University of New York at Oswego
>>> Phone: (315) 312-5750
>>> http://www.oswego.edu/~gfuller
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>>