[RADIATOR] Cisco IP Phones 802.1x Authentication?

Hugh Irvine hugh at open.com.au
Thu Jun 24 04:52:43 CDT 2010


Hello Greg -

All attributes that you use, including "cisco-avpair" must match the way they are spelled and defined in the Radiator dictionary.

I.e. from the Radiator dictionary file:


VENDORATTR      9       cisco-avpair                    1       string


If in doubt, check the dictionary - it is a simple text file that you can look at with any text editor.

regards

Hugh


On 23 Jun 2010, at 19:50, Gregory Fuller wrote:

> Hugh,
> 
> I was able to get this working the other day.  Here's my radius config:
> 
> <Client 129.3.244.100>
>        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>        #
>        Identifier              LANIGAN-SWITCHES
>        Secret                  xxxxxx
>        DupInterval             0
>        IgnoreAcctSignature
> </Client>
> <Handler Client-Identifier=LANIGAN-SWITCHES, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
>        <AuthBy FILE>
>                Filename %D/voip-phones
>                EAPType MD5
>        </AuthBy>
>        AuthLog VOIP-AuthLogger
>        AcctLogFileName /var/log/radius/VOIP-detail
> </Handler>
> 
> Then within the voip-phones userfile I added the following:
> 
> CP-7942G-SEP2893FE127C54        User-Password = oswego
>                                cisco-avpair="device-traffic-class=voice",
>                                Tunnel-Type=1:VLAN,
>                                Tunnel-Medium-Type=1:Ether_802,
>                                Tunnel-Private-Group-ID=1:VOICE-LAN
> 
> 
> It appeared that the "cisco-avpair" was case sensitive on my Cisco
> 3750V2-48PS switches for some reason.  I didn't try it with any other
> switches yet, but changing that attribute to all lowercase appeared to
> actually assign the voice vlan name properly as part of the voice
> domain.  I also have multi-domain 802.1x authentication enabled on the
> switch to allow multiple 802.1x authentications on the same port.
> When doing that you need to specifically tell the switch that the
> phone needs to be in the voice-vlan and not the data vlan, that's what
> the cisco-avpair is assigning.
> 
> Here's my interface configuration from the switch:
> 
> interface FastEthernet2/0/3
> description 26-9 Y
> switchport mode access
> switchport voice vlan 2089
> srr-queue bandwidth share 10 10 60 20
> priority-queue out
> authentication host-mode multi-domain
> authentication port-control auto
> authentication periodic
> authentication timer reauthenticate 1800
> mls qos trust device cisco-phone
> mls qos trust cos
> auto qos voip cisco-phone
> dot1x pae authenticator
> spanning-tree portfast
> service-policy input AutoQoS-Police-CiscoPhone
> end
> 
> 
> If I take out the static voice-vlan assignment from the interface the
> RADIUS reply puts the phone into the correct VLAN.  I did read
> somewhere that "dynamic" vlan assignment for the voice-vlan wasn't
> supported by Cisco, but it does appear to work on the 3750V2's running
> IOS 12.2(53)SE.
> 
> Thanks for your assistance.
> 
> --greg
> 
> 
> 
> On Thu, Jun 17, 2010 at 5:57 PM, Hugh Irvine <hugh at open.com.au> wrote:
>> 
>> Hello Greg -
>> 
>> As it happens I am doing exactly this at the moment.
>> 
>> The Cisco phones I have been working with do indeed use MD5 authentication.
>> 
>> The debug below shows Radiator sending an EAP-MD5 challenge, but then getting nothing further.
>> 
>> I think you will need to check the debug on the Cisco switch to see what is happening there.
>> 
>> Here is a copy of the relevant Radiator configuration file I have been using:
>> 
>> ….
>> 
>> <Handler EAP-Message = /.+/, User-Name = /(.+)SEP([0-9a-fA-F]{12})$/>
>>        <AuthBy LDAP2>
>>                RewriteUsername s/(.+)SEP([0-9a-fA-F]{12})$/$2/
>>                NoDefault
>>                Host localhost
>>                Port 3268
>>                AuthDN          radiator
>>                AuthPassword    Passw0rd
>>                BaseDN CN=Users, DC=comms, DC=local
>>                UsernameAttr sAMaccountName
>>                PasswordAttr Description
>>                SearchFilter (%0=%1)
>>                Debug 255
>>                EAPType MD5
>>                EAPTLS_CAFile C:\Radiator\Radiator-Locked-4.5.1\certificates\demoCA\cacert.pem
>>                EAPTLS_CertificateFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>>                EAPTLS_CertificateType PEM
>>                EAPTLS_PrivateKeyFile C:\Radiator\Radiator-Locked-4.5.1\certificates\cert-srv.pem
>>                EAPTLS_PrivateKeyPassword whatever
>>                EAPTLS_MaxFragmentSize 1000
>>                AutoMPPEKeys
>>                EAPAnonymous %0
>>                EAPTLS_PEAPVersion 0
>>                AddToReply cisco-avpair="device-traffic-class=voice"
>>        </AuthBy>
>> </Handler>
>> 
>> …..
>> 
>> I can get you Cisco configuration details, etc. tomorrow.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> 
>> On 17 Jun 2010, at 17:36, Gregory Fuller wrote:
>> 
>>> We're getting ready for a Cisco VOIP rollout here and I'd like to
>>> enable 802.1x authentication on all of our phones (7942G and 7975G's).
>>> 
>>> From the Cisco docs it looks like they support EAP-MD5:
>>> 
>>> http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps8535/product_data_sheet0900aecd8069bb68.html
>>> 
>>> But I've seen some conflicting reports that MD5 support has been
>>> removed from newer firmware versions.
>>> 
>>> Here's my radius config:
>>> 
>>> <Client xxx.xxx.xxx.xxx>
>>>        # Configure 802.1x switch authentication for LANIGAN-SWITCHES
>>>        #
>>>        Identifier              LANIGAN-SWITCHES
>>>        Secret                  xxxxxxx
>>>        DupInterval             0
>>>        IgnoreAcctSignature
>>> </Client>
>>> <Handler Client-Identifier=LANIGAN-SWITCHES>
>>>        <AuthBy FILE>
>>>                Filename %D/voip-phones
>>>                EAPType MD5
>>>        </AuthBy>
>>>        AuthLog VOIP-AuthLogger
>>>        AcctLogFileName /var/log/radius/VOIP-detail
>>> </Handler>
>>> 
>>> Contents of my "voip-phone" authfile:
>>> 
>>> CP-7942G-SEP2893FE127C54        User-Password = test1234
>>>                                Cisco-avpair = "device-traffic-class=voice"
>>> 
>>> 
>>> And my switch config (I'm using a Cisco 3750v2-48PS running
>>> 12.2(53)SE) as the authenticator:
>>> 
>>> aaa new-model
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> aaa session-id common
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> radius-server host 129.3.22.134 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
>>> dot1x system-auth-control
>>> !
>>> interface FastEthernet2/0/3
>>> description 26-9 Y
>>> switchport access vlan 28
>>> switchport mode access
>>> switchport voice vlan 2089
>>> shutdown
>>> authentication host-mode multi-domain
>>> authentication port-control auto
>>> authentication periodic
>>> authentication timer reauthenticate 30
>>> dot1x pae authenticator
>>> spanning-tree portfast
>>> 
>>> 
>>> 
>>> All I get from the radiator log with trace level 5 enabled is:
>>> 
>>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>>> *** Received from 129.3.244.100 port 1645 ....
>>> 
>>> Packet length = 184
>>> 01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b
>>> 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
>>> 45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06
>>> 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
>>> 36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32
>>> 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
>>> 4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d
>>> 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
>>> 12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0
>>> e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
>>> 13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30
>>> 2f 33 04 06 81 03 f4 64
>>> Code:       Access-Request
>>> Identifier: 68
>>> Authentic:  <155><147><30><167><177>PUS<181>#<173>{<127>_<248>:
>>> Attributes:
>>>        User-Name = "CP-7942G-SEP2893FE127C54"
>>>        Service-Type = Framed-User
>>>        Framed-MTU = 1500
>>>        Called-Station-Id = "64-16-8D-F5-09-05"
>>>        Calling-Station-Id = "28-93-FE-12-7C-54"
>>>        EAP-Message = <2><1><0><29><1>CP-7942G-SEP2893FE127C54
>>>        Message-Authenticator = cv
>>> <181><231>V<196><202>S<228><224><223><242>g<208><231>
>>>        EAP-Key-Name =
>>>        NAS-Port-Type = Ethernet
>>>        NAS-Port = 50203
>>>        NAS-Port-Id = "FastEthernet2/0/3"
>>>        NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
>>> 
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling request with Handler
>>> 'Client-Identifier=LANIGAN-SWITCHES'
>>> Thu Jun 17 15:02:14 2010: DEBUG:  Deleting session for
>>> CP-7942G-SEP2893FE127C54, 129.3.244.100, 50203
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with Radius::AuthFILE:
>>> Thu Jun 17 15:02:14 2010: DEBUG: Handling with EAP: code 2, 1, 29, 1
>>> Thu Jun 17 15:02:14 2010: DEBUG: Response type 1
>>> Thu Jun 17 15:02:14 2010: DEBUG: EAP result: 3, EAP MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>>> MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: Access challenged for
>>> CP-7942G-SEP2893FE127C54: EAP MD5-Challenge
>>> Thu Jun 17 15:02:14 2010: DEBUG: Packet dump:
>>> *** Sending to 129.3.244.100 port 1645 ....
>>> 
>>> Packet length = 82
>>> 0b 44 00 52 19 6d cc 6f 3a fa a6 fc 18 50 a8 1f
>>> 29 71 f9 13 4f 2c 01 02 00 2a 04 10 5d 68 89 02
>>> 09 5f 48 5d aa f2 d7 7d 62 a0 e2 95 72 61 64 69
>>> 75 73 2d 30 31 2e 6f 73 77 65 67 6f 2e 65 64 75
>>> 50 12 5f cb 5d 3e 32 22 33 d4 68 42 2e 71 d0 2d
>>> 0f 65
>>> Code:       Access-Challenge
>>> Identifier: 68
>>> Authentic:  <25>m<204>o:<250><166><252><24>P<168><31>)q<249><19>
>>> Attributes:
>>>        EAP-Message =
>>> <1><2><0>*<4><16>]h<137><2><9>_H]<170><242><215>}b<160><226><149>radius-01.oswego.edu
>>>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> 
>>> 
>>> 
>>> I'm running Radiator v4.5.1 under CentOS 5.4.
>>> 
>>> Anyone have any experience with configuring Cisco IP phones to
>>> authenticate via EAP-MD5 (or another means!) against Radiator?  I've
>>> also opened a TAC case with Cisco to see if there's a bug in the
>>> firmware -- but I'm not finding anything googling around or looking on
>>> the Cisco site.
>>> 
>>> Any help or suggestions are appreciated!
>>> 
>>> --greg
>>> 
>>> 
>>> Gregory A. Fuller - CCNA
>>> Network Manager
>>> State University of New York at Oswego
>>> Phone: (315) 312-5750
>>> http://www.oswego.edu/~gfuller
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> 
>> NB:
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> 
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> 
>> 
>> 
>> 

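The trace 5 packet dump quoted above can be read byte by byte, which is the quickest way to confirm what the switch actually sent before touching the Handler or the users file. The following decoder is an added example written for this archive page; it is not code from the thread or from Radiator. It parses the 184-byte Access-Request exactly as logged (the hex is copied from the quoted log and is the only input), decodes the EAP-Message so the logged "code 2, 1, 29, 1" line can be checked against the bytes, applies the `(.+)SEP([0-9a-fA-F]{12})$` pattern from the Handler and RewriteUsername lines to recover the MAC the phone claims in its identity, and compares it with the Calling-Station-Id the switch reported. It also implements the RFC 3579 Message-Authenticator check that a RADIUS server performs on every EAP request; the attribute-name table, the function names and the secret used to re-sign the packet are assumptions of this example (the thread's shared secret is redacted, so the quoted packet cannot be verified as-is).

```python
import hashlib
import hmac
import re
import struct

# Constructed input: the 184-byte Access-Request hex dump quoted from the trace 5 log in this thread.
ACCESS_REQUEST_HEX = """
01 44 00 b8 9b 93 1e a7 b1 50 55 53 b5 23 ad 7b 7f 5f f8 3a 01 1a 43 50 2d 37 39 34 32 47 2d 53
45 50 32 38 39 33 46 45 31 32 37 43 35 34 06 06 00 00 00 02 0c 06 00 00 05 dc 1e 13 36 34 2d 31
36 2d 38 44 2d 46 35 2d 30 39 2d 30 35 1f 13 32 38 2d 39 33 2d 46 45 2d 31 32 2d 37 43 2d 35 34
4f 1f 02 01 00 1d 01 43 50 2d 37 39 34 32 47 2d 53 45 50 32 38 39 33 46 45 31 32 37 43 35 34 50
12 63 76 20 b5 e7 56 c4 ca 53 e4 e0 df f2 67 d0 e7 66 02 3d 06 00 00 00 0f 05 06 00 00 c4 1b 57
13 46 61 73 74 45 74 68 65 72 6e 65 74 32 2f 30 2f 33 04 06 81 03 f4 64
"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# Standard attribute types present in the dump (RFC 2865, 2869, 3579, 4072); names assumed here.
ATTR_TYPES = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6,
              "Framed-MTU": 12, "Called-Station-Id": 30, "Calling-Station-Id": 31,
              "NAS-Port-Type": 61, "EAP-Message": 79, "Message-Authenticator": 80,
              "NAS-Port-Id": 87, "EAP-Key-Name": 102}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
SEP_RE = re.compile(r"(.+)SEP([0-9a-fA-F]{12})$")  # Handler match / RewriteUsername from the thread

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and an ordered list of (type, value, offset)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != actual {len(packet)}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"bad attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen], pos))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}

def attr(parsed: dict, name: str) -> bytes:
    """Concatenate every instance of an attribute (a long EAP-Message is split over several)."""
    return b"".join(v for t, v, _ in parsed["attrs"] if t == ATTR_TYPES[name])

def decode_eap(eap: bytes) -> dict:
    """Decode an EAP packet header; Radiator logs these four fields as 'code 2, 1, 29, 1'."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError(f"EAP length field {length} != actual {len(eap)}")
    out = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte (1 = Identity) and type data
        out["type"], out["data"] = eap[4], eap[5:]
    return out

def sign(packet: bytes, secret: bytes) -> bytes:
    """Copy of the packet with Message-Authenticator recomputed: HMAC-MD5 keyed with the shared
    secret over the whole packet with that 16-byte value zeroed (RFC 3579 section 3.2)."""
    offsets = [p + 2 for t, _, p in parse_radius(packet)["attrs"] if t == ATTR_TYPES["Message-Authenticator"]]
    if not offsets:
        raise ValueError("no Message-Authenticator attribute present")
    off = offsets[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return packet[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + packet[off + 16:]

def verify(packet: bytes, secret: bytes) -> bool:
    """True only if Message-Authenticator is present and correct; an EAP request lacking it is discarded."""
    try:
        return hmac.compare_digest(sign(packet, secret), packet)
    except ValueError:
        return False

def analyze(hexdump: str) -> dict:
    """Decode the dump and cross-check the phone's EAP identity against the switch-reported MAC."""
    packet = bytes.fromhex("".join(hexdump.split()))
    parsed = parse_radius(packet)
    user = attr(parsed, "User-Name").decode()
    calling = attr(parsed, "Calling-Station-Id").decode()
    eap = decode_eap(attr(parsed, "EAP-Message"))
    m = SEP_RE.match(user)
    sep_mac = m.group(2).upper() if m else None  # what RewriteUsername's $2 would keep
    return {"code": parsed["code"], "id": parsed["id"], "length": parsed["length"],
            "user_name": user, "calling_station_id": calling,
            "nas_ip": ".".join(str(b) for b in attr(parsed, "NAS-IP-Address")),
            "nas_port": struct.unpack("!I", attr(parsed, "NAS-Port"))[0],
            "eap": eap, "eap_identity": eap.get("data", b"").decode(), "sep_mac": sep_mac,
            "identity_matches_calling_station": sep_mac == calling.replace("-", "").upper()}

if __name__ == "__main__":
    for key, value in analyze(ACCESS_REQUEST_HEX).items():
        print(f"{key}: {value}")
    # The shared secret in the thread is redacted; re-sign with a constructed one to exercise verify().
    pkt = bytes.fromhex("".join(ACCESS_REQUEST_HEX.split()))
    print("verify after re-signing:", verify(sign(pkt, b"constructed-secret"), b"constructed-secret"))
```

Two things worth noting when reading the output. The EAP-Message decodes to a Response (code 2), id 1, length 29, type 1 (Identity) carrying "CP-7942G-SEP2893FE127C54", and the SEP suffix agrees with the Calling-Station-Id, so the request itself is well formed and the silence after the MD5-Challenge is on the supplicant or switch side, as Hugh says. Also, the attribute listing in the quoted log masks NAS-IP-Address but the raw hex above it does not, so masking only the decoded attributes does not keep a value out of a posted trace.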