[RADIATOR] Cisco 3750 (and others) 802.1x Wired Port Authentication

David Heinz heinzdb at corp.earthlink.net
Wed Mar 3 20:10:00 CST 2010


Hugh, 

Sorry, I haven't posted here in around 10 years :)

Configuration
--------------------------
Foreground
LogStdout

Trace   3

PidFile /tmp/radiusd.pid

AuthPort        1645
AcctPort        1646

LogDir          /var/log/radius

DbDir           /etc/radiator

SnmpgetProg     /usr/local/bin/snmpget

<Client xxxxxxxxx>
        IgnoreAcctSignature
        Secret mysecret
        DupInterval 0
</Client>

<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                EAPType MSCHAP-V2
                EAP_PEAP_MSCHAP_Convert 1
        </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1>
        <AuthBy GROUP>
                AuthByPolicy ContinueWhileAccept
                <AuthBy SQL>
                        # Adjust DBSource, DBUsername, DBAuth to suit your DB
                        DBSource        dbinformation
                        DBUsername      dbuser
                        DBAuth          dbpassword

                        AuthSelect select password from CorpUser where username=%0 AND expires > CURDATE()
                        AuthColumnDef   0,User-Password,check
                        
                        AccountingTable Accounting
                        AcctColumnDef   username,User-Name
                        AcctColumnDef   timestamp,Timestamp,integer
                        AcctColumnDef   acctstatustype,Acct-Status-Type
                        AcctColumnDef   acctdelaytime,Acct-Delay-Time,integer
                        AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
                        AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
                        AcctColumnDef   acctsessionid,Acct-Session-Id
                        AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
                        AcctColumnDef   acctterminatecause,Acct-Terminate-Cause
                        AcctColumnDef   nasidentifier,NAS-Identifier
                        AcctColumnDef   nasport,NAS-Port,integer
                        AcctColumnDef   framedip,Framed-IP-Address

                        SQLRecoveryFile %D/missedaccounting
                </AuthBy>
                <AuthBy LDAP2>
                        Host localhost
                        Port someport
                        AuthDN somedn
                        AuthPassword ldappassword

                        BaseDN somebasedn
                        SearchFilter somefilter
                        UsernameAttr uid
                        NoCheckPassword
                        NoDefault
                        NoDefaultIfFound
                        Timeout 20
                </AuthBy>
        </AuthBy>
</Handler>

<Handler>
        RewriteUsername s/^([^@]+).*/$1/

        AcctLogFileName %L/detail
        WtmpFileName %L/wtmp

        RejectHasReason

        <AuthBy FILE>
                Filename %D/users

                EAPType PEAP
                EAPTLS_CAFile /etc/radiator/corp-ca-chain
                EAPTLS_CertificateFile /etc/radiator/mycert.cert
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/mycert.key
                EAPAnonymous anonymous
                AutoMPPEKeys
                EAPTLS_PEAPBrokenV1Label
                EAPTLS_PEAPVersion 1
        </AuthBy>
</Handler>

Trace 4 details:
----------------------------
*** Received from 10.30.36.251 port 1645 ....
Code:       Access-Request
Identifier: 16
Authentic:  <177>Y<24><139><6><211>.9<134><151><214>.@<161><15><183>
Attributes:
        User-Name = "acaldwell"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-0F-23-9A-2A-83"
        Calling-Station-Id = "00-15-C5-15-FB-2A"
        EAP-Message = <2><2><0><14><1>acaldwell
        Message-Authenticator = <18>a<231>c<194>m<239><200><196><138><244>& <253><218><188>
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        NAS-IP-Address = 10.30.36.251

Wed Mar  3 22:26:33 2010: DEBUG: Handling request with Handler ''
Wed Mar  3 22:26:33 2010: DEBUG: Rewrote user name to acaldwell
Wed Mar  3 22:26:33 2010: DEBUG:  Deleting session for acaldwell, 10.30.36.251, 50103
Wed Mar  3 22:26:33 2010: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar  3 22:26:33 2010: DEBUG: Handling with EAP: code 2, 2, 14, 1
Wed Mar  3 22:26:33 2010: DEBUG: Response type 1
Wed Mar  3 22:26:33 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar  3 22:26:33 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Mar  3 22:26:33 2010: DEBUG: Access challenged for acaldwell: EAP PEAP Challenge
Wed Mar  3 22:26:33 2010: DEBUG: Packet dump:
*** Sending to 10.30.36.251 port 1645 ....
Code:       Access-Challenge
Identifier: 16
Authentic:  m<253>#<226><131><19>eS(<254><13><217><222><185><9>'
Attributes:
        EAP-Message = <1><3><0><6><25>!
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


and that's it... nothing else is ever seen! This same config works just fine with the Windows wireless PEAP users.

-dave
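The two EAP-Message values in the trace above can be read by hand. The following is an added example (my code, not David's, Hugh's or Radiator's): it turns Radiator's packet-dump notation back into bytes, parses the RFC 3748 EAP header, and decodes the flags byte of a PEAP/TTLS/EAP-TLS packet. It assumes the dump format is exactly what appears in the trace, non-printable bytes as a decimal number in angle brackets and printable bytes written literally; the two sample inputs are constructed from the trace.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not code from the original post or from Radiator.
# Decodes the EAP-Message attribute as Radiator prints it in a trace 4
# packet dump: non-printable bytes appear as <n> (decimal), printable
# bytes appear literally (assumption based on the trace in this thread).

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED_TYPES = {13, 21, 25}


def radiator_bytes(dump: str) -> bytes:
    """Convert Radiator's <n>/literal dump notation into raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(dump):
        m = re.match(r"<(\d{1,3})>", dump[pos:])
        if m:
            out.append(int(m.group(1)))
            pos += m.end()
        else:
            out.append(ord(dump[pos]))
            pos += 1
    return bytes(out)


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure
    type_data: bytes


def parse_eap(raw: bytes) -> EapMessage:
    """Parse one EAP packet: code, identifier, 16-bit length, type, type-data."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A truncated or padded attribute is the first thing to rule out
        raise ValueError(f"declared length {length} != actual {len(raw)}")
    if code in (3, 4):  # Success and Failure carry no type field
        return EapMessage(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    return EapMessage(code, ident, length, raw[4], raw[5:])


def tls_flags(flag_byte: int) -> Dict[str, object]:
    """Decode the flags byte of EAP-TLS/TTLS/PEAP: L, M, S bits and version."""
    return {
        "L": bool(flag_byte & 0x80),   # length-included
        "M": bool(flag_byte & 0x40),   # more fragments follow
        "S": bool(flag_byte & 0x20),   # start of a TLS conversation
        "version": flag_byte & 0x07,   # PEAP/TTLS version bits
    }


def describe(msg: EapMessage) -> str:
    """One-line summary, in the spirit of Radiator's 'Handling with EAP' line."""
    head = f"{EAP_CODES.get(msg.code, msg.code)} id={msg.identifier} len={msg.length}"
    if msg.eap_type is None:
        return head
    name = EAP_TYPES.get(msg.eap_type, f"type {msg.eap_type}")
    if msg.eap_type == 1:
        return f"{head} Identity={msg.type_data.decode('utf-8', 'replace')!r}"
    if msg.eap_type in TLS_BASED_TYPES and msg.type_data:
        f = tls_flags(msg.type_data[0])
        bits = "".join(b for b in "LMS" if f[b]) or "-"
        return f"{head} {name} flags={bits} version={f['version']}"
    return f"{head} {name} ({len(msg.type_data)} bytes of type data)"


if __name__ == "__main__":
    # Constructed from the two EAP-Message values in the trace above
    for dump in ("<2><2><0><14><1>acaldwell", "<1><3><0><6><25>!"):
        print(describe(parse_eap(radiator_bytes(dump))))
```

Run against the trace, the first packet decodes as a Response, identifier 2, length 14, type Identity carrying "acaldwell" (the same numbers as the "Handling with EAP: code 2, 2, 14, 1" line), and the Access-Challenge carries a Request, identifier 3, type 25 (PEAP) with only the Start bit set and version 1, which is what EAPTLS_PEAPVersion 1 in the configuration selects. Since the trace stops there, the thing to look for on the switch side is whether a Response with identifier 3 ever leaves the supplicant and is forwarded by the authenticator.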



On Mar 3, 2010, at 8:45 PM, Hugh Irvine wrote:

> 
> Hello David -
> 
> It sounds like your supplicant is not happy.
> 
> When asking questions, please include a copy of the Radiator configuration file and a trace 4 debug showing what is happening.
> 
> There are also some useful pointers in the FAQ (which is also included in the Radiator distribution in the "doc" directory):
> 
> 	http://www.open.com.au/radiator/faq.html
> 
> regards
> 
> Hugh
> 
> 
> On 4 Mar 2010, at 12:04, David Heinz wrote:
> 
>> I'm attempting to get a 3750 to authenticate and assign a VLAN ID to the port. 
>> 
>> Since I have to use the native Windows client (and all of them have PEAP) I'm using PEAP as my EAP type. 
>> 
>> When the radius server sends back the access-challenge...there is no response from the authenticator. 
>> 
>> Anyone have any thoughts? I've verified time and again the Cisco configuration for this to work.
>> 
>> -Dave
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> 
> 