[RADIATOR] Cisco 3750 (and others) 802.1x Wired Port Authentication
David Heinz
heinzdb at corp.earthlink.net
Wed Mar 3 20:10:00 CST 2010
Hugh,
Sorry, haven't posted here in around 10 years :)
Configuration
--------------------------
Foreground
LogStdout
Trace 3
PidFile /tmp/radiusd.pid
AuthPort 1645
AcctPort 1646
LogDir /var/log/radius
DbDir /etc/radiator
SnmpgetProg /usr/local/bin/snmpget
<Client xxxxxxxxx>
IgnoreAcctSignature
Secret mysecret
DupInterval 0
</Client>
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1
</AuthBy>
</Handler>
<Handler ConvertedFromEAPMSCHAPV2=1>
<AuthBy GROUP>
AuthByPolicy ContinueWhileAccept
<AuthBy SQL>
# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbinformation
DBUsername dbuser
DBAuth dbpassword
AuthSelect select password from CorpUser where username=%0 AND expires > CURDATE()
AuthColumnDef 0,User-Password,check
AccountingTable Accounting
AcctColumnDef username,User-Name
AcctColumnDef timestamp,Timestamp,integer
AcctColumnDef acctstatustype,Acct-Status-Type
AcctColumnDef acctdelaytime,Acct-Delay-Time,integer
AcctColumnDef acctinputoctets,Acct-Input-Octets,integer
AcctColumnDef acctoutputoctets,Acct-Output-Octets,integer
AcctColumnDef acctsessionid,Acct-Session-Id
AcctColumnDef acctsessiontime,Acct-Session-Time,integer
AcctColumnDef acctterminatecause,Acct-Terminate-Cause
AcctColumnDef nasidentifier,NAS-Identifier
AcctColumnDef nasport,NAS-Port,integer
AcctColumnDef framedip,Framed-IP-Address
SQLRecoveryFile %D/missedaccounting
</AuthBy>
<AuthBy LDAP2>
Host localhost
Port someport
AuthDN somedn
AuthPassword ldappassword
BaseDN somebasedn
SearchFilter somefilter
UsernameAttr uid
NoCheckPassword
NoDefault
NoDefaultIfFound
Timeout 20
</AuthBy>
</AuthBy>
</Handler>
<Handler>
RewriteUsername s/^([^@]+).*/$1/
AcctLogFileName %L/detail
WtmpFileName %L/wtmp
RejectHasReason
<AuthBy FILE>
Filename %D/users
EAPType PEAP
EAPTLS_CAFile /etc/radiator/corp-ca-chain
EAPTLS_CertificateFile /etc/radiator/mycert.cert
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/mycert.key
EAPAnonymous anonymous
AutoMPPEKeys
EAPTLS_PEAPBrokenV1Label
EAPTLS_PEAPVersion 1
</AuthBy>
</Handler>
Trace 4 details:
----------------------------
*** Received from 10.30.36.251 port 1645 ....
Code: Access-Request
Identifier: 16
Authentic: <177>Y<24><139><6><211>.9<134><151><214>.@<161><15><183>
Attributes:
User-Name = "acaldwell"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-0F-23-9A-2A-83"
Calling-Station-Id = "00-15-C5-15-FB-2A"
EAP-Message = <2><2><0><14><1>acaldwell
Message-Authenticator = <18>a<231>c<194>m<239><200><196><138><244>& <253><218><188>
NAS-Port = 50103
NAS-Port-Type = Ethernet
NAS-IP-Address = 10.30.36.251
Wed Mar 3 22:26:33 2010: DEBUG: Handling request with Handler ''
Wed Mar 3 22:26:33 2010: DEBUG: Rewrote user name to acaldwell
Wed Mar 3 22:26:33 2010: DEBUG: Deleting session for acaldwell, 10.30.36.251, 50103
Wed Mar 3 22:26:33 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Mar 3 22:26:33 2010: DEBUG: Handling with EAP: code 2, 2, 14, 1
Wed Mar 3 22:26:33 2010: DEBUG: Response type 1
Wed Mar 3 22:26:33 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Mar 3 22:26:33 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Mar 3 22:26:33 2010: DEBUG: Access challenged for acaldwell: EAP PEAP Challenge
Wed Mar 3 22:26:33 2010: DEBUG: Packet dump:
*** Sending to 10.30.36.251 port 1645 ....
Code: Access-Challenge
Identifier: 16
Authentic: m<253>#<226><131><19>eS(<254><13><217><222><185><9>'
Attributes:
EAP-Message = <1><3><0><6><25>!
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
and that's it... nothing else is ever seen! This same config works just fine with the Windows wireless PEAP users.
-dave
On Mar 3, 2010, at 8:45 PM, Hugh Irvine wrote:
>
> Hello David -
>
> It sounds like your supplicant is not happy.
>
> When asking questions, please include a copy of the Radiator configuration file and a trace 4 debug showing what is happening.
>
> There are also some useful pointers in the FAQ (which is also included in the Radiator distribution in the "doc" directory):
>
> http://www.open.com.au/radiator/faq.html
>
> regards
>
> Hugh
>
>
> On 4 Mar 2010, at 12:04, David Heinz wrote:
>
>> I'm attempting to get a 3750 to authenticate and assign a VLAN ID to the port.
>>
>> Since I have to use the native Windows client (and all of them have PEAP) I'm using PEAP as my EAP type.
>>
>> When the radius server sends back the access-challenge...there is no response from the authenticator.
>>
>> Anyone have any thoughts? I've verified time and again the Cisco configuration for this to work.
>>
>> -Dave
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
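The trace 4 dump above prints each RADIUS attribute with non-printable bytes as `<decimal>` and printable bytes literally, which makes the EAP-Message values hard to read by eye. The following decoder is an added example, not part of the original post and not Radiator code: it turns that notation back into raw bytes, parses the EAP header (code, identifier, length, type, per RFC 3748) and, for type 25 (PEAP), the flags byte (L=0x80, M=0x40, S=0x20, version in the low three bits). The two sample values are copied from the trace above; the `decode_trace_bytes`, `parse_eap` and `decode_trace_eap` names are this example's own.

```python
import re

# Radiator trace 4 prints non-printable bytes as <N> (decimal) and
# printable bytes literally, e.g. "<2><2><0><14><1>acaldwell".
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAP-V2"}


def decode_trace_bytes(text: str) -> bytes:
    """Convert a Radiator trace attribute value back into raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def parse_eap(raw: bytes) -> dict:
    """Parse an EAP packet header and, for Identity/PEAP, its payload."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A length mismatch means the dump was truncated or mis-decoded.
        raise ValueError(f"EAP length field {length} != actual size {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = raw[5:]
        if eap_type == 1:
            # Identity: the rest of the packet is the (outer) user name.
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 25 and data:
            # PEAP flags byte: L (length included), M (more fragments),
            # S (start), then two reserved bits and a 3-bit version.
            flags = data[0]
            pkt["peap"] = {
                "length_included": bool(flags & 0x80),
                "more_fragments": bool(flags & 0x40),
                "start": bool(flags & 0x20),
                "version": flags & 0x07,
            }
    return pkt


def decode_trace_eap(text: str) -> dict:
    """Decode an EAP-Message value exactly as it appears in a trace 4 dump."""
    return parse_eap(decode_trace_bytes(text))


if __name__ == "__main__":
    # Both values are taken from the trace 4 output in the post above.
    for line in ("<2><2><0><14><1>acaldwell", "<1><3><0><6><25>!"):
        print(line, "->", decode_trace_eap(line))
```

Run against the two EAP-Message values in the trace, the first decodes to an EAP Response (id 2, length 14) of type Identity carrying "acaldwell", matching the "Handling with EAP: code 2, 2, 14, 1" debug line, and the second to an EAP Request (id 3) of type PEAP with the Start bit set and version 1, which is the PEAP start that the EAPTLS_PEAPVersion 1 setting produces. Decoding the challenge this way shows exactly what the supplicant was offered and never answered.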