[RADIATOR] Cisco 3750 (and others) 802.1x Wired Port Authentication

David Heinz heinzdb at corp.earthlink.net
Fri Mar 5 09:00:22 CST 2010


Figured out the problem, I needed to add:

EAPTLS_MaxFragmentSize 1000

to my configuration. Apparently the clients I am using didn't like the default size.

-dave

On Mar 3, 2010, at 9:10 PM, David Heinz wrote:

> Hugh, 
> 
> Sorry haven't posted here in around 10 years :)
> 
> Configuration
> --------------------------
> Foreground
> LogStdout
> 
> Trace   3
> 
> PidFile /tmp/radiusd.pid
> 
> AuthPort        1645
> AcctPort        1646
> 
> LogDir          /var/log/radius
> 
> DbDir           /etc/radiator
> 
> SnmpgetProg     /usr/local/bin/snmpget
> 
> <Client xxxxxxxxx>
>        IgnoreAcctSignature
>        Secret mysecret
>        DupInterval 0
> </Client>
> 
> <Handler TunnelledByPEAP=1>
>        <AuthBy FILE>
>                EAPType MSCHAP-V2
>                EAP_PEAP_MSCHAP_Convert 1
>        </AuthBy>
> </Handler>
> 
> <Handler ConvertedFromEAPMSCHAPV2=1>
>        <AuthBy GROUP>
>                AuthByPolicy ContinueWhileAccept
>                <AuthBy SQL>
>                        # Adjust DBSource, DBUsername, DBAuth to suit your DB
>                        DBSource        dbinformation
>                        DBUsername      dbuser
>                        DBAuth          dbpassword
> 
>                        AuthSelect select password from CorpUser where username=%0 AND expires > CURDATE()
>                        AuthColumnDef   0,User-Password,check
> 
>                        AccountingTable Accounting
>                        AcctColumnDef   username,User-Name
>                        AcctColumnDef   timestamp,Timestamp,integer
>                        AcctColumnDef   acctstatustype,Acct-Status-Type
>                        AcctColumnDef   acctdelaytime,Acct-Delay-Time,integer
>                        AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
>                        AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
>                        AcctColumnDef   acctsessionid,Acct-Session-Id
>                        AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
>                        AcctColumnDef   acctterminatecause,Acct-Terminate-Cause
>                        AcctColumnDef   nasidentifier,NAS-Identifier
>                        AcctColumnDef   nasport,NAS-Port,integer
>                        AcctColumnDef   framedip,Framed-IP-Address
> 
>                        SQLRecoveryFile %D/missedaccounting
>                </AuthBy>
>                <AuthBy LDAP2>
>                        Host localhost
>                        Port someport
>                        AuthDN somedn
>                        AuthPassword ldappassword
> 
>                        BaseDN somebasedn
>                        SearchFilter somefilter
>                        UsernameAttr uid
>                        NoCheckPassword
>                        NoDefault
>                        NoDefaultIfFound
>                        Timeout 20
>                </AuthBy>
>        </AuthBy>
> </Handler>
> 
> <Handler>
>        RewriteUsername s/^([^@]+).*/$1/
> 
>        AcctLogFileName %L/detail
>        WtmpFileName %L/wtmp
> 
>        RejectHasReason
> 
>        <AuthBy FILE>
>                Filename %D/users
> 
>                EAPType PEAP
>                EAPTLS_CAFile /etc/radiator/corp-ca-chain
>                EAPTLS_CertificateFile /etc/radiator/mycert.cert
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile /etc/radiator/mycert.key
>                EAPAnonymous anonymous
>                AutoMPPEKeys
>                EAPTLS_PEAPBrokenV1Label
>                EAPTLS_PEAPVersion 1
>        </AuthBy>
> </Handler>
> 
> Trace 4 details:
> ----------------------------
> *** Received from 10.30.36.251 port 1645 ....
> Code:       Access-Request
> Identifier: 16
> Authentic:  <177>Y<24><139><6><211>.9<134><151><214>.@<161><15><183>
> Attributes:
>        User-Name = "acaldwell"
>        Service-Type = Framed-User
>        Framed-MTU = 1500
>        Called-Station-Id = "00-0F-23-9A-2A-83"
>        Calling-Station-Id = "00-15-C5-15-FB-2A"
>        EAP-Message = <2><2><0><14><1>acaldwell
>        Message-Authenticator = <18>a<231>c<194>m<239><200><196><138><244>& <253><218><188>
>        NAS-Port = 50103
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address = 10.30.36.251
> 
> Wed Mar  3 22:26:33 2010: DEBUG: Handling request with Handler ''
> Wed Mar  3 22:26:33 2010: DEBUG: Rewrote user name to acaldwell
> Wed Mar  3 22:26:33 2010: DEBUG:  Deleting session for acaldwell, 10.30.36.251, 50103
> Wed Mar  3 22:26:33 2010: DEBUG: Handling with Radius::AuthFILE: 
> Wed Mar  3 22:26:33 2010: DEBUG: Handling with EAP: code 2, 2, 14, 1
> Wed Mar  3 22:26:33 2010: DEBUG: Response type 1
> Wed Mar  3 22:26:33 2010: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: Access challenged for acaldwell: EAP PEAP Challenge
> Wed Mar  3 22:26:33 2010: DEBUG: Packet dump:
> *** Sending to 10.30.36.251 port 1645 ....
> Code:       Access-Challenge
> Identifier: 16
> Authentic:  m<253>#<226><131><19>eS(<254><13><217><222><185><9>'
> Attributes:
>        EAP-Message = <1><3><0><6><25>!
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> and that's it... nothing else is ever seen! This same config works just fine with the Windows wireless PEAP users.
> 
> -dave
> 
> 
> 
> On Mar 3, 2010, at 8:45 PM, Hugh Irvine wrote:
> 
>> 
>> Hello David -
>> 
>> It sounds like your supplicant is not happy.
>> 
>> When asking questions, please include a copy of the Radiator configuration file and a trace 4 debug showing what is happening.
>> 
>> There are also some useful pointers in the FAQ (which is also included in the Radiator distribution in the "doc" directory):
>> 
>> 	http://www.open.com.au/radiator/faq.html
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 4 Mar 2010, at 12:04, David Heinz wrote:
>> 
>>> I'm attempting to get a 3750 to authenticate and assign a VLAN ID to the port. 
>>> 
>>> Since I have to use the native Windows client (and all of them have PEAP) I'm using PEAP as my EAP type. 
>>> 
>>> When the radius server sends back the access-challenge...there is no response from the authenticator. 
>>> 
>>> Anyone have any thoughts? I've verified time and again the Cisco configuration for this to work.
>>> 
>>> -Dave
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> 
>> NB: 
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>> 
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> 
>> 
>> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
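The fix in this thread (EAPTLS_MaxFragmentSize 1000) works because the PEAP outer TLS handshake is carried inside EAP-Request/PEAP packets that the switch relays to the supplicant in EAPOL frames, and a supplicant that cannot cope with a large first fragment simply never answers the Access-Challenge. The following is an added example, not part of the thread and not Radiator's own code: it decodes the two EAP-Message payloads visible in the trace 4 output above (the Identity response and the PEAP v1 Start challenge), then splits a constructed TLS blob into PEAP fragments at a given fragment size, reassembles them the way a supplicant must, and checks whether each fragment fits the Framed-MTU the 3750 advertises. The interpretation of the fragment size as "TLS bytes per EAP packet" and the sample TLS data are assumptions of the example.

```python
"""EAP-PEAP fragment/reassemble and a decoder for the EAP-Message bytes in the trace.
Added example; not code from the thread or from Radiator."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20     # Length-included, More fragments, Start
VERSION_MASK = 0x07                           # low 3 bits of the flags byte = PEAP version
EAPOL_HEADER_LEN = 4                          # 802.1X EAPOL header: version, type, length

# Bytes copied from the trace above: <2><2><0><14><1>acaldwell and <1><3><0><6><25>!
TRACE_IDENTITY_RESPONSE = bytes([2, 2, 0, 14, 1]) + b"acaldwell"
TRACE_PEAP_START = bytes([1, 3, 0, 6, 25]) + b"!"   # '!' is 0x21: Start flag + version 1


def parse_eap(packet):
    """Decode an EAP packet header; for EAP-PEAP also decode the flags byte."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length %d != packet size %d" % (length, len(packet)))
    info = {"code": code, "id": ident, "length": length}
    if length > 4:
        info["type"] = packet[4]
        info["data"] = packet[5:]
    if info.get("type") == EAP_TYPE_PEAP:
        flags = packet[5]
        info.update(version=flags & VERSION_MASK, L=bool(flags & FLAG_L),
                    M=bool(flags & FLAG_M), S=bool(flags & FLAG_S))
        body = packet[6:]
        if flags & FLAG_L:                    # 4-byte TLS Message Length precedes the data
            info["tls_total"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_data"] = body
    return info


def fragment_peap(tls_message, first_id, max_fragment_size, version=1):
    """Split one TLS message into EAP-Request/PEAP fragments.
    max_fragment_size bounds the TLS bytes per EAP packet (assumed reading of
    EAPTLS_MaxFragmentSize for this example). First fragment carries L + total length,
    every fragment but the last carries M."""
    packets, offset, ident = [], 0, first_id
    while offset < len(tls_message) or not packets:
        chunk = tls_message[offset:offset + max_fragment_size]
        offset += len(chunk)
        flags, payload = version & VERSION_MASK, b""
        if not packets:
            flags |= FLAG_L
            payload += struct.pack("!I", len(tls_message))
        if offset < len(tls_message):
            flags |= FLAG_M
        payload += chunk
        body = bytes([EAP_TYPE_PEAP, flags]) + payload
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return packets


def reassemble_peap(packets):
    """Rebuild the TLS message from fragments, as a supplicant must; raises on a short read."""
    first = parse_eap(packets[0])
    if not first["L"]:
        raise ValueError("first fragment must carry the TLS Message Length")
    data = bytearray(first["tls_data"])
    for pkt in packets[1:]:
        data += parse_eap(pkt)["tls_data"]
    if len(data) != first["tls_total"] or parse_eap(packets[-1])["M"]:
        raise ValueError("incomplete reassembly: got %d of %d bytes" % (len(data), first["tls_total"]))
    return bytes(data)


def fits_framed_mtu(packet, framed_mtu):
    """True if the EAP packet plus its EAPOL header fits in the switch's Framed-MTU."""
    return len(packet) + EAPOL_HEADER_LEN <= framed_mtu


if __name__ == "__main__":
    print(parse_eap(TRACE_IDENTITY_RESPONSE))
    print(parse_eap(TRACE_PEAP_START))
    tls = bytes(range(256)) * 12                      # constructed 3072-byte stand-in for a ServerHello chain
    for size in (1000, 2000):
        frags = fragment_peap(tls, first_id=4, max_fragment_size=size)
        print(size, len(frags), "fragments, first fits MTU 1500:", fits_framed_mtu(frags[0], 1500))
```

Running it shows the Start packet decoding as PEAP version 1 with only the S flag set, which matches EAPTLS_PEAPVersion 1 in the config; at a fragment size of 1000 every fragment stays under the Framed-MTU of 1500 reported by the switch, while a fragment size above roughly 1490 produces an EAP packet that cannot be carried in one EAPOL frame at all.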
