September 5th, 2018 08:00

Port mac-based authorization via freeradius

Hello,

I have N1124P-ON switches and I want to use freeradius for MAC authorization of ports. But it does not work.

Here is the switch configuration:

#show running-config
-----
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server host auth 192.168.200.14
name "radius1"
usage 802.1x
key 7 "4c41ffe0d54353f9a0e85494708aa623dc69f84b4d0ff9d34ffcc769c19edb10902ec553be657a915a3e157a3267e981fe0369427a84b87e776433c8e004dbf9eddc666e08bbcc2f5052a2df058f203a68f6545b90b0878ce2938c1fd919f9b73d920be6220beece7c713764173af026bcc4313581f1611e58d520155fe7f4a6"
-----

Here is the port config:

#show running-config interface Gi2/0/26

description "teacher"
spanning-tree portfast
switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order mab

Here is dot1x:

#show dot1x interface Gi2/0/26

Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Disabled
VLAN Assignment Mode.............. Enabled
Monitor Mode...................... Disabled

Port      Admin Mode         Oper Mode               Reauth   Reauth
                                                     Control  Period
--------- ------------------ ----------------------- -------- ----------
Gi2/0/26  mac-based          Unauthorized            TRUE     3600

Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 32
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Enabled
MAB mode (operational)......................... Enabled

Logical Supplicant     AuthPAE            Backend    VLAN Username      Filter
Port    MAC-Address    State              State       Id                 Id
------- -------------- ------------------ ---------- ---- ------------- ------
2464    A4BA.DB02.829E Connecting         Idle            A4BADB02829E

Here is the output from freeradius:

#freeradius -Xx
----
Wed Sep  5 17:14:15 2018 : Auth: (100) Login OK: [A4BADB02829E/  ] (from client 201-network port 78 cli a4:ba:db:02:82:9e)
Wed Sep  5 17:14:15 2018 : Debug: (100) Sent Access-Accept Id 17 from 192.168.200.14:1812 to 192.168.201.11:52653 length 0
Wed Sep  5 17:14:15 2018 : Debug: (100)   Tunnel-Type = VLAN
Wed Sep  5 17:14:15 2018 : Debug: (100)   Tunnel-Medium-Type = IEEE-802
Wed Sep  5 17:14:15 2018 : Debug: (100)   Tunnel-Private-Group-Id = "203"
Wed Sep  5 17:14:15 2018 : Debug: (100) Finished request
Wed Sep  5 17:14:15 2018 : Debug: Waking up in 4.9 seconds.
Wed Sep  5 17:14:20 2018 : Debug: (99) Cleaning up request packet ID 16 with timestamp +9746
Wed Sep  5 17:14:20 2018 : Debug: (100) Cleaning up request packet ID 17 with timestamp +9746
Wed Sep  5 17:14:20 2018 : Info: Ready to process requests

Can anyone please check where the failure is?

Many thanks

September 12th, 2018 05:00

SOLVED !!!

In radcheck I have a bad record:

username (mac) -> Auth-Type := Accept

It is changed to:

username (mac) -> Cleartext-Password := username (mac)
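
The fix above in working form, as an added example (not code from the thread or from FreeRADIUS): it normalizes a MAC into the User-Name form the switch sends, emits the radcheck/radreply rows for the stock rlm_sql schema (table and column names are the FreeRADIUS defaults; that schema is an assumption about the poster's setup) carrying the VLAN attributes from the thread, and flags existing radcheck entries that still use Auth-Type := Accept. That the switch's MAB runs as EAP-MD5 is an assumption, consistent with the switch log complaining that the server sent no EAP message.

```python
"""Provision MAB (MAC authentication bypass) records for FreeRADIUS rlm_sql.

Added example, not code from the thread or from FreeRADIUS. Assumes the stock
FreeRADIUS SQL schema (tables radcheck and radreply with columns username,
attribute, op, value) and that the switch sends the client MAC as User-Name in
upper case with no separators, as in the Username column of
"show dot1x interface" above (A4BADB02829E).
"""
import re
from typing import List, Tuple

Row = Tuple[str, str, str, str, str]  # (table, username, attribute, op, value)

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in the switch's User-Name form, e.g. A4BADB02829E.

    Accepts a4:ba:db:02:82:9e, a4-ba-db-02-82-9e, A4BA.DB02.829E and the bare
    form. Anything that is not 12 hex digits after stripping separators raises
    ValueError, so a typo cannot create a record that no client will ever match.
    """
    stripped = re.sub(r"[:\-.\s]", "", mac).upper()
    if not _HEX12.match(stripped):
        raise ValueError(f"not a MAC address: {mac!r}")
    return stripped


def mab_records(mac: str, vlan: int) -> List[Row]:
    """Rows for one MAB client: the check entry plus the VLAN reply attributes.

    The thread found that ``Auth-Type := Accept`` in radcheck does not work
    with this switch (its log says "RADIUS server did not send required EAP
    message"), while ``Cleartext-Password := <mac>`` does: with a known
    password the server can complete the EAP exchange the switch runs for MAB
    (assumed here to be EAP-MD5) instead of short-circuiting it.
    """
    user = normalize_mac(mac)
    return [
        ("radcheck", user, "Cleartext-Password", ":=", user),
        ("radreply", user, "Tunnel-Type", "=", "VLAN"),
        ("radreply", user, "Tunnel-Medium-Type", "=", "IEEE-802"),
        ("radreply", user, "Tunnel-Private-Group-Id", "=", str(vlan)),
    ]


def render_sql(rows: List[Row]) -> List[str]:
    """One INSERT statement per row, with values escaped as SQL string literals."""
    def lit(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"

    return [
        f"INSERT INTO {table} (username, attribute, op, value) VALUES "
        f"({lit(user)}, {lit(attr)}, {lit(op)}, {lit(value)});"
        for table, user, attr, op, value in rows
    ]


def audit_radcheck(radcheck_rows) -> List[str]:
    """Usernames whose radcheck entry still relies on ``Auth-Type := Accept``.

    Takes (username, attribute, op, value) tuples as read from the radcheck
    table and returns, sorted, the users that have the bad record from the
    thread and no Cleartext-Password to replace it.
    """
    by_user = {}
    for username, attribute, op, value in radcheck_rows:
        by_user.setdefault(username, []).append((attribute, op, value))
    return sorted(
        user for user, attrs in by_user.items()
        if ("Auth-Type", ":=", "Accept") in attrs
        and not any(attr == "Cleartext-Password" for attr, _, _ in attrs)
    )


if __name__ == "__main__":
    # Constructed input: the MAC and VLAN from the thread.
    for statement in render_sql(mab_records("a4:ba:db:02:82:9e", 203)):
        print(statement)
    existing = [("A4BADB02829E", "Auth-Type", ":=", "Accept")]
    print("needs fixing:", audit_radcheck(existing))
```

The reply rows use `=` as the thread's own attribute list does; the check row uses `:=` so the password is set unconditionally. Running `audit_radcheck` over a dump of the existing table is the quickest way to find other ports that were provisioned with the pattern that failed here.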

September 5th, 2018 23:00

Hello Daniel,

Thank you for your reply.

#show dot1x interface gigabitethernet 2/0/26 statistics

Port........................................... Gi2/0/26
EAPOL Frames Received.......................... 0
EAPOL Frames Transmitted....................... 2773
EAPOL Start Frames Received.................... 0
EAPOL Logoff Frames Received................... 0
Last EAPOL Frame Version....................... 0
Last EAPOL Frame Source........................ 0000.0000.0000
EAP Response/Id Frames Received................ 0
EAP Response Frames Received................... 0
EAP Request/Id Frames Transmitted.............. 1408
EAP Request Frames Transmitted................. 0
Invalid EAPOL Frames Received.................. 0
EAPOL Length Error Frames Received............. 0

and

#show dot1x interface Gi2/0/26

Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Disabled
VLAN Assignment Mode.............. Enabled
Monitor Mode...................... Disabled

Port      Admin Mode         Oper Mode               Reauth   Reauth
                                                     Control  Period
--------- ------------------ ----------------------- -------- ----------
Gi2/0/26  mac-based          Unauthorized            TRUE     3600

Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 32
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Enabled
MAB mode (operational)......................... Enabled

Logical Supplicant     AuthPAE            Backend    VLAN Username      Filter
Port    MAC-Address    State              State       Id                 Id
------- -------------- ------------------ ---------- ---- ------------- ------
2464    A4BA.DB02.829E Held               Idle            A4BADB02829E

Switch log:

<189> Sep  6 06:18:02 sw11-1 DOT1X[dot1xTask]: dot1x_radius.c(673) 14436 %% EAP message not received from server.RADIUS server did not send required EAP message.
<189> Sep  6 06:18:01 sw11-1 TRAPMGR[trapTask]: traputil.c(721) 14433 %% Gi2/0/26 status is Unauthorized
<190> Sep  6 06:17:54 sw11-1 AUTHMGR[authMgrTask]: auth_mgr_control.c(1089) 14432 %% User Authentication failed on interface Gi2/0/26.
<189> Sep  6 06:16:25 sw11-1 DOT1X[dot1xTask]: dot1x_radius.c(673) 14424 %% EAP message not received from server.RADIUS server did not send required EAP message.
<189> Sep  6 06:16:24 sw11-1 TRAPMGR[trapTask]: traputil.c(721) 14421 %% Gi2/0/26 status is Unauthorized

I want to permit access via the port and add a VLAN to the port:

Attributes:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "203"
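
To watch for these failures across many ports instead of reading the log by hand, here is an added example (not from the thread or from Dell) that parses the switch log lines quoted above and counts failure kinds per interface. The line format is inferred from those five lines only; other firmware versions may log differently.

```python
"""Summarize 802.1X/MAB failures from N1124P-ON syslog lines.

Added example, not from the thread. The line format (<PRI> prefix, BSD
timestamp, hostname, COMPONENT[task]:, source file(line), sequence number,
'%%', message) is inferred from the five lines quoted above; other firmware
may log differently and need the pattern adjusted.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<component>[A-Z0-9]+)\[(?P<task>[^\]]+)\]:\s+"
    r"(?P<source>\S+\(\d+\))\s+(?P<seq>\d+)\s+%%\s+"
    r"(?P<msg>.*)$"
)
IFACE = re.compile(r"\b(Gi\d+/\d+/\d+)\b")

# The switch log lines quoted in the post above (copied from the thread).
SAMPLE_LOG = [
    "<189> Sep  6 06:18:02 sw11-1 DOT1X[dot1xTask]: dot1x_radius.c(673) 14436 %% EAP message not received from server.RADIUS server did not send required EAP message.",
    "<189> Sep  6 06:18:01 sw11-1 TRAPMGR[trapTask]: traputil.c(721) 14433 %% Gi2/0/26 status is Unauthorized",
    "<190> Sep  6 06:17:54 sw11-1 AUTHMGR[authMgrTask]: auth_mgr_control.c(1089) 14432 %% User Authentication failed on interface Gi2/0/26.",
    "<189> Sep  6 06:16:25 sw11-1 DOT1X[dot1xTask]: dot1x_radius.c(673) 14424 %% EAP message not received from server.RADIUS server did not send required EAP message.",
    "<189> Sep  6 06:16:24 sw11-1 TRAPMGR[trapTask]: traputil.c(721) 14421 %% Gi2/0/26 status is Unauthorized",
]


@dataclass
class Event:
    facility: int       # PRI // 8  (23 = local7 for these lines)
    severity: int       # PRI % 8   (5 = notice, 6 = informational)
    timestamp: str
    host: str
    component: str
    seq: int
    msg: str
    interface: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    iface = IFACE.search(m["msg"])
    return Event(pri // 8, pri % 8, m["ts"], m["host"], m["component"],
                 int(m["seq"]), m["msg"], iface.group(1) if iface else None)


def classify(msg: str) -> str:
    """Bucket a message into the failure kinds seen on this page."""
    if "did not send required EAP message" in msg:
        return "eap_missing"      # server-side record problem, as in this thread
    if "Authentication failed" in msg:
        return "auth_failed"
    if "status is Unauthorized" in msg:
        return "unauthorized"
    return "other"


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count failure kinds per interface; lines naming no port go under "(none)"."""
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev.interface or "(none)"][classify(ev.msg)] += 1
    return {iface: dict(c) for iface, c in counts.items()}


if __name__ == "__main__":
    for iface, kinds in summarize(SAMPLE_LOG).items():
        print(iface, kinds)
```

The DOT1X "EAP message not received" lines carry no port name, so they land under "(none)"; pairing them by sequence number or timestamp with the neighbouring TRAPMGR line is the way to attribute them to a port if that matters for alerting.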
September 6th, 2018 00:00

dot1x statistics:

#show dot1x interface Gi2/0/26 statistics

Port........................................... Gi2/0/26
EAPOL Frames Received.......................... 0
EAPOL Frames Transmitted....................... 2807
EAPOL Start Frames Received.................... 0
EAPOL Logoff Frames Received................... 0
Last EAPOL Frame Version....................... 0
Last EAPOL Frame Source........................ 0000.0000.0000
EAP Response/Id Frames Received................ 0
EAP Response Frames Received................... 0
EAP Request/Id Frames Transmitted.............. 1408
EAP Request Frames Transmitted................. 0
Invalid EAPOL Frames Received.................. 0
EAPOL Length Error Frames Received............. 0

0 events found

No Events found!
