I'd have something like:

radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server timeout 2
radius-server deadtime 1
radius-server vsa send authentication
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
 server 192.168.1.50 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group RADIUS-SERVERS
aaa accounting dot1x default start-stop group RADIUS-SERVERS
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
int fa0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 5
 dot1x timeout reauth-period server
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100

> -----Original Message-----
> From: freeradius-users-[EMAIL PROTECTED]
> [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of
> Omar Lopez Limonta
> Sent: 25 April 2008 09:36
> To: FreeRadius users mailing list
> Subject: Re: Dot1x on cisco 3560
>
> On Fri, Apr 25, 2008 at 9:51 AM, <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> >
> > > xxxx Cleartext-Password := "PPPPPl"
> > >        Service-Type = NAS-Prompt-User,
> > >        cisco-avpair = "shell:priv-lvl=15"
> >          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > this sort of stuff is for admin access to the switch
> >
> >
> > > Sending Access-Challenge of id 60 to 172.29.11.1:21645
> > >        Framed-IP-Address = 255.255.255.254
> > >        Framed-MTU = 576
> > >        Service-Type = Framed-User
> > >        EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77
> > >        Message-Authenticator = 0x00000000000000000000000000000000
> > >        State = 0xb307e1b51eedc6cc895b65e64bcd34a3
> > > Finished request 0
> > > Going to the next request
> > > --- Walking the entire request list ---
> > > Waking up in 6 seconds...
> > > rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123
> > > Sending duplicate reply to client authenticator-short-name:21645 - ID: 60
> > > Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
> >
> > lots of these. looks like FR is sending challenges but the switch is not
> > responding. what's your IOS config look like? if you 'debug aaa' on the switch
> > can you see stuff happening at all?
>
> Mmmm, it is curious:
> 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.11.7:1812,1813 has returned.
> 04-25-2008 10:27:16 Local7.Warning 172.29.11.1 67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.11.7:1812,1813 is not responding.
> Using debug in AAA on my switch.
>
> I have these radius settings on my cisco switch:
>
> #sh run | include radius
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
> radius-server key mecago
> #
>
> Could any other line be necessary?
>
> I'm using MD5 challenge because I'm testing and I don't want to deploy
> certificates or a certificate server.
> Are you using MS certificate Server with FR?
>
> --
> Xgalaga is more enjoyable on NetBSD sparc64
>
> Content Rules:
>
>  /////
> \\\///
> ///\\\   The Duke of Url.
> { O--O }
> / /\ \
> \ -- /
>  [||]
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
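
The EAP-Message in the quoted Access-Challenge can be decoded to confirm what FreeRADIUS is offering the switch, here an EAP-Request of type MD5-Challenge, the method the original poster says he is testing with. This is an added example, not part of either poster's message; the function names are illustrative, and the response formula is the standard CHAP one that EAP-MD5 reuses.

```python
import hashlib
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

# EAP-Message value copied from the Access-Challenge in the quoted debug output.
SAMPLE_EAP_MESSAGE = "0x010300160410245db5b7205b11398ead15f567f6ed77"


def parse_eap(hex_value):
    """Decode one EAP packet (RFC 3748 header) from a FreeRADIUS hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A mismatch means a truncated dump or an EAP packet split across
    # several EAP-Message attributes that were not concatenated first.
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes received")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        data = raw[5:]
        if raw[4] == 4:  # MD5-Challenge: Value-Size, Value, optional Name
            if not data or data[0] > len(data) - 1:
                raise ValueError("MD5-Challenge Value-Size exceeds packet")
            pkt["value"] = data[1:1 + data[0]]
            pkt["name"] = data[1 + data[0]:]
    return pkt


def md5_challenge_response(ident, password, challenge):
    """Value the supplicant must return: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


if __name__ == "__main__":
    pkt = parse_eap(SAMPLE_EAP_MESSAGE)
    print(pkt["code"], pkt["type"], "id", pkt["id"], "challenge", pkt["value"].hex())
    # Constructed password, used only to show the shape of the expected reply.
    print(md5_challenge_response(pkt["id"], b"constructed-password", pkt["value"]).hex())
```

The decoded EAP id (3) is separate from the RADIUS packet id (60) seen in the debug lines; the repeated "duplicate reply" messages concern the RADIUS id.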