FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Hi guys, we are trying to get FreeRADIUS to authenticate our users who connect through a Cisco Small Business PoE switch.

When testing authentication with a shutdown / no shutdown on port fa17, which has an IP phone connected to it, we receive the following errors:

FreeRADIUS:

[ldap]  expand: %{User-Name} -> root
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap]  expand: dc=citlao,dc=local -> dc=citlao,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.

Cisco PoE switch:

SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down:  fa17

SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding
23-Sep-2013 14:17:42 %LINK-I-Up:  fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
23-Sep-2013 14:18:07 %LINK-W-Down:  fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)
23-Sep-2013 14:18:09 %LINK-I-Up:  fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)

However, when we try the same test on a port that has a PC connected to it, we do not receive such an error.

The Cisco switch says that we have the wrong user name and the FreeRADIUS log says access rejected. Why would this only be the case when a Cisco IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as follows:

 dot1x max-req 1
 dot1x reauthentication
 dot1x timeout quiet-period 30
 dot1x mac-authentication mac-only
 dot1x port-control auto
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 spanning-tree portfast
 macro description no_ip_phone_desktop | ip_phone_desktop
 switchport trunk allowed vlan add 100
 macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are successfully authenticated?

Thanks for your assistance,

Dan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Alan DeKok
Daniel Baker wrote:
>   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>   [ldap] object not found
> [ldap] search failed

  What part of that is unclear?

> What can I try to fix the authentication issues so that all ports are
> successfully authenticated?

  Ensure that the people logging in have accounts in ldap.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
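An added example, not code from FreeRADIUS or from either poster, that does mechanically what Alan did by eye with the three quoted lines. It reads the radiusd -X excerpt from the first message (copied inline as a constructed sample, with the "->" arrows of the expand lines restored and the wrapped pap warning rejoined), pulls out the User-Name, the rlm_ldap search base and expanded filter, and each module's return code per section, and reports why the request ended in Access-Reject: ldap returned notfound for (uid=root) under dc=citlao,dc=local, so no authorize module set Auth-Type or a "known good" password and the default site rejected. It also models the %{%{Stripped-User-Name}:-%{User-Name}} default expansion that produced the filter, and builds the ldapsearch command that repeats the lookup by hand. The LDAP server URI is a placeholder, and the assumption that the excerpt begins inside the authorize section is the script's own, not something the log states.

```python
"""Triage a FreeRADIUS 2.x "radiusd -X" excerpt that ended in Access-Reject.
Added example for this thread, not code from FreeRADIUS or from the posters.
Assumption: the excerpt starts inside the authorize section, as Daniel's does.
"""
import re
import shlex

# Constructed sample: Daniel's debug lines, trimmed, with the "->" of the
# expand lines restored and the wrapped pap warning rejoined on one line.
SAMPLE_DEBUG = """\
[ldap] \texpand: %{User-Name} -> root
[ldap] \texpand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap] \texpand: dc=citlao,dc=local -> dc=citlao,dc=local
  [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
  [ldap] object not found
++[ldap] returns notfound
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Login incorrect (  [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
"""

EXPAND_RE = re.compile(r"^\s*\[[\w.]+\]\s+expand: (?P<template>.+?) -> (?P<result>.*)$")
SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))$")
RETURNS_RE = re.compile(r"^\s*\++\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)$")
GROUP_RE = re.compile(r"entering group (?P<group>\w+)")
LOGIN_RE = re.compile(r"Login incorrect \((?P<reason>.*?)\): \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\]")
REJECT_RE = re.compile(r"Sending Access-Reject of id (?P<id>\d+) to (?P<nas>\S+) port (?P<port>\d+)")
XLAT_RE = re.compile(r"%\{([^{}]*)\}")  # innermost %{...} first, so nested forms reduce stepwise


def parse_debug(text):
    """Collect the facts that explain one request from its debug trace."""
    info = {"user": None, "expansions": {}, "search_base": None, "search_filter": None,
            "rcodes": [], "no_auth_type": False, "login": None, "reject": None}
    section = "authorize"  # see module docstring: assumed, not read from the log
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            section = m["group"]
        elif m := EXPAND_RE.match(line):
            info["expansions"][m["template"]] = m["result"]
            if m["template"] == "%{User-Name}" and info["user"] is None:
                info["user"] = m["result"]
        elif m := SEARCH_RE.search(line):
            info["search_base"], info["search_filter"] = m["base"], m["filter"]
        elif m := RETURNS_RE.match(line):
            info["rcodes"].append((section, m["module"], m["rcode"]))
        elif "No authenticate method (Auth-Type) found" in line:
            info["no_auth_type"] = True
        elif m := LOGIN_RE.search(line):
            info["login"] = (m["user"], m["password"], m["reason"].strip())
        elif m := REJECT_RE.search(line):
            info["reject"] = (int(m["id"]), m["nas"], int(m["port"]))
    return info


def expand_xlat(template, attrs):
    """Minimal model of the two xlat forms in the ldap filter: %{Attr} and the
    %{%{A}:-%{B}} default. An absent attribute expands to "", which is what
    lets the default (User-Name) take over when no realm was stripped."""
    def one(m):
        body = m.group(1)
        if ":-" in body:
            primary, default = body.split(":-", 1)
            return primary or default
        return attrs.get(body, "")
    prev = None
    while prev != template:
        prev, template = template, XLAT_RE.sub(one, template)
    return template


def diagnose(info):
    """Findings, derived from the authorize-section return codes alone."""
    authorize = [(mod, rc) for sect, mod, rc in info["rcodes"] if sect == "authorize"]
    findings = []
    if info["login"]:
        findings.append(f"user {info['login'][0]!r} rejected: {info['login'][2]}")
    if info["search_filter"] and ("ldap", "notfound") in authorize:
        findings.append(f"rlm_ldap found nothing for {info['search_filter']} "
                        f"under {info['search_base']}")
    if info["no_auth_type"] and not any(rc in ("ok", "updated") for _, rc in authorize):
        codes = ", ".join(f"{mod}={rc}" for mod, rc in authorize)
        findings.append(f"no authorize module set Auth-Type or a known-good password ({codes}), "
                        "so the server has nothing to check the supplied password against")
    return findings


def ldapsearch_command(info, uri="ldap://<ldap-server>"):
    """ldapsearch that repeats rlm_ldap's lookup by hand. The URI is a placeholder;
    add -D/-W if the directory refuses anonymous reads."""
    args = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b",
            info["search_base"], info["search_filter"], "uid"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    info = parse_debug(SAMPLE_DEBUG)
    for finding in diagnose(info):
        print("-", finding)
    print("reproduce:", ldapsearch_command(info))
```

Run it as a script to see the findings for the posted excerpt, or hand parse_debug() any other -X excerpt that covers one request. One caveat the script makes visible: the "Login incorrect" line carries the password the supplicant sent in the clear ([root/trash] here), so debug output saved or pasted to a list should be treated as sensitive.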


Re: FreeRadius Error Access Rejected Only On Some CISCO Switch Ports

2013-09-23 Thread Daniel Baker

Thank you Alan I will pursue that line of inquiry further.


On 9/23/2013 8:18 PM, Alan DeKok wrote:
> Daniel Baker wrote:
>>   [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
>>   [ldap] object not found
>> [ldap] search failed
>
>   What part of that is unclear?
>
>> What can I try to fix the authentication issues so that all ports are
>> successfully authenticated?
>
>   Ensure that the people logging in have accounts in ldap.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html