Re: FreeRadius Error "Access Rejected" Only On Some CISCO Switch Ports
Thank you Alan, I will pursue that line of inquiry further.

On 9/23/2013 8:18 PM, Alan DeKok wrote:
> Daniel Baker wrote:
> > [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> > [ldap] object not found
> > [ldap] search failed
>
> What part of that is unclear?
>
> > What can I try to fix the authentication issues so that all ports are being
> > successfully authenticated ?
>
> Ensure that the people logging in have accounts in ldap.
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius Error "Access Rejected" Only On Some CISCO Switch Ports
Hi Guys,

we are trying to get Free Radius to authenticate our users who connect through a Cisco Small Business POE switch. When testing authentication with a shutdown / no shutdown command on port fa/17, which has an IP phone connected to it, we receive the following errors:

FREE RADIUS:

[ldap] expand: %{User-Name} -> root
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap] expand: dc=citlao,dc=local -> dc=citlao,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> root
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 12 ID 31 with timestamp +10922
Ready to process requests.
CISCO POE SWITCH:

SW-BN3-PoE(config-if)#shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down: fa17
SW-BN3-PoE(config-if)#
SW-BN3-PoE(config-if)#no shutdown
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP status Forwarding
23-Sep-2013 14:17:42 %LINK-I-Up: fa17
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server
23-Sep-2013 14:18:07 %LINK-W-Down: fa17, aggregated (3)
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding, aggregated (3)
23-Sep-2013 14:18:09 %LINK-I-Up: fa17, aggregated (3)
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or password in Radius server, aggregated (1)

However, when we try the same test on a port that has a PC connected to it we do not receive such an error. The CISCO switch says that we have the wrong user name and the Free Radius log says access rejected. Why would this only be the case when a CISCO IP phone tries to authenticate?

The Cisco switch port configurations are exactly the same and are as follows:

dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 30
dot1x mac-authentication mac-only
dot1x port-control auto
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
spanning-tree portfast
macro description "no_ip_phone_desktop | ip_phone_desktop"
switchport trunk allowed vlan add 100
macro auto smartport type ip_phone_desktop

What can I try to fix the authentication issues so that all ports are being successfully authenticated?

Thanks for your assistance,
Dan
Re: FreeRadius Error "Access Rejected" Only On Some CISCO Switch Ports
Daniel Baker wrote:
> [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
> [ldap] object not found
> [ldap] search failed

What part of that is unclear?

> What can I try to fix the authentication issues so that all ports are being
> successfully authenticated ?

Ensure that the people logging in have accounts in ldap.

Alan DeKok.
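An added triage helper, not code from this thread or from the FreeRADIUS project: it parses the radiusd debug lines quoted in the original post (a constructed excerpt embedded below) and reports which modules returned what, what the ldap module actually searched for, and why the Access-Reject was sent, so the "account missing in LDAP" case Alan points at can be told apart from a plain wrong-password reject without reading the whole dump by hand.

```python
import re

# Constructed sample: a few lines copied from the debug output quoted in the post.
RADIUS_DEBUG = """\
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)
[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)
[ldap] object not found
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Login incorrect ( [ldap] User not found): [root/trash] (from client LTC-ROUTER port 2)
Sending Access-Reject of id 31 to 192.168.1.1 port 1645
"""

MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rcode>\w+)$")
SEARCH_RE = re.compile(r"^\[ldap\] performing search in (?P<base>.+?), with filter (?P<filter>\(.+\))$")
REJECT_RE = re.compile(r"^Login incorrect \((?P<reason>.+?)\): \[(?P<user>[^/\]]+)(?:/[^\]]*)?\] "
                       r"\(from client (?P<client>\S+) port (?P<port>\d+)\)$")

def triage_radius_debug(text):
    """Summarise one authorize/authenticate pass from `radiusd -X` output:
    module return codes, the LDAP search that ran, and the reject reason."""
    summary = {"modules": {}, "ldap_base": None, "ldap_filter": None,
               "user": None, "client": None, "nas_port": None, "reason": None}
    for line in text.splitlines():
        line = line.strip()
        if m := MODULE_RE.match(line):
            summary["modules"][m["module"]] = m["rcode"]
        elif m := SEARCH_RE.match(line):
            summary["ldap_base"], summary["ldap_filter"] = m["base"], m["filter"]
        elif m := REJECT_RE.match(line):
            # The "[user/password]" field of this line echoes the cleartext password
            # in debug mode; only the user name is kept so the summary is safe to share.
            summary.update(user=m["user"], client=m["client"],
                           nas_port=int(m["port"]), reason=m["reason"].strip())
    # ldap "notfound" (and therefore no Auth-Type set) means no directory entry matched the
    # filter: the fix is an account or a corrected base DN/filter, not a password reset.
    ldap_rcode = summary["modules"].get("ldap")
    if ldap_rcode == "notfound":
        summary["verdict"] = "user not found in LDAP"
    elif ldap_rcode == "ok":
        summary["verdict"] = "user found in LDAP"
    else:
        summary["verdict"] = "undetermined"
    return summary
```

Feeding it the complete debug dump from the post yields the same verdict; only the `++[module] returns ...`, search and `Login incorrect` lines are consulted.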