Re: Help with FreeRadius + Switch + Mac Based Auth - question

2008-06-05 Thread Alan DeKok
Daniel Machado Grilo wrote:
> Do I need to have supplicants even so I want to authenticate
> with the mac-address, or could it be that this switch doesn't
> support this, and the normal behaviour should be that the switch
> asks RADIUS to have access showing the machine credentials (MAC Address)!?

  Supplicants don't do MAC address authentication.

  If MAC authentication doesn't work when you turn on 802.1x, then the
switch doesn't support MAC and 802.1x.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help with FreeRadius + Switch + Mac Based Auth - question

2008-06-03 Thread Daniel Machado Grilo
Hi,

I'm hoping that you can help me,
because I've been trying this for a long time.

I'm testing an SMC6248M switch to check if RADIUS support
is fine, so I configured a FreeRADIUS server on a Fedora 8 machine.

I've made some tests adding clients to clients.conf and making
requests via radtest to ensure that the radius is well configured,

ex:

[EMAIL PROTECTED] ~]# radtest 003084-87faf2 * 192.168.1.13 1812 oincoinc
Sending Access-Request of id 116 to 192.168.1.13 port 1812
        User-Name = 003084-87faf2
        User-Password = *
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
Re-sending Access-Request of id 116 to 192.168.1.13 port 1812
        User-Name = 003084-87faf2
        User-Password = omGtkKyB
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.1.13:1812, id=116, length=20
rad_verify: Received Access-Reject packet from client 192.168.1.13 port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)


If I change the switch configuration to Auth by Local,RADIUS
and then try to access the administration interface with a
password that I only have in the RADIUS config, I get:

Username: dmgrilo
Password:

  CLI session with the Tiger Stack 10/100 is opened.
  To end the CLI session, enter [Exit].


logs show:
rad_recv: Access-Request packet from host 192.168.1.251:1815, id=204,
length=55
User-Name = dmgrilo
User-Password = 12345
NAS-IP-Address = 192.168.1.251
NAS-Identifier = 
Sending Access-Accept of id 204 to 192.168.1.251 port 1815


which is ok.

But now I have a computer on ethernet 1/35 that I want to
auth via RADIUS, so I changed the port to dot1x port-control auto
and made the interface re-auth. I lose connection to that machine
and the switch claims that it is not authenticated.

So, my question is: in the users file from FreeRadius I have
the mac-address for the machine and password:
# Green
000244-09a361 Auth-Type := Local, User-Password == 
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 1

So why doesn't the switch ask the RADIUS to get access?
(nothing appears in logs)

I don't want to have supplicants installed on the client, because
I want to connect phones too, but I guess with auth via MAC-Address
it wouldn't need supplicants, right?

One important thing is that when I check the show dot1x in
the switch it doesn't determine the supplicant mac-address.
I guess it should, right?

802.1X is enabled on port 1/35
 reauth-enabled:     Enable
 reauth-period:      3600
 quiet-period:       60
 tx-period:          30
 supplicant-timeout: 30
 server-timeout:     10
 reauth-max:         2
 max-req:            2
Status              Unauthorized
Operation mode      Single-Host
Max count           5
Port-control        Auto
Supplicant          00-00-00-00-00-00
Current Identifier  1

Authenticator State Machine
State               Connecting
Reauth Count        2

Backend State Machine
State               Idle
Request Count       0
Identifier(Server)  0

Reauthentication State Machine
State               Initialize

So my real (summarized) question:
Do I need to have supplicants even so I want to authenticate
with the mac-address, or could it be that this switch doesn't
support this, and the normal behaviour should be that the switch
asks RADIUS to have access showing the machine credentials (MAC Address)!?

Tks in Adv.
Daniel
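
Added example, not part of the original post: the "invalid signature ... Shared secret is incorrect" line in the radtest output above is the client failing the RFC 2865 Response Authenticator check, MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), which only matches when both ends hold the same secret. The request authenticator and the server-side secret below are constructed values; the id, length and client secret are taken from the radtest run.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS packet code (RFC 2865)

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply and sign it with the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare it."""
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # Length field disagrees with the datagram
    packet = packet[:length]  # ignore padding past Length
    received, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

# Constructed sample values (not from the thread).
REQUEST_AUTH = bytes(range(16))            # authenticator the client sent
SERVER_SECRET = b"secret-in-clients.conf"  # what the server signs with

# Access-Reject, id=116, length=20 (no attributes), as in the radtest output.
REPLY = build_reply(ACCESS_REJECT, 116, REQUEST_AUTH, b"", SERVER_SECRET)

if __name__ == "__main__":
    # Same secret on both ends: the reply verifies.
    print("matching secret:", verify_reply(REPLY, REQUEST_AUTH, SERVER_SECRET))
    # Client uses the secret typed on the radtest command line: mismatch.
    print("radtest secret :", verify_reply(REPLY, REQUEST_AUTH, b"oincoinc"))
```

A reply that fails this check says nothing about whether the user would have been accepted; the secret configured for that client address has to be fixed first.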


