Re: Setup Help: freeradius + cisco catalist + linux & windows clients

2004-10-27 Thread Alan DeKok
Adrian Turcu <[EMAIL PROTECTED]> wrote:
> Could someone point me to some comprehensive howto's about how should I
> configure the freeradius to authenticate the clients based on their mac
> address with the catalyst in the middle?

  There's no "howto" for that.  Instead, the documentation describes
generally how to configure the server, and what to do.

> I get these messages on the screen and the client is never authenticated:
> 
> rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
> length=122
...
> Calling-Station-Id = "00-10-a4-99-8c-c4"
> EAP-Message = 0x02150159424e494e5445524e4154494f4e414c

  The workstation is using EAP, not MAC address authentication.

> in users I have added
> 
> someuser        Auth-Type := Local

  Which will ensure EAP doesn't work.  You also need to supply a
password for the user, otherwise the server has no idea how to
authenticate them.

> for the above debug i used linux workstation with its mac-address
> 00-10-a4-99-8c-c4

  And xsupplicant is configured to do EAP, not MAC address authentication.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
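
The diagnosis in the reply above can be read mechanically from the `radiusd -X` output. The following is an added example, not part of either message or of FreeRADIUS: the function name `diagnose` and the finding labels are hypothetical, and the sample input is an excerpt of the debug lines posted in the thread.

```python
import re

# Excerpt of the radiusd -X output posted in the thread, embedded so the
# script runs offline (the wrapped rad_recv line is joined).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77, length=122
NAS-IP-Address = 192.168.10.10
User-Name = "someuser"
Calling-Station-Id = "00-10-a4-99-8c-c4"
EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
  modcall[authorize]: module "eap" returns updated for request 8
users: Matched someuser at 219
  rad_check_password:  Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
Sending Access-Reject of id 77 to 192.168.10.10:1812
"""

# Request attributes are printed as "Name = value", optionally quoted.
ATTR_RE = re.compile(r'^[ \t]*([A-Za-z][\w-]*) = "?([^"\n]*)"?[ \t]*$', re.M)
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")


def diagnose(log):
    """Return (request attributes, findings) for one debug-log request."""
    attrs = dict(ATTR_RE.findall(log))
    match = AUTH_TYPE_RE.search(log)
    auth_type = match.group(1) if match else None
    findings = []

    # An EAP-Message attribute means the supplicant is speaking 802.1X/EAP.
    uses_eap = "EAP-Message" in attrs
    if uses_eap:
        findings.append("supplicant-sent-eap")
    # A users-file "Auth-Type := ..." replaces whatever the eap module set.
    if uses_eap and auth_type and auth_type.upper() != "EAP":
        findings.append("auth-type-%s-overrides-eap" % auth_type)
    # Local auth compares a password from the request; EAP requests have none.
    has_password = "User-Password" in attrs or "CHAP-Password" in attrs
    if auth_type == "Local" and not has_password:
        findings.append("local-auth-without-password-in-request")
    if "Sending Access-Reject" in log:
        findings.append("rejected")
    return attrs, findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_LOG)[1]:
        print(finding)
```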


Setup Help: freeradius + cisco catalist + linux & windows clients

2004-10-27 Thread Adrian Turcu
Hello list,

I'm completely new to this field and the concept of radius
authentication. For the last 2 weeks I have read tons of docs about this
concept. I am confused. My task looks like a simple one:
 - linux workstations running xsupplicant 1.0 (wired mode)
 - windows XP and 2000 with 802.1x support
 - cisco catalyst 3550 switch SMI license
 - freeradius 1.0.1 that has to authenticate each workstation on the
network when plugged into the switch based on their mac address.

Could someone point me to some comprehensive howto's about how should I
configure the freeradius to authenticate the clients based on their mac
address with the catalyst in the middle?

I have compiled and installed freeradius with no errors. The
configuration files are the default ones, with the following additions:

In clients.conf I have added

192.168.10.10 {
        secret      = 1234567
        shortname   = ciscocatalyst
        nastype     = cisco
}


In users I have added

someuser        Auth-Type := Local
                Service-Type = Framed-User


the cisco catalyst is configured for radius:


aaa new-model
aaa authentication dot1x default enable group radius
radius-server host 192.168.10.217 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 1234567
!
! freeradius connected to FE 0/1
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
! client connected to FE0/2
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 dot1x port-control auto

With radius running from the cmd line "radiusd -A -X"
I get these messages on the screen and the client is never authenticated:

rad_recv: Access-Request packet from host 192.168.10.10:1812, id=77,
length=122
NAS-IP-Address = 192.168.10.10
NAS-Port-Type = Async
User-Name = "someuser"
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = "00-10-a4-99-8c-c4"
EAP-Message = 0x02150159424e494e5445524e4154494f4e414c
Message-Authenticator = 0x914c5e809544da2aacf9babe83e2542b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
  modcall[authorize]: module "chap" returns noop for request 8
  modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "someuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 8
  rlm_eap: EAP packet type response id 0 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched someuser at 219
  modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 77 to 192.168.10.10:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 77 with timestamp 417fb130
Nothing to do.  Sleeping until we see a request.


for the above debug i used linux workstation with its mac-address
00-10-a4-99-8c-c4


Please help.


Kind Regards,
Adrian

