ExtremeSwitching (Other)


200-Series MAB - EAP in RADIUS Access Request

  • 1.  200-Series MAB - EAP in RADIUS Access Request

    Posted 11-08-2017 14:03
    I have a problem with a 210-Series Extreme switch doing MAC-Auth on ports. I'm getting EAP fields in the RADIUS request, and the RADIUS server is trying to use EAP instead of PAP because of this.

    Did I do anything wrong?

    RadiusConfig:
    authentication enable
    dot1x system-auth-control
    aaa authentication dot1x default radius
    authorization network radius
    dot1x dynamic-vlan enable
    radius server retransmit 2
    radius server timeout 3
    radius server host auth "X.X.X.X" name "Primary-RADIUS-Server"
    radius server key auth "X.X.X.X" encrypted "encrypted secret"
    radius server primary "X.X.X.X"
    line console

    Port Config:
    interface 0/15
    no port lacpmode
    authentication order mab
    authentication priority mab
    dot1x port-control mac-based
    dot1x mac-auth-bypass
    voice vlan 800
    voice vlan dscp 46
    service-policy in DSCP-Policy
    classofservice trust ip-dscp
    auto-voip protocol-based
    auto-voip oui-based
    no snmp trap link-status
    spanning-tree edgeport
    no spanning-tree port mode
    switchport mode trunk
    switchport trunk allowed vlan 1,800
    lldp transmit-tlv port-desc
    lldp transmit-tlv sys-name
    lldp transmit-tlv sys-desc
    lldp transmit-tlv sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    lldp portid-subtype interface-name
    exit

    Logs from the Web GUI:

    Port Access Control History Log Summary:
    0/15 17478d:15:36:25 0 Not Assigned 5C:26:0A:1A:21:5D Unauthorized 4
    0/15 17478d:15:35:39 0 Not Assigned 00:1A:E8:78:56:8D Unauthorized 4

    Buffered Log:
    1 Nov 8 15:41:05 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[672]Mac Address :[5c:26:0a:1a:21:5d].
    2 Nov 8 15:39:39 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[673]Mac Address :[00:1a:e8:78:56:8d].

    freeradius -X Output:
    ++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
    +++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
    ++++update request {
    expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
    expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
    ++++} # update request = noop
    ++++[updated] = updated
    +++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
    +++ ... skipping else for request 27: Preceding "if" was taken
    ++} # policy rewrite.credentials = updated
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] = noop
    [eap] EAP packet type response id 0 length 17
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    [sql] expand: %{User-Name} -> 5C260A1A215D
    [sql] sql_set_user escaped user --> '5C260A1A215D'
    rlm_sql (sql): Reserving sql socket id: 22
    [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5C260A1A215D' ORDER BY id
    [sql] User found in radcheck table
    [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5C260A1A215D' ORDER BY id
    [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '5C260A1A215D' ORDER BY priority
    [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Default' ORDER BY id
    [sql] User found in group Default
    [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Default' ORDER BY id
    rlm_sql (sql): Released sql socket id: 22
    ++[sql] = ok
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +group authenticate {
    [eap] EAP Identity
    [eap] processing type md5
    rlm_eap_md5: Issuing Challenge
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 114 to 184.228.1.6 port 51505
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    EAP-Message = 0x010100160410b8476a5a063bb7f1087a25c485974e1e
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x0acf04110ace00c79322fd449190561a
    Finished request 27.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 184.228.1.6 port 51505, id=115, length=175
    User-Name = "5C260A1A215D"
    Called-Station-Id = "00-04-96-a0-50-2e"
    Calling-Station-Id = "5c:26:0a:1a:21:5d"
    NAS-Identifier = "00-04-96-a0-50-2c"
    NAS-IP-Address = 184.228.1.6
    NAS-Port = 15
    Framed-MTU = 1500
    NAS-Port-Type = Ethernet
    State = 0x0acf04110ace00c79322fd449190561a
    EAP-Message = 0x02010016041099b88240e29976bb1c902438bdefcd44
    Message-Authenticator = 0x339d603fe0f6f8185cdbef6eee3df438
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++policy rewrite.credentials {
    +++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i)
    ?? Evaluating (User-Name) -> TRUE
    expand: %{User-Name} -> 5C260A1A215D
    expand: policy.mac-addr -> policy.mac-addr
    expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
    ? Evaluating ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
    +++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
    +++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
    ++++update request {
    expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
    expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
    ++++} # update request = noop
    ++++[updated] = updated
    +++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
    +++ ... skipping else for request 28: Preceding "if" was taken
    ++} # policy rewrite.credentials = updated
    ++[chap] = noop
    ++[mschap] = noop
    ++[digest] = noop
    [suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] = noop
    [eap] EAP packet type response id 1 length 22
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    ++[files] = noop
    [sql] expand: %{User-Name} -> 5C260A1A215D
    [sql] sql_set_user escaped user --> '5C260A1A215D'
    rlm_sql (sql): Reserving sql socket id: 21
    [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5C260A1A215D' ORDER BY id
    [sql] User found in radcheck table
    [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5C260A1A215D' ORDER BY id
    [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '5C260A1A215D' ORDER BY priority
    [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Default' ORDER BY id
    [sql] User found in group Default
    [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Default' ORDER BY id
    rlm_sql (sql): Released sql socket id: 21
    ++[sql] = ok
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP/md5
    [eap] processing type md5
    [eap] Freeing handler
    ++[eap] = ok
    +} # group authenticate = ok
    Login OK: [5C260A1A215D/
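
    As an added example (not code from the original post, nor from Extreme or FreeRADIUS), the script below decodes the EAP-Message hex values shown in the debug output above and classifies a request the way the thread describes it: a MAC-address User-Name arriving together with an EAP-Message is what makes the eap module set Auth-Type = EAP before pap gets a chance. The Access-Request attributes are copied from the log; the Identity response is constructed to match the "response id 0 length 17" line, so the decoder covers both rounds seen in the log.

```python
import re

# Regex FreeRADIUS expands for policy.mac-addr in the debug output above (case-insensitive).
MAC_ADDR_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$", re.I)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

def parse_eap_message(hex_value):
    """Decode one EAP packet (RFC 3748: code, id, length, then type and type-data)
    from the hex string FreeRADIUS prints for the EAP-Message attribute."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a type byte
        eap_type, data = raw[4], raw[5:]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                         # Identity: type-data is the peer identity
            info["identity"] = data.decode("ascii", "replace")
        elif eap_type == 4:                       # MD5-Challenge: value-size byte, then value
            size = data[0]
            info["value"] = data[1:1 + size].hex()
    return info

def classify_request(attrs):
    """'mab-with-eap': a MAC-address User-Name arrives together with EAP-Message, which is
    why the eap module sets Auth-Type = EAP and pap then refuses to override it."""
    mac_user = bool(MAC_ADDR_RE.match(attrs.get("User-Name", "")))
    has_eap = "EAP-Message" in attrs
    if mac_user and has_eap:
        return "mab-with-eap"
    if mac_user:
        return "mab"
    return "dot1x" if has_eap else "other"

# Access-Request attributes as printed in the freeradius -X output above.
SAMPLE_REQUEST = {
    "User-Name": "5C260A1A215D",
    "Calling-Station-Id": "5c:26:0a:1a:21:5d",
    "EAP-Message": "0x02010016041099b88240e29976bb1c902438bdefcd44",
}
# Constructed: the EAP Identity response that yields "response id 0 length 17" in the log
# (4-byte header + type 1 + the 12-character MAC identity).
IDENTITY_RESPONSE = "0x0200001101" + b"5C260A1A215D".hex()
```

    Running classify_request(SAMPLE_REQUEST) returns "mab-with-eap", and parse_eap_message on the two EAP-Message values from the log shows the MD5-Challenge Request (id 1) and the matching Response (id 1, length 22).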


  • 2.  RE: 200-Series MAB - EAP in RADIUS Access Request

    Posted 11-13-2017 18:28
    Alexander,

    Please open a case with the GTAC