200-Series MAB - EAP in RADIUS Access Request

  • Problem
  • Updated 9 months ago
  • Solved
I have a problem with a 210-Series Extreme switch doing MAC-Auth on ports. I'm getting EAP fields in the RADIUS request, and the RADIUS server is trying to use EAP instead of PAP because of this.

Did I do anything wrong?

RADIUS config:
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
authorization network radius
dot1x dynamic-vlan enable
radius server retransmit 2
radius server timeout 3
radius server host auth "X.X.X.X" name "Primary-RADIUS-Server"
radius server key auth "X.X.X.X" encrypted "encrypted secret"
radius server primary "X.X.X.X"
line console

Port config:
interface 0/15
no port lacpmode
authentication order  mab
authentication priority  mab
dot1x port-control mac-based
dot1x mac-auth-bypass
voice vlan 800
voice vlan dscp 46
service-policy in DSCP-Policy
classofservice trust ip-dscp
auto-voip protocol-based
auto-voip oui-based
no snmp trap link-status
spanning-tree edgeport
no spanning-tree port mode
switchport mode trunk
switchport trunk allowed vlan 1,800
lldp transmit-tlv port-desc
lldp transmit-tlv sys-name
lldp transmit-tlv sys-desc
lldp transmit-tlv sys-cap
lldp transmit-mgmt
lldp notification
lldp med confignotification
lldp portid-subtype interface-name
exit
Logs from the Web GUI:

Port Access Control History Log Summary:
0/15 17478d:15:36:25 0 Not Assigned 5C:26:0A:1A:21:5D  Unauthorized 4
0/15 17478d:15:35:39 0 Not Assigned 00:1A:E8:78:56:8D  Unauthorized 4
Buffered Log:
1 Nov 8 15:41:05 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[672]Mac Address :[5c:26:0a:1a:21:5d].
2 Nov 8 15:39:39 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[673]Mac Address :[00:1a:e8:78:56:8d].

freeradius -X output:
++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
++++update request {
        expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
        expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
++++} # update request = noop
++++[updated] = updated
+++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
+++ ... skipping else for request 27: Preceding "if" was taken
++} # policy rewrite.credentials = updated
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql]   expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
rlm_sql (sql): Reserving sql socket id: 22
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '5C260A1A215D'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '5C260A1A215D'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '5C260A1A215D'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'Default'           ORDER BY id
[sql] User found in group Default
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'Default'           ORDER BY id
rlm_sql (sql): Released sql socket id: 22
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 114 to 184.228.1.6 port 51505
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x010100160410b8476a5a063bb7f1087a25c485974e1e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0acf04110ace00c79322fd449190561a
Finished request 27.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 184.228.1.6 port 51505, id=115, length=175
        User-Name = "5C260A1A215D"
        Called-Station-Id = "00-04-96-a0-50-2e"
        Calling-Station-Id = "5c:26:0a:1a:21:5d"
        NAS-Identifier = "00-04-96-a0-50-2c"
        NAS-IP-Address = 184.228.1.6
        NAS-Port = 15
        Framed-MTU = 1500
        NAS-Port-Type = Ethernet
        State = 0x0acf04110ace00c79322fd449190561a
        EAP-Message = 0x02010016041099b88240e29976bb1c902438bdefcd44
        Message-Authenticator = 0x339d603fe0f6f8185cdbef6eee3df438
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy rewrite.credentials {
+++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (User-Name) -> TRUE
        expand: %{User-Name} -> 5C260A1A215D
        expand: policy.mac-addr -> policy.mac-addr
        expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
++++update request {
        expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
        expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
++++} # update request = noop
++++[updated] = updated
+++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
+++ ... skipping else for request 28: Preceding "if" was taken
++} # policy rewrite.credentials = updated
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql]   expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
rlm_sql (sql): Reserving sql socket id: 21
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '5C260A1A215D'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '5C260A1A215D'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '5C260A1A215D'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'Default'           ORDER BY id
[sql] User found in group Default
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'Default'           ORDER BY id
rlm_sql (sql): Released sql socket id: 21
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [5C260A1A215D/<via Auth-Type = EAP>] (from client 184.228.0.0/16 port 15 cli 5c-26-0a-1a-21-5d)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql]   expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '5C260A1A215D',                           '',                           'Access-Accept', '2017-11-08 15:54:52')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '5C260A1A215D',                           '',                           'Access-Accept', '2017-11-08 15:54:52')
rlm_sql (sql): Reserving sql socket id: 20
rlm_sql (sql): Released sql socket id: 20
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 115 to 184.228.1.6 port 51505
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x03010004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "5C260A1A215D"
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 27 ID 114 with timestamp +626
Cleaning up request 28 ID 115 with timestamp +626
Ready to process requests.

Alexander Wilmink


Posted 9 months ago
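Added example, not code from the post or from Extreme/FreeRADIUS: a small Python check that reads a rad_recv attribute block like the one in the debug output, applies the same policy.mac-addr regex that rewrite.credentials expanded there, and reports which authenticator the default FreeRADIUS authorize section will pick. It mirrors what the log shows: once EAP-Message is present, rlm_eap sets Auth-Type = EAP and rlm_pap logs "Auth-Type already set" and stands down, so the MAB entry is never checked with PAP. The second sample request (NAS 192.0.2.10) is constructed.

```python
import re

# Same regex FreeRADIUS expanded for %{config:policy.mac-addr} in the debug
# output; rewrite.credentials matches User-Name against it.
MAC_ADDR_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

def parse_attrs(dump):
    """Collect the indented 'Attribute = value' lines of one rad_recv block."""
    attrs = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(("rad_recv", "Sending")) or " = " not in line:
            continue
        name, _, value = line.partition(" = ")
        attrs[name] = value.strip().strip('"')
    return attrs

def normalize_mac(user_name):
    """What rewrite.credentials produces (lower-case, hyphenated), or None."""
    m = MAC_ADDR_RE.match(user_name)
    return "-".join(g.lower() for g in m.groups()) if m else None

def classify(dump):
    """Report which Auth-Type the default authorize section will end up with."""
    attrs = parse_attrs(dump)
    mac = normalize_mac(attrs.get("User-Name", ""))
    if "EAP-Message" in attrs:
        # rlm_eap runs before rlm_pap and sets Auth-Type = EAP; rlm_pap then
        # logs "Auth-Type already set. Not setting to PAP" and does nothing.
        auth = "EAP"
    elif "User-Password" in attrs:
        auth = "PAP"
    else:
        auth = "none"
    return {"mac": mac, "auth_type": auth,
            "mab_carrying_eap": mac is not None and auth == "EAP"}

# Constructed copies: the request seen in the debug output (MAB User-Name plus
# EAP-Message) and a plain MAB request that carries User-Password instead.
MAB_WITH_EAP = """rad_recv: Access-Request packet from host 184.228.1.6 port 51505, id=115, length=175
        User-Name = "5C260A1A215D"
        Calling-Station-Id = "5c:26:0a:1a:21:5d"
        NAS-Port-Type = Ethernet
        EAP-Message = 0x02010016041099b88240e29976bb1c902438bdefcd44
        Message-Authenticator = 0x339d603fe0f6f8185cdbef6eee3df438
"""
MAB_PLAIN = """rad_recv: Access-Request packet from host 192.0.2.10 port 1812, id=7, length=120
        User-Name = "5C260A1A215D"
        User-Password = "5C260A1A215D"
        Calling-Station-Id = "5c:26:0a:1a:21:5d"
        NAS-Port-Type = Ethernet
"""
```

Run classify() over a captured rad_recv block; a result with mab_carrying_eap set is the condition this thread describes, where the switch sends EAP on a MAB port.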


Daniel Coughlin, Employee

Alexander,

Please open a case with the GTAC.