200-Series MAB - EAP in RADIUS Access Request

Alexander_Wilmi — Wed, 08 Nov 2017 22:03:00 GMT

I have a Problem with a 210-Series Extreme Switch doing MAC-Auth on Ports. I'm getting EAP Fields in the Radius Request and the Radius Server trying to use EAP instead of PEP because of this.

Did i do anything wrong?

RadiusConfig:
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
authorization network radius
dot1x dynamic-vlan enable
radius server retransmit 2
radius server timeout 3
radius server host auth "X.X.X.X" name "Primary-RADIUS-Server"
radius server key auth "X.X.X.X" encrypted "encrypted secret"
radius server primary "X.X.X.X"
line console

Port Config:
interface 0/15
no port lacpmode
authentication order mab
authentication priority mab
dot1x port-control mac-based
dot1x mac-auth-bypass
voice vlan 800
voice vlan dscp 46
service-policy in DSCP-Policy
classofservice trust ip-dscp
auto-voip protocol-based
auto-voip oui-based
no snmp trap link-status
spanning-tree edgeport
no spanning-tree port mode
switchport mode trunk
switchport trunk allowed vlan 1,800
lldp transmit-tlv port-desc
lldp transmit-tlv sys-name
lldp transmit-tlv sys-desc
lldp transmit-tlv sys-cap
lldp transmit-mgmt
lldp notification
lldp med confignotification
lldp portid-subtype interface-name
exit

Logs from the Web GUI:

Port Access Control History Log Summary:
0/15 17478d:15:36:25 0 Not Assigned 5C:26:0A:1A:21:5D Unauthorized 4
0/15 17478d:15:35:39 0 Not Assigned 00:1A:E8:78:56:8D Unauthorized 4

Buffered Log:
1 Nov 8 15:41:05 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[672]Mac Address :[5c:26:0a:1a:21:5d].
2 Nov 8 15:39:39 Notice DOT1X Radius Authentication Failed on physPort:[15] lIntIfNum:[673]Mac Address :[00:1a:e8:78:56:8d].

freeradius -X Output:
++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
++++update request {
expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
++++} # update request = noop
++++[updated] = updated
+++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
+++ ... skipping else for request 27: Preceding "if" was taken
++} # policy rewrite.credentials = updated
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
rlm_sql (sql): Reserving sql socket id: 22
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5C260A1A215D' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5C260A1A215D' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '5C260A1A215D' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Default' ORDER BY id
[sql] User found in group Default
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Default' ORDER BY id
rlm_sql (sql): Released sql socket id: 22
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 114 to 184.228.1.6 port 51505
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x010100160410b8476a5a063bb7f1087a25c485974e1e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0acf04110ace00c79322fd449190561a
Finished request 27.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 184.228.1.6 port 51505, id=115, length=175
User-Name = "5C260A1A215D"
Called-Station-Id = "00-04-96-a0-50-2e"
Calling-Station-Id = "5c:26:0a:1a:21:5d"
NAS-Identifier = "00-04-96-a0-50-2c"
NAS-IP-Address = 184.228.1.6
NAS-Port = 15
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x0acf04110ace00c79322fd449190561a
EAP-Message = 0x02010016041099b88240e29976bb1c902438bdefcd44
Message-Authenticator = 0x339d603fe0f6f8185cdbef6eee3df438
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy rewrite.credentials {
+++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i)
?? Evaluating (User-Name) -> TRUE
expand: %{User-Name} -> 5C260A1A215D
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++? if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) {
++++update request {
expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 5C-26-0A-1A-21-5D
expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 5c-26-0a-1a-21-5d
++++} # update request = noop
++++[updated] = updated
+++} # if ((User-Name) && "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) = updated
+++ ... skipping else for request 28: Preceding "if" was taken
++} # policy rewrite.credentials = updated
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "5C260A1A215D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
rlm_sql (sql): Reserving sql socket id: 21
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5C260A1A215D' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '5C260A1A215D' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '5C260A1A215D' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Default' ORDER BY id
[sql] User found in group Default
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Default' ORDER BY id
rlm_sql (sql): Released sql socket id: 21
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [5C260A1A215D/] (from client 184.228.0.0/16 port 15 cli 5c-26-0a-1a-21-5d)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> 5C260A1A215D
[sql] sql_set_user escaped user --> '5C260A1A215D'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5C260A1A215D', '', 'Access-Accept', '2017-11-08 15:54:52')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '5C260A1A215D', '', 'Access-Accept', '2017-11-08 15:54:52')
rlm_sql (sql): Reserving sql socket id: 20
rlm_sql (sql): Released sql socket id: 20
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 115 to 184.228.1.6 port 51505
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "5C260A1A215D"
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 27 ID 114 with timestamp +626
Cleaning up request 28 ID 115 with timestamp +626
Ready to process requests.

RE: 200-Series MAB - EAP in RADIUS Access Request

Daniel_Coughlin — Tue, 14 Nov 2017 02:28:00 GMT

Alexander,

Please open a case with the GTAC

topic RE: 200-Series MAB - EAP in RADIUS Access Request in ExtremeSwitching (Other)

200-Series MAB - EAP in RADIUS Access Request

RE: 200-Series MAB - EAP in RADIUS Access Request