I have been struggling with this problem for a while. Basically my RADIUS server (Linux-based FreeRADIUS, not Cisco ACS) sends a Reject packet but the switch (WS-3750-24PS) somehow OVERWRITES the result and authorizes the port!! The following is the debug on the switch:
*Mar 1 00:02:49.877: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up
*Mar 1 00:02:50.884: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to up
*Mar 1 00:02:54.063: %DOT1X-5-FAIL: Authentication failed for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
*Mar 1 00:02:54.063: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
... (repeated another 2 times)
*Mar 1 00:02:57.117: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
*Mar 1 00:02:57.117: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.22fd.dd98) on Interface Fa1/0/5 AuditSessionID AC11FE640000000400028FD9
I also captured the packets and I will attach it here as well.
I do know that it hasn't finished a full EAP cycle (I am using PEAP for Win XP clients) and rejected it a little bit earlier. However, based on RFC 3579 the switch should reject the request upon receiving a Reject:
"Reception of a RADIUS Access-Reject packet MUST result in the NAS denying access to the authenticating peer" (Section 2.1 on page 5)
I have also tried firmware 12.2(50) and 12.2(52), and I am currently running the newest, 12.2(53), but they behave the same...
Any ideas why it would do that and will there be a fix?
I have installed FreeRADIUS on my test box running Gentoo, and I have a Cisco 2960 switch on which I have 802.1x and RADIUS enabled; bear in mind I am still in the testing phase, using a Win XP SP3 PC as the client.
The idea behind this is that the client will be a "server running any type of OS", the switch (12.2(53)) and the FreeRADIUS server; first the server will be allocated to a specific port (I enabled port security by MAC) and then the switch will be the intermediator between the server and FreeRADIUS.
My question is: how will the server initiate the authentication automatically? Is there some Cisco software I have to install on the server, or a 3rd party package (software)?
Please help if you can; I see you already have an almost similar setup to mine.
I work in a Security Banking environment and we have a PCI project i am part of.
If you are using the MAC address to authenticate the clients (or your servers), there is nothing you need to install. You need to configure your switch to use the MAC address of the client to authenticate the device. It's called "MAC authentication bypass".
In this case the client will not respond to normal EAP packets (since it doesn't support it) and after a timeout, the switch sends an Access-Request to the RADIUS server with the MAC as BOTH the username and password.
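As an added illustration of that MAB exchange (not code from the thread, from Cisco or from FreeRADIUS), this Python builds the Access-Request a MAB switch would send, with the MAC as both User-Name and a User-Password hidden per RFC 2865, and decodes it the way the server does; the 12-hex-digit lowercase identity format is an assumed Cisco MAB default.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1               # RADIUS Code for Access-Request (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2  # attribute types
def mab_identity(mac):
    """MAC as 12 lowercase hex digits, no separators (assumed Cisco MAB default)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block); the first block is XORed with MD5(secret + Request Authenticator)."""
    padded = password + b"\0" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], digest))
        hidden, prev = hidden + block, block
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server does before comparing."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\0")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV, Length incl. header

def build_mab_access_request(mac, secret, identifier=1, authenticator=None):
    """Access-Request a MAB switch sends once the client has ignored EAP:
    the MAC is both User-Name and (hidden) User-Password."""
    authenticator = authenticator or os.urandom(16)
    identity = mab_identity(mac).encode()
    attrs = attribute(USER_NAME, identity)
    attrs += attribute(USER_PASSWORD, hide_password(identity, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """{type: value} for the attributes after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Because the "password" is just the MAC, the only secret protecting it on the wire is the RADIUS shared secret, which is why a MAB-only port is an inventory control rather than strong authentication.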
The commands you gave me I used, but the interface is shut down soon after invoking them.
I have been doing some in-depth studying of AAA RADIUS and there is mention of a method list.
Can you help me with defining an AAA method list for RADIUS authentication? Also, will this method list be the same for Accounting and Authorization? From the research I have done I view a method list as functioning the same way as an Access-list; am I correct in doing so?
To define a method list, is it just giving the list a name, say "radmethlist" for example, and how do I view the contents of the list? What command do I issue to view the method list created?
Please assist as I am lost on where I made an error in the configs. I have attached a *.txt file with the commands I used for AAA config after general switch setup.
I can confirm the bug; we have the following switch and port config:
Switch Ports Model          SW Version   SW Image
------ ----- -----          ----------   ----------
*    1 52    WS-C3560G-48PS 12.2(53)SE2  C3560-IPSERVICESK9-M
interface GigabitEthernet0/39
 switchport mode access
 authentication event server dead action authorize vlan 9
 authentication event no-response action authorize vlan 9
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 10
 dot1x pae authenticator
 dot1x timeout tx-period 5
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
end
So, if dot1x is not supported by the client, or the RADIUS server is down, the client should be put in vlan 9!
But sometimes this happens:
Aug 31 12:23:20 172.16.0.24 183428: Aug 31 10:23:20.472: %DOT1X-5-SUCCESS: Authentication successful for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:22 172.16.0.24 183430: Aug 31 10:23:21.496: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:51 172.16.0.24 183431: Aug 31 10:23:51.133: %DOT1X-5-FAIL: Authentication failed for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183433: Aug 31 10:23:52.164: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
Aug 31 12:23:53 172.16.0.24 183434: Aug 31 10:23:52.164: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E
This "Override" results in the client being put in the vlan it was in before the "Authentication failed", and even worse:
It stays there forever! No reauthentication takes place after the "Override" whatsoever.
What does %DOT1X-5-RESULT_OVERRIDE mean? How and why is it triggered?!
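An added example, not code from the thread: a small Python check that replays switch log lines like the ones quoted above and flags any AuditSessionID in which a DOT1X-5-FAIL was followed by AUTHMGR-5-SUCCESS or DOT1X-5-RESULT_OVERRIDE, so an overridden Access-Reject shows up in monitoring instead of passing silently. The sample lines reuse the Gi0/39 session from the post; the second (Gi0/40) session's MAC and AuditSessionID are made up.

```python
import re
from collections import defaultdict

# Only the message part after '%' is matched, so console debug lines
# ("*Mar 1 00:02:54.063: %DOT1X-5-FAIL: ...") and syslog-relayed lines both work.
EVENT_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): .*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<session>[0-9A-F]+)"
)
OVERRIDE_MNEMONICS = {"DOT1X-5-RESULT_OVERRIDE", "AUTHMGR-5-SUCCESS"}

def parse_events(lines):
    """Extract mnemonic, client MAC, interface and AuditSessionID from each matching line, in order."""
    return [m.groupdict() for m in map(EVENT_RE.search, lines) if m]

def find_overridden_rejects(lines):
    """One finding per AuditSessionID where a DOT1X-5-FAIL is later followed by an
    authorization success or an explicit RESULT_OVERRIDE, i.e. the port was opened
    although the RADIUS server had answered with Access-Reject."""
    by_session = defaultdict(list)
    for ev in parse_events(lines):
        by_session[ev["session"]].append(ev)
    findings = []
    for session, events in by_session.items():
        failed = False
        for ev in events:
            if ev["mnemonic"] == "DOT1X-5-FAIL":
                failed = True
            elif failed and ev["mnemonic"] in OVERRIDE_MNEMONICS:
                findings.append({"session": session, "mac": ev["mac"], "interface": ev["intf"]})
                break
    return findings

# Constructed sample log: the Gi0/39 session quoted in the thread (success, fail, override)
# plus a made-up Gi0/40 session that simply authenticated and must not be flagged.
SAMPLE_LOG = [
    "Aug 31 12:23:20 172.16.0.24 183428: Aug 31 10:23:20.472: %DOT1X-5-SUCCESS: Authentication successful for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E",
    "Aug 31 12:23:22 172.16.0.24 183430: Aug 31 10:23:21.496: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E",
    "Aug 31 12:23:51 172.16.0.24 183431: Aug 31 10:23:51.133: %DOT1X-5-FAIL: Authentication failed for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E",
    "Aug 31 12:23:53 172.16.0.24 183433: Aug 31 10:23:52.164: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E",
    "Aug 31 12:23:53 172.16.0.24 183434: Aug 31 10:23:52.164: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0016.cbaa.0fcb) on Interface Gi0/39 AuditSessionID AC1000180000276A14BBFD2E",
    "Aug 31 12:25:02 172.16.0.24 183440: Aug 31 10:25:02.010: %DOT1X-5-SUCCESS: Authentication successful for client (0000.1111.2222) on Interface Gi0/40 AuditSessionID AC100018000027700000ABCD",
    "Aug 31 12:25:03 172.16.0.24 183441: Aug 31 10:25:03.020: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.1111.2222) on Interface Gi0/40 AuditSessionID AC100018000027700000ABCD",
]

if __name__ == "__main__":
    for f in find_overridden_rejects(SAMPLE_LOG):
        print(f"Access-Reject overridden for {f['mac']} on {f['interface']} (session {f['session']})")
```

Feeding the switch's syslog stream through this, or an equivalent SIEM rule on the same two mnemonics, gives you an alert each time a port ends up authorized after the RADIUS server said no.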