3750x using MAB and FreeRadius - Authorization failure

Hi All,

I am trying to get a 3750X to authenticate using MAB and to assign a VLAN to the port. I can see that I get proper authentication but authorization always fails even though I can see the appropriate attributes coming from the RADIUS (FreeRADIUS) server.

Mar 31 22:40:13.960: %AUTHMGR-5-START: Starting 'mab' for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF
Mar 31 22:40:13.977: %MAB-5-SUCCESS: Authentication successful for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF
Mar 31 22:40:13.994: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF
Mar 31 22:40:14.002: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF

Configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
ip radius source-interface Vlan100
radius-server host 10.10.10.235 auth-port 1812 acct-port 1813
radius-server key 7 1511021F0725

interface GigabitEthernet2/0/27
 switchport access vlan 110
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 no macro auto processing
 spanning-tree portfast
 spanning-tree bpduguard enable
end

FreeRADIUS User:

406c8f1e360f Cleartext-Password := "406c8f1e360f"
        Service-Type = "Framed-User",
        Tunnel-Type=13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID:1 = 100

I have also enabled use_tunneled_reply = yes in the eap.conf file.

RADIUS Debug on C3750x

Mar 31 22:44:29.066: %AUTHMGR-5-START: Starting 'mab' for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931
Mar 31 22:44:29.075: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Mar 31 22:44:29.075: RADIUS(00000000): Config NAS IP: 10.10.10.39
Mar 31 22:44:29.075: RADIUS(00000000): sending
Mar 31 22:44:29.075: RADIUS(00000000): Send Access-Request to 10.10.10.235:1812 id 1645/230, len 261
Mar 31 22:44:29.083: RADIUS:  authenticator 99 83 11 D2 70 11 43 49 - CB 55 F2 39 D9 84 8B C0
Mar 31 22:44:29.083: RADIUS:  User-Name           [1]   14  "406c8f1e360f"
Mar 31 22:44:29.083: RADIUS:  User-Password       [2]   18  *
Mar 31 22:44:29.083: RADIUS:  Service-Type        [6]   6   Call Check                [10]
Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  31
Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
Mar 31 22:44:29.083: RADIUS:  Framed-MTU          [12]  6   1500
Mar 31 22:44:29.083: RADIUS:  Called-Station-Id   [30]  19  "28-94-0F-D2-9D-9B"
Mar 31 22:44:29.083: RADIUS:  Calling-Station-Id  [31]  19  "40-6C-8F-1E-36-0F"
Mar 31 22:44:29.083: RADIUS:  Message-Authenticato[80]  18
Mar 31 22:44:29.083: RADIUS:   AD 78 33 C9 12 3C A0 89 E9 74 66 E1 88 22 A1 E5            [ x3<tf"]
Mar 31 22:44:29.083: RADIUS:  EAP-Key-Name        [102] 2   *
Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  49
Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A0A270000015109B77931"
Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  18
Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Mar 31 22:44:29.083: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.39
Mar 31 22:44:29.083: RADIUS:  NAS-Port            [5]   6   60000
Mar 31 22:44:29.083: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet2/0/27"
Mar 31 22:44:29.083: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Mar 31 22:44:29.083: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 31 22:44:29.083: RADIUS(00000000): Started 5 sec timeout
Mar 31 22:44:29.100: RADIUS: Received from id 1645/230 10.10.10.235:1812, Access-Accept, len 44
Mar 31 22:44:29.100: RADIUS:  authenticator 69 67 B4 07 EF D8 73 EE - EA 23 A9 BA 92 5C A5 DE
Mar 31 22:44:29.100: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
Mar 31 22:44:29.100: RADIUS(00000000): Received from id 1645/230
Mar 31 22:44:29.108: %MAB-5-SUCCESS: Authentication successful for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931
Mar 31 22:44:29.117: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931
Mar 31 22:44:29.117: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931
Mar 31 22:44:29.469: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/27, changed state to up
Mar 31 22:44:30.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/27, changed state to up


Any ideas on where this might be failing?
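As an added example (not part of the post above), a small Python checker that parses the Access-Accept section of the IOS "debug radius" output and verifies it carries the three attributes IOS uses for RADIUS-assigned VLANs (Tunnel-Type=VLAN/13, Tunnel-Medium-Type=802/6, Tunnel-Private-Group-ID), reporting the RFC 2868 tag on each. The sample input is the reply shown in the post, re-typed as a constant; the check flags that Tunnel-Type and Tunnel-Medium-Type arrive with tag 00 while Tunnel-Private-Group-ID arrives with tag 01, which is visible in the debug but which the post does not establish as the cause of the failure.

```python
import re

# Constructed sample: the Access-Accept part of the "debug radius" output in the post.
SAMPLE_DEBUG = """Mar 31 22:44:29.100: RADIUS: Received from id 1645/230 10.10.10.235:1812, Access-Accept, len 44
Mar 31 22:44:29.100: RADIUS:  authenticator 69 67 B4 07 EF D8 73 EE - EA 23 A9 BA 92 5C A5 DE
Mar 31 22:44:29.100: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
Mar 31 22:44:29.100: RADIUS(00000000): Received from id 1645/230
"""

# One decoded attribute line: name (IOS truncates long names), [type], length, value.
ATTR_RE = re.compile(r'RADIUS:\s+(\S+?)\s*\[(\d+)\]\s+\d+\s+(.*)$')
# Tunnel attributes print as tag:value; enumerated values add the numeric code in brackets.
TAGGED_RE = re.compile(r'^(\d{2}):"?([^"\[\s]+)"?\s*(?:\[(\d+)\])?')

def parse_access_accept(debug_text):
    """Map attribute type -> (tag or None, value) for the first Access-Accept in the debug."""
    attrs, in_accept = {}, False
    for line in debug_text.splitlines():
        if 'Access-Accept' in line:
            in_accept = True
            continue
        if in_accept and 'RADIUS(' in line and 'Received from' in line:
            break                      # end of the decoded packet
        m = ATTR_RE.search(line) if in_accept else None
        if not m:
            continue                   # authenticator line and anything outside the packet
        raw = m.group(3).strip()
        t = TAGGED_RE.match(raw)
        if t:                          # keep the numeric code (13, 6) rather than the enum name
            attrs[int(m.group(2))] = (int(t.group(1)), t.group(3) or t.group(2))
        else:
            attrs[int(m.group(2))] = (None, raw)
    return attrs

def check_vlan_assignment(attrs):
    """List what is missing for IOS dynamic VLAN assignment and whether the tags agree."""
    problems = []
    if attrs.get(64, (None, None))[1] != '13':
        problems.append('missing or wrong Tunnel-Type (need VLAN, 13)')
    if attrs.get(65, (None, None))[1] != '6':
        problems.append('missing or wrong Tunnel-Medium-Type (need 802, 6)')
    if 81 not in attrs:
        problems.append('missing Tunnel-Private-Group-ID (the VLAN)')
    tags = {attrs[a][0] for a in (64, 65, 81) if a in attrs}
    if len(tags) > 1:                  # RFC 2868 groups one tunnel's attributes by a shared tag
        problems.append('tunnel attributes carry different tags: %s' % sorted(tags))
    return problems
```

Running check_vlan_assignment(parse_access_accept(SAMPLE_DEBUG)) on the post's reply returns only the differing-tags finding; a reply where all three attributes share one tag returns an empty list.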
