RADIUS packet-id not incrementing, called-station-id missing

I am running v1.3.5.58 on an SG300-20.  I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy.  It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication. 

1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation.  The packet identifier is always 0x00.

2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP).  Instead, it is left blank.

Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot.  Have I done something in the config to cause this to happen (see below)?  Is this a known bug?  Does it have a workaround?  Will our hero defeat the villain and save the day?  ;-)

config-file-header
ausoff-sw-test1
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
spanning-tree priority 40960
port jumbo-frame
vlan database
vlan 2-3,12,14,16,99,600,1000,1010
exit
voice vlan id 1010
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
dot1x traps authentication failure 802.1x
dot1x traps authentication success 802.1x
hostname ausoff-sw-test1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
radius-server host 172.18.58.58 usage dot1.x
radius-server timeout 10
logging host 172.18.58.50
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted
username nac password encrypted *** privilege 15
username admin password encrypted *** privilege 15
username cisco password encrypted *** privilege 15
username readonly password encrypted ***
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308cc68423f4d
snmp-server location "***"
snmp-server contact "***"
snmp-server community *** rw 172.18.58.58 view DefaultSuper
snmp-server community *** rw 172.18.14.105 view DefaultSuper
snmp-server host 172.18.58.58 traps version 2c nac
snmp-server host 172.18.58.58 version 3 auth nac
snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
encrypted snmp-server user nac nac v3 auth sha ***
encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
ip http timeout-policy 1800
clock timezone " " -6
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 0.pool.ntp.org poll
sntp server 1.pool.ntp.org poll
ip domain name blah.net
ip name-server  172.18.19.232
ip domain timeout 2
ip domain retry 1
ip telnet server
!
interface vlan 2
name NACRegistration
!
interface vlan 3
name NACIsolation
!
interface vlan 12
name Users
!
interface vlan 14
name Dev
!
interface vlan 16
name LAN
!
interface vlan 99
name Mgmt
ip address 172.18.58.61 255.255.255.128
!
interface vlan 600
name "Core Test"
dot1x guest-vlan
!
interface vlan 1000
name Guest
!
interface vlan 1010
name Voice
!
interface gigabitethernet1
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet2
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet3
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet4
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet5
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet6
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet7
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet8
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet9
dot1x host-mode single-host
dot1x violation-mode protect trap 10
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet10
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet11
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet12
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet13
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet14
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet15
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet16
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet17
dot1x host-mode multi-sessions
no snmp trap link-status
port monitor GigabitEthernet 20
spanning-tree disable
spanning-tree bpduguard enable
switchport mode general
switchport general acceptable-frame-type untagged-only
switchport forbidden default-vlan
!
interface gigabitethernet18
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet19
switchport trunk native vlan 600
!
interface gigabitethernet20
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
exit
ip default-gateway 172.18.58.1

2 Replies

Tom Watts
VIP Alumni

Hi Dale, I haven't visited this question in a very long time. But if I recall correctly, the switch used to not support call station id. If it does support it (presently) then you'd need to do a packet capture to confirm what the switch is sending so the RADIUS proxy will match it. So if the id is using all CAP then the RADIUS Proxy must also use all CAP. The syntax must be 100% the same.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Thank you for your response, Tom.  I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets from the SG300.  There is not an issue with capitalization; the value is simply not provided at all.  Here is an example of a tcpdump decode of such a packet.  Please note the missing attribute:

15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
    172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
        Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
          NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
            0x0000:  ac12 3a3d
          NAS Port Type Attribute (61), length: 6, Value: Ethernet
            0x0000:  0000 000f
          NAS Port Attribute (5), length: 6, Value: 57
            0x0000:  0000 0039
          Username Attribute (1), length: 12, Value: SSO\dalewl
            0x0000:  5353 4f5c 6461 6c65 776c
          Accounting Session ID Attribute (44), length: 10, Value: 050000DF
            0x0000:  3035 3030 3030 4446
          Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
            0x0000:  4530 2d44 422d 3535 2d42 332d 3144 2d35
            0x0010:  43
          EAP Message Attribute (79), length: 17, Value: ..
            0x0000:  0201 000f 0153 534f 5c64 616c 6577 6c
          Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
            0x0000:  bed3 b19e c70f 52e0 ec31 afcb d545 55ad
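A small checker for the two symptoms in this thread, added here as an example and not code from the thread, from Cisco or from the NAC product: it parses RFC 2865 packets, reports an Access-Request that carries no Called-Station-Id (attribute 30), and reports an identifier that does not change between consecutive requests. The first sample packet is rebuilt byte for byte from the tcpdump hex in the post above (so it comes out at the decoded 114 bytes); the "conformant" counterpart, its identifiers and its MAC value are constructed for contrast.

```python
import struct
# RFC 2865 code and attribute type the two symptoms concern
ACCESS_REQUEST, CALLED_STATION_ID = 1, 30
def parse_radius(pkt):
    """Return (code, identifier, [(type, value), ...]) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])  # struct.error on a truncated header
    if length < 20 or length != len(pkt):
        raise ValueError("Length field does not match the packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute at offset %d" % off)
        atype, alen = pkt[off], pkt[off + 1]
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, attrs

def check_requests(packets):
    """Flag the two symptoms across consecutive Access-Requests from one NAS."""
    findings, prev = [], None
    for n, pkt in enumerate(packets):
        code, ident, attrs = parse_radius(pkt)
        if code != ACCESS_REQUEST:
            continue
        if not any(t == CALLED_STATION_ID for t, _ in attrs):
            findings.append((n, "Called-Station-Id (30) absent"))
        if prev is not None and ident == prev:
            findings.append((n, "identifier 0x%02x not incremented" % ident))
        prev = ident
    return findings

def build_request(ident, attrs, authenticator):
    """Assemble an Access-Request from (type, value) pairs (constructed helper)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

# Authenticator and attribute bytes transcribed from the tcpdump decode above
SG300_AUTH = bytes.fromhex("390000003f2000009e3f0000eb670000")
SG300_ATTRS = [(4, bytes.fromhex("ac123a3d")), (61, bytes.fromhex("0000000f")),
               (5, bytes.fromhex("00000039")), (1, b"SSO\\dalewl"), (44, b"050000DF"),
               (31, b"E0-DB-55-B3-1D-5C"), (79, bytes.fromhex("0201000f0153534f5c64616c65776c")),
               (80, bytes.fromhex("bed3b19ec70f52e0ec31afcbd54555ad"))]
def sg300_exchange():
    """Two requests as the switch sends them: identifier stuck at 0x00, no attribute 30."""
    return [build_request(0x00, SG300_ATTRS, SG300_AUTH)] * 2

def conformant_exchange():
    """Constructed counterpart: incrementing identifiers plus a made-up Called-Station-Id."""
    attrs = SG300_ATTRS + [(CALLED_STATION_ID, b"00-11-22-33-44-55")]
    return [build_request(i, attrs, SG300_AUTH) for i in (0x10, 0x11)]
```

Feeding it the raw UDP payloads from a capture (for example via a pcap reader) gives the same findings the proxy would trip over, which is a quick way to confirm whether a firmware update has changed either behaviour.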
