SG350 - Radius Mac Auth Bypass

iLevac001
Level 1

Hello all,

I am new to cisco sb's product.

I just purchased an SG350-10MP to do some tests before replacing all my switches from another vendor with SG350s.

I need radius mac auth bypass to work in my setup.

I configured easily on the switch with the gui.

I tried to configure it with SSH, but I quickly understood it's not the same language as IOS?

 

Anyway, my problem is that the switch doesn't provide a User-Password in the RADIUS request.

So the RADIUS server declines all Access-Requests.

 

Here's the config from the switch:

config-file-header
switch8815c9
v2.3.0.130 / RLINUX_913_193
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
!
unit-type-control-start 
unit-type unit 1 network gi uplink none 
unit-type-control-end 
!
vlan database
vlan 102 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
bonjour interface range vlan 1
hostname switch8815c9
encrypted radius-server host XX.XX.XX.XX key taT/y21cTj8C1Jz0DwpXeBN+ng06wkJxGgV/9oDRWno= 
username cisco password encrypted 8e61b69669a1afb0f272d927af378326ef53165b privilege 15 
ip ssh server
!
interface vlan 102
 name noauth 
 dot1x auth-not-req 
!
interface GigabitEthernet2
 dot1x reauthentication 
 dot1x authentication mac 
 dot1x radius-attributes vlan 
 dot1x port-control auto 
!
exit

And here's the RADIUS request:

rad_recv: Access-Request packet from host XX.XX.XX.XX port 49205, id=25, length=172
        NAS-IP-Address = 10.254.0.145
        NAS-Port-Type = Ethernet
        NAS-Port = 2
        User-Name = "f09fc23007cc"
        Acct-Session-Id = "0500000F"
        State = 0x170f8d99170e89a94cc6f961f3d79794
        Called-Station-Id = "00-56-2B-88-15-CB"
        Calling-Station-Id = "F0-9F-C2-30-07-CC"
        EAP-Message = 0x0201002204109c93f84d75501bc6cbe805e08c4e83b2663039666332333030376363
        Message-Authenticator = 0x49812374a5eb89af616566636c0c720d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "f09fc23007cc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> f09fc23007cc
[sql] sql_set_user escaped user --> 'f09fc23007cc'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'f09fc23007cc'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'f09fc23007cc'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'f09fc23007cc'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> f09fc23007cc
[sql] sql_set_user escaped user --> 'f09fc23007cc'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'f09fc23007cc',                           '',                           'Access-Reject', '2017-09-22 12:06:48')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'f09fc23007cc',                           '',                           'Access-Reject', '2017-09-22 12:06:48')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> f09fc23007cc
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 25 to XX.XX.XX.XX port 49205
        EAP-Message = 0x04010004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

Anyone had this issue?
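To see what the switch actually sends, here is an added Python example (not from this thread, Cisco, or FreeRADIUS) that decodes the EAP-Message attribute from the Access-Request above. It is an EAP Response/MD5-Challenge carrying the MAC as the identity, so there is no User-Password attribute for `%{User-Password}` to expand; the server instead has to recompute MD5(identifier || cleartext password || challenge) over the challenge it issued earlier. The challenge and password used by the builder helper are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

# EAP-Message attribute copied from the Access-Request in the thread above.
EAP_MESSAGE_HEX = "0201002204109c93f84d75501bc6cbe805e08c4e83b2663039666332333030376363"

EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


@dataclass
class EapMd5Response:
    identifier: int
    value: bytes   # MD5 digest produced by the supplicant (here: the switch)
    name: str      # identity carried in the response


def parse_eap_md5_response(raw: bytes) -> EapMd5Response:
    """Parse an EAP Response/MD5-Challenge packet (RFC 3748 section 5.4)."""
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes on the wire")
    if raw[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"unexpected EAP type {raw[4]}")
    value_size = raw[5]
    value = raw[6:6 + value_size]
    name = raw[6 + value_size:].decode("ascii")
    return EapMd5Response(identifier, value, name)


def md5_challenge_valid(resp: EapMd5Response, challenge: bytes, password: str) -> bool:
    """EAP-MD5 is CHAP (RFC 1994): MD5(identifier || password || challenge)."""
    expected = hashlib.md5(bytes([resp.identifier]) + password.encode() + challenge).digest()
    return expected == resp.value


def build_md5_response(identifier: int, challenge: bytes, password: str, name: str) -> bytes:
    """Wire form of a Response/MD5-Challenge, as a supplicant builds it (constructed, for testing)."""
    value = hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def decode_thread_request() -> EapMd5Response:
    """Decode the EAP-Message captured in the thread's Access-Request."""
    return parse_eap_md5_response(bytes.fromhex(EAP_MESSAGE_HEX))
```

Because the server can only verify this by recomputing the hash, the account for the MAC has to hold a cleartext password (not a hashed one) and an Access-Challenge must have preceded the request.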

 

3 Replies

Francesco Molino
VIP Alumni
Hi

I don't have experience with this kind of switch.
However, in your RADIUS log you can see that the MAC address (username) is sent to your RADIUS server.
Can you share the radius response and log you're getting?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


@Francesco Molino wrote:
Hi

I don't have experience with this kind of switch.
However, in your RADIUS log you can see that the MAC address (username) is sent to your RADIUS server.
Can you share the radius response and log you're getting?

I already attached the RADIUS log.

Request and reply.

We can clearly see that there is no password transmitted.

 

There is already a thread about this for the SG300, from 2011:

https://supportforums.cisco.com/t5/small-business-switches/sg300-mac-based-802-1x-authentification-aka-mab-mac-auth-bypass/m-p/1867352

I don't see your attachment.

What type of RADIUS server are you using?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question