09-23-2017 11:08 AM - edited 03-21-2019 11:16 AM
Hello all,
I am new to Cisco SB products.
I just purchased an SG350-10MP to do some tests before replacing all my switches from another vendor with SG350s.
I need RADIUS MAC auth bypass to work in my setup.
I configured it easily on the switch with the GUI.
I tried to configure it with SSH but I quickly understood it's not the same language as IOS?
Anyway, my problem is that the switch didn't provide User-Password in the RADIUS request.
So the RADIUS server declines all Access-Requests.
Here's the config from the switch:
config-file-header
switch8815c9
v2.3.0.130 / RLINUX_913_193 CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 102
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
bonjour interface range vlan 1
hostname switch8815c9
encrypted radius-server host XX.XX.XX.XX key taT/y21cTj8C1Jz0DwpXeBN+ng06wkJxGgV/9oDRWno=
username cisco password encrypted 8e61b69669a1afb0f272d927af378326ef53165b privilege 15
ip ssh server
!
interface vlan 102
name noauth
dot1x auth-not-req
!
interface GigabitEthernet2
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan
dot1x port-control auto
!
exit
And here's the RADIUS request:
rad_recv: Access-Request packet from host XX.XX.XX.XX port 49205, id=25, length=172
	NAS-IP-Address = 10.254.0.145
	NAS-Port-Type = Ethernet
	NAS-Port = 2
	User-Name = "f09fc23007cc"
	Acct-Session-Id = "0500000F"
	State = 0x170f8d99170e89a94cc6f961f3d79794
	Called-Station-Id = "00-56-2B-88-15-CB"
	Calling-Station-Id = "F0-9F-C2-30-07-CC"
	EAP-Message = 0x0201002204109c93f84d75501bc6cbe805e08c4e83b2663039666332333030376363
	Message-Authenticator = 0x49812374a5eb89af616566636c0c720d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "f09fc23007cc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] 	expand: %{User-Name} -> f09fc23007cc
[sql] sql_set_user escaped user --> 'f09fc23007cc'
rlm_sql (sql): Reserving sql socket id: 2
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'f09fc23007cc' ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'f09fc23007cc' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'f09fc23007cc' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[sql] 	expand: %{User-Name} -> f09fc23007cc
[sql] sql_set_user escaped user --> 'f09fc23007cc'
[sql] 	expand: %{User-Password} -> 
[sql] 	... expanding second conditional
[sql] 	expand: %{Chap-Password} -> 
[sql] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'f09fc23007cc', '', 'Access-Reject', '2017-09-22 12:06:48')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'f09fc23007cc', '', 'Access-Reject', '2017-09-22 12:06:48')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.access_reject] 	expand: %{User-Name} -> f09fc23007cc
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 25 to XX.XX.XX.XX port 49205
	EAP-Message = 0x04010004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Anyone had this issue?
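What the debug output above actually shows is that the switch is not doing a PAP-style MAB request at all: the Access-Request carries no User-Password, only an EAP-Message, so the FreeRADIUS eap module claims the request ("Found Auth-Type = EAP", and "[pap] WARNING: Auth-Type already set") and its EAP-MD5 handler rejects it before any password comparison against the radcheck entry can happen. The following Python script is an added example for diagnosing this from a radiusd -X dump; it is not part of the thread and not Cisco's or FreeRADIUS's code. It parses the attribute lines, reassembles and decodes the EAP-Message per RFC 3748, and reports which credential form the request carries. The sample attribute lines are copied from the post; the PAP sample is constructed to show the contrast.

```python
import re

# Sample copied from the Access-Request in the post, trimmed to the attributes
# that decide how FreeRADIUS will authenticate the request.
SAMPLE_REQUEST = """\
User-Name = "f09fc23007cc"
Calling-Station-Id = "F0-9F-C2-30-07-CC"
EAP-Message = 0x0201002204109c93f84d75501bc6cbe805e08c4e83b2663039666332333030376363
Message-Authenticator = 0x49812374a5eb89af616566636c0c720d
"""

# Constructed sample of what a PAP-style MAB request carries instead (MAC as
# both User-Name and User-Password).
SAMPLE_PAP_REQUEST = """\
User-Name = "f09fc23007cc"
User-Password = "f09fc23007cc"
Calling-Station-Id = "F0-9F-C2-30-07-CC"
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_attributes(text):
    """Turn 'Name = value' lines from a radiusd -X dump into {name: [values]}.

    Repeated attributes (EAP-Message fragments, for instance) keep their order.
    """
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(name, []).append(value)
    return attrs


def decode_eap_message(fragments):
    """Reassemble EAP-Message fragments and decode the EAP header (RFC 3748 section 4).

    For MD5-Challenge (type 4) the payload is value-size, value, then the
    optional name field (RFC 3748 section 5.4).
    """
    data = bytes.fromhex("".join(f[2:] if f.startswith("0x") else f for f in fragments))
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        eap["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 4 and length >= 6:
            vsize = data[5]
            eap["md5_response"] = data[6:6 + vsize].hex()
            eap["name"] = data[6 + vsize:].decode("ascii", "replace")
    return eap


def classify_auth_method(text):
    """Report which credential form an Access-Request actually carries."""
    attrs = parse_attributes(text)
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "EAP-Message" in attrs:
        return "EAP/" + str(decode_eap_message(attrs["EAP-Message"])["type"])
    return "none"


if __name__ == "__main__":
    print(classify_auth_method(SAMPLE_REQUEST))      # EAP/MD5-Challenge
    print(decode_eap_message(parse_attributes(SAMPLE_REQUEST)["EAP-Message"]))
    print(classify_auth_method(SAMPLE_PAP_REQUEST))  # PAP
```

Decoding the EAP-Message from the post gives code 2 (Response), id 1, length 34, type 4 (MD5-Challenge), a 16-byte MD5 response and the name "f09fc23007cc": the switch is answering an EAP-MD5 challenge with the MAC address as identity, which is why the %{User-Password} expansion in the post-auth query is empty. Knowing which of these three forms a NAS sends is the first thing to check before touching the server's check items.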
09-24-2017 01:52 PM
09-25-2017 10:23 AM
@Francesco Molino wrote:
Hi
I don't have experience with this kind of switches.
However, in your RADIUS log you can see that the MAC address (username) is sent to your RADIUS server.
Can you share the radius response and log you're getting?
I already attached the RADIUS log.
Request and reply.
We can clearly see that there is no password transmitted.
There has already been a thread about this for the SG300 since 2011:
09-25-2017 11:54 AM