clients.conf
# NOTE(review): "testing123" is the sample shared secret from the stock FreeRADIUS
# clients.conf, and this entry accepts it from every address in 192.168.0.0/16.
# Outside a lab, define one client per NAS (the switch sends from 192.168.1.1 in the
# trace on this page) and give each its own long random secret.
client 192.168.0.0/16 {
    secret = testing123
    shortname = private-network-2
}

users.conf
# MAC-authentication entry: the user name and the password are both the endpoint's
# MAC address (Calling-Station-Id C8-2A-14-37-E5-7C in the trace on this page).
# A MAC address is visible on the wire and can be set by the host, so this entry
# identifies a device rather than proving it; scope what VLAN 30 can reach accordingly.
# The debug output on this page warns that the known-good password belongs in
# Cleartext-Password, not User-Password.
# The three Tunnel-* reply items are what the server returns to assign VLAN 30.
c82a1437e57c User-Password := "c82a1437e57c"
    Tunnel-Type:0 = "VLAN",
    Tunnel-Medium-Type:0 = "IEEE-802",
    Tunnel-Private-Group-Id:0 = "30"

switch
switchcc12bb#
switchcc12bb#
switchcc12bb#
switchcc12bb#sh running-config
config-file-header
switchcc12bb
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system queues-mode 4
file SSD indicator encrypted
@
ssd-control-start
ssd config
! NOTE(review): passphrase control is "unrestricted" and file integrity control is off.
! As I read the SSD documentation, unrestricted means the passphrase travels with an
! exported configuration file, so the encrypted radius-server key further down should be
! treated as recoverable from any published copy. Confirm, and rotate that key if this
! configuration has left the device.
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
! Enables 802.1X port authentication globally; the per-port settings are below.
dot1x system-auth-control
bonjour interface range vlan 1
hostname switchcc12bb
! Shared secret towards the RADIUS server, stored in encrypted form. It has to match the
! "secret" of the clients.conf entry that covers this switch.
encrypted radius-server key WSX6YFwgD28kkPTEDWczuxRpCZGlUr0LVvgN3nS+s/I=
radius-server host 192.168.1.10
! NOTE(review): "enable" access is checked against RADIUS and no second method is listed.
! Verify what happens to management access when 192.168.1.10 is unreachable.
aaa authentication enable default radius
!
! VLAN 10 is designated as the guest VLAN.
interface vlan 10
dot1x guest-vlan
!
! Access port under test: MAC-based authentication ("dot1x authentication mac"), with the
! VLAN taken from the RADIUS reply ("dot1x radius-attributes vlan"). The trace on this page
! returns Tunnel-Private-Group-Id 30, and the address table lists the host in VLAN 30.
! NOTE(review): with "dot1x guest-vlan enable", a host that does not authenticate is
! presumably placed in VLAN 10. Confirm that VLAN's reach is restricted.
interface gigabitethernet1/1/2
dot1x host-mode single-host
dot1x violation-mode protect trap 10
dot1x guest-vlan enable
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan
dot1x port-control auto
!
exit switchcc12bb#sh mac address-table Flags: I - Internal usage VLAN Aging time is 300 sec Vlan Mac Address Port Type ------------ --------------------- ---------- ---------- 1 64:70:02:00:0e:aa gi1/1/3 dynamic 1 d4:d7:48:cc:12:bb 0 self 30 c8:2a:14:37:e5:7c gi1/1/2 dynamic switchcc12bb# switchcc12bb#sh version Unit SW version Boot version HW version ------------------- ------------------- ------------------- ------------------- 1 1.4.0.88 1.4.0.02 V01 freeradius debug Mon Dec 01 11:39:17 2014 : Debug: Module: Linked to module rlm_realm Mon Dec 01 11:39:17 2014 : Debug: Module: Instantiating module "suffix" from fi le ../etc/raddb/modules/realm Mon Dec 01 11:39:17 2014 : Debug: realm suffix { Mon Dec 01 11:39:17 2014 : Debug: format = "suffix" Mon Dec 01 11:39:17 2014 : Debug: delimiter = "@" Mon Dec 01 11:39:17 2014 : Debug: ignore_default = no Mon Dec 01 11:39:17 2014 : Debug: ignore_null = no Mon Dec 01 11:39:17 2014 : Debug: } Mon Dec 01 11:39:17 2014 : Debug: (Loaded rlm_files, checking if it's valid) Mon Dec 01 11:39:17 2014 : Debug: Module: Linked to module rlm_files Mon Dec 01 11:39:17 2014 : Debug: Module: Instantiating module "files" from fil e ../etc/raddb/modules/files Mon Dec 01 11:39:17 2014 : Debug: files { Mon Dec 01 11:39:17 2014 : Debug: usersfile = "../etc/raddb/users" Mon Dec 01 11:39:17 2014 : Debug: acctusersfile = "../etc/raddb/acct_users " Mon Dec 01 11:39:17 2014 : Debug: preproxy_usersfile = "../etc/raddb/prepr oxy_users" Mon Dec 01 11:39:17 2014 : Debug: compat = "no" Mon Dec 01 11:39:17 2014 : Debug: } Mon Dec 01 11:39:17 2014 : Debug: reading pairlist file ../etc/raddb/users Mon Dec 01 11:39:17 2014 : Debug: reading pairlist file ../etc/raddb/acct_users Mon Dec 01 11:39:17 2014 : Debug: reading pairlist file ../etc/raddb/preproxy_us ers Mon Dec 01 11:39:17 2014 : Debug: Module: Checking preacct {...} for more modul es to load Mon Dec 01 11:39:17 2014 : Debug: (Loaded rlm_acct_unique, checking if it's valid) Mon Dec 01 11:39:17 2014 : 
Debug: Module: Linked to module rlm_acct_unique Mon Dec 01 11:39:17 2014 : Debug: Module: Instantiating module "acct_unique" fr om file ../etc/raddb/modules/acct_unique Mon Dec 01 11:39:17 2014 : Debug: acct_unique { Mon Dec 01 11:39:17 2014 : Debug: key = "User-Name, Acct-Session-Id, NAS-I P-Address, NAS-Identifier, NAS-Port" Mon Dec 01 11:39:17 2014 : Debug: } Mon Dec 01 11:39:17 2014 : Debug: Module: Checking accounting {...} for more mo dules to load Mon Dec 01 11:39:17 2014 : Debug: (Loaded rlm_detail, checking if it's valid ) Mon Dec 01 11:39:17 2014 : Debug: Module: Linked to module rlm_detail Mon Dec 01 11:39:17 2014 : Debug: Module: Instantiating module "detail" from fi le ../etc/raddb/modules/detail Mon Dec 01 11:39:17 2014 : Debug: detail { Mon Dec 01 11:39:17 2014 : Debug: detailfile = "../var/log/radius/radacct/ %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" Mon Dec 01 11:39:17 2014 : Debug: header = "%t" Mon Dec 01 11:39:17 2014 : Debug: detailperm = 384 Mon Dec 01 11:39:17 2014 : Debug: dirperm = 493 Mon Dec 01 11:39:17 2014 : Debug: locking = no Mon Dec 01 11:39:17 2014 : Debug: log_packet_header = no Mon Dec 01 11:39:17 2014 : Debug: } Mon Dec 01 11:39:17 2014 : Debug: (Loaded rlm_radutmp, checking if it's vali d) Mon Dec 01 11:39:17 2014 : Debug: Module: Linked to module rlm_radutmp Mon Dec 01 11:39:17 2014 : Debug: Module: Instantiating module "radutmp" from f ile ../etc/raddb/modules/radutmp Mon Dec 01 11:39:17 2014 : Debug: radutmp { Mon Dec 01 11:39:17 2014 : Debug: filename = "../var/log/radius/radutmp" Mon Dec 01 11:39:17 2014 : Debug: username = "%{User-Name}" Mon Dec 01 11:39:17 2014 : Debug: case_sensitive = yes Mon Dec 01 11:39:17 2014 : Debug: check_with_nas = yes Mon Dec 01 11:39:18 2014 : Debug: perm = 384 Mon Dec 01 11:39:18 2014 : Debug: callerid = yes Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: (Loaded rlm_attr_filter, checking if it's valid) Mon Dec 01 11:39:18 2014 : Debug: 
Module: Linked to module rlm_attr_filter Mon Dec 01 11:39:18 2014 : Debug: Module: Instantiating module "attr_filter.acc ounting_response" from file ../etc/raddb/modules/attr_filter Mon Dec 01 11:39:18 2014 : Debug: attr_filter attr_filter.accounting_response { Mon Dec 01 11:39:18 2014 : Debug: attrsfile = "../etc/raddb/attrs.accounti ng_response" Mon Dec 01 11:39:18 2014 : Debug: key = "%{User-Name}" Mon Dec 01 11:39:18 2014 : Debug: relaxed = no Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: reading pairlist file ../etc/raddb/attrs.accou nting_response Mon Dec 01 11:39:18 2014 : Debug: Module: Checking session {...} for more modul es to load Mon Dec 01 11:39:18 2014 : Debug: Module: Checking post-proxy {...} for more mo dules to load Mon Dec 01 11:39:18 2014 : Debug: Module: Checking post-auth {...} for more mod ules to load Mon Dec 01 11:39:18 2014 : Debug: Module: Instantiating module "attr_filter.acc ess_reject" from file ../etc/raddb/modules/attr_filter Mon Dec 01 11:39:18 2014 : Debug: attr_filter attr_filter.access_reject { Mon Dec 01 11:39:18 2014 : Debug: attrsfile = "../etc/raddb/attrs.access_r eject" Mon Dec 01 11:39:18 2014 : Debug: key = "%{User-Name}" Mon Dec 01 11:39:18 2014 : Debug: relaxed = no Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: reading pairlist file ../etc/raddb/attrs.acces s_reject Mon Dec 01 11:39:18 2014 : Debug: } # modules Mon Dec 01 11:39:18 2014 : Debug: } # server Mon Dec 01 11:39:18 2014 : Debug: server inner-tunnel { # from file ../etc/raddb /sites-enabled/inner-tunnel Mon Dec 01 11:39:18 2014 : Debug: modules { Mon Dec 01 11:39:18 2014 : Debug: Module: Checking authenticate {...} for more modules to load Mon Dec 01 11:39:18 2014 : Debug: Module: Checking authorize {...} for more mod ules to load Mon Dec 01 11:39:18 2014 : Debug: Module: Checking session {...} for more modul es to load Mon Dec 01 11:39:18 2014 : Debug: Module: Checking post-proxy {...} for more mo dules to load 
Mon Dec 01 11:39:18 2014 : Debug: Module: Checking post-auth {...} for more mod ules to load Mon Dec 01 11:39:18 2014 : Debug: } # modules Mon Dec 01 11:39:18 2014 : Debug: } # server Mon Dec 01 11:39:18 2014 : Debug: radiusd: #### Opening IP addresses and Ports # ### Mon Dec 01 11:39:18 2014 : Debug: listen { Mon Dec 01 11:39:18 2014 : Debug: type = "auth" Mon Dec 01 11:39:18 2014 : Debug: ipaddr = * Mon Dec 01 11:39:18 2014 : Debug: port = 0 Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: listen { Mon Dec 01 11:39:18 2014 : Debug: type = "auth" Mon Dec 01 11:39:18 2014 : Debug: ipv6addr = :: IPv6 address [::] Mon Dec 01 11:39:18 2014 : Debug: port = 0 Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: listen { Mon Dec 01 11:39:18 2014 : Debug: type = "acct" Mon Dec 01 11:39:18 2014 : Debug: ipaddr = * Mon Dec 01 11:39:18 2014 : Debug: port = 0 Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: listen { Mon Dec 01 11:39:18 2014 : Debug: type = "acct" Mon Dec 01 11:39:18 2014 : Debug: ipv6addr = :: IPv6 address [::] Mon Dec 01 11:39:18 2014 : Debug: port = 0 Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: listen { Mon Dec 01 11:39:18 2014 : Debug: type = "auth" Mon Dec 01 11:39:18 2014 : Debug: ipaddr = 127.0.0.1 Mon Dec 01 11:39:18 2014 : Debug: port = 18120 Mon Dec 01 11:39:18 2014 : Debug: } Mon Dec 01 11:39:18 2014 : Debug: ... 
adding new socket proxy address * port 55 349 Mon Dec 01 11:39:18 2014 : Debug: Listening on authentication address * port 181 2 Mon Dec 01 11:39:18 2014 : Debug: Listening on authentication address :: port 18 12 Mon Dec 01 11:39:18 2014 : Debug: Listening on accounting address * port 1813 Mon Dec 01 11:39:18 2014 : Debug: Listening on accounting address :: port 1813 Mon Dec 01 11:39:18 2014 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Mon Dec 01 11:39:18 2014 : Debug: Listening on proxy address * port 1814 Mon Dec 01 11:39:18 2014 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 49205, id=5, length=1 37 NAS-IP-Address = 192.168.1.1 NAS-Port-Type = Ethernet NAS-Port = 50 User-Name = "c82a1437e57c" Acct-Session-Id = "05000009" Called-Station-Id = "D4-D7-48-CC-12-BD" Calling-Station-Id = "C8-2A-14-37-E5-7C" EAP-Message = 0x0200001101633832613134333765353763 Message-Authenticator = 0x54999f6bb3769ecfd65a71d3dfb08400 Mon Dec 01 11:39:32 2014 : Info: # Executing section authorize from file ../etc/ raddb/sites-enabled/default Mon Dec 01 11:39:32 2014 : Info: +group authorize { Mon Dec 01 11:39:32 2014 : Info: ++[preprocess] = ok Mon Dec 01 11:39:32 2014 : Info: ++[chap] = noop Mon Dec 01 11:39:32 2014 : Info: ++[mschap] = noop Mon Dec 01 11:39:32 2014 : Info: ++[digest] = noop Mon Dec 01 11:39:32 2014 : Info: ++[wimax] = ok Mon Dec 01 11:39:32 2014 : Info: [suffix] No '@' in User-Name = "c82a1437e57c", looking up realm NULL Mon Dec 01 11:39:32 2014 : Info: [suffix] No such realm "NULL" Mon Dec 01 11:39:32 2014 : Info: ++[suffix] = noop Mon Dec 01 11:39:32 2014 : Info: [eap] EAP packet type response id 0 length 17 Mon Dec 01 11:39:32 2014 : Info: [eap] No EAP Start, assuming it's an on-going E AP conversation Mon Dec 01 11:39:32 2014 : Info: ++[eap] = updated Mon Dec 01 11:39:32 2014 : Info: [files] users: Matched entry c82a1437e57c at li ne 53 Mon Dec 01 11:39:32 2014 : Info: 
++[files] = ok Mon Dec 01 11:39:32 2014 : Info: ++[expiration] = noop Mon Dec 01 11:39:32 2014 : Info: ++[logintime] = noop Mon Dec 01 11:39:32 2014 : Info: [pap] WARNING: Auth-Type already set. Not sett ing to PAP Mon Dec 01 11:39:32 2014 : Info: ++[pap] = noop Mon Dec 01 11:39:32 2014 : Info: +} # group authorize = updated Mon Dec 01 11:39:32 2014 : Info: Found Auth-Type = EAP Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!! Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: !!! Please update your configuration so that th e "known good" !!! Mon Dec 01 11:39:32 2014 : Info: !!! clear text password is in Cleartext-Passwor d, and not in User-Password. !!! Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: # Executing group from file ../etc/raddb/sites- enabled/default Mon Dec 01 11:39:32 2014 : Info: +group authenticate { Mon Dec 01 11:39:32 2014 : Info: [eap] EAP Identity Mon Dec 01 11:39:32 2014 : Info: [eap] processing type md5 Mon Dec 01 11:39:32 2014 : Debug: rlm_eap_md5: Issuing Challenge Mon Dec 01 11:39:32 2014 : Info: ++[eap] = handled Mon Dec 01 11:39:32 2014 : Info: +} # group authenticate = handled Sending Access-Challenge of id 5 to 192.168.1.1 port 49205 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "30" EAP-Message = 0x0101001604109abc6f07edd90c2c8787534ab91fe63b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc5db9d3ac5da99dc304590239c16b7e1 Mon Dec 01 11:39:32 2014 : Info: Finished request 0. Mon Dec 01 11:39:32 2014 : Debug: Going to the next request Mon Dec 01 11:39:32 2014 : Debug: Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.1.1 port 49205, id=6, length=1 72 NAS-IP-Address = 192.168.1.1 NAS-Port-Type = Ethernet NAS-Port = 50 User-Name = "c82a1437e57c" Acct-Session-Id = "05000009" State = 0xc5db9d3ac5da99dc304590239c16b7e1 Called-Station-Id = "D4-D7-48-CC-12-BD" Calling-Station-Id = "C8-2A-14-37-E5-7C" EAP-Message = 0x0201002204102b53f9f6760ec431836c94c580bcc08e633832613134 333765353763 Message-Authenticator = 0x63c06c285b844ae35324b7158f1f0432 Mon Dec 01 11:39:32 2014 : Info: # Executing section authorize from file ../etc/ raddb/sites-enabled/default Mon Dec 01 11:39:32 2014 : Info: +group authorize { Mon Dec 01 11:39:32 2014 : Info: ++[preprocess] = ok Mon Dec 01 11:39:32 2014 : Info: ++[chap] = noop Mon Dec 01 11:39:32 2014 : Info: ++[mschap] = noop Mon Dec 01 11:39:32 2014 : Info: ++[digest] = noop Mon Dec 01 11:39:32 2014 : Info: ++[wimax] = ok Mon Dec 01 11:39:32 2014 : Info: [suffix] No '@' in User-Name = "c82a1437e57c", looking up realm NULL Mon Dec 01 11:39:32 2014 : Info: [suffix] No such realm "NULL" Mon Dec 01 11:39:32 2014 : Info: ++[suffix] = noop Mon Dec 01 11:39:32 2014 : Info: [eap] EAP packet type response id 1 length 34 Mon Dec 01 11:39:32 2014 : Info: [eap] No EAP Start, assuming it's an on-going E AP conversation Mon Dec 01 11:39:32 2014 : Info: ++[eap] = updated Mon Dec 01 11:39:32 2014 : Info: [files] users: Matched entry c82a1437e57c at li ne 53 Mon Dec 01 11:39:32 2014 : Info: ++[files] = ok Mon Dec 01 11:39:32 2014 : Info: ++[expiration] = noop Mon Dec 01 11:39:32 2014 : Info: ++[logintime] = noop Mon Dec 01 11:39:32 2014 : Info: [pap] WARNING: Auth-Type already set. Not sett ing to PAP Mon Dec 01 11:39:32 2014 : Info: ++[pap] = noop Mon Dec 01 11:39:32 2014 : Info: +} # group authorize = updated Mon Dec 01 11:39:32 2014 : Info: Found Auth-Type = EAP Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: !!! 
Replacing User-Password in config items with Cleartext-Password. !!! Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: !!! Please update your configuration so that th e "known good" !!! Mon Dec 01 11:39:32 2014 : Info: !!! clear text password is in Cleartext-Passwor d, and not in User-Password. !!! Mon Dec 01 11:39:32 2014 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Mon Dec 01 11:39:32 2014 : Info: # Executing group from file ../etc/raddb/sites- enabled/default Mon Dec 01 11:39:32 2014 : Info: +group authenticate { Mon Dec 01 11:39:32 2014 : Info: [eap] Request found, released from the list Mon Dec 01 11:39:32 2014 : Info: [eap] EAP/md5 Mon Dec 01 11:39:32 2014 : Info: [eap] processing type md5 Mon Dec 01 11:39:32 2014 : Info: [eap] Freeing handler Mon Dec 01 11:39:32 2014 : Info: ++[eap] = ok Mon Dec 01 11:39:32 2014 : Info: +} # group authenticate = ok Mon Dec 01 11:39:32 2014 : Auth: Login OK: [c82a1437e57c] (from client private-n etwork-2 port 50 cli C8-2A-14-37-E5-7C) Mon Dec 01 11:39:32 2014 : Info: # Executing section post-auth from file ../etc/ raddb/sites-enabled/default Mon Dec 01 11:39:32 2014 : Info: +group post-auth { Mon Dec 01 11:39:32 2014 : Info: ++[exec] = noop Mon Dec 01 11:39:32 2014 : Info: +} # group post-auth = noop Sending Access-Accept of id 6 to 192.168.1.1 port 49205 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "30" EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "c82a1437e57c" Mon Dec 01 11:39:32 2014 : Info: Finished request 1. Mon Dec 01 11:39:32 2014 : Debug: Going to the next request Mon Dec 01 11:39:32 2014 : Debug: Waking up in 4.9 seconds. 
Mon Dec 01 11:39:37 2014 : Info: Cleaning up request 0 ID 5 with timestamp +14 Mon Dec 01 11:39:37 2014 : Info: Cleaning up request 1 ID 6 with timestamp +14 Mon Dec 01 11:39:37 2014 : Info: Ready to process requests.