Having a problem with PEAP and Cisco 2960 Switch

blittrell
Level 1

Hi All,

I am attempting to use PEAP with an LDAP backend on FreeRadius with the MS supplicant. I have it all working; in debug on the Radius server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2, but peap-mschapv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRadius?

The only difference between the PEAP and EAP versions that I can tell is that PEAP authenticates and the information is sent once (according to the debug on the Radius server), whereas with EAP the connection information is sent several times; that is, I will see the Tunnel and medium info sent more than once in the Radius log for just one login.

Any ideas?

6 Replies

Nicolas Darchis
Cisco Employee

I'm not clear about your symptoms.

When you use PEAP, do you mean that the authentication is not working (your FreeRadius indicates a reject) or that the authentication is OK but the VLAN is not sent back to the switch?

For the first case, it's a FreeRadius config. For the second, I'd advise a "debug radius" to see the radius exchange between the switch and the radius server.

I'd also like to check your config.

Nicolas

It is the second incident: the Radius server is reporting everything as OK, but the switch is not changing VLANs. The weird thing is that the switch changes VLANs when using EAP-MSChapV2 but not PEAP. So EAP works with the same switch, supplicant and Radius server with no changes other than the type of authentication, and PEAP appears to work as well; the output from both EAP and PEAP on the Radius server is identical, yet with PEAP the switch does not change VLANs. I already went through the switch config and it appears right, but I have not found anything specific to PEAP and was hoping to see if there is someone on this forum who knows if there is in fact a special config specific to PEAP on the switch.

I have run debug aaa and dot1x, did not see a radius; will try that next to see if there is anything.

Thanks

What are you using on the client? I've never seen any client doing EAP-Mschapv2 actually. All clients do PEAP-mschapv2.

And if you don't share output, people will have a hard time commenting on your setup :-)

Nicolas

Thought I mentioned the client in the first post; I am using 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned EAP-MSChapV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered on something with the switch changing VLANs, but if you want output I can give that.

CSSC Client pops out:

14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Radius Output for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.

**************************Radius output for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that helps.

Found the problem. After I had TAC on the line and they were doing the debug, I noticed the reply of some of the info looked like ciphertext, so I enabled the tunneling of the replies on the FreeRadius server and that did it. That was under the peap config in the /etc/raddb/eap.conf file. I will post tomorrow the exact setting in case other people have the issue.

Thanks

Just updating as I mentioned in the previous post: the setting I changed was "use_tunneled_reply = yes". This fixed the issue mentioned above.

Thanks
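Why that one setting fixed it: a switch assigns a dynamic VLAN only from attributes it can see in the outer RADIUS Access-Accept, the RFC 3580 triple Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id. With PEAP the EAP-MSCHAPv2 exchange runs inside a TLS tunnel, so the reply items the LDAP lookup produced (the ones visible in the FreeRadius debug above) belong to the inner authentication and never reach the switch unless the server copies them into the outer reply, which is what `use_tunneled_reply = yes` in the peap section of eap.conf does. With plain EAP-MSCHAPv2 there is no tunnel, so the same attributes were always in the outer reply, which is why the switch behaved differently even though the FreeRadius output looked identical. The example below is added here and is not code from the thread, FreeRADIUS or Cisco: it encodes two constructed Access-Accept packets, one as the switch would see it without the tunneled reply and one with it, and decodes them with the same check a `debug radius` on the switch lets you do by eye. The 16-octet authenticator and Message-Authenticator are zero placeholders (integrity is not verified here), the EAP identifier and tag value 0 are constructed, and the VLAN name "SomeVlan" is taken from the debug output above.

```python
"""Encode/decode RADIUS Access-Accept packets and check whether a switch would
find the RFC 3580 dynamic-VLAN attribute triple in the outer reply.
Added example; not FreeRADIUS or Cisco code."""

import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 2868, RFC 2869)
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def attr(atype, value):
    """Type-Length-Value; Length counts the two header octets (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(atype, tag, value):
    """Tagged integer (RFC 2868 s3.1): one tag octet plus a 3-octet value."""
    return attr(atype, bytes([tag]) + (value & 0xFFFFFF).to_bytes(3, "big"))


def tagged_str(atype, tag, text):
    """Tagged string (RFC 2868 s3.6): one tag octet followed by the string."""
    return attr(atype, bytes([tag]) + text.encode("utf-8"))


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Return (code, [(type, value), ...]); reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-octet header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def split_tag(value):
    """Tag octets are 0x00-0x1F; a larger first octet means the value is untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_assignment(packet):
    """Return the Tunnel-Private-Group-Id the switch would apply when the
    Access-Accept carries a complete VLAN/IEEE-802 triple under one tag, else None."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, raw in attrs:
        if atype in VLAN_ATTRS:
            tag, value = split_tag(raw)
            groups.setdefault(tag, {})[atype] = value
    for fields in groups.values():
        if len(fields) != 3:
            continue                       # incomplete triple: switch ignores it
        ttype = int.from_bytes(fields[ATTR_TUNNEL_TYPE], "big")
        medium = int.from_bytes(fields[ATTR_TUNNEL_MEDIUM_TYPE], "big")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802:
            return fields[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("utf-8")
    return None


# Constructed sample packets; authenticators are zero placeholders.
_AUTH = bytes(16)
_EAP_SUCCESS = bytes([3, 9, 0, 4])         # EAP Success, constructed id 9, length 4
_OUTER_EAP = [attr(ATTR_EAP_MESSAGE, _EAP_SUCCESS), attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]

# Tunneled reply not copied out: the VLAN attributes stayed inside the PEAP
# TLS tunnel, so the outer Accept the switch sees carries none of them.
ACCEPT_WITHOUT_TUNNELED_REPLY = build_packet(ACCESS_ACCEPT, 9, _AUTH, _OUTER_EAP)

# use_tunneled_reply = yes: the inner reply items appear in the outer Accept,
# tag 0 as FreeRADIUS prints ":0" in the debug output.
ACCEPT_WITH_TUNNELED_REPLY = build_packet(ACCESS_ACCEPT, 9, _AUTH, _OUTER_EAP + [
    tagged_int(ATTR_TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN),
    tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802),
    tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, 0, "SomeVlan"),
])

if __name__ == "__main__":
    print("without tunneled reply:", vlan_assignment(ACCEPT_WITHOUT_TUNNELED_REPLY))
    print("with tunneled reply:   ", vlan_assignment(ACCEPT_WITH_TUNNELED_REPLY))
```

The decoder checks for the whole triple under a single tag rather than for Tunnel-Private-Group-Id alone, because a switch that sees the group name without the matching Tunnel-Type and Tunnel-Medium-Type has no basis to treat it as a VLAN. On the switch side, the `debug radius` output Nicolas suggested is where these three attributes either appear in the Access-Accept or do not.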