01-20-2011 09:37 AM - edited 03-10-2019 05:44 PM
Greetings all,
First of all, I do not have extensive experience with configuring Cisco switches (about half a year now), but I have been reading loads and loads of documentation.
I am trying to set up Multi-Domain Authentication (MDA) on our Cisco switches using MAB and am running into something strange. Currently only MAB is requested by my employer.
Switch = 3560G-48 IOS version 12.2(55)SE1
Radius = Freeradius (version 2.1.10)
On port Gi0/29 a Cisco 7961 IP phone is connected, and attached to that phone is a notebook.
Switch configuration:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
interface GigabitEthernet0/29
description 235A
switchport access vlan 4
switchport mode access
switchport voice vlan 2
load-interval 30
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
authentication event fail retry 0 action authorize vlan 7
authentication event server dead action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
mab
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
!
radius-server dead-criteria time 5 tries 5
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server key 7 xxx
radius-server vsa send accounting
radius-server vsa send authentication
Radius reply: (for full reply see attached radius-response.txt)
Sending Access-Accept of id 98 to 10.1.1.207 port 1645
Cisco-AVPair = "Tunnel-Type=VLAN"
Cisco-AVPair = "Tunnel-Medium-Type=802"
Cisco-AVPair = "Tunnel-Private-Group-ID=7"
Cisco-AVPair = "Tunnel-Preference"
So an Access-Accept with VLAN assignment data.
Debugging on the switch:
001776: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Received MAB context create from AuthMgr
001777: *Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
001778: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Created MAB client context 0x2200000F
001779: *Mar 1 09:27:35.606: mab : initial state mab_initialize has enter
001780: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Sending create new context event to EAP from MAB for 0x2200000F (MACAddress)
001781: *Mar 1 10:27:35.606 CET: %AUTHMGR-5-START: Starting 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001782: *Mar 1 09:27:35.606: mab-sm(Gi0/29): Received event 'MAB_CONTINUE' on handle 0x2200000F
001783: *Mar 1 09:27:35.606: mab : during state mab_initialize, got event 1(mabContinue)
001784: *Mar 1 09:27:35.606: @@@ mab : mab_initialize -> mab_authorizing
001785: *Mar 1 09:27:35.606: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0x2200000F (MACAddress)
001786: *Mar 1 09:27:35.614: mab-ev(Gi0/29): MAB received an Access-Reject for 0x2200000F (MACAddress)
001787: *Mar 1 10:27:35.622 CET: %MAB-5-FAIL: Authentication failed for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001788: *Mar 1 09:27:35.622: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0x2200000F
001789: *Mar 1 09:27:35.622: mab : during state mab_authorizing, got event 5(mabResult)
001790: *Mar 1 09:27:35.622: @@@ mab : mab_authorizing -> mab_terminate
001791: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Deleted credentials profile for 0x2200000F (dot1x_mac_auth_MACAddress)
001792: *Mar 1 09:27:35.622: mab-ev(Gi0/29): Sending event (2) to AuthMGR for MACAddress
001793: *Mar 1 10:27:35.622 CET: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001794: *Mar 1 10:27:35.622 CET: %AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
001795: *Mar 1 10:27:36.512 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (MACAddress) on Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
So Radius returns an Access-Accept, but the switch processes it as an Access-Reject and briefly considers Radius dead.
Help would be appreciated!
Chris
01-20-2011 09:42 AM
To be on the safe side, I just plugged the notebook directly into the network, so it is no longer connected through the IP phone, but I had the same outcome. There are no problems authenticating the IP phone: Radius returns Cisco-AVPair = "device-traffic-class=voice" for IP phone MAC addresses and they are properly assigned to the voice VLAN. I do not see the Cisco-AVPair in the logs below, but since the phone is assigned properly to the voice VLAN I guess it is received nonetheless.
001966: *Mar 1 11:27:47.861 CET: %ILPOWER-5-POWER_GRANTED: Interface Gi0/29: Power granted
001967: *Mar 1 10:27:49.832: mab-ev(Gi0/29): Received MAB context create from AuthMgr
001968: *Mar 1 10:27:49.832: mab-ev(Gi0/29): Created MAB client context 0xE6000031
001969: *Mar 1 10:27:49.832: mab : initial state mab_initialize has enter
001970: *Mar 1 10:27:49.832: mab-ev(Gi0/29): Sending create new context event to EAP from MAB for 0xE6000031 (0000.0000.0000)
001971: *Mar 1 10:27:49.832: mab-sm(Gi0/29): Received event 'MAB_START' on handle 0xE6000031
001972: *Mar 1 10:27:49.832: mab : during state mab_initialize, got event 4 (mabStart)
001973: *Mar 1 10:27:49.832: @@@ mab : mab_initialize -> mab_acquiring
001974: *Mar 1 11:27:51.812 CET: %LINK-3-UPDOWN: Interface GigabitEthernet0/29, changed state to up
001975: *Mar 1 11:27:52.819 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/29, changed state to up
001976: *Mar 1 10:28:30.157: mab-ev: Received NEW MAC (PhoneMac) for 0xE6000031
001977: *Mar 1 11:28:30.157 CET: %AUTHMGR-5-START: Starting 'mab' for client (PhoneMac) on Interface Gi0/29 AuditSessionID 0A0101CF00000086023ECAA3
001978: *Mar 1 10:28:30.157: mab-sm(Gi0/29): Received event 'MAB_AVAILABLE' on handle 0xE6000031
001979: *Mar 1 10:28:30.157: mab : during state mab_acquiring, got event 7(mabAvailable)
001980: *Mar 1 10:28:30.157: @@@ mab : mab_acquiring -> mab_authorizing
001981: *Mar 1 10:28:30.157: mab-ev(Gi0/29): Starting MAC-AUTH-BYPASS for 0xE6000031 (PhoneMac)
001982: *Mar 1 10:28:30.157: mab-ev(Gi0/29): MAB received an Access-Accept for 0xE6000031 (PhoneMac)
001983: *Mar 1 11:28:30.165 CET: %MAB-5-SUCCESS: Authentication successful for client (PhoneMac) on Interface Gi0/29 AuditSessionID 0A0101CF00000086023ECAA3
001984: *Mar 1 10:28:30.165: mab-sm(Gi0/29): Received event 'MAB_RESULT' on handle 0xE6000031
001985: *Mar 1 10:28:30.165: mab : during state mab_authorizing, got event 5(mabResult)
001986: *Mar 1 10:28:30.165: @@@ mab : mab_authorizing -> mab_terminate
001987: *Mar 1 10:28:30.165: mab-ev(Gi0/29): Deleted credentials profile for 0xE6000031 (dot1x_mac_auth_PhoneMac)
001988: *Mar 1 10:28:30.165: mab-ev(Gi0/29): Sending event (2) to AuthMGR for PhoneMac
001989: *Mar 1 11:28:30.165 CET: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (PhoneMac) on Interface Gi0/29 AuditSessionID 0A0101CF00000086023ECAA3
001990: *Mar 1 11:28:30.366 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (PhoneMac) on Interface Gi0/29 AuditSessionID 0A0101CF00000086023ECAA3
01-20-2011 10:38 AM
Doing some experimentation with the Cisco-AVPair return values:
Original:
Cisco-AVPair = "Tunnel-Type=VLAN"
Cisco-AVPair = "Tunnel-Medium-Type=802"
Cisco-AVPair = "Tunnel-Private-Group-ID=7"
Cisco-AVPair = "Tunnel-Preference"
Gives an Access-Reject and Radius dead on the switch.
Attempt1:
Cisco-AVPair = "Tunnel-Type=VLAN"
Cisco-AVPair = "Tunnel-Medium-Type=IEE-802"
Cisco-AVPair = "Tunnel-Private-Group-ID=7"
Cisco-AVPair = "Tunnel-Preference"
Attempt2:
Tunnel-Type="VLAN"
Tunnel-Medium-Type="802"
Tunnel-Private-Group-ID="7"
Attempt3:
Tunnel-Type="VLAN"
Tunnel-Medium-Type="802"
Tunnel-Private-Group-ID=7
Attempt4:
Tunnel-Type=VLAN
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=7
Attempt5:
Cisco-AVPair = "Tunnel-Type=VLAN"
Cisco-AVPair = "Tunnel-Medium-Type=802"
Cisco-AVPair = "Tunnel-Private-Group-ID=7"
and a couple more all had the same outcome:
Access-Accept but no VLAN assignment.
So the reject seems to be caused by the Tunnel-Preference in combination with a proper Tunnel-Medium-Type.
So now I wonder whether the Access-Reject or the VLAN not being assigned is my problem...
01-28-2011 05:44 AM
Anyone?
01-28-2011 08:54 AM
Hi Chris,
In response to your last post, dynamic vlan assignment could be achieved with using RADIUS IETF attributes as per link:
http://tools.cisco.com/squish/d1791
or using the cisco-av pair as per link:
http://tools.cisco.com/squish/8Bd61
As you are using FreeRADIUS and the cisco-av pairs, please can you enable the following debug output on the switch and replicate the problem with a client authentication attempt:
debug radius
debug authentication all
debug authentication feature all
Following the client authentication event, also obtain the following from the switch:
show authentication sessions interface
I have come across issues with the case sensitivity of the cisco-av pair. For example, VLAN assignment works when using the lower case "tunnel-private-group-id (# 81) = vlanid" instead of "tunnel-private-group-ID (# 81) = vlanid".
When testing with "tunnel-private-group-ID(#81)=vlanid", I would get an error relating to:
RADIUS/DECODE: parse unknown cisco vsa "tunnel-private-group-ID" - FAIL
So from the 2nd link, with the changes:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-id(#81)=vlanid"
If you still have an issue, please include the above debug/show output, which will shed some light on the problem.
Thanks,
Alex
02-08-2011 01:16 AM
Hi,
Sorry for the delayed answer. Management's priorities are always swaying. OK, I finally got to testing this again and unfortunately it does not work yet. I will continue testing and keep you up to date, but if anyone figures out what could work then please reply.
The debug messages are very handy, though there are a lot of them; the most important one currently:
025893: Feb 8 09:10:40.653: RADIUS/DECODE: parse unknown cisco vsa "tunnel-medium-type(" - IGNORE
Reply was "tunnel-medium-type(#65)=802 media(6)"
Second try:
029243: Feb 8 09:20:36.634: RADIUS: Vendor, Cisco [26] 24
029244: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 18 "tunnel-type=VLAN"
029245: Feb 8 09:20:36.634: RADIUS: Vendor, Cisco [26] 39
029246: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 33 "tunnel-medium-type=802 media(6)"
029247: Feb 8 09:20:36.634: RADIUS: Vendor, Cisco [26] 33
029248: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 27 "tunnel-private-group-id=7"
029249: Feb 8 09:20:36.634: RADIUS(000020E2): Received from id 1645/180
029250: Feb 8 09:20:36.634: RADIUS/DECODE: VSA tunnel-medium-type=802 media(6); no mapping; FAIL
Chris
Added second try
02-08-2011 01:55 AM
Hi Chris,
From your debug, the attribute "tunnel-medium-type=802 media(6)" is being ignored.
If using IETF attributes, I get:
RADIUS:Tunnel-Medium-Type [65] 01:ALL_802 [6]
Can you verify using "tunnel-medium-type=ALL_802", so your radius log will then look like:
RADIUS: Cisco AVpair [1] "tunnel-medium-type=ALL_802"
instead of:
RADIUS: Cisco AVpair [1] "tunnel-medium-type=802 media(6)"
HTH,
Alex
02-08-2011 02:02 AM
Yay, that worked!
040567: Feb 8 09:58:17.069: RADIUS: Received from id 1645/182 10.1.1.24:1812, Access-Accept, len 111
040568: Feb 8 09:58:17.069: RADIUS: authenticator 9C E7 E2 27 3E 9C 88 FA - FD FB 1B 9F 18 CE D2 01
040569: Feb 8 09:58:17.069: RADIUS: Vendor, Cisco [26] 24
040570: Feb 8 09:58:17.069: RADIUS: Cisco AVpair [1] 18 "tunnel-type=VLAN"
040571: Feb 8 09:58:17.069: RADIUS: Vendor, Cisco [26] 34
040572: Feb 8 09:58:17.069: RADIUS: Cisco AVpair [1] 28 "tunnel-medium-type=ALL_802"
040573: Feb 8 09:58:17.069: RADIUS: Vendor, Cisco [26] 33
040574: Feb 8 09:58:17.069: RADIUS: Cisco AVpair [1] 27 "tunnel-private-group-id=7"
040575: Feb 8 09:58:17.102: RADIUS(00002100): Received from id 1645/182
040576: Feb 8 10:58:17.119 CET: %MAB-5-SUCCESS: Authentication successful for client (0022.158e.a4ac) on Interface Gi0/29 AuditSessionID 0A0101CF00000B8E6265DE37
040577: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Received AUTHC_RESULT from mab (handle 0xAF000B8E)
040578: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Authc Result: success
040579: Feb 8 10:58:17.119 CET: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.158e.a4ac) on Interface Gi0/29 AuditSessionID 0A0101CF00000B8E6265DE37
040580: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Client 0022.158e.a4ac, Method mab changing state from 'Running' to 'Authc Success'
040581: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Client 0022.158e.a4ac, Context changing state from 'Running' to 'Authc Success'
040582: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Existing AAA ID: 0x00002100
040583: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Received AAA ID 0x00002100 from method
040584: Feb 8 09:58:17.119: AUTH-EVENT: Enter auth_mgr_idc_modify_keys
040585: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Set new linksec data (handle 0xAF000B8E) NULL data
040586: Feb 8 09:58:17.119: AUTH-EVENT (Gi0/29) Signalling Authc success for client 0022.158e.a4ac
040587: Feb 8 09:58:17.127: AUTH-FEAT-AUTH-POLICY-EVENT (Gi0/29) epm_policy_apply_request returned 1 for
040588: Feb 8 09:58:17.127: AUTH-FEAT-AUTOCFG-EVENT (Gi0/29) No auto-config feature attributes present
040589: Feb 8 09:58:17.127: AUTH-FEAT-MDA-EVENT (Gi0/29) Get domain: DATA
040590: Feb 8 09:58:17.127: AUTH-FEAT-MDA-EVENT (Gi0/29) Get domain: DATA
040591: Feb 8 09:58:17.127: AUTH-FEAT-GUEST-VLAN-EVENT (Gi0/29) Guest VLAN not active
040592: Feb 8 09:58:17.127: AUTH-FEAT-MDA-EVENT (Gi0/29) Get domain: DATA
040593: Feb 8 09:58:17.127: AUTH-FEAT-MDA-EVENT (Gi0/29) Get domain: DATA
040594: Feb 8 09:58:17.127: AUTH-FEAT-VLAN-GROUP-EVENT (Gi0/29) RADIUS provided VLAN name 7 with tag 0
040595: Feb 8 09:58:17.127: AUTH-EVENT (Gi0/29) Authorized client count: 0
040596: Feb 8 09:58:17.127: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/29) PM Actions: Setting vlan 7 in DATA domain
040597: Feb 8 09:58:17.127: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/29) Assigning dynamic vlan = 7 on port GigabitEthernet0/29
040598: Feb 8 10:58:17.127 CET: %AUTHMGR-5-VLANASSIGN: VLAN 7 assigned to Interface Gi0/29 AuditSessionID 0A0101CF00000B8E6265DE37
040599: Feb 8 09:58:17.127: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/29) vlan 1 vp is removed
040600: Feb 8 09:58:17.127: AUTH-FEAT-SWITCH-PM-EVENT (Gi0/29) ignored vlan 7 vp is added
Thank you so very much, I would probably never have found that!
Chris
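The decode failure and its fix above, as an added example that is not from the thread: a small Python check that parses the cisco-avpair lines from "debug radius" output and reports why a reply would not yield a dynamic VLAN, encoding the two rules this thread established (attribute names are matched case-sensitively, and the medium type must be ALL_802 rather than "802 media(6)"). The sample debug lines are condensed from the thread; the function and variable names are my own.

```python
import re
# Values the thread's 3560G (IOS 12.2(55)SE1) accepted via cisco-avpair. Names are
# matched case-sensitively ("tunnel-private-group-ID" logged 'parse unknown cisco
# vsa'), and "tunnel-medium-type=802 media(6)" logged 'no mapping; FAIL'.
EXPECTED = {"tunnel-type": "VLAN", "tunnel-medium-type": "ALL_802"}
VLAN_ATTRS = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-id")
AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[1\] \d+ "([^"=]+)=([^"]*)"')
DECODE_RE = re.compile(r'(RADIUS/DECODE: .*?(?:FAIL|IGNORE))\s*$', re.M)

def parse_avpairs(debug_text):
    """Return the cisco-avpair (name, value) tuples found in 'debug radius' output."""
    return AVPAIR_RE.findall(debug_text)

def check_vlan_assignment(debug_text):
    """List the reasons a reply seen in 'debug radius' would not assign a VLAN.
    An empty list means all three tunnel attributes are present, lower-case
    and carry values this IOS maps."""
    findings = []
    pairs = dict(parse_avpairs(debug_text))
    for name in pairs:                      # wrong case is a silent killer
        if name != name.lower() and name.lower() in VLAN_ATTRS:
            findings.append(f"{name}: cisco-avpair names are case-sensitive; use {name.lower()}")
    for name in VLAN_ATTRS:
        if name not in pairs:
            findings.append(f"{name}: missing from reply")
    for name, want in EXPECTED.items():
        got = pairs.get(name)
        if got is not None and got != want:
            findings.append(f"{name}={got}: not mapped by this IOS; use {want}")
    findings.extend(DECODE_RE.findall(debug_text))  # decoder complaints, verbatim
    return findings

def assigned_vlan(debug_text):
    """VLAN id/name the switch would apply, or None if the reply has a defect."""
    if check_vlan_assignment(debug_text):
        return None
    return dict(parse_avpairs(debug_text))["tunnel-private-group-id"]

# Constructed samples condensed from the thread's debug lines (length fields left as-is).
FAILING = """\
029244: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 18 "tunnel-type=VLAN"
029246: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 33 "tunnel-medium-type=802 media(6)"
029248: Feb 8 09:20:36.634: RADIUS: Cisco AVpair [1] 27 "tunnel-private-group-id=7"
029250: Feb 8 09:20:36.634: RADIUS/DECODE: VSA tunnel-medium-type=802 media(6); no mapping; FAIL
"""
WORKING = FAILING.replace("802 media(6)", "ALL_802").rsplit("\n", 2)[0] + "\n"
if __name__ == "__main__":
    for label, text in (("second try", FAILING), ("ALL_802", WORKING)):
        print(label, assigned_vlan(text), check_vlan_assignment(text))
```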
02-08-2011 02:06 AM
Great to know it's working.
Thank you for the rating :-)
Cheers,
Alex