mac auth bypass with freeradius problem

Hi,

I'm experiencing a problem with MAC auth bypass on a Catalyst 3560. I connect a phone and a PC to a port and both get authenticated and working, but the phone keeps reauthenticating and the console shows this error:

*Mar  1 02:10:34.221: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.221: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.954: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.954: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

But the phone didn't lose connection.

Here is the config:

SWITCH:

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
no authentication logging verbose
ip domain-name alturna-net
!
dot1x system-auth-control
no dot1x logging verbose
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name DATA
!
vlan 11
 name VOICE
!
vlan 999
 name PARKING
!
ip ssh version 2
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 authentication event fail action authorize vlan 999
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab eap
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,11
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan10
 ip address 10.12.0.22 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
radius-server host 10.12.0.21 auth-port 1812 acct-port 1813 key 1234
radius-server vsa send authentication
!
!
line con 0
 logging synchronous
line vty 0 4
 length 0
 transport input ssh
line vty 5 15
!
end

FREERADIUS user file:

20cf30292a13  Auth-Type := "EAP",  Cleartext-Password := 20cf30292a13
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "DATA"

00235e1a6d59  Auth-Type := "EAP",   Cleartext-Password := 00235e1a6d59
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "VOICE"

Any help will be much appreciated!

Thanks,
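
An added example (not part of the original post): a small Python correlator that groups the switch's syslog lines by AuditSessionID and flags sessions that repeat the MAB success, ERR_VLAN_EQ_VVLAN, authorization failure cycle seen in the console output above. The function name, the `min_cycles` threshold and the last two sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# The first six lines are copied from the console output in the post; the last two
# (a client whose authorization succeeds, with a made-up session ID) are constructed.
SAMPLE_LOG = """\
*Mar  1 02:10:34.221: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.954: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:12:01.100: %MAB-5-SUCCESS: Authentication successful for client (20cf.3029.2a13) on Interface Fa0/3 AuditSessionID CONSTRUCTED0000000000001
*Mar  1 02:12:01.108: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (20cf.3029.2a13) on Interface Fa0/3 AuditSessionID CONSTRUCTED0000000000001
"""

EVENT = re.compile(r"%(?P<fac>[A-Z0-9_]+)-\d-(?P<mn>[A-Z0-9_]+):")
SESSION = re.compile(r"AuditSessionID (\w+)")
CLIENT = re.compile(r"client \(([0-9a-fA-F.]+)\)")
DATA_VLAN = re.compile(r"Data VLAN (\d+) on port (\S+)")

def find_vlan_conflict_loops(log_text, min_cycles=2):
    """Return sessions repeating MAB success -> ERR_VLAN_EQ_VVLAN -> authorization failure."""
    state = defaultdict(lambda: {"client": None, "port": None, "data_vlan": None,
                                 "cycles": 0, "authed": False, "conflict": False})
    for line in log_text.splitlines():
        event, sid = EVENT.search(line), SESSION.search(line)
        if not (event and sid):
            continue  # not a session-tagged IOS message
        s = state[sid.group(1)]
        tag = f"{event['fac']}-{event['mn']}"
        client = CLIENT.search(line)
        if client:
            s["client"] = client.group(1)
        if tag == "MAB-SUCCESS":
            s["authed"], s["conflict"] = True, False  # a new attempt starts
        elif tag == "DOT1X_SWITCH-ERR_VLAN_EQ_VVLAN" and s["authed"]:
            vlan = DATA_VLAN.search(line)
            if vlan:
                s["data_vlan"], s["port"] = int(vlan.group(1)), vlan.group(2)
            s["conflict"] = True
        elif tag == "AUTHMGR-FAIL" and s["authed"] and s["conflict"]:
            s["cycles"] += 1  # one complete failed cycle
            s["authed"] = s["conflict"] = False
    return [{"session": sid, "client": s["client"], "port": s["port"],
             "data_vlan": s["data_vlan"], "cycles": s["cycles"]}
            for sid, s in state.items() if s["cycles"] >= min_cycles]

if __name__ == "__main__":
    for hit in find_vlan_conflict_loops(SAMPLE_LOG):
        print(hit)
```
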

