cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1802
Views
0
Helpful
0
Replies

mac auth bypass with freeradius problem

Hi,

I'm experiencing a problem with mac auth bypass in a catalyst 3560, i connect a phone and a pc to a port and both get

authenticated and working but the phone keep reauthenticating and the console show this error:

*Mar  1 02:10:34.221: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:10:34.221: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:10:34.229: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:10:34.229: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:11:34.954: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:11:34.954: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:11:34.963: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB

*Mar  1 02:11:34.963: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

But the phone didn't lost connection.

Here is the config:

SWITCH:

aaa new-model

!

aaa authentication dot1x default group radius

aaa authorization network default group radius

!        

aaa session-id common

system mtu routing 1500

vtp mode transparent

no authentication logging verbose

ip domain-name alturna-net

!

dot1x system-auth-control

no dot1x logging verbose

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 10  

name DATA

!

vlan 11

name VOICE

!

vlan 999

name PARKING

!

ip ssh version 2

!

interface FastEthernet0/3

switchport access vlan 10

switchport mode access

switchport voice vlan 11

authentication event fail action authorize vlan 999

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority mab dot1x

authentication port-control auto

mab eap

dot1x pae authenticator

spanning-tree portfast

!

interface FastEthernet0/48

switchport trunk encapsulation dot1q

switchport trunk native vlan 10

switchport trunk allowed vlan 10,11

switchport mode trunk

spanning-tree portfast

!

interface Vlan10

ip address 10.12.0.22 255.255.255.0

!

ip classless

ip http server

ip http secure-server

!

!

ip sla enable reaction-alerts

!

radius-server host 10.12.0.21 auth-port 1812 acct-port 1813 key 1234

radius-server vsa send authentication

!

!

line con 0

logging synchronous

line vty 0 4

length 0

transport input ssh

line vty 5 15

!

end

FREERADIUS user file:

20cf30292a13  Auth-Type := "EAP",  Cleartext-Password := 20cf30292a13

        Tunnel-Type = VLAN,

        Tunnel-Medium-Type = IEEE-802,

        Tunnel-Private-Group-id = "DATA"

00235e1a6d59  Auth-Type := "EAP",   Cleartext-Password := 00235e1a6d59

        Tunnel-Type = VLAN,

        Tunnel-Medium-Type = IEEE-802,

        Tunnel-Private-Group-id = "VOICE"

Any help will be much apreciated!

Thanks,


0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: