mac auth bypass with freeradius problem

Hi,

I'm experiencing a problem with MAC auth bypass on a Catalyst 3560. I connect a phone and a PC to a port and both get authenticated and working, but the phone keeps reauthenticating and the console shows this error:

*Mar  1 02:10:34.221: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.221: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:10:34.229: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.954: %MAB-5-SUCCESS: Authentication successful for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.954: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %DOT1X_SWITCH-5-ERR_VLAN_EQ_VVLAN: Data VLAN 11 on port FastEthernet0/3 cannot be equivalent to the Voice VLAN AuditSessionID 0A0C001600000030006A91FB
*Mar  1 02:11:34.963: %AUTHMGR-5-FAIL: Authorization failed for client (0023.5e1a.6d59) on Interface Fa0/3 AuditSessionID 0A0C001600000030006A91FB

But the phone didn't lose connection.

Here is the config:

SWITCH:

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
no authentication logging verbose
ip domain-name alturna-net
!
dot1x system-auth-control
no dot1x logging verbose
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name DATA
!
vlan 11
 name VOICE
!
vlan 999
 name PARKING
!
ip ssh version 2
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 authentication event fail action authorize vlan 999
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 mab eap
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,11
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan10
 ip address 10.12.0.22 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
radius-server host 10.12.0.21 auth-port 1812 acct-port 1813 key 1234
radius-server vsa send authentication
!
!
line con 0
 logging synchronous
line vty 0 4
 length 0
 transport input ssh
line vty 5 15
!
end

FreeRADIUS users file:

20cf30292a13  Auth-Type := "EAP",  Cleartext-Password := 20cf30292a13
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "DATA"

00235e1a6d59  Auth-Type := "EAP",   Cleartext-Password := 00235e1a6d59
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "VOICE"

Any help will be much appreciated!

Thanks,

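As an added check for this kind of misconfiguration (example code written for this thread, not from the poster, Cisco or the FreeRADIUS project): the script below parses a constructed copy of the switch config and users file quoted above and reports every users-file entry whose Tunnel-Private-Group-Id resolves to a port's voice VLAN, which is the condition the ERR_VLAN_EQ_VVLAN lines report for the phone's MAC.

```python
import re
# Constructed input mirroring the switch config and FreeRADIUS users file in the post.
SWITCH_CFG = """\
vlan 10
 name DATA
vlan 11
 name VOICE
interface FastEthernet0/3
 switchport access vlan 10
 switchport voice vlan 11
"""
USERS_FILE = """\
20cf30292a13  Auth-Type := "EAP",  Cleartext-Password := 20cf30292a13
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "DATA"
00235e1a6d59  Auth-Type := "EAP",   Cleartext-Password := 00235e1a6d59
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = "VOICE"
"""

def parse_switch(cfg):
    """Return ({vlan name: id}, {interface: voice vlan id}) from an IOS config."""
    names, voice, ctx = {}, {}, ""  # ctx: id of the 'vlan N' or name of the 'interface X' block being read
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith(("vlan ", "interface ")):
            ctx = s.split()[1]
        elif s.startswith("name ") and ctx.isdigit():
            names[s.split(None, 1)[1]] = int(ctx)
        elif s.startswith("switchport voice vlan "):
            voice[ctx] = int(s.split()[-1])
    return names, voice

def parse_users(text):
    """Return {mac: Tunnel-Private-Group-Id value}; an entry's first line starts in column 1."""
    assigned, mac = {}, None
    for raw in text.splitlines():
        mac = raw.split()[0].lower() if raw and not raw[0].isspace() else mac
        m = re.search(r'Tunnel-Private-Group-Id\s*=\s*"?([^",\s]+)', raw, re.I)
        if m and mac:
            assigned[mac] = m.group(1)
    return assigned

def find_conflicts(cfg, users):
    """(mac, interface, vlan) for entries whose assigned data VLAN is the port's voice VLAN (ERR_VLAN_EQ_VVLAN)."""
    names, voice = parse_switch(cfg)
    def vid(g): return int(g) if g.isdigit() else names.get(g)
    return [(mac, iface, v) for mac, g in parse_users(users).items()
            for iface, v in voice.items() if v == vid(g)]
```

On the constructed input this returns the phone's MAC on FastEthernet0/3 with VLAN 11. The thread does not state it, but on Cisco IOS a MAB-authenticated phone is placed in the voice domain with the VSA cisco-av-pair = "device-traffic-class=voice" rather than by assigning the voice VLAN through Tunnel-Private-Group-Id.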