sankongacth
Beginner

Mystical Radius Support on Cisco SG200-26 Smart Switch not working :)

Good Day Everyone,

Support Request: SR636256465

I have a problem with mythical radius and 802.1x support on a brand new SG200-26.

Info as follows :

1.4.1.3
a325fec192ba4927b6809c1867a22278
1.3.5.06
da8bcdbf216c7df1a3bcb41ec8669e76
en-US
1.4.1.3

Local support in Thailand can not give me any clear answers, so here goes ...

I have a working Radius server on the network, and bought the SG200-26 as well as other SG200-08 switches to do

1) Vlan separation of the school network.
2) Do 802.1x authentication with radius as well as dynamic vlan assignment etc...

Now, the fun starts ....
Configured all stuff as it should be, and the sg200-26 does not send a single byte to the radius server, checked it with wireshark and tcpdump ....

No transmission of anything to radius .....

Mystical radius support indeed ......

Anyone care to give me some insights? It will be appreciated ...

Regards

Jean

2 Replies
Michal Bruncko
Enthusiast

Just a first shot: did you use the domain name of the RADIUS server(s) and just forget to configure DNS server IPs on the switch?

Secondly: an example configuration snippet could help the audience understand your setup and increase the chance of getting your issue solved.

Hi Michal,

Thanks for the reply :)  

We have decided to scrap the cisco switch and go with something else, but in answer to your questions

1) No, I have used the ip-address for the server.

2) Description of my setup ...

The SG200-26 is connected to a PFSense Firewall box with a trunk port to carry vlan traffic.
Freeradius is also running on this PFSense box.

Required functionality would be:

1) vlan separation of the school network. - Working OK
2) Radius authentication - 802.1x and/or plain MAC authentication of workstations connected to the physical network
3) dynamic Vlan assignment by Radius and switch

Radius config: radiusd.conf

/usr/local/etc/raddb/radiusd.conf

prefix = /usr/pbi/freeradius-i386
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
libdir = 
pidfile = ${run_dir}/radiusd.pid
db_dir = ${raddbdir}
name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius

###############################################################################
### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
### delete_blocked_requests = no                                            ###
### usercollide = no                                                        ###
### lower_user = no                                                         ###
### lower_pass = no                                                         ###
### nospace_user = no                                                       ###
### nospace_pass = no                                                       ###
###############################################################################

max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

listen {
    type = auth
    ipaddr = 192.168.17.1
    port = 1812
}
listen {
    type = auth
    ipaddr = 192.168.8.1
    port = 1812
}
listen {
    type = acct
    ipaddr = 192.168.17.1
    port = 1813
}
listen {
    type = acct
    ipaddr = 192.168.8.1
    port = 1813
}

log {
    destination = syslog
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = no
    auth_goodpass = no
    msg_goodpass = ""
    msg_badpass = ""
}

checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

### Disable the proxy module. In most environments we do not need to proxy requests to another RADIUS proxy server
#proxy_requests = yes
#$INCLUDE  proxy.conf
$INCLUDE  clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_queue_size = 65536
    max_requests_per_server = 0
}

modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    ### Dis-/Enable sql.conf INCLUDE
    #$INCLUDE sql.conf

    ### Dis-/Enable sql/mysql/counter.conf INCLUDE
    #$INCLUDE sql/mysql/counter.conf

    #$INCLUDE sqlippool.conf
}

instantiate {
    exec
    expr
    daily
    weekly
    monthly
    forever
    expiration
    logintime
    ### Dis-/Enable sql instantiate
    #sql
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
Users file

/usr/local/etc/raddb/users

"jean"  MD5-Password := "<secret>"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "1",
        cisco-avpair = "shell:priv-lvl=15"

"root"  MD5-Password := "<secret>"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "1",
        cisco-avpair = "shell:priv-lvl=15"
The config is standard and works with other devices.

I have been able to get the switch to authenticate by radius after a complete factory restore and reconfig.

802.1x and mac authentication still doesn't work. Can see eap packets being generated now, before there was none, but the switch never tries to communicate with radius to auth a port...

 

Will upload wireshark captures today :)
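To make the dynamic-VLAN side of this thread concrete, here is an added example (not from either poster, FreeRADIUS or Cisco) that builds the Access-Accept the users file above would send and checks it the way a switch must: the Response Authenticator against the shared secret first, then the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID trio. The shared secret, request authenticator and VLAN id used with it are constructed values; per RFC 2865 a reply whose authenticator does not verify is silently discarded, which looks on the wire exactly like a switch that never acts on RADIUS.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2                                   # RFC 2865 code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
VLAN, IEEE_802 = 13, 6                              # Tunnel-Type=VLAN, Medium=IEEE-802

def tlv(atype, body):
    """One RADIUS attribute: Type, Length (counts the 2 header bytes), Value."""
    return bytes([atype, 2 + len(body)]) + body

def build_access_accept(ident, request_auth, secret, vlan_id):
    """Access-Accept carrying the three reply attributes the users file sets."""
    attrs = (tlv(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))            # tag 0 + 3 bytes
             + tlv(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
             + tlv(TUNNEL_PRIVATE_GROUP_ID, vlan_id.encode()))            # zero tag omitted
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attrs(packet):
    """Walk the TLV list after the 20-byte header, rejecting lengths that overrun it."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def vlan_from_accept(packet, request_auth, secret):
    """VLAN the switch should apply, or None if the reply fails the secret check
    or lacks the dynamic-VLAN attribute trio."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # shared-secret mismatch: a real switch drops this silently
    found = {}
    for atype, val in parse_attrs(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(val[1:], "big")   # skip the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:      # tag present only if <= 0x1F
            found[atype] = (val[1:] if val[0] <= 0x1F else val).decode()
    if found.get(TUNNEL_TYPE) == VLAN and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None
```

Running it against a capture is a matter of feeding the UDP payload of the Access-Request (for its authenticator) and of the reply into vlan_from_accept with the secret configured on the switch; a None with a valid-looking packet points at the secret or at a missing Tunnel attribute rather than at the wire.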

 

 


 

 
