Hi Michal,
Thanks for the reply :)
We have decided to scrap the cisco switch and go with something else, but in answer to your questions
1) No, I have used the ip-address for the server.
2) Description of my setup ...
The SG200-26 is connected to a PFSense Firewall box with a trunk port to carry vlan traffic.
Freeradius is also running on this PFSense Box.
Required functionality would be
1) vlan separation of the school network. - Working OK
2) Radius Authentication - 802.1x and or Plain MAC-Authentication of workstations connected to the physical network
3. dynamic Vlan assignment by Radius and switch
Radius Config : radiusd.conf
/usr/local/etc/raddb/radiusd.conf
prefix = /usr/pbi/freeradius-i386
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
libdir =
pidfile = ${run_dir}/radiusd.pid
db_dir = ${raddbdir}
name = radiusd
#chroot = /path/to/chroot/directory
#user = freeradius
#group = freeradius
###############################################################################
### Is not present in freeradius 2.x radiusd.conf anymore but it was in 1.x ###
### delete_blocked_requests = no ###
### usercollide = no ###
### lower_user = no ###
### lower_pass = no ###
### nospace_user = no ###
### nospace_pass = no ###
###############################################################################
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
listen {
type = auth
ipaddr = 192.168.17.1
port = 1812
}
listen {
type = auth
ipaddr = 192.168.8.1
port = 1812
}
listen {
type = acct
ipaddr = 192.168.17.1
port = 1813
}
listen {
type = acct
ipaddr = 192.168.8.1
port = 1813
}
log {
destination = syslog
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
msg_goodpass = ""
msg_badpass = ""
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
#proxy_requests = yes
#$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_queue_size = 65536
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
### Dis-/Enable sql.conf INCLUDE
#$INCLUDE sql.conf
### Dis-/Enable sql/mysql/counter.conf INCLUDE
#$INCLUDE sql/mysql/counter.conf
#$INCLUDE sqlippool.conf
}
instantiate {
exec
expr
daily
weekly
monthly
forever
expiration
logintime
### Dis-/Enable sql instatiate
#sql
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
users file
/usr/local/etc/raddb/users
"jean" MD5-Password := "<secret>"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "1",
cisco-avpair = "shell:priv-lvl=15"
"root" MD5-Password := "<secret>"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "1",
cisco-avpair = "shell:priv-lvl=15"
The config is standard and works with other devices.
I have been able to get the switch to authenticate by radius after a complete factory restore and reconfig.
802.1x and mac authentication still doesnt work. Can see eap packets being generated now, before there was none, but the switch never tries to communicate with radius to auth a port...
Will upload wireshark captures today :)
