02-10-2014 03:55 PM
I am running v1.3.5.58 on an SG300-20. I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy. It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication.
1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation. The packet identifier is always 0x00.
2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP). Instead, it is left blank.
Although freeradius is able to find a way around these problems, the NAC RADIUS proxy cannot. Have I done something in the config to cause this to happen (see below)? Is this a known bug? Does it have a workaround? Will our hero defeat the villain and save the day? ;-)
config-file-header
ausoff-sw-test1
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
spanning-tree priority 40960
port jumbo-frame
vlan database
vlan 2-3,12,14,16,99,600,1000,1010
exit
voice vlan id 1010
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
dot1x traps authentication failure 802.1x
dot1x traps authentication success 802.1x
hostname ausoff-sw-test1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
radius-server host 172.18.58.58 usage dot1.x
radius-server timeout 10
logging host 172.18.58.50
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted
username nac password encrypted *** privilege 15
username admin password encrypted *** privilege 15
username cisco password encrypted *** privilege 15
username readonly password encrypted ***
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308cc68423f4d
snmp-server location "***"
snmp-server contact "***"
snmp-server community *** rw 172.18.58.58 view DefaultSuper
snmp-server community *** rw 172.18.14.105 view DefaultSuper
snmp-server host 172.18.58.58 traps version 2c nac
snmp-server host 172.18.58.58 version 3 auth nac
snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
encrypted snmp-server user nac nac v3 auth sha ***
encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
ip http timeout-policy 1800
clock timezone " " -6
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 0.pool.ntp.org poll
sntp server 1.pool.ntp.org poll
ip domain name blah.net
ip name-server 172.18.19.232
ip domain timeout 2
ip domain retry 1
ip telnet server
!
interface vlan 2
name NACRegistration
!
interface vlan 3
name NACIsolation
!
interface vlan 12
name Users
!
interface vlan 14
name Dev
!
interface vlan 16
name LAN
!
interface vlan 99
name Mgmt
ip address 172.18.58.61 255.255.255.128
!
interface vlan 600
name "Core Test"
dot1x guest-vlan
!
interface vlan 1000
name Guest
!
interface vlan 1010
name Voice
!
interface gigabitethernet1
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet2
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet3
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet4
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet5
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet6
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet7
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet8
dot1x host-mode multi-sessions
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 600
!
interface gigabitethernet9
dot1x host-mode single-host
dot1x violation-mode protect trap 10
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet10
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet11
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet12
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet13
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet14
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet15
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet16
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet17
dot1x host-mode multi-sessions
no snmp trap link-status
port monitor GigabitEthernet 20
spanning-tree disable
spanning-tree bpduguard enable
switchport mode general
switchport general acceptable-frame-type untagged-only
switchport forbidden default-vlan
!
interface gigabitethernet18
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree disable
spanning-tree bpduguard enable
switchport mode access
!
interface gigabitethernet19
switchport trunk native vlan 600
!
interface gigabitethernet20
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
exit
ip default-gateway 172.18.58.1
02-11-2014 04:02 PM
Hi Dale, I haven't visited this question in a very long time. But if I recall correctly, the switch used to not support call station id. If it does support it (presently) then you'd need to do a packet capture to confirm what the switch is sending so the RADIUS proxy will match it. So if the id is using all CAP then the RADIUS Proxy must also use all CAP. The syntax must be 100% the same.
-Tom
Please mark answered for helpful posts
02-12-2014 11:57 AM
Thank you for your response, Tom. I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets from the SG300. There is not an issue with capitalization; the value is simply not provided at all. Here is an example of a tcpdump decode of such a packet. Please note the missing attribute:
15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
0x0000: ac12 3a3d
NAS Port Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
NAS Port Attribute (5), length: 6, Value: 57
0x0000: 0000 0039
Username Attribute (1), length: 12, Value: SSO\dalewl
0x0000: 5353 4f5c 6461 6c65 776c
Accounting Session ID Attribute (44), length: 10, Value: 050000DF
0x0000: 3035 3030 3030 4446
Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
0x0000: 4530 2d44 422d 3535 2d42 332d 3144 2d35
0x0010: 43
EAP Message Attribute (79), length: 17, Value: ..
0x0000: 0201 000f 0153 534f 5c64 616c 6577 6c
Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
0x0000: bed3 b19e c70f 52e0 ec31 afcb d545 55ad
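As an added illustration (not part of the thread, and not code from Cisco or the NAC vendor), the Python below re-assembles the Access-Request from the tcpdump hex above and flags the two behaviours Dale describes: no Called-Station-Id (attribute 30) and an Identifier that stays the same across distinct requests. The second packet fed to the audit is constructed by swapping in a different Authenticator; the attribute numbers are the RFC 2865/2869 values.

```python
import struct

# RADIUS attribute types relevant to this thread (RFC 2865/2869 numbers).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 44: "Acct-Session-Id", 61: "NAS-Port-Type",
              79: "EAP-Message", 80: "Message-Authenticator"}

# Constructed sample: the Access-Request from the tcpdump decode above, re-assembled byte for byte.
ACCESS_REQUEST = bytes.fromhex(
    "01000072" "390000003f2000009e3f0000eb670000"    # code 1, id 0x00, length 114, Authenticator
    "0406ac123a3d" "3d060000000f" "050600000039"      # NAS-IP-Address, NAS-Port-Type, NAS-Port
    "010c53534f5c64616c65776c" "2c0a3035303030304446"  # User-Name, Acct-Session-Id
    "1f1345302d44422d35352d42332d31442d3543"           # Calling-Station-Id
    "4f110201000f0153534f5c64616c65776c"               # EAP-Message (EAP Response/Identity)
    "5012bed3b19ec70f52e0ec31afcbd54555ad"             # Message-Authenticator
)

def parse_radius(pkt):
    """Decode the RADIUS header and walk the attribute TLVs, rejecting malformed lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def audit_nas(packets):
    """Flag the two NAS behaviours from the thread across a sequence of Access-Requests."""
    findings, last = [], None
    for n, pkt in enumerate(packets):
        r = parse_radius(pkt)
        if r["code"] != 1:          # only Access-Request is of interest here
            continue
        present = {t for t, _ in r["attrs"]}
        if 30 not in present:
            findings.append((n, "missing Called-Station-Id"))
        # RFC 2865 requires a new Identifier when the attribute content changes; a new request
        # (different Authenticator) with the old Identifier looks like a retransmission to a proxy.
        if last and last["id"] == r["id"] and last["authenticator"] != r["authenticator"]:
            findings.append((n, "Identifier 0x%02x reused for a new request" % r["id"]))
        last = r
    return findings
```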