
SG300-28 RADIUS accounting firmware 1.0.0.27 and 1.1.2.0

Nachtfalkeaw
Level 1

Hi,

I am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replies (Accounting on, accounting off, accounting start, accounting stop) when running RADIUS in debug mode. I also did a packet capture and there are no accounting packets.

So I updated the firmware image up to version 1.1.2.0.

When I now want to configure accounting in RADIUS settings then there isn't any option to set an accounting port.

I checked the data sheet of the switch and it says that accounting is supported:

===============================================

802.1X: RADIUS authentication and accounting, MD5 hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and single/multiple sessions

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html

===============================================

I did a second packet capture with the new firmware image and there are still no accounting packets.

The RADIUS server is configured correctly for accounting because when using another NAS like a WLAN-AP with DD-WRT accounting is working. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).

Thank you for your feedback!

Alexander Wilke

4 Replies

Nachtfalkeaw
Level 1

Hi,

I made some more tests with the switch and the different image versions. I did the following:

Image 1.0.0.27

[1.0.0.27.cap]: packet capture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12

[Image-version-1.0.0.27.jpg]: Screenshot of the active image

[radius-1.0.0.27.jpg]: screenshot of the GUI which shows authentication and accounting

Image 1.1.2.0

[1.1.2.0.cap]: packet capture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12

[Image-version-1.1.2.0.jpg]: Screenshot of the active image

[radius-1.1.2.0.jpg]: screenshot of the GUI which shows authentication without accounting

excerpt of radiusd.conf (interfaces):

listen {
        type = auth
        ipaddr = 192.168.0.22
        port = 1812
}

listen {
        type = acct
        ipaddr = 192.168.0.22
        port = 1813
}

clients.conf

client "CISCO" {
    ipaddr = 192.168.0.19
    proto = udp
    secret = pfsense
    require_message_authenticator = no
    max_connections = 16
    shortname = CISCO
    nastype = other
    #login = !root
    #password = someadminpas
    #virtual_server = home1
    #coa_server = coa
}

users file:

"myuser" Cleartext-Password := "mypass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = "10"

Could just upload 5 files. Here is the last one.
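
The check the captures above were used for, as an added example that is not part of the thread: it tallies RADIUS message types exchanged with the switch in a classic pcap, so a missing Accounting-Request stands out. The capture here is constructed inline with the addresses and ports from the post; `radius_summary`, `make_frame` and `make_pcap` are hypothetical helper names.

```python
import struct
from collections import Counter

# RADIUS codes (RFC 2865 / RFC 2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

def radius_summary(pcap, nas_ip, ports=(1812, 1813)):
    """Count RADIUS message types exchanged with nas_ip in a classic
    little-endian pcap of Ethernet II / IPv4 / UDP frames."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    counts, off = Counter(), 24                      # 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not IPv4 (ethertype 0x0800) carrying UDP (17)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        udp = frame[14 + (frame[14] & 0x0F) * 4:]    # honour the IP header length
        if len(udp) < 8 + 20 or nas_ip not in (src, dst):
            continue                                 # RADIUS header is 20 bytes
        sport, dport = struct.unpack_from("!HH", udp, 0)
        if sport in ports or dport in ports:
            code = udp[8]                            # first byte of RADIUS header
            counts[CODES.get(code, f"code-{code}")] += 1
    return counts

def make_frame(src, dst, sport, dport, code):
    """Build a constructed Ethernet/IPv4/UDP frame with a bare RADIUS header."""
    radius = struct.pack("!BBH", code, 1, 20) + bytes(16)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + udp

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

NAS, SERVER = "192.168.0.19", "192.168.0.22"         # addresses from the post
# Constructed capture: authentication exchange only, as the post reports
AUTH_ONLY = make_pcap([make_frame(NAS, SERVER, 49152, 1812, 1),
                       make_frame(SERVER, NAS, 1812, 49152, 2)])
```

`radius_summary(AUTH_ONLY, NAS)["Accounting-Request"]` is 0 for this constructed capture; a real file can be passed in with `open(path, "rb").read()` as long as it is a classic little-endian pcap rather than pcapng.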

I am curious to know if you ever received any answers to this enquiry. We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work at all. We already use RADIUS on our primary network CISCO switches (3560s and 3750s) and these work fine so we know the RADIUS server is working.

When trying to use RADIUS authentication to gain management access onto the switch, quite simply, although we can see that the RADIUS server is accepting the username and password being sent, the switch simply says “authentication failed” when it receives the response. We are using Microsoft NPS for authentication purposes.

Any advice you could offer would be gratefully received.

Mike Lewis

Hi Mike,

I didn't use/try authentication for management access. Just for client authentication. This is working with FreeRADIUS 2.1.12. Accounting isn't available till now. Development for accounting is in progress. No ETA but they told me I will receive feedback in early March on the accounting behaviour.

I opened a case (620518769) for that.

I am sorry that I cannot help you on your specific problem.

Alexander Wilke