12-10-2014 10:32 AM
Hi,
I just can't get dynamic VLANs working. I've tried everything: switch in L3 mode, switch in L2, several port configs, several tunnel configs on the Radius server (freeradius 2.1.1).
Here's the final switch config:
config-file-header
switchf460dc
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
vlan database
vlan 12,100,110,666
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
no bonjour enable
hostname switchf460dc
line ssh
exec-timeout 0
exit
encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
logging host 1.2.3.4 severity debugging
passwords aging 0
ip ssh server
snmp-server server
snmp-server community public ro 192.168.99.93 view Default
clock timezone " " +1
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server 172.16.1.1
!
interface vlan 12
ip address 192.168.99.170 255.255.255.0
no ip address dhcp
!
interface gigabitethernet5
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 100,110,666 untagged
no macro auto smartport
!
interface gigabitethernet6
switchport mode access
switchport access vlan 110
!
interface gigabitethernet9
switchport mode access
switchport access vlan 12
!
interface gigabitethernet10
switchport trunk allowed vlan add 12,100,110
!
exit
ip default-gateway 192.168.99.1
On the switch side I would expect VLAN 666 to be set but it's not there:
switchf460dc#show dot1x users
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
-------- ---------------- ----------------- ------ ------ -------------- ----
gi5 0090dca15880 00:90:dc:a1:58:80 MAC Remote 01:09:25
This is the radius users file. It's a simple file for test.
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 666
I am attaching a screenshot of the Radius reply sent by the server.
I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
It may be that the tag is missing in the Radius reply? If yes, how do I add it?
Any ideas?
Thanks.
Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.
12-12-2014 08:21 AM
Hi,
First of all, it would be a good idea to upgrade the firmware to version 1.4.0.88 and ensure the boot code is 1.3.5.06.
DVA is not supported with multiple-sessions in Layer 3 (page 444): http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/Cisco_300Sx_v1_4_AG.pdf?mdfid=283019666
Regards,
Aleksandra
12-13-2014 04:58 AM
Hi,
As you can see from my update, I have tried FW 1.4, where dot1x/Radius doesn't seem to do anything at all.
Also from the config that I posted you can clearly see that the device is in L2 mode.
Best regards
12-13-2014 03:24 PM
I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
03-22-2015 05:33 AM
Hi again,
SR 633001533 has now been open for months.
No one seems to be interested in it.
Best regards,
Marki
04-13-2017 02:33 PM
To whoever will find this in the future, here is the solution:
For some reason, these devices only accept the VLAN (Tunnel-Private-Group-ID) returned by Radius if an EAP authentication takes place inside the Radius session.
This means there will NOT be the usual
1) Access-Request
2) Access-Accept (or Reject)
But:
1) Access-Request
2) Access-Challenge (EAP-MD5)
3) Access-Request
4) Access-Accept (or Reject)
Now if you have devices in your network that don't require the EAP part, as well as some that do (like these Cisco SGs or some Dell switches) then this is a Freeradius config that may work for you (YMMV).
This is part of the authorize{} section in the default server:
authorize {
    preprocess
    ...
    files
    if (ok) {   # "files" returns ok: the MAC address was found in the users file
        if (EAP-Message) {
            # EAP dialogue in progress: let the eap module authenticate against the
            # known password. No Auth-Type is set here; eap sets it itself.
            update control {
                Cleartext-Password := "%{User-Name}"   # the quotes are important
            }
            eap
        }
        else {
            # Plain MAC authentication with no EAP: accept outright
            update control {
                Auth-Type := Accept
            }
        }
        # Tunnel-Private-Group-ID comes from the users file; the other two are static
        update reply {
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
        }
    }
    ...
}
We get the Tunnel-Private-Group-ID from the file lookup ("files") and we set Tunnel-Type and Tunnel-Medium-Type statically.
The important part is where we check for the EAP-Message. For the EAP Challenge to work we need to set the password (internal to Radius) to the User-Name transmitted by the switch (in this case the MAC address). We also MUST NOT set an Auth-Type in this case. The eap module will handle that.
In case there is no EAP dialog happening we just set Auth-Type to Accept.
We have struggled hard to find this out and, to this day, there still has been no one who could explain why it has to work this way. Radius returns all necessary attributes for a MAC authentication; there is no need for an additional EAP dialogue in order for the VLAN id to be transmitted or accepted.
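As an added illustration (not code from this thread, from FreeRADIUS or from Cisco), the following Python encodes the three RFC 2868 tunnel attributes the way a RADIUS server emits them for `Tunnel-Type:0`, `Tunnel-Medium-Type:0` and a tagged `Tunnel-Private-Group-ID`, and decodes an Access-Accept attribute blob the way a strict switch would: it applies a VLAN only when all three attributes carry the same tag, which is the tag byte the first post asks about. Attribute numbers and enumerated values are taken from RFC 2868 and RFC 3580; the sample payloads are constructed here.

```python
# Added example: RFC 2868 tunnel attributes for dynamic VLAN assignment.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # RFC 3580: Tunnel-Type value "VLAN"
MEDIUM_IEEE_802 = 6       # RFC 2868: Tunnel-Medium-Type value "IEEE-802"

def avp(attr_type, value):
    """Wrap a value in a RADIUS type / length / value triple."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_avps(vlan_id, tag=0):
    """Build the three AVPs for a VLAN reply under one tag (0 = untagged).
    Tagged integers are tag(1 byte) + 3-byte big-endian value; the
    group-ID is tag + string (RFC 2868 sections 3.1, 3.2, 3.6)."""
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + avp(TUNNEL_MEDIUM_TYPE, t + struct.pack("!I", MEDIUM_IEEE_802)[1:])
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))

def parse_avps(blob):
    """Yield (type, value) pairs; refuse malformed lengths instead of guessing."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad AVP length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length

def assigned_vlan(blob):
    """Return the VLAN a strict switch would apply, or None. Attributes are
    grouped by tag so a Tunnel-Type under one tag is never paired with a
    Tunnel-Private-Group-ID under another."""
    groups = {}
    for attr_type, v in parse_avps(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            groups.setdefault(v[0], {})[attr_type] = int.from_bytes(v[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first byte above 0x1F is string data, not a tag
            tag, data = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[attr_type] = data.decode("ascii")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and g.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()
                and 1 <= int(g[TUNNEL_PRIVATE_GROUP_ID]) <= 4094):
            return int(g[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

Feeding `vlan_avps(666)` to `assigned_vlan` yields 666, while a reply whose Tunnel-Type carries tag 1 but whose group-ID carries tag 0 yields None, which is the mismatch a packet capture of the Access-Accept would reveal.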