sg300 MAC-Based 802.1x authentification aka. mab (mac-auth-bypass)

jan.zacharias
Level 1

Hi,

The 300 series administration guide states on page 287:

The authentication methods can be:

* 802.1x

   [...]

* MAC-based—The switch can be configured to use this mode to authenticate and authorized devices that do not support 802.1x. The switch emulates the supplicant role on behalf of the non 802.1x capable devices, and uses the MAC address of the devices as the username and password when communicating with the RADIUS servers. MAC addresses for username and password must be entered in lower case and with no delimiting characters (for example: aaccbb55ccff).

So this is just what we know as mac auth bypass in IOS terms.

However, the implementation is not quite the same.

Here is a MAB request from an IOS device as seen by freeradius:

rad_recv: Access-Request packet from host 192.168.0.1 port 1645, id=35, length=160
        User-Name = "001c25a2104c"
        User-Password = "001c25a2104c"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "8C-B6-4F-1A-C4-05"
        Calling-Station-Id = "00-1C-25-A2-10-4C"
        Message-Authenticator = 0x81a4802ccb11e5da3d1f0b78c1c04db1
        NAS-Port-Type = Ethernet
        NAS-Port = 50005
        NAS-Port-Id = "GigabitEthernet0/5"
        NAS-IP-Address = 192.168.0.1

And now the same request with a sg300-10 device (latest firmware):

rad_recv: Access-Request packet from host 192.168.0.2 port 49181, id=0, length=108
        NAS-IP-Address = 192.168.0.2
        NAS-Port-Type = Ethernet
        NAS-Port = 56
        User-Name = "001c25a2104c"
        Calling-Station-Id = "00-1C-25-A2-10-4C"
        EAP-Message = 0x0200001101303031633235613231303363
        Message-Authenticator = 0x7e5e378a5324111080b1c0ff7d6a9add


The device does not send User-Password = mac-address. Why? It says so in the admin guide (see quote above)?


jan.zacharias
Level 1

Dear Cisco,

I figured out on my own that the password is transmitted as an MD5 hash when doing the EAP challenge/response stuff.

That makes no sense, as MAB is insecure by design, so I just compare User-Name and Calling-Station-Id and send

Sending Access-Accept of id 0 to 192.168.0.2 port 49181
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "9"

via freeradius. However, the switch logs:

22-Nov-2011 20:42:16 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:1c:25:a2:10:4c was rejected on port gi7 because Radius accept message does not contain VLAN ID

What the heII?!

Note: it works perfectly well when processing normal 802.1x requests.

I can only imagine that the switch wants the answer in a nice eap envelope.

However, before I waste more time on this I want a clear statement from the cisco guys.

A bonus would be if you could give an example of how MAB is meant to work on sg300 devices with freeradius. And I do not mean the easy way via the users file ...

Thanks!

Hi Jan,

Here is my MAC based authentication configuration below for interface Gigabit 1; give it a try and see how it goes. I was waiting for someone else to answer your query for the following reason.

I am using an NSS324 NAS unit with the Radius server add-on module for Radius authentication, which will not authenticate the incoming MAC based requests, so I will always fail any MAC based requests coming in, as you can see from my radius log that follows:

2011-11-25 17:07:09  000e7f74bd48  192.168.10.22  ---RADIUS---  Auth Fail
2011-11-25 17:06:09  000e7f74bd48  192.168.10.22  ---RADIUS---  Auth Fail

(My NAS supports PAP, EAP-TLS/PAP, and EAP-TTLS/PAP authentication schemes for system user accounts.)

However, the switch is configured to push the unauthorized MAC address client into vlan100.

So this is what I did to validate that MAC based authentication was progressing, by checking the:

  • IP network the PC eventually was dumped into: the PC was allocated an IP address in VLAN100.
  • Radius exchange between server and switch, seen and captured via Wireshark.
  • switch VLAN configuration, as seen below, to see which VLAN the port was placed in.

As you can see from the screen captures below, the switch added Gi1 to vlan100 as a result of the failed authentication attempt. That's what I expected.

switch0fdcfd#show vlan

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
1           1                gi2-10,Po1-8           Default      Required
100         100                 gi1,gi10            permanent       Guest

switch0fdcfd#sh system

System Description:                       10-port Gigabit PoE Managed Switch
System Up Time (days,hour:min:sec):       00,02:32:55
System Contact:
System Name:                              switch0fdcfd
System Location:
System MAC Address:                       68:bd:ab:0f:dc:fd
System Object ID:                         1.3.6.1.4.1.9.6.1.83.10.2

switch0fdcfd#show version

SW version    1.1.1.8 ( date  30-Aug-2011 time  10:46:34 )
Boot version    1.0.0.4 ( date  08-Apr-2010 time  16:37:57 )
HW version    V30

switch0fdcfd#show run

interface  gi10
spanning-tree link-type point-to-point
exit

interface  gi1
dot1x host-mode multi-sessions
exit

vlan database
vlan 100
exit

interface vlan 100
dot1x guest-vlan
exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________

dot1x system-auth-control
interface  gi1
dot1x reauthentication
exit
interface  gi1
dot1x mac-authentication mac-only
exit
interface gi1
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit

interface vlan 1
ip address 192.168.10.22 255.255.255.0
exit
ip default-gateway 192.168.10.1
interface vlan 1
no ip address dhcp
exit
hostname switch0fdcfd

radius-server host 192.168.10.61 key 123456789 priority 2
radius-server key 123456789

aaa authentication dot1x default radius

no snmp-server server
ip domain name fred.com
ip name-server  209.18.47.61 209.18.47.62
ip telnet server
interface gigabitethernet10
macro description "switch | no_switch | switch"
exit
interface gigabitethernet10
!next command is internal.
macro auto smartport dynamic_type switch
switchport trunk allowed vlan add 100
exit
switch0fdcfd#


If set up correctly, MAC based authentication works, so I have been told many times.

This obviously necessitates setting up the AAA server correctly, which I could not do.

If you wish to progress your query further, please open a case with your distribution partner or  the good folk at the Small Business Support Center (SBSC).

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

regards Dave


Thanks David,

David Hornstein wrote:

If set up correctly, MAC based authentication works, so I have been told many times.

This obviously necessitates setting up the AAA server correctly, which I could not do.

Please understand that this is not what I expected as a qualified solution.

Hi,

Sorry, I responded to your query because no one did, but if you question whether the switch MAC based authentication works, then open a case with the good folk at SBSC and work with them to resolve your query.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

Sorry, I gave the application a try; I just do not have a full Radius server in my lab. :-(

regards Dave. 

Hey, no problem, I really appreciate your answer. I'm now chatting with Borislav Atanassov; however, he just told me that my serial number is not under warranty. Very strange, as the device specs say lifetime warranty...

Greetings Mr. Zacharias,

Today Boby and I configured this in our lab, and these are our findings.

We have a PC connected to port Gi1 without any 1x configuration,

with the following switch config:

switch3ba5e1#show run

vlan database
vlan 100
exit

interface vlan 100
dot1x guest-vlan
exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________

dot1x system-auth-control
interface  gi1
dot1x reauthentication
exit
interface  gi1
dot1x mac-authentication mac-only
exit
interface gi1
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit

interface vlan 1
ip address 192.168.1.254 255.255.255.0
exit
interface vlan 1
no ip address dhcp
exit
hostname switch3ba5e1

radius-server host 192.168.1.222 priority 1
radius-server key testing123

aaa authentication dot1x default radius

no snmp-server server

The only difference between Mr. Hornstein's setup and ours is that he is running 1.1.1.8 and we are running 1.1.2.0,

and we see the following on FreeRadius when the PC connects to port gi1:

og expands to ../var/log/radius/radacct/192.168.1.254/reply-detail-20111202.log
  modcall[post-auth]: module "reply_log" returns ok for request 1
modcall: leaving group post-auth (returns ok) for request 1
Sending Access-Accept of id 0 to 192.168.1.254 port 49181
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        Reply-Message = "Hello, c42c030e3ec7"
        EAP-Message = 0x03010004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "c42c030e3ec7"
Finished request 1
Going to the next request
Waking up in 6 seconds...

This is on the switch side.

This is our users.conf on the FreeRadius:

#################################################################################
c42c030e3ec7 User-Password == "c42c030e3ec7"
         Tunnel-Type:0 = "VLAN",
         Tunnel-Medium-Type:0 = "IEEE-802",
         Tunnel-Private-Group-Id:0 = "1",
         Reply-Message = "Hello, %u"

Kindly share with us your radius configuration, what firmware version you are running, a diagram of your topology, and your switch configs.

Thank you

Victor Cappuccio

Cisco Small Business Support

www.cisco.com/go/smallbizhelp

Hi Jan,

For me the Mac-Auth is working on SG300 firmware image 1.1.2.0.

When enabling this on the switch, the switch sends the MAC as "username" and as "password" in this format: "001122aabbcc". So for freeradius it is seen as a real 802.1X authentication type.

The Cisco isn't able to send just the Calling-Station-Id (MAC) to freeradius as described here:

http://wiki.freeradius.org/Mac-Auth#Plain+Mac-Auth

My users file looks like this:

===========
"000039e296ea" Cleartext-Password := "000039e296ea"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = "10"
===========

Alexander Wilke

Hi Alexander,

Could you solve this problem, or do you still have trouble with MAC based authentication and VLAN assignment? I have a working MAC-only based authentication here, so I can send you the running configuration, and also the freeradius configuration for that.

Best regards,

Geza

Hi Geza,

I did not have any problems with that. I just want to say that it is working in my configuration. :-)

Not sure if the thread starter "jan.zacharias@dfki.de" could solve the problem.

Alexander

Hi Alexander and Jan,

I am sorry, I did not check that. But if Jan needs help with this, then of course my offer is valid for him too...

Best regards,

Geza

I'm currently in contact with Cisco because of exactly this issue.

Did someone make progress beyond what was reported here?

Lannar Dean
Level 1

Sorry to revive a dead thread, but I am running into this same issue. It seems there is no way to configure this switch to perform only MAC-based authentication. I was not able to find any way to change the behavior from sending the EAP messages to just sending the MAC as username and password.

I am using freeradius, but as an implementation in another device that doesn't really allow me to change its configuration much. It expects fields 1 and 2 to be the MAC address for the username and password, and the result is that it states the EAP type doesn't match.

Login incorrect: [f0def1fb5f1d] (from client 192.168.5.100/32 port 1 cli F0-DE-F1-FB-5F-1D)
[eap] Response appears to match, but EAP type is wrong.
# Executing group from file /usr/local/etc/raddb/radiusd.conf
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = MD5-Challenge
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair NAS-IP-Address = 192.168.5.100
rlm_perl: Added pair EAP-Message = 0x0201002204103c7ae7659aae20833d873898e4dd1906663064656631666235663164
rlm_perl: Added pair User-Name = f0def1fb5f1d
rlm_perl: Added pair Message-Authenticator = 0x36bcd0966db5687cb7b20046dd9fcaf8
rlm_perl: Added pair State = 0x8e4e0f878e4f16419e6e1a8485d4a92d
rlm_perl: Added pair Calling-Station-Id = F0-DE-F1-FB-5F-1D
rlm_perl: Added pair NAS-Port-Type = Ethernet
2013/04/26 17:49:30 freeradius_hook[4627] INFO> main::authorize - performing authorize
[<thread>] # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf

Did anyone else have any luck? The Cisco Small Business team couldn't find a resolution either and just said it can't be done.
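The sg300 behaviour this thread keeps running into (the MAC carried in an EAP Identity followed by an EAP-MD5 challenge/response, instead of an IOS-style User-Password), as an added example that is not from the original posts or from Cisco or FreeRADIUS: it decodes the two EAP-Message attributes quoted above, shows why a server can only check the EAP-MD5 response when it holds the cleartext MAC as the password (hence Cleartext-Password := <mac> in Alexander's users file, and why a PAP-only backend like Lannar's fails), and classifies a request as IOS-style or sg300-style MAB. The two attribute dicts and the challenge bytes are constructed sample input.

```python
import hashlib
import hmac
import struct

EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4   # EAP types seen in the dumps above

# Constructed sample: the two Access-Requests quoted in the first post, as attribute dicts.
IOS_REQUEST = {"User-Name": "001c25a2104c", "User-Password": "001c25a2104c",
               "Calling-Station-Id": "00-1C-25-A2-10-4C"}
SG300_REQUEST = {"User-Name": "001c25a2104c", "Calling-Station-Id": "00-1C-25-A2-10-4C",
                 "EAP-Message": "0x0200001101303031633235613231303363"}

def parse_eap(hex_message):
    """Decode one EAP packet as FreeRADIUS prints it (EAP-Message = 0x...)."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 5:
        raise ValueError("EAP length field does not match packet size")
    pkt = {"code": code, "id": ident, "length": length, "type": raw[4]}
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = raw[5:].decode("ascii")       # sg300 puts the MAC here
    elif pkt["type"] == EAP_TYPE_MD5_CHALLENGE:
        size = raw[5]
        pkt["value"] = raw[6:6 + size]                  # 16-byte MD5 digest
        pkt["name"] = raw[6 + size:].decode("ascii")    # the MAC again, as the name
    return pkt

def eap_md5_response(ident, password, challenge):
    """Supplicant side of EAP-MD5 (CHAP style): MD5(id || secret || challenge).
    The sg300 plays supplicant and uses the MAC string as the secret."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_eap_md5(ident, password, challenge, value):
    """Server side: needs the cleartext secret (the MAC), which is why the users
    file entry must be Cleartext-Password := <mac>, not a PAP password check."""
    return hmac.compare_digest(eap_md5_response(ident, password, challenge), value)

def classify_request(attrs):
    """'pap-mab' = IOS style (User-Password carries the MAC); 'eap-mab' = sg300 style
    (EAP Identity carries it, no User-Password); else the reason it is neither."""
    mac = attrs.get("Calling-Station-Id", "").replace("-", "").replace(":", "").lower()
    if attrs.get("User-Name") != mac:
        return "username-mismatch"
    if attrs.get("User-Password") == mac:
        return "pap-mab"
    eap = attrs.get("EAP-Message")
    if eap and parse_eap(eap)["type"] == EAP_TYPE_IDENTITY:
        return "eap-mab"
    return "other"
```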

Hi Lannar,

You are actually the first person who understands the problem...

I think this will not be fixed, as the Linksys stuff is not maintained by Cisco anymore.

Best luck patching your freeradius daemon.

It was my understanding that these small business switches are separate from the Linksys product line, and as such are going to continue to be developed/supported... hopefully anyway. It's a relatively good product at a good price point, and I'd love to continue using them for our clients. The lack of full-blown IOS is frustrating, however. The relevant command in a normal Cisco device (mab) simply doesn't exist in this switch.

I spoke with the developer of my freeradius implementation, and it will cost me 5 days of R+D at $2000/day. Guess it's time for me to move to a different switch.