
3750x using MAB and FreeRadius - Authorization failure

pjjoh1001
Level 1

Hi All,

I am trying to get a 3750X to authenticate using MAB and to assign a VLAN to the port. I can see that I get proper authentication, but authorization always fails even though I can see the appropriate attributes coming from the RADIUS (FreeRADIUS) server.

Mar 31 22:40:13.960: %AUTHMGR-5-START: Starting 'mab' for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF

Mar 31 22:40:13.977: %MAB-5-SUCCESS: Authentication successful for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF

Mar 31 22:40:13.994: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF

Mar 31 22:40:14.002: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015009B394AF

Configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

ip radius source-interface Vlan100
radius-server host 10.10.10.235 auth-port 1812 acct-port 1813
radius-server key 7 1511021F0725

interface GigabitEthernet2/0/27
 switchport access vlan 110
 switchport mode access
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 no macro auto processing
 spanning-tree portfast
 spanning-tree bpduguard enable
end

FreeRADIUS User:

406c8f1e360f Cleartext-Password := "406c8f1e360f"
        Service-Type = "Framed-User",
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID:1 = 100

I have also enabled use_tunneled_reply = yes in the eap.conf file.

RADIUS Debug on C3750x

Mar 31 22:44:29.066: %AUTHMGR-5-START: Starting 'mab' for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931

Mar 31 22:44:29.075: RADIUS/ENCODE(00000000):Orig. component type = Invalid

Mar 31 22:44:29.075: RADIUS(00000000): Config NAS IP: 10.10.10.39

Mar 31 22:44:29.075: RADIUS(00000000): sending

Mar 31 22:44:29.075: RADIUS(00000000): Send Access-Request to 10.10.10.235:1812 id 1645/230, len 261

Mar 31 22:44:29.083: RADIUS:  authenticator 99 83 11 D2 70 11 43 49 - CB 55 F2 39 D9 84 8B C0

Mar 31 22:44:29.083: RADIUS:  User-Name           [1]   14  "406c8f1e360f"

Mar 31 22:44:29.083: RADIUS:  User-Password       [2]   18  *

Mar 31 22:44:29.083: RADIUS:  Service-Type        [6]   6   Call Check                [10]

Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  31

Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"

Mar 31 22:44:29.083: RADIUS:  Framed-MTU          [12]  6   1500

Mar 31 22:44:29.083: RADIUS:  Called-Station-Id   [30]  19  "28-94-0F-D2-9D-9B"

Mar 31 22:44:29.083: RADIUS:  Calling-Station-Id  [31]  19  "40-6C-8F-1E-36-0F"

Mar 31 22:44:29.083: RADIUS:  Message-Authenticato[80]  18

Mar 31 22:44:29.083: RADIUS:   AD 78 33 C9 12 3C A0 89 E9 74 66 E1 88 22 A1 E5            [ x3<tf"]

Mar 31 22:44:29.083: RADIUS:  EAP-Key-Name        [102] 2   *

Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  49

Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A0A0A270000015109B77931"

Mar 31 22:44:29.083: RADIUS:  Vendor, Cisco       [26]  18

Mar 31 22:44:29.083: RADIUS:   Cisco AVpair       [1]   12  "method=mab"

Mar 31 22:44:29.083: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.39

Mar 31 22:44:29.083: RADIUS:  NAS-Port            [5]   6   60000

Mar 31 22:44:29.083: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet2/0/27"

Mar 31 22:44:29.083: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]

Mar 31 22:44:29.083: RADIUS(00000000): Sending a IPv4 Radius Packet

Mar 31 22:44:29.083: RADIUS(00000000): Started 5 sec timeout

Mar 31 22:44:29.100: RADIUS: Received from id 1645/230 10.10.10.235:1812, Access-Accept, len 44

Mar 31 22:44:29.100: RADIUS:  authenticator 69 67 B4 07 EF D8 73 EE - EA 23 A9 BA 92 5C A5 DE

Mar 31 22:44:29.100: RADIUS:  Service-Type        [6]   6   Framed                    [2]

Mar 31 22:44:29.100: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]

Mar 31 22:44:29.100: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]

Mar 31 22:44:29.100: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"

Mar 31 22:44:29.100: RADIUS(00000000): Received from id 1645/230

Mar 31 22:44:29.108: %MAB-5-SUCCESS: Authentication successful for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931

Mar 31 22:44:29.117: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931

Mar 31 22:44:29.117: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (406c.8f1e.360f) on Interface Gi2/0/27 AuditSessionID 0A0A0A270000015109B77931

Mar 31 22:44:29.469: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/27, changed state to up

Mar 31 22:44:30.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/27, changed state to up


Any ideas on where this might be failing?
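
Added example, not part of the original post: a Python check that parses the Access-Accept lines of the RADIUS debug output above and verifies the RFC 3580 VLAN-assignment attributes (Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID present) and that all three carry the same RFC 2868 tag. The function names are hypothetical, and the post does not establish whether the tag difference this reports is the cause of the authorization failure.

```python
import re

# Access-Accept attribute lines copied from the debug output in the post above.
SAMPLE = '''\
Mar 31 22:44:29.100: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
Mar 31 22:44:29.100: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
'''

# attribute number -> (name, required numeric value or None), per RFC 3580
REQUIRED = {64: ("Tunnel-Type", 13), 65: ("Tunnel-Medium-Type", 6),
            81: ("Tunnel-Private-Group-ID", None)}

# "RADIUS:  <name>[<number>]  <len>  <tag>:<value>" as printed by the switch
LINE = re.compile(r'RADIUS:\s+\S+\s*\[(\d+)\]\s+\d+\s+([0-9A-Fa-f]{2}):(.*)$')

def parse_tunnel_attrs(text):
    """Return {attr_number: (tag, value)} for the tagged tunnel attributes."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or int(m.group(1)) not in REQUIRED:
            continue
        num, tag, rest = int(m.group(1)), int(m.group(2), 16), m.group(3).strip()
        enum = re.search(r'\[(\d+)\]\s*$', rest)   # trailing "[13]" numeric value
        attrs[num] = (tag, int(enum.group(1)) if enum else rest.strip('"'))
    return attrs

def check_vlan_assignment(text):
    """Return a list of findings; an empty list means the set is consistent."""
    attrs, findings = parse_tunnel_attrs(text), []
    for num, (name, want) in REQUIRED.items():
        if num not in attrs:
            findings.append(f"missing {name}")
        elif want is not None and attrs[num][1] != want:
            findings.append(f"{name} is {attrs[num][1]}, expected {want}")
    tags = {REQUIRED[n][0]: t for n, (t, _) in attrs.items()}
    if len(set(tags.values())) > 1:               # RFC 2868 tags group one tunnel
        findings.append(f"tag mismatch: {tags}")
    return findings

if __name__ == "__main__":
    for finding in check_vlan_assignment(SAMPLE) or ["attribute set is consistent"]:
        print(finding)
```

The check covers only the reply attributes; it does not look at the switch side, such as whether the returned VLAN exists there.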
