Problems with freeradius 802.1x and Cisco Catalyst 3560
Omar Lopez Limonta
2008-04-24 10:48:19 UTC
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.

freeradius -X -A tells me:

Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
My clients.conf file has this:

172.29.11.1 {
secret = mecago
shortname = cisco3560
nastype = other
}

I also tested with nastype = cisco, and it doesn't work either.

In my Cisco config I have this:
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default local
aaa session-id common

radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
radius-server key mecago

interface FastEthernet0/5
switchport access vlan 2
switchport mode access
dot1x port-control auto
dot1x pae authenticator
spanning-tree portfast


Anyone have any idea about this error?

Thanks.
--
Xgalaga is more enjoyable on NetBSD sparc64

A***@lboro.ac.uk
2008-04-24 11:11:53 UTC
Hi,
Post by Omar Lopez Limonta
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.
Ignoring request from unknown client 172.29.11.1:21645
So it doesn't know about the client, but there is an entry in the clients.conf
file. Did you restart the freeradius process after adding that client?
You've not sent the full output of radiusd -X either... could you post
it? Otherwise I have to ask questions like: is clients.conf
being referred to in your radiusd.conf file? Are the permissions
on clients.conf correct? Are you really using clients.conf, or is
your system using a NAS list in SQL?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Omar Lopez Limonta
2008-04-24 11:28:08 UTC
Post by A***@lboro.ac.uk
Post by Omar Lopez Limonta
Ignoring request from unknown client 172.29.11.1:21645
So it doesn't know about the client, but there is an entry in the clients.conf
file. Did you restart the freeradius process after adding that client?
Yes, I have restarted the service when I change my clients.conf.
Post by A***@lboro.ac.uk
You've not sent the full output of radiusd -X either... could you post
it? Otherwise I have to ask questions like: is clients.conf
being referred to in your radiusd.conf file? Are the permissions
on clients.conf correct? Are you really using clients.conf, or is
In radiusd.conf:
$INCLUDE ${confdir}/clients.conf
Post by A***@lboro.ac.uk
your system using a NAS list in SQL?
I'm using a file with users, I'm not using SQL.

Here is my full freeradius -X -A output:

***@zodiac:/etc/freeradius# freeradius -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
A***@lboro.ac.uk
2008-04-24 11:55:05 UTC
Hi,
Post by Omar Lopez Limonta
Yes, I have restarted the service when I change my clients.conf.
Which clients.conf did you edit? /etc/freeradius/clients.conf?

alan
Omar Lopez Limonta
2008-04-24 12:02:40 UTC
Post by A***@lboro.ac.uk
Hi,
Post by Omar Lopez Limonta
Yes, I have restarted the service when I change my clients.conf.
Which clients.conf did you edit? /etc/freeradius/clients.conf?
Yes, and I put in radiusd.conf:

$INCLUDE /etc/freeradius/clients.conf

To force it to read this file...
Ivan Kalik
2008-04-24 12:43:26 UTC
You have multiple freeradius installations. The radiusd.conf you are editing is
not the one the installation you are running is using. You most likely have
one lot in /usr/local/etc/raddb/ and one somewhere else. You also have
two radiusd instances in sbin and its subfolders. Find out which one
you need to run in order to use the configuration files you are editing.

Ivan Kalik
Kalik Informatika ISP
Post by Omar Lopez Limonta
Post by A***@lboro.ac.uk
Hi,
Post by Omar Lopez Limonta
Yes, I have restarted the service when I change my clients.conf.
which clients.conf did you edit? /etc/freeradius/clients.conf ?
$INCLUDE /etc/freeradius/clients.conf
To force it to get this file ...
Omar Lopez Limonta
2008-04-24 14:21:25 UTC
Post by Ivan Kalik
You have multiple freeradius installations. The radiusd.conf you are editing is
not the one the installation you are running is using. You most likely have
one lot in /usr/local/etc/raddb/ and one somewhere else. You also have
two radiusd instances in sbin and its subfolders. Find out which one
you need to run in order to use the configuration files you are editing.
Ivan Kalik
Kalik Informatika ISP
I only have one installation and one clients.conf:

***@zodiac:/etc/freeradius# find / -iname "radiusd.conf"
/etc/freeradius/radiusd.conf
***@zodiac:/etc/freeradius#

Also, I installed freeradius on two different servers and I get the same
error, one with Ubuntu and the other with Debian.

Can I force which config file freeradius uses on the command line?

Thanks.
A***@lboro.ac.uk
2008-04-24 14:35:28 UTC
ls -la /etc/freeradius

alan
Omar Lopez Limonta
2008-04-24 14:50:37 UTC
Post by A***@lboro.ac.uk
ls -la /etc/freeradius
alan
On clients.conf I put 744 permissions.

***@zodiac:/etc/freeradius# ls -la
total 236
drwxr-s--- 3 root freerad 4096 Apr 24 16:38 .
drwxr-xr-x 86 root root 4096 Apr 24 12:10 ..
-rw-r----- 1 root freerad 422 Aug 6 2006 acct_users
-rw-r----- 1 root freerad 3454 Aug 6 2006 attrs
drwxr-s--- 3 root freerad 4096 Apr 24 11:08 certs
-rwxr--r-- 1 root freerad 3015 Apr 24 16:38 clients.conf
-rw-r----- 1 root freerad 929 Aug 6 2006 dictionary
-rw-r----- 1 root freerad 9080 Aug 6 2006 eap.conf
-rw-r----- 1 root freerad 8266 Aug 6 2006 experimental.conf
-rw-r----- 1 root freerad 2396 Aug 6 2006 hints
-rw-r----- 1 root freerad 1604 Aug 6 2006 huntgroups
-rw-r----- 1 root freerad 2333 Aug 6 2006 ldap.attrmap
-rw-r----- 1 root freerad 9330 Aug 6 2006 mssql.conf
-rw-r----- 1 root freerad 856 Aug 6 2006 naspasswd
-rw-r----- 1 root freerad 12267 Aug 6 2006 oraclesql.conf
-rw-r----- 1 root freerad 14156 Aug 6 2006 postgresql.conf
-rw-r----- 1 root freerad 531 Aug 6 2006 preproxy_users
-rw-r----- 1 root freerad 8862 Aug 6 2006 proxy.conf
-rw-r----- 1 root freerad 57856 Apr 24 14:01 radiusd.conf
-rw-r----- 1 root freerad 187 Aug 6 2006 realms
-rw-r----- 1 root freerad 1405 Aug 6 2006 snmp.conf
-rw-r----- 1 root freerad 13892 Aug 6 2006 sql.conf
-rw-r----- 1 root freerad 7231 Apr 24 11:12 users
-rw-r----- 1 root freerad 7267 Aug 6 2006 x99.conf
-rw-r----- 1 root freerad 4165 Aug 6 2006 x99passwd.sample
------------------------------

And I start it, as Nicolas said, with freeradius -A -X -d /etc/freeradius.

It is still not working.

Any other idea?
Nicolas Goutte
2008-04-24 14:37:00 UTC
Post by Omar Lopez Limonta
Post by Ivan Kalik
You have multiple freeradius installations. The radiusd.conf you are editing is
not the one the installation you are running is using. You most
likely have
one lot in /usr/local/etc/raddb/ and one somewhere else. You also have
two radiusd instances in sbin and its subfolders. Find out which one
you need to run in order to use the configuration files you are editing.
Ivan Kalik
Kalik Informatika ISP
/etc/freeradius/radiusd.conf
As far as I know, /etc/raddb/radius.conf is expected on systems that
are not BSD. (By the way: a Mac counts as a BSD here.)
Post by Omar Lopez Limonta
Also, I installed freeradius on two different servers and I get the same
error, one with Ubuntu and the other with Debian.
Can I force which config file freeradius uses on the command line?
Use -d for selecting the directory in which the configuration files are.
Post by Omar Lopez Limonta
Thanks.
Have a nice day!
Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Alan DeKok
2008-04-24 11:22:36 UTC
Post by Omar Lopez Limonta
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.
...
Post by Omar Lopez Limonta
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
...
Post by Omar Lopez Limonta
172.29.11.1 {
The server isn't reading the file that you are editing. Double-check
that you don't have two copies of the configuration files installed.

Alan DeKok.
A***@lboro.ac.uk
2008-04-24 15:07:03 UTC
Hi,

Just a wild stab in the dark...

172.29.11.1 {
secret = mecago
shortname = cisco3560
nastype = other
}


change that to

172.29.11.1/32 {
secret = mecago
shortname = cisco3560
nastype = other
}

or

172.29.11.1/0 {
secret = mecago
shortname = cisco3560
nastype = other
}

alan
Omar Lopez Limonta
2008-04-24 15:23:13 UTC
Post by A***@lboro.ac.uk
Hi,
Just a wild stab in the dark...
172.29.11.1 {
secret = mecago
shortname = cisco3560
nastype = other
}
change that to
172.29.11.1/32 {
secret = mecago
shortname = cisco3560
nastype = other
}
or
172.29.11.1/0 {
secret = mecago
shortname = cisco3560
nastype = other
}
Alan, yes, it is a very wild stab in the dark; I tested with
172.29.11.1/0
172.29.11.1/32
172.29.11.0/24
0.0.0.0/0

I'm thinking that it doesn't open clients.conf. Is there any way to put
clients in radiusd.conf without including this file?
Any other idea?
Omar Lopez Limonta
2008-04-24 15:34:16 UTC
On Thu, Apr 24, 2008 at 5:23 PM, Omar Lopez Limonta
Post by Omar Lopez Limonta
Alan, yes, it is a very wild stab in the dark; I tested with
172.29.11.1/0
172.29.11.1/32
172.29.11.0/24
0.0.0.0/0
I'm thinking that it doesn't open clients.conf. Is there any way to put
clients in radiusd.conf without including this file?
Any other idea?
I ran strace -o salida.freeradius freeradius -A -X -d /etc/freeradius/
to know if clients.conf is opened by the freeradius process.
And it opens the file OK.

I have the problem with two different versions of freeradius and two
different operating systems.

open("/etc/freeradius/clients.conf", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0744, st_size=3017, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f57000
read(4, "#\n# clients.conf - client config"..., 4096) = 3017
read(4, "", 4096) = 0
close(4) = 0
munmap(0xb7f57000, 4096) = 0
time(NULL) = 1209050527
Alan DeKok
2008-04-24 15:36:05 UTC
Post by A***@lboro.ac.uk
Just a wild stab in the dark...
172.29.11.1 {
?

client 172.29.11.1 {
...
}

Naming a section by the IP address won't do anything useful. You have
to label it a "client" section.

Alan DeKok.
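The root cause above (a section written as "172.29.11.1 { ... }" instead of "client 172.29.11.1 { ... }") and the earlier guesses about /32 and /0 prefixes both come down to how the server matches a packet's source address against the client list. The following is an added example, not code from this thread or from FreeRADIUS: a small hypothetical linter that parses a clients.conf-style file, flags sections that lack the "client" keyword or a shared secret, and then performs the same kind of lookup that produces "Ignoring request from unknown client". The sample configuration is constructed for the example, with the poster's unlabelled section first and a corrected CIDR entry second.

```python
"""Lint a FreeRADIUS-style clients.conf and answer the question the server
asks on every packet: does the NAS source address match a known client?

Added example, hypothetical parser; not FreeRADIUS code.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the unlabelled section from the thread, then a
# correctly labelled CIDR entry for a second group of switches.
SAMPLE_CLIENTS_CONF = """
# clients.conf - client configuration directives
172.29.11.1 {
        secret = mecago
        shortname = cisco3560
        nastype = other
}

client 172.29.12.0/24 {
        secret = placeholder-secret
        shortname = lab-switches
        nastype = cisco
}
"""

# 'client <label> {' or the bare '<label> {' mistake from the thread
SECTION_RE = re.compile(r"^\s*(?:(client)\s+)?(\S+)\s*\{\s*$")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


@dataclass
class Section:
    name: str                  # the IP/CIDR after 'client' (or the bare label)
    labelled: bool             # True only for 'client <name> {'
    attrs: dict = field(default_factory=dict)


def parse_clients_conf(text):
    """Return the top-level sections in declaration order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Section(name=m.group(2), labelled=m.group(1) == "client")
            sections.append(current)
            continue
        if line.strip() == "}":
            current = None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(2)
    return sections


def lint(sections):
    """Problems worth catching before restarting the server."""
    problems = []
    for s in sections:
        if not s.labelled:
            problems.append(f"section '{s.name}' lacks the 'client' keyword and will be ignored")
        if "secret" not in s.attrs:
            problems.append(f"client '{s.name}' has no shared secret")
    return problems


def find_client(sections, nas_ip):
    """Mimic the lookup behind 'Ignoring request from unknown client':
    only labelled sections count, and a CIDR label matches by prefix
    (so 172.29.11.1/32 matches one host, and a /0 matches everything)."""
    addr = ipaddress.ip_address(nas_ip)
    for s in sections:
        if not s.labelled:
            continue
        try:
            net = ipaddress.ip_network(s.name, strict=False)
        except ValueError:
            continue   # hostname or junk label: never an address match here
        if addr in net:
            return s
    return None


if __name__ == "__main__":
    secs = parse_clients_conf(SAMPLE_CLIENTS_CONF)
    for p in lint(secs):
        print("WARNING:", p)
    for ip in ("172.29.11.1", "172.29.12.45"):
        hit = find_client(secs, ip)
        print(ip, "->", hit.attrs.get("shortname") if hit else "unknown client")
```

Run against the sample, the linter reports the unlabelled 172.29.11.1 section, the lookup for 172.29.11.1 returns nothing (the server-side symptom from the thread), and 172.29.12.45 is matched by the /24 entry. A useful habit is to keep such a check next to the configuration so that a typo in clients.conf fails a pre-deploy test rather than a switch port.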
Omar Lopez Limonta
2008-04-24 16:05:10 UTC
Post by Alan DeKok
Post by A***@lboro.ac.uk
Just a wild stab in the dark...
172.29.11.1 {
?
client 172.29.11.1 {
...
}
Naming a section by the IP address won't do anything useful. You have
to label it a "client" section.
Alan DeKok.
Alan, thanks, it was this :), a very stupid mistake.
Thanks to all :D.