Hello All!
This is a follow-on to my earlier dot1x question. Here is the
situation:
I have a Windows XP client connected to a Cat 3650 and a configured ACS
server. With the Cat configured as a RADIUS IETF client in the ACS, I can
authenticate the XP PC and get the VLAN pushed back to the Cat. All
works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
IOS/PIX 6.x) client in the ACS. I would expect to have to use the
configuration Yusuf shows in his book on pages 339-341. Now here is
where the problem starts. First, if you look at his debug output you see
that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
are both methods used? I tried using just the IETF values and it
works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
AV-PAIRS to the ACS, entered exactly as in figure 11-8, the switch does not
recognize them:
*Mar 17 23:21:18.222: RADIUS: Message-Authenticato[80] 18
*Mar 17 23:21:18.222: RADIUS: 16 DF 78 4A FF DD 02 62 E2 45 CA 35 74 E7 53 F5 [ xJbE5tS]
*Mar 17 23:21:18.222: RADIUS: Vendor, Cisco [26] 49
*Mar 17 23:21:18.222: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1414040000003F5767FE11"
*Mar 17 23:21:18.222: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 17 23:21:18.222: RADIUS: NAS-Port [5] 6 50018
*Mar 17 23:21:18.222: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/18"
*Mar 17 23:21:18.222: RADIUS: State [24] 27
*Mar 17 23:21:18.222: RADIUS: 45 41 50 3D 30 2E 32 30 31 2E 34 39 37 2E 31 3B [EAP=0.201.497.1;]
*Mar 17 23:21:18.222: RADIUS: 53 56 43 3D 30 2E 31 64 3B [SVC=0.1d;]
*Mar 17 23:21:18.222: RADIUS: NAS-IP-Address [4] 6 10.20.20.4
*Mar 17 23:21:18.247: RADIUS: Received from id 1645/84 10.20.20.101:1812, Access-Accept, len 243
*Mar 17 23:21:18.247: RADIUS: authenticator 34 14 2D BA 5D 79 93 70 - 88 91 01 F4 39 14 79 24
Note that the AV-PAIRS below appear exactly as they do on page 341
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 49
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 43 "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 60
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 54 "cisco-avpair= "tunnel-medium-type(#65)=802 media(6)""
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 56
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 50 "cisco-avpair= "tunnel-private-group-ID(#81)=200""
*Mar 17 23:21:18.247: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 17 23:21:18.247: RADIUS: EAP-Message [79] 6
*Mar 17 23:21:18.247: RADIUS: 03 21 00 04 [ !]
*Mar 17 23:21:18.247: RADIUS: Class [25] 28
*Mar 17 23:21:18.247: RADIUS: 43 41 43 53 3A 30 2F 33 35 34 32 64 2F 61 31 34 [CACS:0/3542d/a14]
*Mar 17 23:21:18.247: RADIUS: 31 34 30 34 2F 35 30 30 31 38 [1404/50018]
*Mar 17 23:21:18.247: RADIUS: Message-Authenticato[80] 18
*Mar 17 23:21:18.247: RADIUS: 31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8 C6 74 5D [ 1x6st]]
*Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
But, the switch does not know what to do with them...
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
*Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for client (0008.7492.2c0e) on Interface Gi0/18
*Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 0008.7492.2c0e
*Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
Has anyone got this to work?? What is the "Secret Sauce"?
Thanks!
Dave
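The Access-Accept above carries the VLAN assignment in two encodings: the IETF tunnel attributes Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = 802 (6) and Tunnel-Private-Group-ID (81) = 200, and three Cisco Vendor-Specific attributes (type 26, vendor 9, sub-type 1 cisco-avpair) whose value text itself begins with the literal "cisco-avpair=", which is exactly the form the RADIUS/DECODE lines report as IGNORE. The decoder below is an added example, not part of the original post, Yusuf's book or any Cisco or ACS code. It builds a constructed attribute list mirroring the debug output (the tag octet of 1 on the tunnel attributes is an assumption; ACS can send other tag values), walks the TLVs, recovers the VLAN from the IETF triple, and separates Cisco AV-pairs whose value text carries the attribute name from ones that do not. The encoded lengths it produces match the [26] 49 / [1] 43, [26] 60 / [1] 54 and [26] 56 / [1] 50 shown in the debug, which is a quick way to check that a captured packet and the ACS configuration line up.

```python
import struct

# Attribute numbers and tunnel constants that appear in the debug output above
TUNNEL_TYPE = 64              # Tunnel-Type: 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type: 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID: the VLAN name or number
VENDOR_SPECIFIC = 26          # Vendor-Specific; vendor id 9 is Cisco
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1              # Cisco VSA sub-type 1 = cisco-avpair
VLAN_TUNNEL_TYPE = 13
IEEE_802_MEDIUM = 6


def build_attr(attr_type, value):
    """Encode one attribute as type, length, value; the length octet counts the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_tagged_int(attr_type, tag, number):
    """Tunnel integer attributes carry a one-octet tag and a 3-octet value (RFC 2868)."""
    return build_attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def build_cisco_avpair(text):
    """Vendor-Specific: 4-octet vendor id, then one sub-TLV of type 1 carrying the AV-pair text."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attributes(data):
    """Walk the attribute list of an Access-Accept body (everything after the 20-byte header).

    Returns the IETF tunnel values plus two lists of Cisco AV-pairs: those whose value text
    starts with the literal "cisco-avpair=" (the form the switch above reports as IGNORE)
    and the rest.
    """
    result = {"tunnel_type": None, "tunnel_medium": None, "vlan": None,
              "cisco_avpairs": [], "ignored_avpairs": []}
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # octet 0 is the tag; the integer is the remaining three octets
            number = int.from_bytes(value[1:4], "big")
            result["tunnel_type" if attr_type == TUNNEL_TYPE else "tunnel_medium"] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; anything larger is part of the string
            text = value[1:] if value and value[0] <= 0x1F else value
            result["vlan"] = text.decode(errors="replace")
        elif attr_type == VENDOR_SPECIFIC:
            if int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID:
                continue
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                sub_type, sub_len = sub[spos], sub[spos + 1]
                if sub_len < 2 or spos + sub_len > len(sub):
                    raise ValueError("malformed Cisco VSA at offset %d" % spos)
                sub_value = sub[spos + 2:spos + sub_len].decode(errors="replace")
                spos += sub_len
                if sub_type != CISCO_AVPAIR:
                    continue
                key = "ignored_avpairs" if sub_value.startswith("cisco-avpair=") else "cisco_avpairs"
                result[key].append(sub_value)
    return result


def assigned_vlan(parsed):
    """The VLAN the IETF triple assigns, or None if the triple is incomplete."""
    if parsed["tunnel_type"] == VLAN_TUNNEL_TYPE and parsed["tunnel_medium"] == IEEE_802_MEDIUM:
        return parsed["vlan"]
    return None


# Constructed sample (not captured from the switch): the IETF triple for VLAN 200 with an
# assumed tag of 1, plus the three AV-pair strings exactly as they appear in the Access-Accept.
SAMPLE_AVPAIRS = [
    'cisco-avpair= "tunnel-type(#64)=VLAN(13)"',
    'cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"',
    'cisco-avpair= "tunnel-private-group-ID(#81)=200"',
]
SAMPLE_ACCEPT_BODY = (
    build_tagged_int(TUNNEL_TYPE, 1, VLAN_TUNNEL_TYPE)
    + build_tagged_int(TUNNEL_MEDIUM_TYPE, 1, IEEE_802_MEDIUM)
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"200")
    + b"".join(build_cisco_avpair(s) for s in SAMPLE_AVPAIRS)
)

if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ACCEPT_BODY)
    print("VLAN from IETF attributes:", assigned_vlan(parsed))
    for s in parsed["ignored_avpairs"]:
        print("AV-pair value carries the attribute name in its text:", s)
    # The encoded sizes reproduce the [26] 49 / [1] 43 shown in the debug output
    print("first VSA length:", len(build_cisco_avpair(SAMPLE_AVPAIRS[0])))
```

Run as-is it reports VLAN 200 from the IETF triple and lists all three AV-pairs as the ignored form; the same parser can be pointed at the attribute bytes of a real Access-Accept captured between ACS and the switch to see which encoding actually reached the port.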
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com