Hi.

For better understanding, here are the packets the Catalyst sends to the RADIUS server (Cisco ACS), captured with Ethereal. The feature (MAC Authentication Bypass) was tested by myself with ACS 4.0 beta and worked.

The switch sends three packets like that:

Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0xa9 (169)
    Length: 65
    Authenticator: 1C3208670AF4106D1619034D1BD50526
    Attribute Value Pairs
        AVP: l=8  t=User-Name(1): azbycx
        AVP: l=6  t=NAS-IP-Address(4): xx.xx.128.156
        AVP: l=13  t=EAP-Message(79) Last Segment[1]
        AVP: l=18  t=Message-Authenticator(80): 996FDE4A9B0077AAC30FA6A8AE65BC09

They are NOT answered by the ACS RADIUS server. By the way, WHAT is the username azbycx? Some kind of default? It is always the same username, no matter what MAC I plug into the switch! Cisco documentation sucks big time on this! :( Why is it doing this? It was definitely not configured in CatOS.

----------------------

After that, it sends the "real" access-request:

Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1 (1)
    Length: 100
    Authenticator: 012E175F0CF11CB90FE21A16008B1613
    Attribute Value Pairs
        AVP: l=6  t=NAS-IP-Address(4): xx.xx.128.156
        AVP: l=6  t=NAS-Port(5): 110
        AVP: l=6  t=Service-Type(6): Call-Check(10)
        AVP: l=19  t=Called-Station-Id(30): 00-14-1b-xx-xx-xx
        AVP: l=19  t=Calling-Station-Id(31): 00-0e-7f-xx-xx-xx
        AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
        AVP: l=18  t=Message-Authenticator(80): 3BF52FD5838A862CD4BFBD478515982A

"Called-Station-Id" is the MAC of the switch interface. "Calling-Station-Id" is the MAC that needs to be authenticated.


I'd really appreciate it if someone could help me out with the FreeRADIUS MySQL config, based on that scenario. Thanks.

Bye Flo

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
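The MAB exchange described above, as an added Python example that is not code from the original post, from the Catalyst, or from FreeRADIUS: it builds an Access-Request with the same attribute set as the second capture, checks the Message-Authenticator (type 80) against the shared secret, takes Calling-Station-Id as the identity to look up, and returns the Access-Accept or Access-Reject code plus the Response Authenticator the switch would verify. The shared secret, the NAS address, the allow-list and the MAC values are constructed assumptions. Note the limit of the check: a valid Message-Authenticator only proves the request came from a NAS that knows the secret; the MAC itself is whatever the client put on the wire, so MAB alone never stops a spoofed MAC.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types seen in the captured MAB request (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 4, 5, 6
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 30, 31, 61
MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_CALL_CHECK = 10
NAS_PORT_TYPE_ETHERNET = 15

# Constructed sample data (assumptions, not values from the post).
SHARED_SECRET = b"testing123"
ALLOWED_MACS = {"00-0e-7f-01-02-03"}


def encode_avps(avps):
    """Serialise (type, value) pairs as RADIUS attributes: type, length, value."""
    out = b""
    for t, v in avps:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_request(ident, authenticator, avps, secret):
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet with the
    attribute's 16 value bytes zeroed), RFC 2869 5.14. The attribute is placed last."""
    body = encode_avps(avps + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse(pkt):
    """Return (code, id, authenticator, [(type, value, offset), ...]); raise on a malformed packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        avps.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]], pos))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], avps


def verify_message_authenticator(pkt, secret):
    """True only if the packet carries a Message-Authenticator that matches the shared secret."""
    _, _, _, avps = parse(pkt)
    for t, v, pos in avps:
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False  # absent: a MAB request with no integrity check is rejected


def normalize_mac(text):
    """Accept 00-0e-7f-01-02-03, 00:0E:7F:01:02:03 or Cisco 000e.7f01.0203; return aa-bb-cc-dd-ee-ff."""
    digits = text.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % text)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_decision(pkt, secret=SHARED_SECRET, allowed=ALLOWED_MACS):
    """Decide a MAB request: (ACCESS_ACCEPT or ACCESS_REJECT, normalised MAC or None)."""
    try:
        if not verify_message_authenticator(pkt, secret):
            return ACCESS_REJECT, None
        code, _, _, avps = parse(pkt)
        attrs = {t: v for t, v, _ in avps}
        if code != ACCESS_REQUEST or attrs.get(SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_CALL_CHECK):
            return ACCESS_REJECT, None  # only Call-Check requests are treated as MAB
        mac = normalize_mac(attrs[CALLING_STATION_ID].decode("ascii"))
    except (KeyError, ValueError):  # missing Calling-Station-Id, bad MAC, malformed packet
        return ACCESS_REJECT, None
    return (ACCESS_ACCEPT if mac in allowed else ACCESS_REJECT), mac


def build_response(code, ident, request_authenticator, secret, avps=()):
    """Reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_avps(list(avps))
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body


def verify_response(resp, request_authenticator, secret):
    """Switch-side check of the Response Authenticator; a reply forged without the secret fails."""
    _, _, auth, _ = parse(resp)
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, auth)


def sample_request(calling_mac, ident=1, authenticator=None):
    """Constructed Access-Request with the attribute set of the second capture (addresses assumed)."""
    avps = [
        (NAS_IP_ADDRESS, bytes([10, 0, 128, 156])),
        (NAS_PORT, struct.pack("!I", 110)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (CALLED_STATION_ID, b"00-14-1b-aa-bb-cc"),
        (CALLING_STATION_ID, calling_mac.encode("ascii")),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ]
    return build_access_request(ident, authenticator or os.urandom(16), avps, SHARED_SECRET)


if __name__ == "__main__":
    req = sample_request("000e.7f01.0203")
    code, mac = mab_decision(req)
    _, ident, req_auth, _ = parse(req)
    resp = build_response(code, ident, req_auth, SHARED_SECRET)
    print(mac, "->", {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[code],
          "| response authenticator ok:", verify_response(resp, req_auth, SHARED_SECRET))
```

The allow-list lookup is the part a FreeRADIUS SQL backend would do: the normalised MAC is the key to look up, so whatever form the switch sends (dashes, colons, or Cisco's dotted groups) has to be normalised the same way on both the insert and the lookup side, or entries will silently never match.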
