Config is OK... it should work... IOS version maybe? Can you try to update your switch?

M-A

On 11-05-05 14:39, Willis, Ben wrote:
> Is anyone out there using Cisco 3750's with mac authentication? They are
> listed in the table on the website as being supported....
>
> Thanks,
> Ben
>
> ________________________________________
> From: Willis, Ben [[email protected]]
> Sent: Tuesday, May 03, 2011 2:22 PM
> To: '[email protected]'
> Subject: Re: [Packetfence-users] Radius Problems
>
> I got it "working" by changing my switch config to this instead of what is
> detailed in the network device config guide. It actually isn't working because
> I get the message:
>
> pf::WebAPI(3433) ERROR: Wired MAC Authentication (Wired Access Authorization
> through RADIUS) is not supported on switch type
> pf::SNMP::Cisco::Catalyst_3750. Please let us know what hardware you are
> using. (pf::SNMP::supportsWiredMacAuth)
>
> I thought that I could use this config with Cisco 3750's? Am I only able to
> use port security?
>
> ---Cisco 3750 radius config-
> aaa authentication login default local
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
>
> radius-server host 10.10.80.203 auth-port 1812 acct-port 1813 key ######
>
> ---Cisco 3750 port config (802.1x with MAC Authentication bypass
> (MultiDomain) )-
> interface FastEthernet1/0/38
>  switchport access vlan 100
>  switchport mode access
>  switchport voice vlan 15
>  authentication host-mode multi-domain
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
> end
>
> Thanks,
> Ben
> _______________________
> There is no place like 127.0.0.1
>
> http://lmgtfy.com/?q=Anderson+School+District+Five
>
> -----Original Message-----
> From: Marc-André Jutras [mailto:[email protected]]
> Sent: Tuesday, May 03, 2011 2:01 PM
> To: [email protected]
> Subject: Re: [Packetfence-users] Radius Problems
>
> Ben,
>
> Your radiusd.conf file seems to be OK...
>
> - Any access-list on your switch that can block these requests?
> - Try to re-enter your radius password in your switch... make sure this one
>   is matching your radiusd.conf...
> - What's the IP address of your switch? IOS version? Send me your switch
>   config, I'll validate it...
>
> M-A
>
> On 11-05-03 13:38, Willis, Ben wrote:
>> Marc,
>>
>> I disabled iptables and I still don't get a connection from my switch. I
>> have my switches configured in clients.conf and since radius works locally I
>> don't know what else to confirm.
>>
>> client localhost {
>>     ipaddr = 127.0.0.1
>>     secret = testing123
>>     require_message_authenticator = no
>>     nastype = other # localhost isn't usually a NAS...
>> }
>>
>> client Cisco3750x {
>>     secret = cisco
>>     ipaddr = 10.85.10.1
>> }
>>
>> client RAMS.MC.SW01 {
>>     secret = cisco
>>     ipaddr = 172.20.85.1
>> }
>>
>> client 172.20.95.1 {
>>     secret = cisco
>>     ipaddr = 172.20.95.1
>>     nastype = cisco
>> }
>>
>> client 10.95.0.0/16 {
>>     secret = cisco
>>     shortname = GVMS
>> }
>>
>> Thanks,
>> Ben
>> _______________________
>> There is no place like 127.0.0.1
>>
>> http://lmgtfy.com/?q=Anderson+School+District+Five
>>
>> -----Original Message-----
>> From: Marc-André Jutras [mailto:[email protected]]
>> Sent: Tuesday, May 03, 2011 1:11 PM
>> To: [email protected]
>> Subject: Re: [Packetfence-users] Radius Problems
>>
>> Hi again! :)
>>
>> 1- To test your radius setup, de-activate your iptables ( iptables -F ) and
>> try to authenticate... if this is not working, validate your radius config...
>>
>> 2- If your radius server is working, reload iptables and try to activate
>> some log for your traffic... ( example :
>> http://www.techbytes.ca/techbyte136.html )
>>
>> 3- radiusd[3363]: segfault at 0000000000000000 rip 00002b4adba035db rsp
>> 00007ffffa992bb0 error 4
>> No issue there: this is what's happening every time you restart PF...
>> ( PF will kill -9 radiusd at every restart ... )
>>
>> M-A
>>
>> On 11-05-03 12:49, Willis, Ben wrote:
>>> Me again...
>>>
>>> I have PF working now with port security but my switches refuse to
>>> work (Cisco 3750 (V2 and X's) with any 802.1x mac auth configurations.
>>> The switch states:
>>>
>>> %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for
>>> client (Unknown MAC) on Interface Fa1/0/46
>>>
>>> %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on
>>> Interface Fa1/0/46
>>>
>>> %AUTHMGR-5-START: Starting 'mab' for client (0025.6444.6aaa) on
>>> Interface Fa1/0/46
>>>
>>> It seems like radius is not answering but radius does work for the
>>> registration portal. I have verified iptables:
>>>
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1812 -d 10.10.80.203 -i
>>> eth0.10 -j ACCEPT
>>>
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1813 -d 10.10.80.203 -i
>>> eth0.10 -j ACCEPT
>>>
>>> This is the radius server config on my switches (straight out of the
>>> guides):
>>>
>>> aaa new-model
>>>
>>> aaa group server radius packtfence
>>>
>>>  server 10.10.80.203 auth-port 1812 acct-port 1813
>>>
>>> aaa authentication login default local
>>>
>>> aaa authentication dot1x default group packetfence
>>>
>>> aaa authorization network default group packetfence
>>>
>>> radius-server host 10.10.80.203 auth-port 1812 acct-port 1813 timeout
>>> 2 key ######
>>>
>>> radius-server vsa send authentication
>>>
>>> I did notice this error while monitoring /var/log/messages:
>>>
>>> A5DO-NAC kernel: radiusd[3363]: segfault at 0000000000000000 rip
>>> 00002b4adba035db rsp 00007ffffa992bb0 error 4
>>>
>>> Hoping that someone can point me in the right direction......
>>>
>>> Thanks for the help so far,
>>>
>>> Ben in SC

--
Marc-Andre Jutras, Project manager - Inverse inc.
[email protected] :: +1.514.447.4918 (x110) :: http://www.inverse.ca
Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
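
Added example (not part of the original thread, and not PacketFence or Cisco code): a small Python check that every server group named in an IOS `aaa` method list has a matching `aaa group server` definition, run over the `aaa` lines of the two switch configurations quoted in the thread. The function and constant names are hypothetical, and treating only `radius` and `tacacs+` as built-in group keywords is an assumption.

```python
import difflib
import re

# Assumption: only these method-list keywords resolve without a user-defined group.
BUILTIN_GROUPS = {"radius", "tacacs+"}
GROUP_DEF = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)")
GROUP_REF = re.compile(r"\bgroup (\S+)")
METHOD_LISTS = ("aaa authentication", "aaa authorization", "aaa accounting")

# aaa lines of the group-based switch config quoted in the oldest message.
FIRST_CONFIG = """\
aaa new-model
aaa group server radius packtfence
 server 10.10.80.203 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
"""

# aaa lines of the later switch config, which uses the built-in radius group.
SECOND_CONFIG = """\
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
"""


def undefined_aaa_groups(config):
    """Return (line_no, referenced_group, closest_defined_name_or_None) tuples."""
    defined, refs = set(), []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        match = GROUP_DEF.match(line)
        if match:
            defined.add(match.group(1))
        elif line.startswith(METHOD_LISTS):
            refs.extend((no, name) for name in GROUP_REF.findall(line))
    findings = []
    for no, name in refs:
        if name not in BUILTIN_GROUPS and name not in defined:
            near = difflib.get_close_matches(name, sorted(defined), n=1)
            findings.append((no, name, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        for no, name, near in undefined_aaa_groups(cfg):
            hint = f" (closest defined group: {near})" if near else ""
            print(f"{label} config line {no}: group '{name}' is not defined{hint}")
```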
