Hi, all.
I have successfully set up Cisco SG300 switches with 802.1X mac-auth-bypass with
dynamic VLAN.
Here is a little howto:
First: use firmware 1.1.2.0, others are buggy.
SG300 configuration (PacketFence server is 192.168.0.1)
---------------------------------------------------------
global
------
dot1x system-auth-control
radius-server host 192.168.0.1 timeout 10 retransmit 5 key secret
aaa authentication enable SSH enable
aaa authentication login SSH local
aaa authentication dot1x default radius none
interface vlan 106 (choose a non packetfence managed vlan)
dot1x guest-vlan
snmp-server engineID local 800000090320bbc0c0e078
snmp-server host 192.168.0.1 version 3 auth readUser
snmp-server group readGroup v3 auth notify DefaultSuper read DefaultSuper
snmp-server group readGroup v3 priv notify DefaultSuper read DefaultSuper
snmp-server group writeGroup v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server group writeGroup v3 priv notify DefaultSuper read DefaultSuper write DefaultSuper
snmp-server user readUser readGroup v3 auth md5 authpwdread priv privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv privpwdwrite
snmp-server enable traps
port
----
int giX
switchport mode access
dot1x guest-vlan timeout 180
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x timeout reauth-period 7200
dot1x port-control auto
dot1x mac-authentication mac-only
Packetfence configuration
--------------------------
1) we need to change default_eap_type from peap to md5, or it doesn't work
/usr/local/pf/conf/radiusd/eap.conf
default_eap_type = md5
2) (I use the Cisco::Catalyst_3550 type, it works fine)
/usr/local/pf/conf/switches.conf
mode=production
SNMPAuthProtocolRead=MD5
guestVlan=106
SNMPUserNameTrap=readUser
SNMPPrivPasswordTrap=privpwdread
SNMPAuthProtocolTrap=MD5
SNMPAuthProtocolWrite=MD5
SNMPUserNameWrite=writeUser
description=sw-edge01
SNMPVersionTrap=3
SNMPEngineID = 800000090320bbc0c0e078
type=Cisco::Catalyst_3550
SNMPUserNameRead=readUser
VoIPEnabled=N
ODISOVlan=100
isolationVlan=108
radiusSecret=secret
SNMPVersion=3
SNMPPrivPasswordRead=privpwdread
SNMPPrivProtocolWrite=DES
SNMPAuthPasswordWrite=authpwdwrite
SNMPPrivPasswordWrite=privpwdwrite
SNMPAuthPasswordRead=authpwdread
SNMPPrivProtocolTrap=DES
registrationVlan=107
SNMPPrivProtocolRead=DES
SNMPAuthPasswordTrap=authpwdread
Best Regards,
Alexandre Derumier
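
Added example, not part of the original post: the RADIUS shared secret, guest VLAN, SNMP engine ID and SNMPv3 user credentials each appear once in the switch configuration and once in switches.conf, and the two copies must agree. The sketch below cross-checks them; the function names are hypothetical and the sample input is constructed from the values shown in the post.

```python
# Constructed sample input: the lines from the post that must agree on both sides.
SWITCH_CFG = """\
radius-server host 192.168.0.1 timeout 10 retransmit 5 key secret
interface vlan 106
dot1x guest-vlan
snmp-server engineID local 800000090320bbc0c0e078
snmp-server user readUser readGroup v3 auth md5 authpwdread priv privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv privpwdwrite
"""
PF_CFG = """\
guestVlan=106
SNMPEngineID = 800000090320bbc0c0e078
radiusSecret=secret
SNMPUserNameRead=readUser
SNMPAuthPasswordRead=authpwdread
SNMPPrivPasswordRead=privpwdread
SNMPUserNameWrite=writeUser
SNMPAuthPasswordWrite=authpwdwrite
SNMPPrivPasswordWrite=privpwdwrite
"""

def parse_switch(text):
    """Pull the RADIUS key, guest VLAN, engine ID and SNMPv3 users from SG300 CLI lines."""
    out, vlan = {"users": {}}, None
    for t in map(str.split, text.splitlines()):
        if t[:2] == ["radius-server", "host"] and "key" in t[:-1]:
            out["radiusSecret"] = t[t.index("key") + 1]
        elif t[:2] == ["interface", "vlan"] and len(t) > 2:
            vlan = t[2]  # remember which VLAN interface we are inside
        elif t == ["dot1x", "guest-vlan"]:
            out["guestVlan"] = vlan
        elif t[:3] == ["snmp-server", "engineID", "local"] and len(t) > 3:
            out["SNMPEngineID"] = t[3]
        elif t[:2] == ["snmp-server", "user"] and len(t) >= 10:
            out["users"][t[2]] = (t[7], t[9])  # name -> (auth password, priv password)
    return out

def mismatches(switch_text, pf_text):
    """Return the settings on which the switch and switches.conf disagree."""
    sw = parse_switch(switch_text)
    # key=value lines of one switches.conf section; spaces around '=' are allowed
    pf = {k.strip(): v.strip() for k, sep, v in (l.partition("=") for l in pf_text.splitlines()) if sep}
    bad = [k for k in ("radiusSecret", "guestVlan", "SNMPEngineID") if sw.get(k) != pf.get(k)]
    for role in ("Read", "Write"):
        want = tuple(pf.get(f"SNMP{f}Password{role}") for f in ("Auth", "Priv"))
        if sw["users"].get(pf.get("SNMPUserName" + role)) != want:
            bad.append("SNMPv3 " + role)
    return bad
```

Call `mismatches()` with the switch's running configuration and that switch's section of switches.conf; an empty list means the compared settings agree.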
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users