To add, as I think they may well be of use, these are the lines above the line I have mentioned in the switch debug:
RADIUS: EAP-login: length of eap packet = 4
3d03h: RADIUS: Tunnel-MType, [00] 00 00 06
3d03h: RADIUS: tag='00', consider the attribute untagged.
3d03h: RADIUS: TAS(0) created and enqueued.
3d03h: RADIUS: Tunnel-Type, [00] 00 00 0D
3d03h: RADIUS: Tunnel-GID, [00] 741
3d03h: RADIUS: unrecognized Microsoft VSA type 17
3d03h: RADIUS: unrecognized Microsoft VSA type 16
3d03h: RADIUS: TAS(0) takes precedence over tagged attributes, tunnel_type=13
3d03h: RADIUS: free TAS(0)
3d03h: RADIUS: no appropriate authorization type for user.

-----Original Message-----
From: Morris, Andi [mailto:[email protected]]
Sent: 05 December 2013 14:49
To: '[email protected]'
Subject: Re: [PacketFence-users] dot1x being denied on wired clients

Hi Jason,

Thanks for the reply. Here is an obfuscated switch config:

Current configuration : 3461 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2960test
!
enable secret 5 123456789
!
aaa new-model
aaa group server radius packetfence
 server 1.2.3.4 auth-port 1812 acct-port 1813
 server 1.2.3.5 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login MyVTY line
aaa authentication login MyCon none
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip name-server 1.3.4.5
!
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description Andi test
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 15
 dot1x timeout supp-timeout 10
 dot1x reauthentication
 dot1x guest-vlan 704
 spanning-tree portfast
!
interface Vlan1
 ip address 10.2.3.4 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.2.3.2
ip http server
logging trap warnings
logging 192.168.1.12
access-list 10 permit 1.2.3.5
access-list 10 permit 1.2.3.4
access-list 10 deny any log
snmp-server community blah RO 10
snmp-server community bleh RW 10
snmp-server location The Moon
snmp-server contact Pray
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.1 public-test config vlan-membership snmp
radius-server host 1.2.3.4 auth-port 1812 acct-port 1813 timeout 2 key 7 testing123
radius-server host 1.2.3.5 auth-port 1812 acct-port 1813 timeout 2 key 7 testing123
radius-server source-ports 1645-1646
radius-server deadtime 1
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 login authentication MyCon
line vty 0 4
 access-class 10 in
 password 7 123546
 login authentication MyVTY
line vty 5 15
 access-class 10 in
 password 7 123456
!
ntp server 192.168.1.1
end

Cheers,
Andi

-----Original Message-----
From: Jason Frisvold [mailto:[email protected]]
Sent: 05 December 2013 14:39
To: [email protected]
Subject: Re: [PacketFence-users] dot1x being denied on wired clients

Morris, Andi wrote:
> OK, the plot thickens.
>
> When I do the same debug on a Cisco 2950 switch I see the access-accept
> packet being passed back to the switch, but I see:
>
> RADIUS: no appropriate authorization type for user.
>
> Could it be that my users are passing authentication, but then for some
> reason failing authorization? This would explain why I'm seeing multiple
> dot1x bubbles popping up and asking for credentials, but I'm not sure why it
> would suddenly start occurring across different switches. Perhaps it is
> something to do with Packetfence/Radius after all??
>
> Thanks to anybody that can help.

Can you post your switch config? Scrubbed, of course. Just an example interface and the surrounding config for aaa, radius, etc.
> Cheers,
> Andi

--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
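The debug lines Andi posted are the switch decoding the Access-Accept's tunnel attributes: Tunnel-MType 6 is Tunnel-Medium-Type "802" (RFC 2868), Tunnel-Type 0x0D is 13 = "VLAN" (RFC 3580), Tunnel-GID 741 is Tunnel-Private-Group-ID, and tag 00 means the three are untagged and so form one attribute set (the TAS). The two "unrecognized Microsoft VSA" lines are vendor types 16 and 17, MS-MPPE-Send-Key and MS-MPPE-Recv-Key from the EAP exchange (RFC 2548), which a wired port without MACsec has no use for. The script below is an added example and is not from the thread, PacketFence or Cisco: it parses that debug format, groups Tunnel-* attributes by tag, and reports whether the reply carries the complete VLAN triple the switch needs for dynamic VLAN assignment. It deliberately keeps what the switch parsed separate from the switch's own "no appropriate authorization type" verdict, and does not try to explain that verdict. The two input blocks are constructed (the first re-types the posted lines with a timestamp on every line, the uptime form coming from "service timestamps debug uptime" in the config; the second is a made-up reply with Tunnel-Type missing).

```python
import re

# Constructed sample input: the "debug radius" lines quoted in the thread,
# re-typed with a timestamp on every line. Not live switch output.
SAMPLE_DEBUG = """\
3d03h: RADIUS: EAP-login: length of eap packet = 4
3d03h: RADIUS: Tunnel-MType, [00] 00 00 06
3d03h: RADIUS: tag='00', consider the attribute untagged.
3d03h: RADIUS: TAS(0) created and enqueued.
3d03h: RADIUS: Tunnel-Type, [00] 00 00 0D
3d03h: RADIUS: Tunnel-GID, [00] 741
3d03h: RADIUS: unrecognized Microsoft VSA type 17
3d03h: RADIUS: unrecognized Microsoft VSA type 16
3d03h: RADIUS: TAS(0) takes precedence over tagged attributes, tunnel_type=13
3d03h: RADIUS: free TAS(0)
3d03h: RADIUS: no appropriate authorization type for user.
"""

# Constructed counter-example: a reply whose VLAN triple is incomplete
# (no Tunnel-Type), which cannot be turned into a VLAN assignment.
SAMPLE_INCOMPLETE = """\
3d03h: RADIUS: Tunnel-MType, [00] 00 00 06
3d03h: RADIUS: Tunnel-GID, [00] 741
"""

TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6   # RFC 2868: Tunnel-Medium-Type value "802"
MS_VSA_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548

# IOS prints each tunnel attribute as "<name>, [<tag hex>] <value>"; for
# Tunnel-Type and Tunnel-MType the value is a 3-byte hex integer, for
# Tunnel-GID it is the group string (the VLAN name or number).
_TUNNEL_RE = re.compile(r"RADIUS: Tunnel-(Type|MType|GID), \[([0-9A-Fa-f]{2})\] (.+?)\s*$")
_MS_VSA_RE = re.compile(r"unrecognized Microsoft VSA type (\d+)")
_FIELD = {"Type": "type", "MType": "medium", "GID": "gid"}


def parse_tunnel_attrs(debug_text):
    """Group the Tunnel-* attributes of one reply by their tag byte (RFC 2868)."""
    by_tag = {}
    for line in debug_text.splitlines():
        m = _TUNNEL_RE.search(line)
        if not m:
            continue
        name, tag, raw = m.group(1), int(m.group(2), 16), m.group(3)
        value = raw if name == "GID" else int(raw.replace(" ", ""), 16)
        by_tag.setdefault(tag, {})[_FIELD[name]] = value
    return by_tag


def vlan_assignment(by_tag):
    """Return (vlan, problems). RFC 3580 dynamic VLAN assignment needs
    Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID,
    all carrying the same tag; any other combination is reported, not
    silently accepted."""
    problems = []
    for tag, attrs in sorted(by_tag.items()):
        missing = [f for f in ("type", "medium", "gid") if f not in attrs]
        if missing:
            problems.append(f"tag {tag:#04x}: missing {', '.join(missing)}")
            continue
        if attrs["type"] != TUNNEL_TYPE_VLAN:
            problems.append(f"tag {tag:#04x}: Tunnel-Type {attrs['type']} is not VLAN")
            continue
        if attrs["medium"] != TUNNEL_MEDIUM_802:
            problems.append(f"tag {tag:#04x}: Tunnel-Medium-Type {attrs['medium']} is not 802")
            continue
        return attrs["gid"], problems
    if not by_tag:
        problems.append("no Tunnel-* attributes in reply")
    return None, problems


def triage(debug_text):
    """Summarise one authorization attempt from a block of debug radius output."""
    vlan, problems = vlan_assignment(parse_tunnel_attrs(debug_text))
    vsas = [MS_VSA_NAMES.get(int(n), f"type {n}") for n in _MS_VSA_RE.findall(debug_text)]
    return {
        "vlan": vlan,
        "problems": problems,
        "unrecognized_vsa": vsas,
        # The switch's own verdict on the reply, kept apart from what it parsed.
        "authz_failed": "no appropriate authorization type" in debug_text,
    }


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_DEBUG), ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, triage(text))
```

Run against the posted lines, triage reports vlan "741" with no problems in the attribute set and authz_failed True, which is the contradiction the thread is about: the switch parsed a well-formed VLAN assignment and still refused to authorize. Run against the incomplete reply it reports "tag 0x00: missing type" and no VLAN, the shape you would see if the RADIUS server's VLAN policy were misconfigured. Feed it the output of "debug radius" on any IOS switch with these timestamp settings; the regexes depend only on the "Tunnel-<name>, [<tag>] <value>" line format shown in the thread.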
