I've spent all day today trying to get this working. I've got it working perfectly on a Cisco 3750-G but can't get it to work on a Nexus 5548. I'm simply configuring 802.1x MAC Authentication Bypass with a FreeRADIUS server running 2.2.6. I've defined the clients and users on the FreeRADIUS server. I first got this working on the 3750-G and now I'm progressing on to the Nexus 5548. Whenever I attempt to connect a device to the port that I'm using for this test (Eth2/16), it goes into an "Authorization Pending" state. Using tcpdump, I've also noticed that no packets are sent to the RADIUS server on ports 1812 or 1813. On the other hand, when I connect something to the 3750-G it's very clear that a request has been sent to the server. The server is running in debug mode (radiusd -X). On the switch I can enter "test aaa server radius 192.168.101.11 50f7222df327 50f7222df327" and it comes back stating it's successful. And when I use that command I do indeed see a request come into the RADIUS server. Just never when I attempt to plug a device into the port.
To make things a little more complicated, I've got TACACS+ running on the same server, but that is working fine. It's just some extra configuration settings on the switch that hopefully won't cause confusion.
Here are the relevant configuration settings I've applied to the switch:
feature dot1x
tacacs-server host 192.168.101.11 key 7 "XXXX"
aaa group server tacacs+ SSVR
  server 192.168.101.11
  source-interface Vlan101
radius-server host 192.168.101.11 key 7 "XXXX" authentication accounting
aaa group server radius NetMan1
  server 192.168.101.11
  source-interface Vlan101
aaa authentication login default group SSVR local
aaa authentication login console group SSVR local
aaa authorization config-commands default group SSVR local
aaa authorization commands default group SSVR local
aaa authentication dot1x default group NetMan1
aaa accounting default group SSVR
aaa authentication login error-enable
vlan 40
  name Workstations
vlan 101
  name Servers
vlan 118
  name Dot1x_Clients
interface Vlan101
  no shutdown
  ip address 192.168.101.2/24
interface Ethernet2/16
  description 802.1x Test
  dot1x port-control auto
  dot1x pae authenticator
  dot1x mac-auth-bypass
  no cdp enable
  switchport access vlan 40
  speed 1000
ip radius source-interface Vlan101
On the FreeRADIUS server I have the following defined in clients.conf:
client 192.168.101.1 {
    secret = XXXX
}
client 192.168.101.2 {
    secret = XXXX
}
In the users file I have:
50f7222df327 Cleartext-Password := "50f222df327"
    Service-Type = "Framed-User",
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 118
What weirds me out about the Nexus is that I can't define an authentication priority (mab first) like I could with the IOS switch. What's also weird is that I can't seem to define a guest VLAN on the interface either; it's not an available option on the interface.
If anything jumps out at you please let me know. Thanks!
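An added Python example (not part of the original post, FreeRADIUS or NX-OS) that does from any host what the switch should be doing for this MAB port: it builds an Access-Request with the MAC as User-Name and as the hidden User-Password, checks the reply's Response Authenticator against the shared secret, and decodes the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that the users entry returns. The server address, the shared secret and the constructed Access-Accept in build_accept are assumptions used for offline testing.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def attr(t, value):  # one type/length/value attribute
    return struct.pack("!BB", t, len(value) + 2) + value
def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def build_mab_request(mac, secret, ident, authenticator):
    # MAB-shaped Access-Request: the MAC is both User-Name and User-Password, Service-Type Call-Check
    attrs = attr(USER_NAME, mac.encode())
    attrs += attr(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
    attrs += attr(SERVICE_TYPE, struct.pack("!I", 10))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_reply(reply, secret, request_authenticator):
    # verify Response Authenticator = MD5(header + RequestAuth + attrs + secret), then decode VLAN attrs
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    out, pos = {"code": code}, 20
    while pos < length:
        t, l, v = reply[pos], reply[pos + 1], reply[pos + 2:pos + reply[pos + 1]]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            v = v[1:] if v[0] < 0x20 else v  # RFC 2868 tag byte is only present when below 0x20
            out[t] = v.decode() if t == TUNNEL_PRIVATE_GROUP_ID else int.from_bytes(v, "big")
        pos += l
    return out

def build_accept(ident, request_authenticator, secret, vlan):
    # constructed Access-Accept carrying the users-file attributes (offline testing only)
    attrs = attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))  # 13 = VLAN
    attrs += attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # 6 = IEEE 802
    attrs += attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def probe(server, secret, mac, timeout=3.0):
    # send one request to UDP/1812 and decode the reply; server address and secret are assumed inputs
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mab_request(mac, secret, ident, authenticator), (server, 1812))
        reply, _ = s.recvfrom(4096)
    return parse_reply(reply, secret, authenticator)
```

Run probe("192.168.101.11", b"<secret>", "50f7222df327") from a host listed in clients.conf; a result with code 2 and key 81 equal to "118" shows the FreeRADIUS side of the MAB flow works, so a switch that still sends nothing to 1812 has a switch-side problem.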