
IDM and Freeradius problem

 
Jarosław Opalka
Occasional Advisor

Hello.

I'm trying to run IDM with Freeradius. I want to use MAC authentication. Users are imported from AD.

When I connect a device, I get this in the radius log:
----------------
Login incorrect (rlm_chap: Clear text password not available)

rlm_chap: login attempt by "00-08-02-d7-f1-15" with CHAP password
rlm_chap: Could not find clear text password for user 00-08-02-d7-f1-15
modcall[authenticate]: module "chap" returns invalid for request 1
modcall: leaving group CHAP (returns invalid) for request 1
auth: Failed to validate the user.
----------------

How can I solve this problem?

Jeff Carrell
Honored Contributor

Re: IDM and Freeradius problem

basic note, if you want to use full IDM capability, using the IDM agent on a radius server, the IDM agent is -only- supported on:
o - w2k0/w2k3-IAS
o - w28k-NAP
o - freeradius on SuSe and redhat - and only specific versions of those - which versions can be found in the IDM release notes...

basic 802.1X authentication can work with freeradius, if you have appropriate switch config......to verify that component, plz reply with your 'sh ru' so we can check its config......altho i don't know this exact error message, it looks to me like a switch-to-radius mis-config...

and for mac-auth, UID/PW must both be the mac addr of the device, and typically in lowercase, and you may have to have the switch format the mac addr output different than its std of "no delimiter" to "xx-xx"...

hth...jeff
Jarosław Opalka
Occasional Advisor

Re: IDM and Freeradius problem

I'm running FreeRadius on CentOS 5.2 (it's very similar to RedHat).

My switch config:
-------------------
...
radius-server host 10.100.0.203 key 'xxxx'
...
aaa port-access mac-based 27
aaa port-access mac-based addr-format multi-dash
-------------------

In my switch log I don't see any messages saying that the switch can't reach the radius server.

My full radius log is in the attachment.
Jeff Carrell
Honored Contributor

Re: IDM and Freeradius problem

you are missing a switch command:

aaa authentication port-access chap-radius

-----
3. Configure the 802.1X Authentication Method
This task specifies how the switch authenticates the credentials provided by
a supplicant connected to a switch port configured as an 802.1X authenticator
You can configure chap-radius or eap-radius as the primary password
authentication method for the port-access method.

this is in the advanced security guide (ASG)
----------

that might do it...

and you'll have to check with procurve, but i don't think the idm agent will work on centos...

hth...jeff
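
Added example, not part of the thread and not HP or FreeRADIUS code: a Python model of the RFC 1994 CHAP check behind the "Clear text password not available" log line, showing that the server can only validate a MAC-auth request if it holds the clear-text secret (here the MAC itself, in the switch's lowercase multi-dash format). The function names, the challenge value and the user-store states are constructed for illustration.

```python
import hashlib
import hmac
import re

def format_mac_multi_dash(mac):
    """Normalise common MAC notations to lowercase xx-xx-xx-xx-xx-xx."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def chap_response(chap_id, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def switch_request(mac, challenge, chap_id=1):
    """Model of the MAC-auth request: User-Name is the formatted MAC and
    CHAP-Password (1-byte ID + 16-byte hash) uses the same string as secret."""
    user = format_mac_multi_dash(mac)
    return user, bytes([chap_id]) + chap_response(chap_id, user.encode(), challenge)

def verify_chap(chap_password, challenge, cleartext):
    """Server side: the hash can only be recomputed from the clear-text secret."""
    if cleartext is None:
        return "invalid: clear text password not available"
    if len(chap_password) != 17:
        return "invalid: malformed CHAP-Password"
    expected = chap_response(chap_password[0], cleartext, challenge)
    if hmac.compare_digest(expected, chap_password[1:]):
        return "accept"
    return "reject: CHAP response mismatch"

# Constructed sample data: fixed challenge and three possible user-store states.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
STORES = {
    "no clear-text entry": None,
    "uppercase entry": b"00-08-02-D7-F1-15",
    "matching entry": b"00-08-02-d7-f1-15",
}

if __name__ == "__main__":
    user, attr = switch_request("000802D7F115", CHALLENGE)
    for label, stored in STORES.items():
        print(f"{user} / {label}: {verify_chap(attr, CHALLENGE, stored)}")
```

Only the entry that matches the switch's output byte for byte is accepted, which is why both the case and the delimiter format of the stored MAC matter.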