Hey experts!!

I am having another dilemma here. I am trying to configure the MAC
authentication bypass feature on my Cisco 3750 switch to authenticate
some devices which don't support 802.1x.

The way it works is that (I figured it out by running debug on the
switch and by using Wireshark), if the supplicant device doesn't support
802.1x, the switch (172.17.254.100) sends an Access-Request to the
FreeRADIUS server (172.17.1.1) in which the username and the password
are both the MAC address of the device!

That brings my dilemma! I have like 200 devices like this. I don't want
to edit my users file with each of the MAC addresses as the UN/PW. Is
there an easy way to write a script-like thing to include all of them?
The MAC addresses all start with "00:a0:08". I want a logic like:

If a request is for a user whose first 3 octets are like the above one, use
its MAC address (in this case also its username) as the password
and grant the access.

Is it possible to do it in FreeRADIUS 2.1.6?? I have attached the output
of a successful authentication for a device with MAC 00a0080806bd. Of
course I manually added this user in my users file. My users file looks
like:

00a0080806bd    Cleartext-Password := "00a0080806bd"

I appreciate any advice!! Thank you guys!!


Difan Zhao, CCNP

Network Engineer

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514


rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=32, 
length=127
        Acct-Session-Id = "0000001C"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Lost-Carrier
        Acct-Session-Time = 4093
        Acct-Input-Octets = 16040
        Acct-Output-Octets = 384527
        Acct-Input-Packets = 169
        Acct-Output-Packets = 2946
        Acct-Status-Type = Stop
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        Service-Type = Framed-User
        NAS-IP-Address = 172.17.254.100
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID 
MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 
172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = "0000001C",'
[acct_unique] Acct-Unique-Session-ID = "8ac0763679e7418b".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++[files] returns noop
+- entering group accounting {...}
[detail]        expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/172.17.254.100/detail-20091218
[detail]        expand: %t -> Fri Dec 18 16:10:23 2009
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} ->
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} ->
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 32 to 172.17.254.100 port 1646
Finished request 0.
Cleaning up request 0 ID 32 with timestamp +10
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=90, 
length=157
        User-Name = "00a0080806bd"
        User-Password = "00a0080806bd"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-04"
        Calling-Station-Id = "00-A0-08-08-06-BD"
        Message-Authenticator = 0xd8bb55e55d3239af2a93e5db8df80960
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 00a0080806bd at line 28
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "00a0080806bd"
[pap] Using clear text password "00a0080806bd"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 
00-A0-08-08-06-BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 172.17.254.100 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "20"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=33, 
length=143
        Acct-Session-Id = "0000001D"
        User-Name = "00a0080806bd"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        Called-Station-Id = "00-1D-E5-9C-29-04"
        Calling-Station-Id = "00-A0-08-08-06-BD"
        Service-Type = Framed-User
        NAS-IP-Address = 172.17.254.100
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 
172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = 
"0000001D",User-Name = "00a0080806bd"'
[acct_unique] Acct-Unique-Session-ID = "4585a9d529826ee7".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/172.17.254.100/detail-20091218
[detail]        expand: %t -> Fri Dec 18 16:10:46 2009
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> 00a0080806bd
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 33 to 172.17.254.100 port 1646
Finished request 2.
Cleaning up request 2 ID 33 with timestamp +33
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 1 ID 90 with timestamp +32
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
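One way to express the prefix rule the post asks for, given here as an added example and not as anything from the original message or from the FreeRADIUS project: an unlang block in the `authorize` section of `raddb/sites-enabled/default` (FreeRADIUS 2.x syntax) that, for MAB requests only, copies the username into the control-list `Cleartext-Password` so that the existing `pap` module does the password comparison. The `00a008` prefix, the lowercase 12-hex-digit username format, `Service-Type = Call-Check` and the VLAN reply (`Tunnel-Private-Group-Id "20"`) are taken from the posted debug output; the exact regex, the placement before `files`, and the assumption that the switch always sends the MAC in that format are mine.

```unlang
# Added example (not from the original post): FreeRADIUS 2.x unlang for the
# authorize section of raddb/sites-enabled/default.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap

    # MAC authentication bypass from the switch: the Access-Request carries
    # Service-Type = Call-Check and User-Name = User-Password = MAC address
    # (lowercase, no separators, as in the posted debug output).
    # Match only the 00:a0:08 OUI and require all 12 hex digits, so a bare
    # "00a008" or a padded string cannot satisfy the rule. Restricting the
    # rule to Call-Check keeps it from applying to ordinary PAP logins that
    # merely happen to use a MAC-looking username.
    if ((Service-Type == "Call-Check") && (User-Name =~ /^00a008[0-9a-fA-F]{6}$/)) {
        update control {
            # Let pap verify that User-Password really equals User-Name.
            # Do NOT use Auth-Type := Accept here: that would skip the
            # password check entirely.
            Cleartext-Password := "%{User-Name}"
        }
        update reply {
            # Same VLAN assignment the posted users-file entry produced;
            # adjust the group id for your network.
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }

    # Everything else (including the remaining users-file entries) is
    # unchanged; pap sets Auth-Type = PAP when a Cleartext-Password exists.
    unix
    files
    expiration
    logintime
    pap
}
```

Run `radiusd -X` after the change and repeat the test from the post: a device in the prefix should produce the same `Found Auth-Type = PAP` and `[pap] User authenticated successfully` lines as the posted trace without any per-MAC entry in `users`, while a MAB request from a MAC outside `00:a0:08` falls through to the existing entries and is rejected if none matches. Keep in mind that MAB identifies a device by nothing more than its MAC address, which any host on the port can present, so the VLAN these devices land in should be treated as untrusted.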
