Hey experts!!
I am having another dilemma here. I am trying to configure the MAC authentication bypass feature on my Cisco 3750 switch to authenticate some devices which don't support 802.1x. The way it works (I figured it out by running debug on the switch and by using Wireshark) is that, if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an Access-Request to the FreeRADIUS server (172.17.1.1) with the username and password both set to the MAC address of the device! That brings my dilemma! I have about 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write something like a script to include all of them? The MAC addresses all start with "00:a0:08". I want logic like: if a request is for a user whose first 3 octets are like the above, use its MAC address (which in this case will also be its username) as the password and grant the access. Is it possible to do this in FreeRADIUS 2.1.6??

I have attached the output of a successful authentication for a device with MAC 00a0080806bd. Of course I manually added this user in my users file. My users file looks like:

    00a0080806bd Cleartext-Password := "00a0080806bd"

I appreciate any advice!! Thank you guys!!

Difan Zhao, CCNP
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com <http://www.guest-tek.com/>
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=32, length=127
    Acct-Session-Id = "0000001C"
    Acct-Authentic = RADIUS
    Acct-Terminate-Cause = Lost-Carrier
    Acct-Session-Time = 4093
    Acct-Input-Octets = 16040
    Acct-Output-Octets = 384527
    Acct-Input-Packets = 169
    Acct-Output-Packets = 2946
    Acct-Status-Type = Stop
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = "FastEthernet1/0/2"
    Service-Type = Framed-User
    NAS-IP-Address = 172.17.254.100
    Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = "0000001C",'
[acct_unique] Acct-Unique-Session-ID = "8ac0763679e7418b".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] expand: %t -> Fri Dec 18 16:10:23 2009
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} ->
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} ->
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 32 to 172.17.254.100 port 1646
Finished request 0.
Cleaning up request 0 ID 32 with timestamp +10
Going to the next request
Ready to process requests.

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=90, length=157
    User-Name = "00a0080806bd"
    User-Password = "00a0080806bd"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "00-1D-E5-9C-29-04"
    Calling-Station-Id = "00-A0-08-08-06-BD"
    Message-Authenticator = 0xd8bb55e55d3239af2a93e5db8df80960
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = "FastEthernet1/0/2"
    NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 00a0080806bd at line 28
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "00a0080806bd"
[pap] Using clear text password "00a0080806bd"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00-A0-08-08-06-BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 172.17.254.100 port 1645
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "20"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=33, length=143
    Acct-Session-Id = "0000001D"
    User-Name = "00a0080806bd"
    Acct-Authentic = RADIUS
    Acct-Status-Type = Start
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = "FastEthernet1/0/2"
    Called-Station-Id = "00-1D-E5-9C-29-04"
    Calling-Station-Id = "00-A0-08-08-06-BD"
    Service-Type = Framed-User
    NAS-IP-Address = 172.17.254.100
    Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = "0000001D",User-Name = "00a0080806bd"'
[acct_unique] Acct-Unique-Session-ID = "4585a9d529826ee7".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] expand: %t -> Fri Dec 18 16:10:46 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 00a0080806bd
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 00a0080806bd
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 33 to 172.17.254.100 port 1646
Finished request 2.
Cleaning up request 2 ID 33 with timestamp +33
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 1 ID 90 with timestamp +32
Ready to process requests.
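An added example of the OUI-based rule the post asks for, written here as an illustration and not taken from the original post or from the FreeRADIUS project. It is an "authorize" section for raddb/sites-enabled/default in FreeRADIUS 2.1.x, listing the same modules that appear in the debug output above; the OUI regex, the Service-Type check and the VLAN reply values are taken from the post, everything else (the exact placement of the block, the use of "update control" to feed rlm_pap) is an assumption about how the poster's server is laid out.

```unlang
# Added example, not from the original post: raddb/sites-enabled/default
# "authorize" section for Cisco MAB devices whose MAC starts with OUI 00:a0:08.
# Module order below mirrors the radiusd -X output in the post.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    unix

    # Cisco MAB sends Service-Type = Call-Check with User-Name and
    # User-Password both set to the bare, lowercase MAC ("00a0080806bd").
    # Require all three facts before trusting the MAC as a credential, so a
    # person typing a MAC as a username on a non-MAB port does not match:
    #   1. the NAS says this is a MAB (Call-Check) request,
    #   2. the username is a 12-hex-digit MAC in the 00a008 OUI,
    #   3. the supplied password equals the username.
    if ((Service-Type == Call-Check) && (User-Name =~ /^00a008[0-9a-f]{6}$/) && (User-Password == "%{User-Name}")) {
        update control {
            # Hand rlm_pap the "known good" password: the MAC itself.
            # This replaces one "users" entry per device.
            Cleartext-Password := "%{User-Name}"
        }
        update reply {
            # Same VLAN assignment the post's Access-Accept returned (assumed
            # to be what every 00:a0:08 device should get).
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }

    # Per-user entries in "users" still work for anything else.
    files
    expiration
    logintime

    # rlm_pap sets Auth-Type = PAP when it finds control:Cleartext-Password,
    # and the authenticate section then compares User-Password against it.
    pap
}
```

After restarting, "radiusd -X" should show the "if" condition matching and "[pap] Using clear text password" for the 00a008 devices without any matching "[files] users: Matched entry" line. Keep in mind what this actually proves: only that a frame with that source MAC reached the port, since the switch builds User-Name, User-Password and Calling-Station-Id from the same spoofable address. Restricting the rule to one OUI and to Service-Type = Call-Check limits who can ride on it, and the Tunnel-Private-Group-Id reply is the place to put these devices into a VLAN that is no more trusted than a MAC address deserves.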
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html