I've been looking at this for a day now and it seems like I'm close, but something is not right. I have a FreeRADIUS server with an OpenLDAP backend for MAC auth bypass. This system is just for testing, but it is an essential first step in my project.
I'm using freeradius2-2.1.7-7.el5, freeradius2-ldap-2.1.7-7.el5, openldap-servers-2.3.43-12.el5_6.7, and I am currently using a Cisco-labelled Linksys SFE-2000 switch. Since I have been reading docs and trying different things all day, I'm thinking there is something I've just messed up on and overlooked while going over the files. I have tried creating the MAC address in LDAP several ways: as a cn (objectclass=device), and as a uid (with and without a password). Here are the files I've modified:

**********************************
raddb/modules/ldap:
**********************************

ldap {
    cache = no
    server = "localhost"
    identity = "uid=radauth,ou=radius,dc=CSPKRB"
    password = password
    basedn = "ou=radius,dc=CSPKRB"
    filter = "(cn=%{User-Name})"
    tls {
        start_tls = no
    }
    default_profile = "uid=radauth,ou=radius,dc=CSPKRB"
    profile_attribute = "radiusProfileDn"
    access_attr = "cn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupname_attribute = radius_users
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
    set_auth_type = no
}

**********************************
raddb/sites-enabled/inner-tunnel:
**********************************

server inner-tunnel {
    authorize {
        preprocess
        ldap
        pap
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

**********************************
clients.conf
**********************************

client localhost {
    ipaddr = 127.0.0.1
    secret = SharedSecret
    require_message_authenticator = no
}

client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = SharedSecret
    nastype = other
}

**********************************
debug output:
**********************************

rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0, length=99
        NAS-IP-Address = 192.168.1.254
        NAS-Port-Type = Ethernet
        NAS-Port = 24
        User-Name = "0010182b9065"
        Acct-Session-Id = "0500002B"
        EAP-Message = 0x0200001101303031303138326239303635
        Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log]      expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap]  expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap]  expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter (cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter (objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.254 port 49154
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc26dceefc26cdb5c17fcb167e47515a3
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0, length=134
Cleaning up request 4 ID 0 with timestamp +348
        NAS-IP-Address = 192.168.1.254
        NAS-Port-Type = Ethernet
        NAS-Port = 24
        User-Name = "0010182b9065"
        Acct-Session-Id = "0500002B"
        State = 0xc26dceefc26cdb5c17fcb167e47515a3
        EAP-Message = 0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635
        Message-Authenticator = 0xf9ba8e6f27790169ab8ee1b280fbb4e9
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log]      expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap]  expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap]  expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter (cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter (objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Response appears to match, but EAP type is wrong.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [0010182b9065] (from client 192.168.0.0/16 port 24)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 0010182b9065
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 0 to 192.168.1.254 port 49154
Waking up in 4.9 seconds.
Cleaning up request 5 ID 0 with timestamp +348
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/MAC-auth-bypass-with-freeradius-openldap-tp4511949p4511949.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
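Added example, not code from the original post or from the FreeRADIUS project: a small Python decoder for the three EAP-Message values that appear in the debug output above (the NAS's Identity response, the server's Access-Challenge, and the NAS's second response). It parses the RFC 3748 EAP header, decodes the Identity, MD5-Challenge and TLS-family (flags byte) bodies, and flags the condition rlm_eap reports as "Response appears to match, but EAP type is wrong": the peer answered a Request with a method type that is neither the one offered nor a Nak. Method names come from the IANA EAP type registry; the hex strings are copied from the log and nothing else is assumed.

```python
"""Decode EAP packets carried in RADIUS EAP-Message attributes (RFC 3748 framing)."""
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers (RFC 3748 for 1-4, RFC 5216 for 13, RFC 5281 for 21, PEAP 25).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # None for Success/Failure, which carry no Type byte
    data: bytes           # Type-Data (everything after the Type byte)

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"unknown({self.code})")

    @property
    def type_name(self) -> str:
        if self.type is None:
            return "-"
        return EAP_TYPES.get(self.type, f"unknown({self.type})")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes on the wire")
    if code in (3, 4):                 # Success / Failure: header only
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def describe(pkt: EapPacket) -> str:
    """One-line summary, decoding the type-specific body where the format is known."""
    head = f"{pkt.code_name} id={pkt.identifier} len={pkt.length} type={pkt.type_name}"
    if pkt.type == 1:                                   # Identity: the NAI as a string
        return f"{head} identity={pkt.data.decode('ascii', 'replace')!r}"
    if pkt.type == 4:                                   # MD5-Challenge: Value-Size, Value, Name
        size = pkt.data[0]
        value, name = pkt.data[1:1 + size], pkt.data[1 + size:]
        return f"{head} md5-value={value.hex()} name={name.decode('ascii', 'replace')!r}"
    if pkt.type in (13, 21, 25):                        # TLS family: Flags byte L=0x80 M=0x40 S=0x20
        flags = pkt.data[0]
        bits = [n for n, b in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & b]
        return f"{head} flags={''.join(bits) or '-'}"
    return f"{head} data={pkt.data.hex()}"


def eap_type_mismatch(challenge: EapPacket, response: EapPacket) -> bool:
    """True when the peer answers a Request (same Identifier) with a method other than the
    one offered and does not Nak it. A conforming peer that cannot do the offered method
    must reply with a Nak (type 3) listing the methods it supports."""
    return (challenge.code == 1 and response.code == 2
            and response.identifier == challenge.identifier
            and response.type not in (3, challenge.type))


# Constructed input: the three EAP-Message values from the radiusd -X output above.
EXCHANGE = [
    "0200001101303031303138326239303635",                                    # NAS -> RADIUS
    "010100061520",                                                          # RADIUS -> NAS
    "0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635",  # NAS -> RADIUS
]


def analyse(hex_messages=EXCHANGE):
    """Return the parsed packets and whether the last response mismatches the challenge."""
    pkts = [parse_eap(bytes.fromhex(h)) for h in hex_messages]
    return pkts, eap_type_mismatch(pkts[1], pkts[2])


if __name__ == "__main__":
    packets, mismatch = analyse()
    for p in packets:
        print(describe(p))
    print("EAP type mismatch:", mismatch)
```

Run stand-alone it prints the Identity response carrying the MAC as the username, the server's TLS-family Start (flags S), and a Response of type MD5-Challenge with the same Identifier, which is why rlm_eap rejects the conversation rather than continuing it.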