Hi!

I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate 
failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not 
reject them to the guest VLAN. My config looks like this:

authorize {

....
        # we don't know the MAC .... reject it to the guest net
        if (!ok) {
            update control {
                MACAU-Reason := "MAC address not in DB"
            }
            reject
        }

        # if not 802.1x its only MAC auth
        if (!EAP-Message) {
            # mac has already been checked, accept (it gets into the remediation VLAN)
            update control {
                  Auth-Type := Accept
                  MACAU-Reason := "only MAC, no 802.1x"
            }
        }
        else {
            # we're in the 802.1x path .... continued in the authenticate section
            eap
        }
....
}

authenticate {
....
        Auth-Type EAP {
            eap {
                handled = 1
                invalid = 1
            }

            if (ok) {
                  # update VLAN to production client network
                  # this part works perfectly
            }
            else {
                # EAP didn't work
                if (EAP-Type == "NAK") {
                    update control {
                        MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
                        Auth-Type := Accept
                    }
                }
                else {
                    update control {
                        MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
                        Auth-Type := Accept
                    }
                }

                ok    <----- does not work
            }
        }
....
}

I just need an accept here; the VLAN which will be returned is already the remediation VLAN (as it is the same as if the client uses only MAC authentication). Currently the client gets rejected if e.g. the certificate is expired because the client has not been in the network for some time. MACAU-Reason is logged to the DB in post-auth.

This is the log:

Mon May 27 15:17:55 2013 : Info: [tls] eaptls_process returned 4 
Mon May 27 15:17:55 2013 : Info: [eap] Handler failed in EAP/tls
Mon May 27 15:17:55 2013 : Info: [eap] Failed in EAP select
Mon May 27 15:17:55 2013 : Info: ++[eap] returns invalid
Mon May 27 15:17:55 2013 : Info: ++? if (ok)
Mon May 27 15:17:55 2013 : Info: ? Evaluating (ok) -> FALSE
Mon May 27 15:17:55 2013 : Info: ++? if (ok) -> FALSE
Mon May 27 15:17:55 2013 : Info: ++- entering else else {...}
Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK")
Mon May 27 15:17:55 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Mon May 27 15:17:55 2013 : Info: +++- entering else else {...}
Mon May 27 15:17:55 2013 : Info: ++++[control] returns invalid
Mon May 27 15:17:55 2013 : Info: +++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: ++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: Failed to authenticate the user.
Mon May 27 15:17:55 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxxxxxxx/<via Auth-Type = Accept>] (from client xxxxxxxx port xxxx cli xxxxxxxxxxxxxxx)
Mon May 27 15:17:55 2013 : Info: Using Post-Auth-Type Reject


I hope someone can help me. Thx!

Kind regards
Robert Penz

--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 74 3355
E-Mail: robert.p...@tirol.gv.at
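As an added example (not part of this post and not FreeRADIUS code), a small Python summariser for a 2.x debug trace like the one above: it pulls out every module or section return code, every evaluated condition and the final verdict with its TLS alert, so the log itself shows which branch ran and whether any element ever returned `ok`. The sample trace is constructed, modelled on the one quoted in the post; host, switch and MAC values are made up.

```python
import re

# Constructed sample, modelled on the trace quoted in the post (host, switch and MAC are made up).
SAMPLE_LOG = """\
Mon May 27 15:17:55 2013 : Info: [eap] Handler failed in EAP/tls
Mon May 27 15:17:55 2013 : Info: ++[eap] returns invalid
Mon May 27 15:17:55 2013 : Info: ++? if (ok)
Mon May 27 15:17:55 2013 : Info: ? Evaluating (ok) -> FALSE
Mon May 27 15:17:55 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Mon May 27 15:17:55 2013 : Info: ++++[control] returns invalid
Mon May 27 15:17:55 2013 : Info: +++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: ++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: Failed to authenticate the user.
Mon May 27 15:17:55 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/pc01.example/<via Auth-Type = Accept>] (from client sw01 port 5 cli 00-11-22-33-44-55)
Mon May 27 15:17:55 2013 : Info: Using Post-Auth-Type Reject
"""
# "<timestamp> : <Level>: <message>"; the timestamp is optional so raw "radiusd -X" output parses too.
_MSG = re.compile(r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4} : )?(?P<level>\w+): (?P<msg>.*)$")
_RETURNS = re.compile(r"^\++[-?]? ?(?P<who>.+?) returns (?P<code>\w+)$")  # "++[eap] returns invalid"
_EVAL = re.compile(r"^\? Evaluating \((?P<expr>.*)\) -> (?P<result>TRUE|FALSE)$")
_AUTH = re.compile(r"^Login (?P<verdict>incorrect|OK)(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]")
_TLS = re.compile(r"TLS Alert (?P<dir>\w+):(?P<level>\w+):(?P<desc>.+)$")

def summarize(trace: str) -> dict:
    """Collect every return code, every evaluated condition and the final verdict of one request."""
    out = {"returns": [], "conditions": [], "final": None, "verdict": None,
           "reason": None, "user": None, "tls_alert": None, "post_auth": None}
    for raw in trace.splitlines():
        m = _MSG.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if r := _RETURNS.match(msg):
            out["returns"].append((r.group("who").strip("[]"), r.group("code")))
        elif e := _EVAL.match(msg):
            out["conditions"].append((e.group("expr"), e.group("result") == "TRUE"))
        elif a := _AUTH.match(msg):
            out["verdict"], out["reason"], out["user"] = a.group("verdict", "reason", "user")
            if t := _TLS.search(out["reason"] or ""):
                out["tls_alert"] = t.group("dir", "level", "desc")
        elif msg.startswith("Using Post-Auth-Type "):
            out["post_auth"] = msg.split()[-1]
    if out["returns"]:
        out["final"] = out["returns"][-1][1]  # last code logged before the verdict line
    return out

def codes_seen(summary: dict) -> set:
    """All codes that any module or section returned; no "ok" here means no override took effect."""
    return {code for _, code in summary["returns"]}
```

Run it over a full `radiusd -X` capture for the failing request; if `codes_seen()` never contains `ok` and `final` is `invalid`, the bare `ok` in the else branch never became the section's result.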

