Re: MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
Ok. Can you please help with the procedure for configuring pre-login on
Windows for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated userid/password
configured on Windows for pre-login machine authentication.

'Tunde Ogedengbe
On 8 Feb 2013 13:18, "Phil Mayers" wrote:

> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>
>> I can see from the log that the MAC addresses are checked and OK. But
>> there is an [eap] returns reject just after the MAC address was
>> successfully checked. I guess I need a way to get RADIUS to force an
>> EAP accept after successful checking of the MAC addresses.
>>
>
> This doesn't work. You can't "force accept" of an EAP session. The
> protocol is challenge/response and must complete correctly at both ends.
>
> Your approach won't work.
>
> Instead, you must configure pre-login 802.1x authentication correctly on the
> Windows side, either using machine credentials or user creds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
I am setting up our FreeRADIUS to do authentication by MAC address for
Windows PCs. This is to enable PCs to connect to the AD to access domain
information just before the Windows user logon screen. The PC is already
connected to a Cisco switch port which has been configured for 802.1x.

I have stored a list of authorized MAC addresses in a file called
authorized_macs in the FreeRADIUS confdir. I have also set up the appropriate
commands in the Authorize and Authentication sections of the
sites-enabled/default file for authorization and authentication. I can see
from the log that the MAC addresses are checked and OK. But there is an
"[eap] returns reject" just after the MAC address was successfully checked.
I guess I need a way to get RADIUS to force an EAP accept after successful
checking of the MAC addresses.

Below is my Auth-Type statement which gets the system to do MAC address
checking for PCs connecting with the hint "thehive". The else statement is
to cause all other requests to be processed normally using mschap_ad (which
is a function that calls ntlm_auth).

Auth-Type MS-CHAP {
    # Requests carrying the hint: check the calling station against the MAC list
    if ( Hint == "validmac") {
        authorized_macs
        update control {
            Auth-Type := Accept
        }
    }
    # Everything else: normal MS-CHAP via ntlm_auth
    else {
        mschap_ad
    }
}

Below is the extract of the log highlighting successful MAC address
checking that still returned "[eap] returns reject":

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if (outer.Hint == "validmac")
[mschapv2] ? Evaluating (outer.Hint == "validmac") -> TRUE
[mschapv2] ++? if (outer.Hint == "validmac") -> TRUE
[mschapv2] ++- entering if (outer.Hint == "validmac") {...}
[authorized_macs]   expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73
+++[authorized_macs] returns noop
++- if (outer.Hint == "thehive") returns noop
++ ... skipping else for request 14: Preceding "if" was taken
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/hive-rjm2.library.networcs.net] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000
[peap] Tunneled authentication was rejected.

-- 
'Tunde Ogedengbe

"But thanks be to God, who gives me the VICTORY through my Lord Jesus
CHRIST" - 1 Corinthians 15:57
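Phil's point, as an added FreeRADIUS configuration example that is mine and not the poster's or Phil's: the MAC list can only decide the outcome in the authorize section, and only for requests that carry no EAP-Message, because Auth-Type is selected at the end of authorize and setting it inside the authenticate block (as the posted config does) comes too late; the posted log also shows the else branch with mschap_ad being skipped, so no MS-CHAP authentication ever runs before [eap] rejects. It assumes authorized_macs is an rlm_files instance keyed on Calling-Station-Id, the layout the FreeRADIUS MAC-auth guide uses, and tests for EAP-Message rather than the poster's Hint.

```unlang
# sites-enabled/default, authorize section (added example, not the posted config).
# Assumes in modules/:
#   files authorized_macs {
#       key = "%{Calling-Station-Id}"
#       usersfile = ${confdir}/authorized_macs
#   }
authorize {
    preprocess

    # No EAP-Message: a plain MAC-authentication request (no supplicant).
    # Auth-Type must be decided here; a later update in the authenticate
    # section has no effect because the Auth-Type has already been chosen.
    if (!EAP-Message) {
        authorized_macs
        # rlm_files returns ok only when an entry matched the calling station
        if (!ok) {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # EAP present (802.1X supplicant): the MAC list may still gate the
        # request, but the EAP exchange must then run to completion on both
        # ends; it cannot be replaced by Auth-Type := Accept.
        authorized_macs
        if (!ok) {
            reject
        }
        eap
    }
}
```

With this layout the machine-account identity (host/machine-name.domain) sent by a Windows supplicant is authenticated by the inner EAP method as Phil describes, while the MAC list only rejects stations that are not on it.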