Re: Mac-Auth with EAP
Ok. Can you please help with the procedure for configuring pre-login on Windows for 802.1x? Windows is sending packets to RADIUS as host/machine-name.domain. I would like to have a dedicated userid/password configured on Windows for pre-login machine authentication.

'Tunde Ogedengbe

On 8 Feb 2013 13:18, "Phil Mayers" wrote:
> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>> see from the log that the MAC addresses are checked and OK. But there is
>> an [eap] returns reject just after the mac address was successfully
>> checked. I guess I need a way to get radius to force an EAP accept
>> after successful checking of the MAC addresses.
>
> This doesn't work. You can't "force accept" an EAP session. The
> protocol is challenge/response and must complete correctly at both ends.
>
> Your approach won't work.
>
> Instead, you must configure pre-login 802.1x authentication correctly on the
> Windows side, either using machine credentials or user creds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mac-Auth with EAP
I am setting up our Freeradius to do authentication by MAC address for Windows PCs. This is to enable PCs to connect to the AD to access domain information just before the Windows user logon screen. The PC is already connected to a Cisco switch port which has been configured for 802.1x. I have stored the list of authorized MAC addresses in a file called authorized_macs in the Freeradius confdir. I have also set up the appropriate commands in the Authorize and Authentication sections of the sites-enabled/default file for authorization and authentication. I can see from the log that the MAC addresses are checked and OK. But there is an [eap] returns reject just after the mac address was successfully checked. I guess I need a way to get radius to force an EAP accept after successful checking of the MAC addresses.

Below is my Auth-Type statement which gets the system to do MAC address checking for PCs connecting with the hint "thehive". The else statement is to cause all other requests to be processed normally using mschap_ad (which is a function that calls ntlm_auth).

    Auth-Type MS-CHAP {
        if ( Hint == "validmac") {
            authorized_macs
            update control {
                Auth-Type := Accept
            }
        }
        else {
            mschap_ad
        }
    }

Below is the extract of the log highlighting successful mac address checking but still returning [eap] returns reject:

    # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschapv2] ++? if (outer.Hint == "validmac")
    [mschapv2] ? Evaluating (outer.Hint == "validmac") -> TRUE
    [mschapv2] ++? if (outer.Hint == "validmac") -> TRUE
    [mschapv2] ++- entering if (outer.Hint == "validmac") {...}
    [authorized_macs] expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73
    +++[authorized_macs] returns noop
    ++- if (outer.Hint == "thehive") returns noop
    ++ ... skipping else for request 14: Preceding "if" was taken
    [eap] Freeing handler
    ++[eap] returns reject
    Failed to authenticate the user.
    Login incorrect: [host/hive-rjm2.library.networcs.net] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
            EAP-Message = 0x04080004
            Message-Authenticator = 0x
    [peap] Got tunneled reply RADIUS code 3
            EAP-Message = 0x04080004
            Message-Authenticator = 0x00000000
    [peap] Tunneled authentication was rejected.

--
'Tunde Ogedengbe
"But thanks be to God, who gives me the VICTORY through my Lord Jesus CHRIST" - 1 Corinthians 15:57
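The configuration below is an added illustration of the point Phil Mayers makes in his reply and of where the original post's Auth-Type block goes wrong; it is not code from the thread or from the FreeRADIUS project. The original config sets Auth-Type := Accept inside the inner-tunnel MS-CHAP section, i.e. in the middle of an EAP-MSCHAPv2 exchange, where the mschapv2 handler still has to verify the challenge response, so the accept has no effect. A MAC authentication bypass decision can only be made on the separate, non-EAP request the switch sends for MAB (no EAP-Message attribute present). The example assumes the poster's authorized_macs files-module instance and authorized_macs file exist, that the inner-tunnel server keeps its mschap_ad handler, and that the rewrite_calling_station_id policy from the stock FreeRADIUS 2.x policy.conf is available; the MAC entry is the one from the log above, used as sample data.

```unlang
# Added example, not from the thread. Module instance assumed to live in
# modules/authorized_macs (FreeRADIUS 2.x layout):
files authorized_macs {
    # one MAC per line, same format as Calling-Station-Id after rewriting
    usersfile = ${confdir}/authorized_macs
    key = "%{Calling-Station-ID}"
}

# Sample content of ${confdir}/authorized_macs (constructed; MAC taken from
# the debug log in the thread):
#   00-1a-a0-b8-3b-73
#       Reply-Message = "Device %{Calling-Station-Id} authorized by MAC"

server default {
    authorize {
        preprocess

        if (!EAP-Message) {
            # No EAP-Message: this is the switch's MAB request (User-Name is
            # the MAC), so the MAC lookup alone decides it.
            rewrite_calling_station_id
            authorized_macs
            if (!ok) {
                # the files module returns noop when no entry matched,
                # which is what the poster's log shows
                reject
            }
            else {
                update control {
                    Auth-Type := Accept
                }
            }
        }
        else {
            # An 802.1x supplicant: EAP is challenge/response and must run to
            # completion; PEAP/MSCHAPv2 in inner-tunnel decides the outcome.
            eap
        }
    }

    authenticate {
        eap
    }
}
```

With this split, a PC whose supplicant is not yet authenticated (pre-login) is admitted by MAB only if the switch actually falls back to MAB, and a PC that does 802.1x is judged by its machine or user credentials in the inner tunnel, never by its MAC. For the pre-login case the poster asks about, the supplicant itself has to be set to machine (computer) authentication, which is what produces the host/machine-name.domain identity seen in the log; the RADIUS side then authenticates that computer account through mschap_ad rather than trying to short-circuit EAP.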