Re: mac authentication, log rejected device in radius.log
On 10/18/2013 11:00 AM, Alan DeKok wrote:
> Bertalan Voros wrote:
>> I have one question, I would like to log a message in radius.log when a device is rejected based on its mac address. I would like to put a message saying that the device was unauthorised and the Calling-Station-Id into the radius.log logfile.
>
> See the radiusd.conf, the log subsection. There are limited possibilities for customizing the log messages.
>
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I use a modified module for syslog based off exec for this type of thing (on a UNIX system):

    exec syslog-portauth {
        wait = no
        program = "/usr/bin/logger -p local3.info -t portauth switch %{NAS-IP-Address} port %{NAS-Port-Id} %{NAS-Port} - User %{sql_start2: select determineUserFromMac('%{User-Name}')} on MAC %{User-Name} assigned to %{reply:Tunnel-Private-Group-Id}"
        input_pairs = request
        packet_type = Access-Accept
        shell_escape = no
    }

Granted, you might need to execute this on an Access-Reject, but you can log anything you want with that. I even grab some values from my database (MySQL functions, actually) to include in the log line.

- JohnD
Re: MAC authentication succeeds, port stays unauthorized (allied telesis)
On Fri, 07 Jun 2013 17:40:04 +0200, David Mitton da...@mitton.com wrote:
> Best to check the error log on the NAS.

When the link goes up the following debug messages appear on the NAS:

    2013 Jun 10 15:22:56 system.information awplus pcfg: Egress Broadcast(1):Milticast(1):Unicast(1) port1.0.5
    2013 Jun 10 15:22:56 system.information awplus mac: MAC Addr[90:b1:1c:65:eb:d4] Vlan[2] not found [2]
    2013 Jun 10 15:22:21 system.information awplus pcfg: Egress Broadcast(1):Milticast(1):Unicast(1) port1.0.5
    2013 Jun 10 15:22:21 system.information awplus pcfg: Egress Broadcast(0):Milticast(0):Unicast(1) port1.0.5
    2013 Jun 10 15:22:21 system.emergency awplus psec: Set security mode failed for port[5] mode[4] [100794371]
    2013 Jun 10 15:22:21 system.information awplus pcfg: Link UP on port 1.0.5

I find it strange that it can't find VLAN2, as it is defined on the switch.

When the link goes down the following appears on the NAS:

    2013 Jun 10 15:25:44 admin.information awplus mac: Delete Dynamic MAC by port 1.0.5 succeeded
    2013 Jun 10 15:25:44 admin.information awplus mac: Delete Dynamic MAC by port 1.0.5 succeeded
    2013 Jun 10 15:25:44 admin.information awplus pcfg: Link DOWN on port 1.0.5

Regards
Stijn

> Dave.
>
> Quoting Stijn D'haese maill...@stijn-dhaese.be:
>> Hi,
>> I'm trying to do MAC based authentication on our switches, but for some strange reason the port doesn't want to authenticate, even though the radius server sends an Access-Accept package to the port. I did a capture on the port and the Access-Accept package is received by the port, but its port status stays unauthorized.
>> I'm running FreeRADIUS Version 2.2.0 and the switch is an Allied Telesis AT-9000/28.
>> Any ideas where I need to start looking?
>> Regards
>> Stijn
MAC authentication succeeds, port stays unauthorized (allied telesis)
Hi,

I'm trying to do MAC based authentication on our switches, but for some strange reason the port doesn't want to authenticate, even though the radius server sends an Access-Accept package to the port. I did a capture on the port and the Access-Accept package is received by the port, but its port status stays unauthorized.

I'm running FreeRADIUS Version 2.2.0 and the switch is an Allied Telesis AT-9000/28.

Any ideas where I need to start looking?

Regards
Stijn
Re: MAC authentication succeeds, port stays unauthorized (allied telesis)
Stijn D'haese wrote:
> Any ideas where I need to start looking?

The RADIUS server sent the right answer. The NAS ignored it. Blame the NAS.

Alan DeKok.
Re: MAC authentication succeeds, port stays unauthorized (allied telesis)
The NAS device is the final arbiter of allowing access. Even if the authentication succeeds, there may be other things about the connection and the NAS policies that are not met by the port user. Best to check the error log on the NAS.

Dave.

Quoting Stijn D'haese maill...@stijn-dhaese.be:
> Hi,
> I'm trying to do MAC based authentication on our switches, but for some strange reason the port doesn't want to authenticate, even though the radius server sends an Access-Accept package to the port. I did a capture on the port and the Access-Accept package is received by the port, but its port status stays unauthorized.
> I'm running FreeRADIUS Version 2.2.0 and the switch is an Allied Telesis AT-9000/28.
> Any ideas where I need to start looking?
> Regards
> Stijn
Mac Authentication and Port Authentication
Hi All,

I would like to use the free-radius server for mac-authentication and port authentication. Please let me know the configuration stuff for the same.

Thanks,
RajaSekhar
Re: Mac Authentication and Port Authentication
rajasekar bonthala wrote:
> I would like to use the free-radius server for mac-authentication and port authentication. Please let me know the configuration stuff for the same.

Documentation for this already exists. See the Wiki, among other places.

i.e. If you don't have time to read the documentation, we don't have time to cut & paste it here.

Alan DeKok.
Re: MAC Authentication with FreeRadius
On 28 Feb 2013, at 10:02, Bouchra Badri bouchra.ba...@gmail.com wrote:
> Hello,
> Sorry to bring this up again. I tried to do as you said, and added this line:
>
>     VMPS-VLAN-Name = "%{sql:select radius.maclist.vlanname from radius.maclist where radius.maclist.mac='%{VMPS-Mac}'}"
>
> as well as this one:
>
>     $INCLUDE /etc/raddb/sql.conf
>
> (don't know why, just told myself it made sense if I want the above line to be queried). I took the vmps file to sites-enabled so it runs as a virtual server. I followed just what I needed from this link http://wiki.freeradius.org/guide/SQL%20HOWTO to create the database and grant privileges... However when I run radiusd I get this (in the image). I know it's probably elementary, but it's that English isn't my forte so I don't get what the debug says or why.

At a guess I'd say you're not using the SQL module anywhere else in the server, and you need to add it to radiusd.conf in instantiate so it actually gets loaded...
Re: MAC Authentication with FreeRadius
Your guess is correct. I really hope that's the only thing wrong with the config. I'll try it as soon as I have access to the server. Thanks.
MAC Authentication with FreeRadius
Hi,

1 - I was wondering if going through the tuto in wiki.freeradius is necessary to be able to authenticate using the mac address? For one, that rewrite_calling_station_id generates an error at the run of freeradius, plus I've seen some tutos that say that cisco Mac-auth-Bypass can do the trick... Can you confirm it please? Because it doesn't work either :(

2 - I can probably do it using the vmps and mac2vlan files supplied by FreeRad, but in mac2vlan they say that radiusd.conf shows how to use it in detail, but that's not the case! So can you please provide a clear tutorial on how to use vmps with freeradius?

Thank you!
Re: MAC Authentication with FreeRadius
Hi,

> 1 - I was wondering if going through the tuto in wiki.freeradius is necessary to be able to authenticate using the mac address? For one, that rewrite_calling_station_id generates an error at the run of freeradius, plus I've seen some tutos that say that cisco Mac-auth-Bypass can do the trick...

Cisco MAB is a *method* you configure on the switch. It still needs a backend to send the request to - e.g. a RADIUS server.

> 2 - I can probably do it using the vmps and mac2vlan files supplied by FreeRad, but in mac2vlan they say that radiusd.conf shows how to use it in detail, but that's not the case! So can you please provide a clear tutorial on how to use vmps with freeradius?

The example VMPS stuff provided gives a clear start. You can either have a flat list of MACs or stick them into a DB and have the VMPS module query the DB.

alan
Re: MAC Authentication with FreeRadius
Hello, thanks for the quick answer.

> Cisco MAB is a *method* you configure on the switch. It still needs a backend to send the request to - e.g. a RADIUS server.

Yes, of course I'll have to use a Radius server, and many forums say that if you put the Mac address in both username and password, it will authenticate if - in the switch - you use Mab... And that's exactly what I tried to do, but it did not authenticate... Am I doing something wrong?

> The example VMPS stuff provided gives a clear start. You can either have a flat list of MACs or stick them into a DB and have the VMPS module query the DB.

So correct me if I'm wrong: I'll have to uncomment the mac2vlan on vmps file, add MAC-ADD,VLAN-NAME to mac2vlan, change the listening port to 1598 and the auth type to vmps on radiusd.conf, and that's that? It's just that... I don't exactly see how dynamic vlan assignment works if you only use a flat list, vmps only shows how to query the DB..

Thank you Alan.
Re: MAC Authentication with FreeRadius
Hi,

> Yes, of course I'll have to use a Radius server, and many forums say that if you put the Mac address in both username and password, it will authenticate if - in the switch - you use Mab... And that's exactly what I tried to do, but it did not authenticate... Am I doing something wrong?

You need to check the format that the requests come through as; basically you need to just ACCEPT on that user-name.

> So correct me if I'm wrong: I'll have to uncomment the mac2vlan on vmps file, add MAC-ADD,VLAN-NAME to mac2vlan, change the listening port to 1598 and the auth type to vmps on radiusd.conf, and that's that? It's just that... I don't exactly see how dynamic vlan assignment works if you only use a flat list, vmps only shows how to query the DB..

You don't need to change any listener etc. in radiusd.conf - there is a VMPS virtual-server you need to activate. THAT has the listening port.

If you want to use e.g. dynamic VLAN assignments then you need to do the clever stuff in the database. In the same vmps virtual server you will see an 'example' in the update reply{} section - commented out by default:

    #VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"

So, if a MAC has been banned, you ensure its e.g. 'vlan' value is changed in your DB so the query will return.

We don't use this method; instead we call a PERL module which has all of our logic/checks/bans etc. in it - this was originally migrated from openvmpsd (which was a good system but not multi-threaded and couldn't handle e.g. simultaneous queries from 48 port switches... VMPS is dumb, it just updates ALL ports, unlike MAB/802.1X which are on separate timers). When FR supported VMPS I got very excited... and we migrated overnight.

alan
Re: MAC Authentication with FreeRadius
Great. Thank you good sir.
Open+ MAC authentication failed.
Hello,

I'm trying to have a WiFi client authenticated in the OPEN+MAC method. The AP is already known as a client of the Freeradius and any other form of Radius authentication I tried worked so far (WPA, WPA2). I'm using PEAP and the clients are Windows XP (if it makes any difference).

I created a new user with the MAC address of the client as the user and password (this is a non-internet-connected client):

    ###this is for OPEN+MAC AUTH
    00C0CA32A157 Cleartext-Password := 00C0CA32A157
    ###

and I keep getting this error when it's trying to get the IP from the DHCP:

    Listening on authentication address * port 1812
    Listening on accounting address * port 1813
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Listening on proxy address * port 1814
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.10.10.3 port 55965, id=5, length=128
        User-Name = 00c0ca32a157
        User-Password = 00c0ca32a157
        Calling-Station-Id = 00-C0-CA-32-A1-57
        NAS-IP-Address = 10.10.10.3
        Called-Station-Id = 00-18-25-02-11-D2:103-mac
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Framed-MTU = 1400
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = 00c0ca32a157, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/freeradius/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> 00c0ca32a157
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 5 to 10.10.10.3 port 55965
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 5 with timestamp +12
    Ready to process requests.

What am I missing? Or (however unlikely) freeradius does not support this type of authentication any more?

Thank you

--
Sometimes you just glow in the dark...
Re: Open+ MAC authentication failed.
Tzvika Gelber wrote:
> I created a new user with the MAC address of the client as the user and password:
...
>     00C0CA32A157 Cleartext-Password := 00C0CA32A157
...
>     User-Name = 00c0ca32a157
>     User-Password = 00c0ca32a157

You do realize that they are different, right? The comparisons in the users file are case-sensitive.

Alan DeKok.
Re: open with mac authentication.
Thank you very much.

> Tzvika Gelber wrote:
>> I created a new user with the MAC address of the client as the user and password:
> ...
>>     00C0CA32A157 Cleartext-Password := 00C0CA32A157
> ...
>>     User-Name = 00c0ca32a157
>>     User-Password = 00c0ca32a157
>
> You do realize that they are different, right? The comparisons in the users file are case-sensitive.
>
> Alan DeKok.

--
Message: 3
Date: Sun, 9 Dec 2012 09:38:03 -0600
From: Dan Letkeman danletke...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: computer authentication

Thank you Matthew for the clarification. I could successfully get the windows 7 client to try and make a request (you definitely need to have the certs imported into exactly the correct spots). But now my debug log says that it's failing. This is a default 2.1.12 install with the switch added to the clients.conf file.

    rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
        User-Name = host/u...@example.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 9C-AF-CA-F4-40-10
        Calling-Station-Id = 64-31-50-7D-72-DE
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = GigabitEthernet0/16
        NAS-IP-Address = 10.11.200.73
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] Looking up realm example.com for User-Name = host/u...@example.com
    [suffix] Found realm example.com
    [suffix] Adding Stripped-User-Name = host/user
    [suffix] Adding Realm = example.com
    [suffix] Proxying request from user host/user to realm example.com
    [suffix] Preparing to proxy authentication request to realm example.com
    ++[suffix] returns updated
    [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    WARNING: Empty pre-proxy section. Using default return values.
    Sending Access-Request of id 231 to 127.0.0.1 port 1812
        User-Name = host/user
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 9C-AF-CA-F4-40-10
        Calling-Station-Id = 64-31-50-7D-72-DE
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = GigabitEthernet0/16
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
    Proxying request 0 to home server 127.0.0.1 port 1812
    Sending Access-Request of id 231 to 127.0.0.1 port 1812
        User-Name = host/user
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 9C-AF-CA-F4-40-10
        Calling-Station-Id = 64-31-50-7D-72-DE
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = GigabitEthernet0/16
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
    Going to the next request
    Waking up in 0.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171
        User-Name = host/user
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 9C-AF-CA-F4-40-10
        Calling-Station-Id = 64-31-50-7D-72-DE
        EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
        Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = GigabitEthernet0/16
        NAS-IP-Address = 10.11.200.73
        Proxy-State = 0x323034
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = host/user, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 1 length 26
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail
802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

We've currently a MAC authentication running with dynamic VLANs via SQL for wired clients. We return the wished VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as supported authentication method. I got the setup so far that I'm able to authenticate a client which supports it via 802.1x and the others as fallback with MAC. With MAC auth everything works, but with 802.1x I'm not able to return the VLAN the switch should use.

How can I tell freeradius to make a sql lookup for the reply values? And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?

The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog?

Thx for your help!

I'm using freeradius2-2.1.7-7.el5 on rhel5 with the following config:

    authorize {
        eap {
            ok = return
        }
        redundant {
            sql
            do_not_respond  # send nothing to the switch if sql fails, another server will take over
        }
        if (ok) {
            update control {
                Auth-Type := Accept
            }
            # 'handled' does not work here
            ok = return
        }
    }

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

Thx for the fast response! But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize.

Or would it anyway be a better idea to have more than one issuer and return the VLAN data based on that? E.g. one issuer for the PC net and one for the printer net? Can I use the issuer in a SQL query? As I've different switch types which need different responses, I use a SQL lookup with the NAS IP with a switch type table to get the correct response.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Thursday, 22 March 2012 15:48
To: FreeRadius users mailing list
Subject: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

Hi,

On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote:
> And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?

Common Name of the cert is in TLS-Client-Cert-Common-Name, but only available in post-auth. However, that should be OK to update the reply to set a VLAN.

> I'm using freeradius2-2.1.7-7.el5 on rhel5 with the following config

You'll need to upgrade to 2.1.12. This is too old and doesn't have the above attribute.

> The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help!

Calling-Station-Id, as usual.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi,

On Thu, Mar 22, 2012 at 04:27:14PM +0100, PENZ Robert wrote:
> But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize.

Sorry, can't help here. I've never done any SQL in FreeRADIUS.

But my previous comments apply. You can set any VLANs based on calling-station-id or other normal attributes in authorize or post-auth, but if you want to set VLANs based on the certificate subject special attributes, you'll need to upgrade to 2.1.12 and do it in post-auth.

When 3.x arrives, there is a new feature that lets you do it in an eap-tls virtual server authorize section, but that's not available yet. Still, there should be no need for that unless you want to reject connections based on TLS certificate data, rather than just set the VLAN.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
On 22/03/12 15:27, PENZ Robert wrote:
> Hi!
> Thx for the fast response! But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize.

Like this:

    post-auth {
        if (TLS-Client-Cert =~ /.../) {
            update reply {
                Tunnel-Private-Group-Id := "%{sql:query goes here}"
            }
        }
    }

You can run any SQL query you like as part of an expansion. The SQL query can reference any attributes you like, using standard attribute expansion. See man unlang.
Re: MAC Authentication - Bad Idea?
Jim Rice wrote:
> The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX

Which isn't the format recommended by the RFCs. (sigh)

> It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.

There isn't much benefit... but both are bad ideas.

>>> but had to set Auth-Type := Accept.
>> Hmm... that's probably not the best way to do it, but if it works...
> Is there a best (or better) way?

Not really, unfortunately.

> Do I need to be concerned with MAC spoofing?

Of course.

Alan DeKok.
Re: MAC Authentication - Bad Idea?
On Wed, Feb 02, 2011 at 02:00:52PM -0600, Gary Gatten wrote:
> On shared medium, I don't *think* dupe macs will cause much problem, unless maybe a congestion algorithm tweaks traffic to/from that mac. I'm not an expert in that area, just speaking from experience.

Layer 1 --- I have little experience with radio, and if it's a single radio cell with omnidirectional antenna it might not make much difference (*).

Layer 2 --- With switches: they learn which port owns the MAC address, and then only send traffic to the latest seen port. If it keeps changing, there will be substantial packet loss.

Layer 3 --- If two people are on the same IP address then of course that will mess things up royally, so one will have to manually choose a different one. Now, if two different IPs share the same MAC address, it will usually work unless one of the devices has IP forwarding enabled. If they do, then when terminal A sees frames for B's IP address it will forward them to its default route. The router will then re-send the packet to B, and hence you will get a storm of duplicate packets (multiplied by the TTL).

Regards,

Brian.

(*) If the radio station has multiple antennas to beam the signal in the correct direction, I imagine it might not work well if it sees the same client in two places at once.
MAC Authentication - Bad Idea?
Greetings,

Still a newbie, but getting there... (Alan, do you ever sleep?)

I have been asked to implement MAC authentication for a local service provider with a Canopy radio network and MikroTik routers. No, really. I was able to test this and received Access-Accept after placing the MAC address in the UserName (Password is ), but had to set Auth-Type := Accept. I haven't found much in the way of documentation regarding MAC authentication in some of the dated books I have on Radius and 802.1x, nor in the FreeRadius docs.

The goal is to provide for different classes of service, bandwidth management, accounting, etc. I imagine some of this can be done through vendor specific attributes to dynamically configure the routers (VLANs, data rates, priority queues and such), based on which group a user belongs to.

Dumb question #1: Just because you can do a thing, it doesn't mean you should. Can someone give me the "you idiot" speech and talk me out of this? Deploying client certificates to every device in their network seems an administrative nightmare. Using usernames/passwords doesn't make sense since most devices will always be connected. In the days of dial-up, users understood having to login to connect. Today, not so much.

So, are there better alternatives? Or am I still just a clueless newbie?

Thanks for your patience,
Jim
Re: MAC Authentication - Bad Idea?
Jim Rice wrote:
> Still a newbie, but getting there... (Alan, do you ever sleep?)

In a word: no.

> I have been asked to implement MAC authentication for a local service provider with a Canopy radio network and MikroTik routers. No, really. I was able to test this and received Access-Accept after placing the MAC address in the UserName (Password is ), but had to set Auth-Type := Accept.

Hmm... that's probably not the best way to do it, but if it works...

I'd like to write a "MAC auth" howto guide for NAS implementors. It will mostly say "you're doing it wrong". Which isn't much of a surprise, I guess.

> I haven't found much in the way of documentation regarding MAC authentication in some of the dated books I have on Radius and 802.1x, nor in the FreeRadius docs.

It all depends on what the NAS sends, unfortunately. And every NAS sends something different.

> The goal is to provide for different classes of service, bandwidth management, accounting, etc. I imagine some of this can be done through vendor specific attributes to dynamically configure the routers (VLANs, data rates, priority queues and such), based on which group a user belongs to.
>
> Dumb question #1: Just because you can do a thing, it doesn't mean you should. Can someone give me the "you idiot" speech and talk me out of this?

Do MAC auth. Really. It's not hard, and it's useful. The main thing is to normalize the MACs from the NAS before you look them up in the DB. Again, every NAS sends something different.

> Deploying client certificates to every device in their network seems an administrative nightmare. Using usernames/passwords doesn't make sense since most devices will always be connected. In the days of dial-up, users understood having to login to connect. Today, not so much.
>
> So, are there better alternatives? Or am I still just a clueless newbie?

Do MAC auth. Wait 2-3 years, upgrade to 802.1X everywhere.

Alan DeKok.
Re: MAC Authentication - Bad Idea?
Thanks, Alan.

The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX

It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.

>> but had to set Auth-Type := Accept.
> Hmm... that's probably not the best way to do it, but if it works...

Is there a best (or better) way?

Do I need to be concerned with MAC spoofing?

Thanks again,
Jim
RE: MAC Authentication - Bad Idea?
What about ppp based auth? Many providers in the US still use this for xDSL service. If the CPE supports it, it's usually transparent to the users.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Jim Rice
Sent: Wednesday, February 02, 2011 1:15 PM
To: FreeRadius users mailing list
Subject: Re: MAC Authentication - Bad Idea?

Thanks, Alan.

The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX

It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.

>> but had to set Auth-Type := Accept.
> Hmm... that's probably not the best way to do it, but if it works...

Is there a best (or better) way?

Do I need to be concerned with MAC spoofing?

Thanks again,
Jim
Re: MAC Authentication - Bad Idea?
Hi,

> Do I need to be concerned with MAC spoofing?

Of course. There's also the issue that the link layer is completely open and unencrypted to any eavesdropping/dodgy activity.

alan
Re: MAC Authentication - Bad Idea?
We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from netreg. Its essence is DHCP/DNS/HTTP on one server.

Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic webpage as explained later on.

The logic is like the following:

    if (mac not in your database) {
        send back a sandbox vlan   # user opening any webpage will get redirected to the single server
    } else if (mac in your database) {
        if (user blocked) {
            send back sandbox VLAN
        }
        send back regular vlan name with additional attributes as you want
    }

On the web server, if you are here, you are either unregistered or registered but blocked. We have a dynamic webpage to do the following things:

    # mac not registered
    # user webpage to get IP, then use IP to get MAC from DHCP lease file
    if (MAC not in database) {
        webportal of login with (ldap, ssh, ftp) backend; mac address will be populated in the database.
    }
    # mac in database but blocked
    else {
        display the mac is blocked and call helpdesk
    }

We use this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x.

Schilling

On Wed, Feb 2, 2011 at 2:15 PM, Jim Rice jmrice6...@yahoo.com wrote:
> Thanks, Alan. The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX. It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.
>
> but had to set Auth-Type := Accept.
>
> Hmm... that's probably not the best way to do it, but if it works... Is there a best (or better) way? Do I need to be concerned with MAC spoofing?
>
> Thanks again, Jim
Re: MAC Authentication - Bad Idea?
On Wed, Feb 02, 2011 at 11:15:13AM -0800, Jim Rice wrote:
> Do I need to be concerned with MAC spoofing?

It's easy to do, so it will probably happen; this risk is weighed against providing a service which is easy for your customers to use.

What happens if two people try to use the same MAC address simultaneously on your wireless network? I suspect it will break service for both of them, which means that it's actually not very useful for freeloading. They'd have to coordinate to use it at different times. You could also look for simultaneous users in your RADIUS accounting logs.

Regards, Brian.
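Brian's suggestion above, looking for simultaneous users of one MAC in the RADIUS accounting logs, as an added example that is not part of the thread. The records are constructed to look like FreeRADIUS radacct rows (Calling-Station-Id, NAS-IP-Address, NAS-Port, start/stop), and the session names are placeholders.

```python
"""Flag a MAC address that is active from two NAS ports at the same time.

Added example; the radacct-style records below are constructed, not taken
from any real accounting database.
"""
from datetime import datetime
from itertools import combinations

# Constructed sample: s1 and s2 share a MAC and overlap from two different
# NASes; s2 has no Stop record (still open) and also overlaps s3; s4 is benign.
RADACCT = [
    {"session": "s1", "Calling-Station-Id": "00:11:22:33:44:55",
     "NAS-IP-Address": "10.0.0.1", "NAS-Port": 1,
     "start": "2011-02-02 13:00:00", "stop": "2011-02-02 15:00:00"},
    {"session": "s2", "Calling-Station-Id": "00-11-22-33-44-55",
     "NAS-IP-Address": "10.0.0.2", "NAS-Port": 7,
     "start": "2011-02-02 14:00:00", "stop": None},
    {"session": "s3", "Calling-Station-Id": "00:11:22:33:44:55",
     "NAS-IP-Address": "10.0.0.1", "NAS-Port": 1,
     "start": "2011-02-02 16:00:00", "stop": "2011-02-02 17:00:00"},
    {"session": "s4", "Calling-Station-Id": "AA:BB:CC:DD:EE:FF",
     "NAS-IP-Address": "10.0.0.2", "NAS-Port": 3,
     "start": "2011-02-02 14:30:00", "stop": "2011-02-02 14:45:00"},
]


def mac_key(value):
    """Collapse the NAS-specific MAC formats (00:11:..., 00-11-..., 0011...)
    into twelve lowercase hex digits so records from different NASes compare."""
    return "".join(c for c in value.lower() if c in "0123456789abcdef")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def sessions_overlap(a, b, now):
    """True when two sessions were active at the same moment. A missing Stop
    record means the session is still open, so it is treated as running
    until `now`."""
    a_stop = parse_ts(a["stop"]) if a["stop"] else now
    b_stop = parse_ts(b["stop"]) if b["stop"] else now
    return parse_ts(a["start"]) < b_stop and parse_ts(b["start"]) < a_stop


def find_concurrent_mac_use(records, now):
    """Return sorted (mac, session_a, session_b) triples for every pair of
    overlapping sessions that present the same MAC from a different NAS or
    port. Overlaps on the same NAS port are ignored: those are usually a
    re-authentication whose Stop record was lost, not a second device."""
    by_mac = {}
    for rec in records:
        by_mac.setdefault(mac_key(rec["Calling-Station-Id"]), []).append(rec)
    hits = []
    for mac, sessions in by_mac.items():
        for a, b in combinations(sessions, 2):
            same_port = (a["NAS-IP-Address"], a["NAS-Port"]) == \
                        (b["NAS-IP-Address"], b["NAS-Port"])
            if not same_port and sessions_overlap(a, b, now):
                hits.append((mac, a["session"], b["session"]))
    return sorted(hits)


if __name__ == "__main__":
    now = parse_ts("2011-02-02 18:00:00")  # constructed "current time"
    for mac, first, second in find_concurrent_mac_use(RADACCT, now):
        print(f"MAC {mac} active in sessions {first} and {second} at the same time")
```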
Re: MAC Authentication - Bad Idea?
On shared medium, I don't *think* dupe macs will cause much problem, unless maybe a congestion algorithm tweaks traffic to/from that mac. I'm not an expert in that area, just speaking from experience.

----- Original Message -----
From: Brian Candler [mailto:b.cand...@pobox.com]
Sent: Wednesday, February 02, 2011 01:53 PM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: MAC Authentication - Bad Idea?

> On Wed, Feb 02, 2011 at 11:15:13AM -0800, Jim Rice wrote:
> > Do I need to be concerned with MAC spoofing?
>
> It's easy to do, so it will probably happen; this risk is weighed against providing a service which is easy for your customers to use.
>
> What happens if two people try to use the same MAC address simultaneously on your wireless network? I suspect it will break service for both of them, which means that it's actually not very useful for freeloading. They'd have to coordinate to use it at different times. You could also look for simultaneous users in your RADIUS accounting logs.
>
> Regards, Brian.
Re: MAC Authentication - Bad Idea?
Thanks for the tip, Schilling. We wanted to provide a splash page for unauthenticated access attempts. This helps to answer a whole other list of questions on how to do that.

Jim

--- On Wed, 2/2/11, schilling schilling2...@gmail.com wrote:

From: schilling schilling2...@gmail.com
Subject: Re: MAC Authentication - Bad Idea?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Wednesday, February 2, 2011, 11:32 AM

> We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from netreg. Its essence is DHCP/DNS/HTTP on one server.
>
> Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic webpage as explained later on.
>
> The logic is like the following:
>
>     if (mac not in your database) {
>         send back a sandbox vlan   # user opening any webpage will get redirected to the single server
>     } else if (mac in your database) {
>         if (user blocked) {
>             send back sandbox VLAN
>         }
>         send back regular vlan name with additional attributes as you want
>     }
>
> On the web server, if you are here, you are either unregistered or registered but blocked. We have a dynamic webpage to do the following things:
>
>     # mac not registered
>     # user webpage to get IP, then use IP to get MAC from DHCP lease file
>     if (MAC not in database) {
>         webportal of login with (ldap, ssh, ftp) backend; mac address will be populated in the database.
>     }
>     # mac in database but blocked
>     else {
>         display the mac is blocked and call helpdesk
>     }
>
> We use this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x.
>
> Schilling
Re: MAC Authentication - Bad Idea?
I think it depends on the OS. If an OS is trusting and accepts everything up the stack from Layer 2 if the MAC address matches, it could start to get confused and cause all sorts of issues. If the device keeps some kind of state table for connections and rejects all others there may not be too much of an issue. Naturally in the switched environment it would not work at all.

As far as MAC auth, we do that here as well, basically for printers and such, and as you stated you just enter the MAC address for the password then push out the Tunnel Group ID, Tunnel-Medium-Type and Tunnel-Type. Of course this is on a switched network, but for our wireless it works remarkably similarly; yet again we use username/password authentication on that. We do not have to worry too much about session hijacking or MAC spoofing on the wireless side because we use WPA2 with AES and dot1x on the auth side.

One thing you may want to do is have a default unprotected vlan that is the default network; have it go directly to a web page with instructions on connecting with a secure connection. If you care anything about your users/customers I would say at least offer them some kind of protection; it is just too easy to sniff unprotected wireless networks.

--
Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE

On Wednesday, February 02, 2011 at 12:00 PM, Gary Gatten ggat...@waddell.com wrote:
> On shared medium, I don't *think* dupe macs will cause much problem, unless maybe a congestion algorithm tweaks traffic to/from that mac. I'm not an expert in that area, just speaking from experience.
Re: MAC-Authentication from Mysql
Thanks for your responses. I tried SQL XLAT yesterday but I had the following radiusd -X errors:

    /usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection.
    /usr/local/etc/raddb/sites-enabled/default[485]: Errors parsing post-auth section.

I think it is not possible to do that with SQL XLAT. Is it possible to store the return code of a sql query with SQL XLAT? I'll try with sql.authorize.

Thanks.

Regards, David

2010/11/23 EasyHorpak.com i...@easyhorpak.com
> On 22/11/2553 22:41, David Seira wrote:
> > Hi Alan. Thanks for your time. In the authorize section I have the following instructions to authorize users in a mac file:
> >
> >     if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-Id}$/i)) {
> >         update control {
> >             Auth-Type = 'CSID'
> >         }
> >     }
> >
> > I don't know how to call the sql module to read the list of users from mysql. If I put in that section the sql instruction I don't know how to compare the sql results with the Calling-Station-Id that the NAS returns in the request. Another thing is that I don't know why the authorization is made in the post-auth section.
> >
> > Thanks for your help.
> >
> > Regards, David
> >
> > 2010/11/22 Alan DeKok al...@deployingradius.com
> > > David Seira wrote:
> > > > I don't know where to put the sql instruction to read macs from the database.
> > >
> > > Read raddb/sites-available/default. Look for "sql".
> > >
> > > Alan DeKok.
>
> try "%{sql: SELECT Value from radcheck WHERE Value='%{User-Name}' and Attribute='Cleartext-Password'}"
Re: MAC-Authentication from Mysql
David Seira wrote:
> Thanks for your responses. I tried SQL XLAT yesterday but I had the following radiusd -X errors:
>
>     /usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection.

The next logical step would be to post *that line* from the file, and ask "What is wrong about it?" Or, to look at the 2-3 previous error messages above that one, which likely tell you *what* is wrong.

> I think it is not possible to do that with SQL XLAT.

Nonsense.

Alan DeKok.
Re: MAC-Authentication from Mysql
> The next logical step would be to post *that line* from the file, and ask "What is wrong about it?"

Yes, but I think it is not possible with SQL XLAT. For that reason, finally, I tried sql.authorize, as Arran advised me, and I think I've achieved the solution. The problem was I didn't understand the rlm_mysql module; I didn't know the authorize function of rlm_mysql. The solution for my scenario is:

    sql.authorize
    if (notfound) {
        reject
    }
    else {
        ok
    }

This configuration works for me if the NAS sends username and Calling-Station-Id. But I don't know if all commercial NAS send these attributes or only Calling-Station-Id. What do you know about it?

Thanks for all.

Regards, David

2010/11/23 Alan DeKok al...@deployingradius.com
> David Seira wrote:
> > Thanks for your responses. I tried SQL XLAT yesterday but I had the following radiusd -X errors:
> >
> >     /usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection.
>
> The next logical step would be to post *that line* from the file, and ask "What is wrong about it?" Or, to look at the 2-3 previous error messages above that one, which likely tell you *what* is wrong.
>
> > I think it is not possible to do that with SQL XLAT.
>
> Nonsense.
>
> Alan DeKok.
MAC-Authentication from Mysql
Hi list.

I'm trying to implement MAC-Authentication directly from a Mysql database. I followed the wiki page http://wiki.freeradius.org/Mac-Auth to authenticate macs from a file. I want to authenticate macs reading the authorized macs from a mysql database. I understand that in the radcheck table I need to put the macs like this:

    username           attribute           op  value
    =================  ==================  ==  =================
    00:11:22:33:44:55  Cleartext-Password  :=  00:11:22:33:44:55

I don't know where to put the sql instruction to read macs from the database. Is it in the post-auth section? How can I do this?

Regards, David
Re: MAC-Authentication from Mysql
David Seira wrote:
> I don't know where to put the sql instruction to read macs from the database.

Read raddb/sites-available/default. Look for "sql".

Alan DeKok.
Re: MAC-Authentication from Mysql
Hi Alan. Thanks for your time. In the authorize section I have the following instructions to authorize users in a mac file:

    if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-Id}$/i)) {
        update control {
            Auth-Type = 'CSID'
        }
    }

I don't know how to call the sql module to read the list of users from mysql. If I put in that section the sql instruction I don't know how to compare the sql results with the Calling-Station-Id that the NAS returns in the request. Another thing is that I don't know why the authorization is made in the post-auth section.

Thanks for your help.

Regards, David

2010/11/22 Alan DeKok al...@deployingradius.com
> David Seira wrote:
> > I don't know where to put the sql instruction to read macs from the database.
>
> Read raddb/sites-available/default. Look for "sql".
>
> Alan DeKok.
Re: MAC-Authentication from Mysql
> I don't know how to call the sql module to read the list of users from mysql. If I put in that section the sql instruction I don't know how to compare the sql results with the Calling-Station-Id that the NAS returns in the request. Another thing is that I don't know why the authorization is made in the post-auth section.

Because technically authorisation should be performed after authentication, and the server really has it the wrong way round. Just change the files call in post-auth to be sql.authorize and check for the correct return code...

Or use SQL XLAT...

    post-auth {
        # COUNT(*) is 1 when the calling MAC is in authorized_macs, 0 otherwise
        if ("%{sql:SELECT COUNT(*) FROM authorized_macs WHERE mac_address = '%{Calling-Station-Id}'}" > 0) {
            ok
        }
        else {
            reject
        }
    }

You'll have to build the tables yourself, but that's not hard...

-Arran
Re: MAC-Authentication from Mysql
On 22/11/2553 22:41, David Seira wrote:
> Hi Alan. Thanks for your time. In the authorize section I have the following instructions to authorize users in a mac file:
>
>     if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-Id}$/i)) {
>         update control {
>             Auth-Type = 'CSID'
>         }
>     }
>
> I don't know how to call the sql module to read the list of users from mysql. If I put in that section the sql instruction I don't know how to compare the sql results with the Calling-Station-Id that the NAS returns in the request. Another thing is that I don't know why the authorization is made in the post-auth section.
>
> Thanks for your help.
>
> Regards, David
>
> 2010/11/22 Alan DeKok al...@deployingradius.com
> > David Seira wrote:
> > > I don't know where to put the sql instruction to read macs from the database.
> >
> > Read raddb/sites-available/default. Look for "sql".
> >
> > Alan DeKok.

try "%{sql: SELECT Value from radcheck WHERE Value='%{User-Name}' and Attribute='Cleartext-Password'}"
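The MAC-authorization decision this thread converges on, as an added example that is not the thread's own configuration: it models David's authorize-section test (Service-Type == Call-Check, or User-Name matching Calling-Station-Id case-insensitively), Arran's lookup against an authorized_macs table, and Schilling's netreg outcome of sending a sandbox VLAN for unknown or blocked MACs. SQLite stands in for MySQL, the `blocked` column, the VLAN names and the `reject_unknown` switch are assumptions, and the MAC compare is looser than the literal regex in the thread because it normalizes both attributes first.

```python
"""MAC authorization decision for a Call-Check request (added example).

Assumptions: an authorized_macs(mac_address, blocked) table, VLAN names
"sandbox" and "staff", and a sqlite3 in-memory database standing in for
the MySQL backend described in the thread.
"""
import re
import sqlite3

SANDBOX_VLAN = "sandbox"   # assumed: registration/blocked portal VLAN
REGULAR_VLAN = "staff"     # assumed: VLAN for registered MACs

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def normalize_mac(value):
    """Return twelve lowercase hex digits, or None if `value` is not a MAC
    in one of the formats NASes send. Validating before the SQL lookup
    means only a well-formed MAC ever reaches the query."""
    if not value or not MAC_RE.match(value):
        return None
    return re.sub(r"[:.-]", "", value).lower()


def build_db(rows):
    """Constructed stand-in for the MySQL table; rows are (mac, blocked)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authorized_macs ("
               "mac_address TEXT PRIMARY KEY, blocked INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO authorized_macs VALUES (?, ?)", rows)
    db.commit()
    return db


def is_mac_auth_request(req):
    """The thread's authorize-section test. The unlang version compares the
    raw strings with a case-insensitive regex; here both attributes are
    normalized so 00-A0-08-... and 00:a0:08:... compare equal."""
    if req.get("Service-Type") == "Call-Check":
        return True
    user = normalize_mac(req.get("User-Name"))
    return user is not None and user == normalize_mac(req.get("Calling-Station-Id"))


def authorize(db, req, reject_unknown=False):
    """Return (decision, vlan). Unknown MACs go to the sandbox VLAN (netreg
    style) or are rejected (Arran's post-auth style) depending on
    reject_unknown; blocked MACs always get the sandbox VLAN. Requests that
    are not MAC-auth requests are left to the other modules (noop)."""
    if not is_mac_auth_request(req):
        return ("noop", None)
    mac = normalize_mac(req.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", None)
    # Bound parameter rather than interpolating the attribute into SQL text,
    # which is what the %{sql:... '%{Calling-Station-Id}'} xlat does.
    row = db.execute("SELECT blocked FROM authorized_macs WHERE mac_address = ?",
                     (mac,)).fetchone()
    if row is None:
        return ("reject", None) if reject_unknown else ("accept", SANDBOX_VLAN)
    if row[0]:
        return ("accept", SANDBOX_VLAN)
    return ("accept", REGULAR_VLAN)


if __name__ == "__main__":
    # Constructed table: one registered MAC, one registered-but-blocked MAC.
    db = build_db([("001122334455", 0), ("00a0080806bd", 1)])
    requests = [
        {"Service-Type": "Call-Check", "User-Name": "001122334455",
         "Calling-Station-Id": "00-11-22-33-44-55"},
        {"User-Name": "00:A0:08:08:06:BD", "Calling-Station-Id": "00-A0-08-08-06-BD"},
        {"Service-Type": "Call-Check", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
        {"User-Name": "alice", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
    ]
    for req in requests:
        print(req.get("Calling-Station-Id"), "->", authorize(db, req))
```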
Re: mac authentication
I am attempting to edit the ldap module to pass the mac address from the wireless client as the user. I have changed the basedn, but not sure how to change the filter. Here is what I have:

    ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "localhost"
        #identity = "cn=admin,o=My Org,c=UA"
        #password = mypass
        basedn = "ou=machines,dc=isd2190,dc=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

I would like to run radtest against the mac address too, so I can be sure things are working before adding in the wireless AP. It is erroring out because I am not using a password???

Raymond
Re: mac authentication
Raymond Norton wrote:
> I have a working set up using wpa2 with freeradius and ldap. I need to set up host authentication instead of user authentication. I am using LAM to manage ldap and have added a couple host accounts, but I keep getting a login page from the hotspot. The problem could be a config issue on any device, but I am curious if there is a config change I need to make on freeradius to accommodate passing mac addresses to ldap rather than user credentials?

Edit the file raddb/modules/ldap

Alan DeKok.
mac authentication
I have a working set up using wpa2 with freeradius and ldap. I need to set up host authentication instead of user authentication. I am using LAM to manage ldap and have added a couple host accounts, but I keep getting a login page from the hotspot. The problem could be a config issue on any device, but I am curious if there is a config change I need to make on freeradius to accommodate passing mac addresses to ldap rather than user credentials? (I want to use ldap for authentication instead of adding the host info to the config of freeradius.)

Raymond
Re: EAP-TLS and MAC Authentication
I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.

-John
Re: EAP-TLS and MAC Authentication
Hi,

> I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.

how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless

alan
RE: EAP-TLS and MAC Authentication
> Hi,
>
> > I've been told that Cisco APs won't do WPA with MAC auth in recent versions of IOS.
>
> how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless
>
> alan

The only way I can think of it working was if using Cisco's local MAC list on the AP itself. I tried testing briefly with EAP and MAC set FR only. In about a minute or so, I received about 2K EAP requests all returning Access-Reject. If I get a few spare moments to test, I'll try adding my MAC to the local list and tell the AP to use the local list for MAC and FR for EAP. I have a feeling this might work, but I am certainly not going back to maintaining MAC lists on all of our APs (both because I'd have to modify the APs again to have enough storage space to hold the MAC list and because it's a pain to keep that many lists in sync) and I think using a check in FR is a much cleaner solution in many ways.

--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org
RE: EAP-TLS and MAC Authentication
> > how would that have worked anyway - you need the key exchange and the right type of EAP for WPA and wireless
> >
> > alan
>
> The only way I can think of it working was if using Cisco's local MAC list on the AP itself. I tried testing briefly with EAP and MAC set FR only. In about a minute or so, I received about 2K EAP requests all returning Access-Reject. If I get a few spare moments to test, I'll try adding my MAC to the local list and tell the AP to use the local list for MAC and FR for EAP. I have a feeling this might work, but I am certainly not going back to maintaining MAC lists on all of our APs (both because I'd have to modify the APs again to have enough storage space to hold the MAC list and because it's a pain to keep that many lists in sync) and I think using a check in FR is a much cleaner solution in many ways.
>
> --
> John McDonnell
> Penn Cambria School District
> mcdon...@pcam.org
> ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org

Yes, when checking the MAC against the local list, it works. It checks the MAC against the local list before attempting to forward any packets to FR for EAP. When using a lightweight AP instead of an autonomous AP, I suppose this list is kept on the controller and distributed to the APs. This is the only way that seems like it would be of any use.

--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org
RE: EAP-TLS and MAC Authentication
-----Original Message-----

> John McDonnell wrote:
> > I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?
>
> It never hurts. You can do *both* EAP & MAC auth at the same time.

I don't know if you have any experience with the 1100 series access points from Cisco, but they have a setting called "EAP and MAC authentication". I'm not sure how it is implemented, but I would imagine I should just set it to do EAP and have FR itself do the MAC check as part of the authorization?

> It stops people who share their passwords. If you do login tracking, you can see if two MACs have logged in at the same time, too.

This was why I was originally going to enable both EAP and MAC but then wondered if it would just be overhead since I plan on going the certificate route. Right now, the only laptops we want to allow on the wireless network are the ones that we received from the Classrooms for the Future (CFF) grant. This summer I will be touching each of these computers (I'll be imaging all of the student laptops and updating the teacher ones individually) and will install the certificates during the procedure.

> This stops a large percentage of bad behavior. If you're *not* tracking MACs right now, you have no idea who's on your network.
>
> Alan DeKok.

We're not really tracking MACs per se right now, we only require the MAC to be a valid MAC. We don't check for duplicates. Combined with using WEP, it currently makes for a very insecure network, hence why I want to switch to using certificates. I've learned a lot about how RADIUS, and FR in particular, works in the past year, but I still have a lot to learn. I understand a new book on FR has been in the works, which would be a great help I'm sure. In the meantime, I try to keep track of the users list and do some reading (a lot of it outdated) on the web.

The goal of my updates to the wireless network over the summer is to make the network more secure without our users actually having to do anything different. Whether that's installing certificates or using PEAP with the username/password saved on the laptop, we don't currently want to make things more difficult for the teachers/students. Hopefully one of the updates my boss will be doing over the summer will be to get LDAP working properly, at which point switching to TTLS or PEAP will become much more attractive than they currently are. I suppose doing the MAC authentication wouldn't really add much overhead at all if done by the FR server itself and not separate calls from the AP, so I will look into how to do this. Any pointers or hints would greatly be appreciated.

--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
Re: EAP-TLS and MAC Authentication
John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points from Cisco, but they have a setting called "EAP and MAC authentication". I'm not sure how it is implemented, but I would imagine I should just set it to do EAP and have FR itself do the MAC check as part of the authorization?

Yes. Having APs implement policies is a recipe for disaster.

> We're not really tracking MACs per se right now, we only require the MAC to be a valid MAC. We don't check for duplicates. Combined with using WEP, it currently makes for a very insecure network, hence why I want to switch to using certificates. I've learned a lot about how RADIUS, and FR in particular, works in the past year, but I still have a lot to learn. I understand a new book on FR has been in the works, which would be a great help I'm sure. In the meantime, I try to keep track of the users list and do some reading (a lot of it outdated) on the web.

I'm trying to find time to finish the book. :(

> I suppose doing the MAC authentication wouldn't really add much overhead at all if done by the FR server itself and not separate calls from the AP, so I will look into how to do this. Any pointers or hints would greatly be appreciated.

raddb/modules/mac*

They're not examples for RADIUS, but the principles should be the same.

Alan DeKok.
Re: EAP-TLS and MAC Authentication
John McDonnell wrote:
> I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?

It never hurts. You can do *both* EAP & MAC auth at the same time.

It stops people who share their passwords. If you do login tracking, you can see if two MACs have logged in at the same time, too.

This stops a large percentage of bad behavior. If you're *not* tracking MACs right now, you have no idea who's on your network.

Alan DeKok.
EAP-TLS and MAC Authentication
First a little information on our setup. When I first started working here, the wireless network had been in place for a year already and was rather small, only 3 access points and ~90 laptops. My boss set it up as static WEP (I don't know why WEP instead of WPA) and used the APs' (Cisco 1121 series) authorized MAC list to restrict access to our laptops. When I came on board, we just received about 250 new laptops from the grant and the APs couldn't fit all of the MAC addresses in the space allocated in the flash as simulated NVRAM. For a quick fix, I changed how much NVRAM was simulated in order for the APs to hold the info when rebooted. Of course, maintaining the MAC list on all of these APs (we got an additional 8 or 9 APs at that time) was a nightmare, plus the APs seemed a bit sluggish with authenticating laptops. I convinced my boss to let me configure a FreeRADIUS server to do the authentication, removing all of the MAC addresses from the APs and resetting the NVRAM to its default size.

We now have about 15 APs and ~400 laptops. Some APs are overloaded while others have no load at all, though this has little to do with FR other than the fact the APs lose packets to FR from time to time, through no fault of FR at all. This summer, due to budget cuts, we won't be getting in much new equipment which frees me up to do some long needed adjustments to the wireless network. I am going to be converting from WEP to WPA finally. I don't want to use WPA-PSK so I am looking at doing EAP-TLS. I have a test server up that I've gotten to work with EAP-TLS using the snake-oil certificates. On the APs, there is the option of doing EAP and MAC authentication. This leads to my question.

Does doing MAC authentication really accomplish anything when using EAP-TLS? The certificates can't be copied from the laptop they are installed onto as far as I know. They're running XP SP3 and when installing the certificates, the option to export them will not be checked. This should mean that if it has a valid certificate, it is one of our laptops and not someone who somehow stole a cert and installed it on their laptop. I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?

The only thing I can see enabling MAC authentication for is if we switch at some point to EAP-TTLS or EAP-PEAP to verify that the user is logging in with one of our laptops and not one they brought in from home/cell phone/etc. Or if I can convince my boss to authenticate all the wired connections so that no one brings in a laptop from home and plugs it into the network. (We've had at least some substitute teachers do this apparently, not sure if any full-time staff has done this.) While I might end up creating temporary users for when we have presenters and use EAP-[TTLS|PEAP] for them, I'd have to not do MAC authentication for them as finding out the MAC address in advance seems rather unlikely to happen.

Sorry for being so long winded, but I wanted to make sure I got everything relevant about our setup and what I'm trying to do across. And as I finish my proof-reading, I realize that regardless of if I do MAC authentication or not, it seems rather pointless to enable the option on the AP as the MAC address would be sent regardless of if I set it or not. (Which really makes me wonder why they even included it, unless I'm misunderstanding something.) I think the proper solution would be to do a check in FR to ensure when the user requests access, that the requesting MAC is from one of our machines. Regardless, could someone let me know if there is any need to do MAC authentication when doing EAP-TLS?

--
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao wrote:
> So radiusd -X won't show whether a check attribute was updated or not?

No. There are a LOT of things that can happen when the server runs. It doesn't print out all of them.

> It's supposed to update the "auth-type" value but nothing is shown whether the value has been successfully updated or not...

Yes.

Alan DeKok.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

I am still waiting for a possible solution for this problem that I have... Please let me know even if there is no easy fix.

To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the "users" file takes precedence over "sites-available/default". Whenever there is a DEFAULT entry in the users file, the freeradius server doesn't try to run the module/function in the authentication section... I have attached the debug for both cases. Please take a look whenever you can.

Thank you!
Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Wednesday, December 30, 2009 12:19 PM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Hey guys,
>
> Since I have asked so many questions regarding this topic I guess you all know my situation very well, so I won't go through the whole thing again and save your time!
>
> So I found that if I add a DEFAULT line at the bottom of the users file, like:
>
>     ...
>     DEFAULT    Auth-Type = ntlm_auth
>
> the server will always use ntlm for authentication... even though I have updated the Auth-Type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a DEFAULT line in the users file while still using the special authentication that I defined for MAC authentication bypass?
>
> Thanks!
>
> policy.conf:
>
>     policy {
>         ...
>         rewrite_calling_station_id {
>             if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
>                 update request {
>                     Calling-Station-Id := "00a008%{1}%{2}%{3}"
>                 }
>             }
>             else {
>                 noop
>             }
>         }
>     }
>
> Default:
>
>     authorize {
>         ...
>         rewrite_calling_station_id
>         if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
>             update control {
>                 Auth-Type = 'Auth-NHSTB'
>             }
>         }
>     }
>
>     authenticate {
>         ...
>         Auth-Type Auth-NHSTB {
>             if (request:User-Name == "%{request:User-Password}") {
>                 ok
>             }
>             else {
>                 reject
>             }
>         }
>     }
>
> Guest-tek, Difan Zhao
> difan.z...@guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048   Cell: 403-689-7514
>
> rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
>         User-Name = 00a0080806bd
>         User-Password = 00a0080806bd
>         Service-Type = Call-Check
>         Framed-MTU = 1500
>         Called-Station-Id = 00-1D-E5-9C-29-04
>         Calling-Station-Id = 00-A0-08-08-06-BD
>         Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
>         NAS-Port-Type = Ethernet
>         NAS-Port = 50102
>         NAS-Port-Id = FastEthernet1/0/2
>         NAS-IP-Address = 172.17.254.100
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 38
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ++- entering policy rewrite_calling_station_id {...}
> +++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
> ? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
> +++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
> +++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
>         expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
> [request] returns noop
> +++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
> +++ ... skipping else for request 1: Preceding if was taken
> ++- policy rewrite_calling_station_id returns noop
> ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
> ?? Evaluating (Service-Type == 'Call-Check') -> TRUE
>         expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
> ?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
> ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
> ++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao wrote:
> To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the “users” file takes precedence over “sites-available/default”.

No. You are setting Auth-Type = ... in the users file, and then trying to set Auth-Type = ... *again* elsewhere.

See "man unlang" for the meaning of the operators. If you want to over-ride a previous value, use :=, not =.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
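The operator point above is easier to see in a small model than in the debug output. The following is an added example, not FreeRADIUS code and not from any poster: it imitates unlang's update operators on the control list ("=" adds an attribute only if it is absent, ":=" overwrites), the rewrite_calling_station_id policy and the Call-Check comparison from the configs in this thread, so the effect of the users-file DEFAULT entry and of "=" versus ":=" can be reproduced offline. The function names and the sample request are my own constructions; the request values are copied from the posted debug output.

```python
"""Model of the MAB authorize/authenticate flow discussed in this thread.

Added example, not FreeRADIUS code: it imitates unlang's update operators
('=' adds an attribute only if it is absent, ':=' overwrites) on the control
list, the rewrite_calling_station_id policy, and the Call-Check comparison.
Function names and the sample request are constructed for this example.
"""
import re
from typing import Dict, Tuple

# Constructed sample request; the values come from the debug output in the thread.
REQUEST: Dict[str, str] = {
    "User-Name": "00a0080806bd",
    "User-Password": "00a0080806bd",
    "Service-Type": "Call-Check",
    "Calling-Station-Id": "00-A0-08-08-06-BD",
}

# The OUI the thread's policy rewrites (00-A0-08); other MACs are left untouched.
MAC_RE = re.compile(r"^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$", re.I)


def update(pairs: Dict[str, str], attr: str, op: str, value: str) -> bool:
    """Apply one 'update' line with operator op; return True if the list changed."""
    if op == "=":                      # '=': only add when the attribute is absent
        if attr in pairs:
            return False
        pairs[attr] = value
        return True
    if op == ":=":                     # ':=': replace whatever is already there
        pairs[attr] = value
        return True
    raise ValueError(f"unsupported operator {op!r}")


def rewrite_calling_station_id(request: Dict[str, str]) -> Dict[str, str]:
    """policy rewrite_calling_station_id: 00-A0-08-XX-XX-XX -> 00a008XXXXXX."""
    m = MAC_RE.match(request.get("Calling-Station-Id", ""))
    if not m:
        return request                 # else { noop }
    out = dict(request)
    out["Calling-Station-Id"] = "00a008" + "".join(m.groups())
    return out


def authorize(request: Dict[str, str], users_default_op: str, site_op: str):
    """authorize {}: the users-file DEFAULT entry runs first, then the unlang 'if'."""
    control: Dict[str, str] = {}
    # rlm_files:  DEFAULT  Auth-Type = ntlm_auth   (check item, operator '=')
    update(control, "Auth-Type", users_default_op, "ntlm_auth")
    request = rewrite_calling_station_id(request)
    csid = request.get("Calling-Station-Id", "")
    # if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-Id}$/i))
    if request.get("Service-Type") == "Call-Check" and re.fullmatch(
        re.escape(csid), request.get("User-Name", ""), re.I
    ):
        update(control, "Auth-Type", site_op, "Auth-NHSTB")
    return request, control


def authenticate(request: Dict[str, str], control: Dict[str, str]) -> str:
    """authenticate {}: dispatch on control:Auth-Type."""
    auth_type = control.get("Auth-Type")
    if auth_type == "Auth-NHSTB":
        # if (request:User-Name == "%{request:User-Password}") { ok } else { reject }
        return "ok" if request["User-Name"] == request["User-Password"] else "reject"
    # ntlm_auth: a MAC address is not a domain account, so the lookup fails
    # (NT_STATUS_NO_SUCH_USER in the posted debug) and the request is rejected.
    return "reject"


def run(request: Dict[str, str], users_default_op: str = "=", site_op: str = "=") -> Tuple[str, str]:
    """Return (Auth-Type chosen in authorize, result of authenticate)."""
    req, control = authorize(request, users_default_op, site_op)
    return control.get("Auth-Type", ""), authenticate(req, control)


if __name__ == "__main__":
    print("site config uses '=':  ", run(REQUEST, "=", "="))   # ('ntlm_auth', 'reject')
    print("site config uses ':=': ", run(REQUEST, "=", ":="))  # ('Auth-NHSTB', 'ok')
```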
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Lol Alan you found the problem again! I just read the manual of users and unlang again and now I know clearly what the problem was... Thank you very much for the help!

So radiusd -X won't show whether a check attribute was updated or not? Here is my radiusd -X output. It's the same no matter whether I use = or := ...

    ...
    ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
    ++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
    +++[control] returns noop
    ...

It's supposed to update the Auth-Type value but nothing is shown about whether the value has been successfully updated or not... Is this about right, or is it actually shown somewhere else and I am looking at the wrong place??

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, January 04, 2010 4:10 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Difan Zhao wrote:
>> To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the users file takes precedence over sites-available/default.
>
> No. You are setting Auth-Type = ... in the users file, and then trying to set Auth-Type = ... *again* elsewhere.
>
> See "man unlang" for the meaning of the operators. If you want to over-ride a previous value, use :=, not =.
>
> Alan DeKok.
Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk> wrote:
> On 29/12/2009 14:45, Difan Zhao wrote:
>> Difan Zhao would like to recall the message, "MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??".
>
> I've often wondered what that means... Is it some weird outlook feature that is meant to 'unsend' email?

Yep, only works if you have a MS Exchange server apparently (maybe it works with Outlook-Outlook). Meanwhile the rest of the world just laughs and smiles. :)

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.
RE: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
So I assume that none of you guys use MS Exchange server then... Do you guys all hate MS and support open source?? I am a windows guy but I am on your side!!

Arran, you found the problem! Now it works! Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alexander Clouter
Sent: Wednesday, December 30, 2009 5:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk> wrote:
>> On 29/12/2009 14:45, Difan Zhao wrote:
>>> Difan Zhao would like to recall the message, "MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??".
>>
>> I've often wondered what that means... Is it some weird outlook feature that is meant to 'unsend' email?
>
> Yep, only works if you have a MS Exchange server apparently (maybe it works with Outlook-Outlook). Meanwhile the rest of the world just laughs and smiles. :)
>
> Cheers
>
> -- 
> Alexander Clouter
> .sigmonster says: And on the seventh day, He exited from append mode.
Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
On 30/12/2009 09:12, Difan Zhao wrote:
> So I assume that none of you guys use MS Exchange server then... Do you guys all hate MS and support open source?? I am a windows guy but I am on your side!!

I believe it's being forced on staff at my previous employer's site, but it's not there yet. My current employer uses Exchange.

Personally I believe people should always use the tools that allow for best productivity in their environment. Obviously there is inefficiency in running multiple services to support esoteric client configurations, so standards-based protocols should be used wherever possible to ensure maximum compatibility.

> Arran, you found the problem! Now it works! Thank you!

Left operand can either be a reference to a variable or a string. Right operand can only be a string.

When a double quoted string is being parsed (expanded), the encapsulating curly braces %{var} tell the server that this part of the string should not be interpreted literally, but should instead be replaced with the result of the operation described by the text between the curly braces. The use of %{} outside of double quotes is invalid.

If you'd wrapped both the operands in double quotes it'd have worked; just using the variable reference as the left operand is slightly faster.

-Arran

> Guest-tek, Difan Zhao
> difan.z...@guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048   Cell: 403-689-7514
>
> -----Original Message-----
> From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alexander Clouter
> Sent: Wednesday, December 30, 2009 5:52 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
>
>> Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk> wrote:
>>> On 29/12/2009 14:45, Difan Zhao wrote:
>>>> Difan Zhao would like to recall the message, "MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??".
>>>
>>> I've often wondered what that means... Is it some weird outlook feature that is meant to 'unsend' email?
>>
>> Yep, only works if you have a MS Exchange server apparently (maybe it works with Outlook-Outlook). Meanwhile the rest of the world just laughs and smiles. :)
>>
>> Cheers
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

Since I have asked so many questions regarding this topic I guess you all know my situation very well, so I won't go through the whole thing again and save your time!

So I found that if I add a DEFAULT line at the bottom of the users file, like:

    ...
    DEFAULT    Auth-Type = ntlm_auth

the server will always use ntlm for authentication... even though I have updated the Auth-Type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a DEFAULT line in the users file while still using the special authentication that I defined for MAC authentication bypass?

Thanks!

policy.conf:

    policy {
        ...
        rewrite_calling_station_id {
            if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                update request {
                    Calling-Station-Id := "00a008%{1}%{2}%{3}"
                }
            }
            else {
                noop
            }
        }
    }

Default:

    authorize {
        ...
        rewrite_calling_station_id
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }

    authenticate {
        ...
        Auth-Type Auth-NHSTB {
            if (request:User-Name == "%{request:User-Password}") {
                ok
            }
            else {
                reject
            }
        }
    }

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
        User-Name = 00a0080806bd
        User-Password = 00a0080806bd
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-04
        Calling-Station-Id = 00-A0-08-08-06-BD
        Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = FastEthernet1/0/2
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=00a0080806bd
[ntlm_auth]     expand: --password=%{User-Password} -> --password=00a0080806bd
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Greetings,

I hope you all had a wonderful Christmas holiday!

So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern); however, from the radiusd -X output (which I attached here) it doesn't seem to authenticate them the way I want it to.

Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-Station-Id, since I rewrite it to be the same as the User-Name) and the password (which is made to be the same as the User-Name as well) to authenticate the device.

However, it looks like my "if" conditions are all matched during the process, yet they all returned "noop" instead of updating the information I wanted them to. Here are the configurations I made in the policy.conf and sites-available/default files.

policy.conf:

    policy {
        ...
        rewrite_calling_station_id {
            if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                update request {
                    Calling-Station-Id := "00a008%{1}%{2}%{3}"
                }
            }
            else {
                noop
            }
        }
    }

Default:

    authorize {
        ...
        rewrite_calling_station_id
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }

    authenticate {
        ...
        Auth-Type Auth-NHSTB {
            if (Chap-Password) {
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
                chap
            }
            else {
                ok
            }
        }
    }

It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas?

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=45, length=157
        User-Name = 00a0080806bd
        User-Password = 00a0080806bd
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-04
        Calling-Station-Id = 00-A0-08-08-06-BD
        Message-Authenticator = 0x7e1fb3874de8f8f7c98b237aa1778647
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = FastEthernet1/0/2
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = Auth-NHSTB
+- entering group Auth-NHSTB {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id
Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao would like to recall the message, "MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??".
Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
On 29/12/2009 14:45, Difan Zhao wrote:
> Difan Zhao would like to recall the message, "MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??".

I've often wondered what that means... Is it some weird outlook feature that is meant to 'unsend' email?
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
I apologize for the previous spam! I kind of figured out my problem. Then I tried to fix it and now I have a new problem!!

So I want to authenticate devices when both User-Name and User-Password are the same and are both the MAC of the device. My default file looks like:

    authorize {
        ...
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }
    ...
    authenticate {
        Auth-Type Auth-NHSTB {
            if (%{request:User-Password} == %{request:User-Name}) {
                ok
            }
            else {
                noop
            }
        }
    }

However, when I try to run radiusd I keep getting this error:

    Expected regular expression at: request:User-Password)
    /etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.
    Errors initializing modules

I also tried a lot of other syntax and different operators as well but the error is still there... What is the right syntax??

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Greetings,
>
> I hope you all had a wonderful Christmas holiday!
>
> So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern); however, from the radiusd -X output (which I attached here) it doesn't seem to authenticate them the way I want it to.
>
> Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-Station-Id, since I rewrite it to be the same as the User-Name) and the password (which is made to be the same as the User-Name as well) to authenticate the device.
>
> However, it looks like my "if" conditions are all matched during the process, yet they all returned "noop" instead of updating the information I wanted them to. Here are the configurations I made in the policy.conf and sites-available/default files.
>
> policy.conf:
>
>     policy {
>         ...
>         rewrite_calling_station_id {
>             if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
>                 update request {
>                     Calling-Station-Id := "00a008%{1}%{2}%{3}"
>                 }
>             }
>             else {
>                 noop
>             }
>         }
>     }
>
> Default:
>
>     authorize {
>         ...
>         rewrite_calling_station_id
>         if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
>             update control {
>                 Auth-Type = 'Auth-NHSTB'
>             }
>         }
>     }
>
>     authenticate {
>         ...
>         Auth-Type Auth-NHSTB {
>             if (Chap-Password) {
>                 update control {
>                     Cleartext-Password := "%{User-Name}"
>                 }
>                 chap
>             }
>             else {
>                 ok
>             }
>         }
>     }
>
> It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
>
> Thank you!
>
> Guest-tek, Difan Zhao
> difan.z...@guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048   Cell: 403-689-7514
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Should be:

    if (request:User-Password == "%{request:User-Name}") {

> However, when I try to run radiusd I keep getting this error:
>
>     Expected regular expression at: request:User-Password)
>     /etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.
>     Errors initializing modules
>
> I also tried a lot of other syntax and different operators as well but the error is still there… What is the right syntax??
>
> Thank you!
>
> Guest-tek, Difan Zhao
> difan.z...@guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048   Cell: 403-689-7514
>
> From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
> Sent: Tuesday, December 29, 2009 11:09 AM
> To: FreeRadius users mailing list
> Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
>
>> Greetings,
>>
>> I hope you all had a wonderful Christmas holiday!
>>
>> So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern); however, from the radiusd -X output (which I attached here) it doesn't seem to authenticate them the way I want it to.
>>
>> Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-Station-Id, since I "rewrite" it to be the same as the User-Name) and the password (which is made to be the same as the User-Name as well) to authenticate the device.
>>
>> However, it looks like my "if" conditions are all matched during the process, yet they all returned "noop" instead of updating the information I wanted them to.
>>
>> Here are the configurations I made in the policy.conf and sites-available/default files.
>>
>> policy.conf:
>>
>>     policy {
>>         …
>>         rewrite_calling_station_id {
>>             if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
>>                 update request {
>>                     Calling-Station-Id := "00a008%{1}%{2}%{3}"
>>                 }
>>             }
>>             else {
>>                 noop
>>             }
>>         }
>>     }
>>
>> Default:
>>
>>     authorize {
>>         …
>>         rewrite_calling_station_id
>>         if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
>>             update control {
>>                 Auth-Type = 'Auth-NHSTB'
>>             }
>>         }
>>     }
>>
>>     authenticate {
>>         …
>>         Auth-Type Auth-NHSTB {
>>             if (Chap-Password) {
>>                 update control {
>>                     Cleartext-Password := "%{User-Name}"
>>                 }
>>                 chap
>>             }
>>             else {
>>                 ok
>>             }
>>         }
>>     }
>>
>> It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
>>
>> Thank you!
>>
>> Guest-tek, Difan Zhao
>> difan.z...@guest-tek.com
>> www.guest-tek.com
>> Office: 403-509-1010 ext 3048   Cell: 403-689-7514
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao wrote:
> ...
>     if (%{request:User-Password} == %{request:User-Name}) {

Please read "man unlang". It documents the accepted syntax. The example above is not correct.

Alan DeKok.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

So I finally started configuring this MAC auth bypass thing... I am editing the raddb/policy.conf to include the rewrite_calling_station_id function/module; however, when I try to run radiusd -X I get this error:

    /etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
    error

Here is what I added in the policy.conf. I appended it to the back of the file. I never changed anything else in this file.

    rewrite_calling_station_id
    {
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
        {
            update request
            {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else
        {
            noop
        }
    }

My Calling-Station-Id is MAC addresses which are made of numbers and capital letters and "-" between octets. However, my User-Name is all lower case letters and numbers and there is no "-" or ":". I want to rewrite the Calling-Station-Id to be the same as the User-Name. Am I doing it right? How can I convert it to lower case, or do I need to do it at all??

PS: the MAC addresses will all start with 00-A0-08.

Thank you and merry Christmas!!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao wrote:
> Hey guys,
>
> So I finally started configuring this MAC auth bypass thing... I am editing the raddb/policy.conf to include the rewrite_calling_station_id function/module; however, when I try to run radiusd -X I get this error:
>
>     /etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
>     error
>
> Here is what I added in the policy.conf. I appended it to the back of the file. I never changed anything else in this file.

Curly braces need to be inline... don't assume the parser is clever.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Lol Thank you Arran... You found the problem! Now it's good. Thanks again!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048   Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, December 24, 2009 1:13 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Difan Zhao wrote:
>> Hey guys,
>>
>> So I finally started configuring this MAC auth bypass thing... I am editing the raddb/policy.conf to include the rewrite_calling_station_id function/module; however, when I try to run radiusd -X I get this error:
>>
>>     /etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
>>     error
>>
>> Here is what I added in the policy.conf. I appended it to the back of the file. I never changed anything else in this file.
>
> Curly braces need to be inline... don't assume the parser is clever.
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
So..., Alan suggested using unlang. I am actually reading unlang(5). If I use it, where or in what file do I put your script?

= Script that Alan wrote =

    authorise {
        if ("%{User-Name}" =~ /[0-9a-z]{12}/i && "%{Huntgroup-Name}" == "MAB-switches") {
            update control {
                Auth-Type := MAB
            }
            ok = return
        }
    }

    authenticate {
        Auth-Type MAB {
            ok
        }
    }

I do understand that I need to revise it to make it only authenticate the right MAC addresses and only respond if the request meets certain criteria or has certain attributes. Can I include this logic in unlang, such as User-Name == Calling-Station-Id or Service-Type == Call-Check?

In addition, I want to assign these devices to a specific VLAN. Can I add the attributes here as well? Is this VLAN assignment part of authentication or authorization?

Alexander, I did read the links you gave me very carefully and I guess I understand the logic... However, it seems that I have to edit many files. I am new to FreeRADIUS and I don't have any programming experience... Is there a document which can tell me briefly what these files are for and how FreeRADIUS is using them? I don't really want to edit those files when I don't know enough about them...

Thank you both for your advice!

Difan
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
> Alexander, I did read the links you gave me very carefully and I guess I understand the logic... However, it seems that I have to edit many files. I am new to FreeRADIUS and I don't have any programming experience... Is there a document which can tell me briefly what these files are for and how FreeRADIUS is using them? I don't really want to edit those files when I don't know enough about them...

As suggested in main README - doc/README.

Ivan Kalik
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk> wrote:
>> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
>
> Ahem *Vendor :P
>
> - - Sorry I have to do it or they beat me :(

dare I ask why you do not use your new 'formal' email address? ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: Oh no, not again.
                  -- Manoj Srivastava
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi,

>> yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
>
> Not when you say !EAP-Message too :)

...and how does that stop, let's just say for example, some user coming along with 802.1X configured on their wired interface and logging in with 00:11:22:33:44:55 as their user-name with EAP-MD5? ;-)

> Bah, I wrote a "you have to jump this high to connect to the Intertubes" document for work. The venduhs cannot even get past the tendering phase now :) Although it does nothing about the legacy guff, it stops new guff connecting.

that's true in so much as it controls those things...but lets more evil people on due to it being a nice new hole. oh well.

alan
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
On 21/12/2009 09:15, Alan Buxey wrote:
> Hi,
>
>>> yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
>>
>> Not when you say !EAP-Message too :)
>
> ...and how does that stop, let's just say for example, some user coming along with 802.1X configured on their wired interface and logging in with 00:11:22:33:44:55 as their user-name with EAP-MD5? ;-)

Last time I checked EAP-MD5-Response was still carried in the EAP-Message attribute, and the documentation in the wiki suggests that the username and Calling-Station-ID are canonicalized and compared before attempting Mac-Auth, so you need to fake the mac-address in your EAPOL frames too.

>> Although it does nothing about the legacy guff, it stops new guff connecting.
>
> that's true in so much as it controls those things...but lets more evil people on due to it being a nice new hole. oh well.

Well no. You need to know the Mac-Address of a target machine before you can connect to the network/VLAN. In order to find out the Mac-Address you need to physically locate yourself at a terminal; if you can physically locate yourself at a terminal, you generally have access to the network connection of the terminal anyway. The only thing it lets you do which you could do before is to do your cracking in a cafe instead of in a cluster room :). The real danger is someone gaining access to the uplink from one of your switches... which is why 802.1X-REV/Mac-Sec is so frickin awesome!

-Arran
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
On 21/12/2009 09:05, Alexander Clouter wrote:
> Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>>> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
>>
>> Ahem *Vendor :P
>>
>> Sorry I have to do it or they beat me :(
>
> dare I ask why you do not use your new 'formal' email address? ;)

Because I'm not on site, they've not worked out how to do webmail outside of the intranet, and they've disabled the Entourage connector in Exchange.

arran.cudbard-b...@popular british manufacturer of tomatoe and brown sauce.com

Should be back for January *sigh*.
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi,

> If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case?

for using AD - not without difficulty because it will want both bits.

you could use FreeRADIUS itself and a bit of unlang...for example, if you really don't care about the actual MAC address? in which case you could use unlang to check if it's a MAC address ..and that it's come from a particular group of switches eg something like

    authorize {
        if (%{User-Name} =~ /[0-9a-z]{12}/i && %{Huntgroup-Name} == "MAB-switches") {
            update control {
                Auth-Type := MAB
            }
            ok = return
        }
    }

    authenticate {
        Auth-Type MAB {
            ok
        }
    }

you can then add the bits into unlang for post-auth for returning the correct VLAN.

with older MAB you could do simple User-Name == Cleartext-Password - but with MD5 now in play I think you then enter the world of PERL or python on the FR box to deal with that.

PS my example was just roughly typed up - there may well be errors and it'll only work if you've got eg

    MAB-switches    NAS-IP-Address == 172.16.1.4
    MAB-switches    NAS-IP-Address == 172.16.1.5
    MAB-switches    NAS-IP-Address == 172.16.1.6

in the raddb/huntgroups file (and ensure the preprocess module is called before the unlang in the authorise section!)

alan
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case?
>
> for using AD - not without difficulty because it will want both bits.
>
> you could use FreeRADIUS itself and a bit of unlang...for example, if you really don't care about the actual MAC address? in which case you could use unlang to check if it's a MAC address ..and that it's come from a particular group of switches eg something like
>
>     authorize {
>         if (%{User-Name} =~ /[0-9a-z]{12}/i

some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :)

'cheese112233xxyyzzTASTY' would even match that :)

For detecting if MAC auth is being requested, I recommend something like what I described for Cisco kit in:

http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00423.html

I think it was Aaron who wrote the following:

http://wiki.freeradius.org/Mac-Auth

Between the two you should be able to do something for your kit; I recommend you have a play with tcpdump/wireshark to work out what your NAS is actually sending.

Other than Alan's interesting regexp, I would suggest a number of NAS 'sanitisers' to put in policy.conf:

    rewrite.called_station_id {
        if (%{request:Called-Station-Id} =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})(:(.+))?$/i) {
            # does it have an SSID component?
            if (%{7}) {
                update request {
                    Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}%{7}"
                }
            }
            else {
                update request {
                    Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
                }
            }
        }
        else {
            noop
        }
    }

    rewrite.calling_station_id {
        if (%{request:Calling-Station-Id} =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }

Then in your authorize section, after you have called 'preprocess', you call 'rewrite.called_station_id' and 'rewrite.calling_station_id' to RFC-ise those attributes. It means you do not have to add kludges for NAS's that use ':' separated MAC's, or Cisco IOS style MACs. It is all translated to the '00-11-22-33-44-55' RFC 'approved' format.

Another hint is just before you make your SQL/LDAP query, use something like this (MAC-Address-Trimmed is something I have put in my /etc/freeradius/dictionary file for local use only):

    if (Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) {
        update control {
            MAC-Address-Trimmed := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
    }

Then all MAC addresses in your database are just in the format '001122334455'. Just a recommendation.

Another hint is when it comes to SQL logging (*strongly* recommended) you use some SQL syntax to force the RFC format MAC address lowercase before it gets INSERTed. This means later on when you are looking through your logs you are not running into case-sensitivity issues (LDAP lookups are not case sensitive so for authorisation, it does not matter).

Cheers

--
Alexander Clouter
.sigmonster says: Don't get even -- get odd!
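The two rewrite.* policies and the MAC-Address-Trimmed step above, modelled in Python so the regexes can be exercised offline against the formats named in this thread (Cisco IOS dotted, colon-separated, dashed, plain, and a Called-Station-Id with an SSID suffix). This is an added example, not code from the list or from FreeRADIUS; the sample values are constructed, and lower-casing the trimmed form is my own choice, made for the same reason as the SQL-logging hint above:

```python
import re

# The match patterns from rewrite.called_station_id / rewrite.calling_station_id:
# six hex pairs with any single optional separator between them, and (for
# Called-Station-Id only) an optional ':SSID' appended by wireless NASes.
_PAIR = r'([0-9a-fA-F]{2})'
_CALLED_RE = re.compile('^' + '.?'.join([_PAIR] * 6) + r'(:(.+))?$')
_CALLING_RE = re.compile('^' + '.?'.join([_PAIR] * 6) + '$')
# The RFC 'approved' form the policies emit, used by the MAC-Address-Trimmed step.
_RFC_RE = re.compile('^' + '-'.join([_PAIR] * 6) + '$')


def rewrite_called_station_id(value):
    """rewrite.called_station_id: '001de59c2904:eduroam' -> '00-1d-e5-9c-29-04:eduroam'.
    Returns None where the policy would 'noop' (the value is not a MAC)."""
    m = _CALLED_RE.match(value)
    if m is None:
        return None
    # groups 1..6 are the hex pairs, group 7 is the ':SSID' tail if present
    return '-'.join(m.group(i) for i in range(1, 7)) + (m.group(7) or '')


def rewrite_calling_station_id(value):
    """rewrite.calling_station_id: '00a0.0808.06bd' -> '00-a0-08-08-06-bd', else None."""
    m = _CALLING_RE.match(value)
    if m is None:
        return None
    return '-'.join(m.group(i) for i in range(1, 7))


def mac_address_trimmed(rfc_value):
    """The MAC-Address-Trimmed control item: '00-A0-08-08-06-BD' -> '00a0080806bd'.
    Only the RFC form is accepted, as in the policy; lower-cased here (my choice)
    so lookups in case-sensitive stores (SQL, the users file) do not depend on
    what case the NAS happened to send."""
    m = _RFC_RE.match(rfc_value)
    return ''.join(m.groups()).lower() if m else None


def sanitise_request(request):
    """Apply both rewrites to a request (dict of attribute -> value), as the
    authorize section would after 'preprocess'. Non-MAC values are left as-is."""
    out = dict(request)
    for attr, rewrite in (('Called-Station-Id', rewrite_called_station_id),
                          ('Calling-Station-Id', rewrite_calling_station_id)):
        if attr in out:
            fixed = rewrite(out[attr])
            if fixed is not None:
                out[attr] = fixed
    return out


# Constructed samples covering the formats mentioned in the thread.
SAMPLES = {
    'cisco-ios': '00a0.0808.06bd',
    'colon':     '00:A0:08:08:06:BD',
    'rfc':       '00-a0-08-08-06-bd',
    'plain':     '00a0080806bd',
    'not-a-mac': 'cheese112233xxyyzzTASTY',
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        rfc = rewrite_calling_station_id(raw)
        trimmed = mac_address_trimmed(rfc) if rfc else None
        print(f'{name:10} {raw:25} -> {rfc} -> {trimmed}')
    print(sanitise_request({'Called-Station-Id': '00-1D-E5-9C-29-04:eduroam',
                            'Calling-Station-Id': '00a0.0808.06bd'}))
```

The 'not-a-mac' sample is the one from the reply above: it is rejected by these anchored patterns because every position must be a hex pair, which is the difference between them and the loose /[0-9a-z]{12}/ being teased here.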
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi,

> some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :)

hey, it was a quick hackup example to deal with the question.

> 'cheese112233xxyyzzTASTY' would even match that :)

yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)

that's why some decent stuff needs to be done elsewhere. I don't like MAC auth bypass. not a fan of it at all - it's a horrible kludge to deal with devices that can't do 802.1X

the real answer is to get the vendors to sort their cheap shoddy kit out ;-)

alan
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
On 20/12/2009 22:44, Alan Buxey wrote:
> Hi,
>
>> some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :)
>
> hey, it was a quick hackup example to deal with the question.
>
>> 'cheese112233xxyyzzTASTY' would even match that :)
>
> yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)

Hmm yes, maybe add a !EAP-Message condition somewhere in there...

> that's why some decent stuff needs to be done elsewhere. I don't like MAC auth bypass. not a fan of it at all - it's a horrible kludge to deal with devices that can't do 802.1X
>
> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)

Ahem *Vendor :P

Sorry I have to do it or they beat me :(

-Arran
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> 'cheese112233xxyyzzTASTY' would even match that :)
>
> yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)

Not when you say !EAP-Message too :)

> that's why some decent stuff needs to be done elsewhere. I don't like MAC auth bypass. not a fan of it at all - it's a horrible kludge to deal with devices that can't do 802.1X
>
> the real answer is to get the vendors to sort their cheap shoddy kit out ;-)

Bah, I wrote a "you have to jump this high to connect to the Intertubes" document for work. The venduhs cannot even get past the tendering phase now :) Although it does nothing about the legacy guff, it stops new guff connecting.

Cheers

--
Alexander Clouter
.sigmonster says: A sinking ship gathers no moss. -- Donald Kaul
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi,

> The way it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password both being the MAC address of the device!

correct - with the MAC in very plain format... ie all symbols stripped so it's just, as you wrote, 00a0080806bd (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd)

by the way, depending on what IOS you've got, this will change - the new IOS (and this can be configured too on some previous versions) will send the password in the form of the MD5 of the MAC address!

> That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write a script-like thing to include all of them? The MAC addresses all start with "00:a0:08". I want a logic like:

many ways to do this - you certainly don't need to play with the users file - you might want to eg, put them into AD/LDAP or put them into SQL. in SQL you can set

    User-Name       Attribute             Op    Value
    00a0080806bd    Cleartext-Password    :=    00a0080806bd

if you KNOW that the addresses are valid, then you could scrape them...alternatively, set the fail/guest VLAN to be behind a captive portal box and then the users get to see a 'login page' and when they click login, you can grab their IP address and therefore their MAC address and then insert that into SQL.

just a quick idea...monday morning project.

alan
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi Alan,

Thank you very much for the quick response! Actually you are right. The password is in MD5 hash, not in clear text!

I may not be able to use the guest VLAN (the VLAN the device will be put in after a failed or timed-out 802.1x request) because I need to use this VLAN for some other devices!

For these 00a008 devices, my real purpose actually is NOT to authenticate them but rather assign them to a specific VLAN by using the dynamic VLAN assignment feature of the switch. I have figured it out and tested it. I just have to put in special attributes under each user (in this case the MAC of the device) in the users file.

If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case? BTW I'd rather not use SQL because I know pretty much nothing about it lol

I appreciate your advice! Thank you!

Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org on behalf of Alan Buxey
Sent: Sat 12/19/2009 2:34 AM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

> Hi,
>
>> The way it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password both being the MAC address of the device!
>
> correct - with the MAC in very plain format... ie all symbols stripped so it's just, as you wrote, 00a0080806bd (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd)
>
> [...]
MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey experts!!

I am having another dilemma here. I am trying to configure the MAC authentication bypass feature on my Cisco 3750 switch to authenticate some devices which don't support 802.1x. The way it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password both being the MAC address of the device!

That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write a script-like thing to include all of them? The MAC addresses all start with 00:a0:08. I want a logic like: if a request is for a user with the first 3 octets like the above one, use its MAC address (in this case also its username) as the password and grant the access. Is it possible to do it in FreeRadius 2.1.6??

I have attached the output of a successful authentication for a device with MAC: 00a0080806bd. Of course I manually added this user in my users file. My users file looks like:

    00a0080806bd    Cleartext-Password := 00a0080806bd

I appreciate any advice!! Thank you guys!!

Difan Zhao, CCNP
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com http://www.guest-tek.com/
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

    rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=32, length=127
            Acct-Session-Id = 001C
            Acct-Authentic = RADIUS
            Acct-Terminate-Cause = Lost-Carrier
            Acct-Session-Time = 4093
            Acct-Input-Octets = 16040
            Acct-Output-Octets = 384527
            Acct-Input-Packets = 169
            Acct-Output-Packets = 2946
            Acct-Status-Type = Stop
            NAS-Port-Type = Ethernet
            NAS-Port = 50102
            NAS-Port-Id = FastEthernet1/0/2
            Service-Type = Framed-User
            NAS-IP-Address = 172.17.254.100
            Acct-Delay-Time = 0
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
    [acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = 001C,'
    [acct_unique] Acct-Unique-Session-ID = 8ac0763679e7418b.
    ++[acct_unique] returns ok
    [suffix] Proxy reply, or no User-Name. Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    +- entering group accounting {...}
    [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.17.254.100/detail-20091218
    [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.17.254.100/detail-20091218
    [detail] expand: %t -> Fri Dec 18 16:10:23 2009
    ++[detail] returns ok
    ++[unix] returns noop
    [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp] expand: %{User-Name} ->
    ++[radutmp] returns ok
    [attr_filter.accounting_response] expand: %{User-Name} ->
    ++[attr_filter.accounting_response] returns noop
    Sending Accounting-Response of id 32 to 172.17.254.100 port 1646
    Finished request 0.
    Cleaning up request 0 ID 32 with timestamp +10
    Going to the next request
    Ready to process requests.

    rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=90, length=157
            User-Name = 00a0080806bd
            User-Password = 00a0080806bd
            Service-Type = Call-Check
            Framed-MTU = 1500
            Called-Station-Id = 00-1D-E5-9C-29-04
            Calling-Station-Id = 00-A0-08-08-06-BD
            Message-Authenticator = 0xd8bb55e55d3239af2a93e5db8df80960
            NAS-Port-Type = Ethernet
            NAS-Port = 50102
            NAS-Port-Id = FastEthernet1/0/2
            NAS-IP-Address = 172.17.254.100
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry 00a0080806bd at line 28
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password 00a0080806bd
    [pap] Using clear text password 00a0080806bd
    [pap] User authenticated successfully
    ++[pap] returns ok
    Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00-A0-08-08-06-BD)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 90 to 172.17.254.100 port 1645
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = 20
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from
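The checks asked about across this thread (Service-Type == Call-Check, User-Name equal to the port's Calling-Station-Id, no EAP-Message, a MAB switch group like Alan's huntgroup, the 00:a0:08 prefix rule from the first post, and the VLAN reply seen in the Access-Accept above) gathered into one rlm_python-style authorize() function. This is an added example, not code from the list or from the FreeRADIUS project. It assumes rlm_python's calling convention for 2.x (a tuple of (attribute, value) pairs in; a return code, or a (code, reply-items, config-items) tuple, out) and the RLM_MODULE_* constants of the server-provided radiusd module, with numeric fallbacks so it also runs outside the server; the switch address, OUI and VLAN are constructed from the capture above. The reply items are set here in authorize; putting them in post-auth, as suggested earlier in the thread, works the same way.

```python
import re

# rlm_python exposes the return codes through its 'radiusd' module. The numeric
# fallbacks are ASSUMED values so the file also runs outside FreeRADIUS.
try:
    import radiusd
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:
    RLM_MODULE_REJECT, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 0, 7, 8

# Constructed site data standing in for raddb/huntgroups and a device list.
MAB_SWITCHES = {'172.17.254.100'}   # switches allowed to do MAB (huntgroup MAB-switches)
ALLOWED_OUIS = {'00a008'}           # the device family from the first post
MAB_VLAN = '20'                     # VLAN handed back, as in the Access-Accept above

# Anchored: exactly six hex pairs, each optionally followed by '-', ':' or '.'.
# Unlike /[0-9a-z]{12}/ this cannot match arbitrary 12-character strings.
_MAC_RE = re.compile('^' + r'([0-9a-f]{2})[-:.]?' * 5 + r'([0-9a-f]{2})$', re.I)


def trimmed_mac(value):
    """'00-A0-08-08-06-BD' / '00a0.0808.06bd' / '00a0080806bd' -> '00a0080806bd', else None."""
    m = _MAC_RE.match(value or '')
    return ''.join(m.groups()).lower() if m else None


def authorize(p):
    """rlm_python authorize entry point: p is a tuple of (attribute, value) pairs."""
    req = dict(p)
    # Only claim requests that look like MAB. The switch marks them Call-Check,
    # and a real 802.1X supplicant always carries EAP-Message, so a request with
    # one is left to rlm_eap instead of being short-circuited here.
    if req.get('Service-Type') != 'Call-Check' or 'EAP-Message' in req:
        return RLM_MODULE_NOOP
    # Only from the switches we expect MAB from (the huntgroup check).
    if req.get('NAS-IP-Address') not in MAB_SWITCHES:
        return RLM_MODULE_NOOP
    # The claimed identity must be a MAC and must equal the source MAC the
    # switch saw on the port; a typed-in User-Name that is not the port's MAC
    # is rejected outright.
    user_mac = trimmed_mac(req.get('User-Name'))
    port_mac = trimmed_mac(req.get('Calling-Station-Id'))
    if user_mac is None or user_mac != port_mac:
        return RLM_MODULE_REJECT
    # Device families we do not manage fall through to files/SQL/LDAP.
    if user_mac[:6] not in ALLOWED_OUIS:
        return RLM_MODULE_NOOP
    # Where the NAS sends the MAC as User-Password (as in the capture above),
    # hand rlm_pap the expected password so it is still verified. A NAS that
    # sends no password is accepted on the MAC binding alone.
    if 'User-Password' in req:
        config = (('Cleartext-Password', user_mac),)
    else:
        config = (('Auth-Type', 'Accept'),)
    reply = (('Tunnel-Type', 'VLAN'),
             ('Tunnel-Medium-Type', 'IEEE-802'),
             ('Tunnel-Private-Group-Id', MAB_VLAN))
    return (RLM_MODULE_UPDATED, reply, config)


def request(user_name, calling, nas='172.17.254.100', with_password=True, **extra):
    """Build an rlm_python-style request tuple (constructed test data modelled
    on the Access-Request in the capture above)."""
    attrs = {'User-Name': user_name, 'Service-Type': 'Call-Check',
             'Calling-Station-Id': calling, 'Called-Station-Id': '00-1D-E5-9C-29-04',
             'NAS-Port-Type': 'Ethernet', 'NAS-IP-Address': nas}
    if with_password:
        attrs['User-Password'] = user_name
    attrs.update(extra)
    return tuple(attrs.items())


if __name__ == '__main__':
    print(authorize(request('00a0080806bd', '00-A0-08-08-06-BD')))   # accepted, VLAN 20
    print(authorize(request('00a0080806bd', '00-11-22-33-44-55')))   # name != port MAC: reject
    print(authorize(request('001122334455', '00:11:22:33:44:55')))   # unknown OUI: noop
```

To load it, point an rlm_python instance at this file's module name and list that instance in the authorize section after preprocess (and after the rewrite policies if you use them), so Huntgroup-Name and a canonical Calling-Station-Id are already in place when it runs.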
FreeRADIUS 2.1.6 and Cisco 802.1x MAC Authentication with mac-auth-bypass
Hello!

I am struggling with a mac-auth-bypass problem with my Cisco 6509s and my FreeRADIUS server. The 6509 sends the radius server the request, FreeRADIUS authenticates it as OK, but yet my port remains in the authfail state on the switch. Does anyone have any ideas? Here is my debug output from the radius box: the first part is the debug output / freeradius startup, the 2nd part is a request I get from my switch to authenticate some azbycx user, so I just added it to users for now, and then the 3rd part is the request/response for my MAC address to be authenticated.

Thanks for your help!

(r...@nms) % ./radiusd -X
FreeRADIUS Version 2.1.6, for host i386-unknown-freebsd7.2, built on Aug 6 2009 at 16:34:56
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/freeradius/etc/raddb/radiusd.conf
including configuration file /usr/local/freeradius/etc/raddb/proxy.conf
including configuration file /usr/local/freeradius/etc/raddb/clients.conf
including files in directory /usr/local/freeradius/etc/raddb/modules/
including configuration file /usr/local/freeradius/etc/raddb/modules/acct_unique
including configuration file /usr/local/freeradius/etc/raddb/modules/always
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_filter
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/freeradius/etc/raddb/modules/chap
including configuration file /usr/local/freeradius/etc/raddb/modules/checkval
including configuration file /usr/local/freeradius/etc/raddb/modules/counter
including configuration file /usr/local/freeradius/etc/raddb/modules/detail
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.example.com
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.log
including configuration file /usr/local/freeradius/etc/raddb/modules/digest
including configuration file /usr/local/freeradius/etc/raddb/modules/echo
including configuration file /usr/local/freeradius/etc/raddb/modules/etc_group
including configuration file /usr/local/freeradius/etc/raddb/modules/exec
including configuration file /usr/local/freeradius/etc/raddb/modules/expiration
including configuration file /usr/local/freeradius/etc/raddb/modules/expr
including configuration file /usr/local/freeradius/etc/raddb/modules/files
including configuration file /usr/local/freeradius/etc/raddb/modules/inner-eap
including configuration file /usr/local/freeradius/etc/raddb/modules/ippool
including configuration file /usr/local/freeradius/etc/raddb/modules/krb5
including configuration file /usr/local/freeradius/etc/raddb/modules/ldap
including configuration file /usr/local/freeradius/etc/raddb/modules/linelog
including configuration file /usr/local/freeradius/etc/raddb/modules/logintime
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2ip
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2vlan
including configuration file /usr/local/freeradius/etc/raddb/modules/mschap
including configuration file /usr/local/freeradius/etc/raddb/modules/otp
including configuration file /usr/local/freeradius/etc/raddb/modules/pam
including configuration file /usr/local/freeradius/etc/raddb/modules/pap
including configuration file /usr/local/freeradius/etc/raddb/modules/passwd
including configuration file /usr/local/freeradius/etc/raddb/modules/perl
including configuration file /usr/local/freeradius/etc/raddb/modules/policy
including configuration file /usr/local/freeradius/etc/raddb/modules/preprocess
including configuration file /usr/local/freeradius/etc/raddb/modules/radutmp
including configuration file /usr/local/freeradius/etc/raddb/modules/realm
including configuration file /usr/local/freeradius/etc/raddb/modules/smbpasswd
including configuration file /usr/local/freeradius/etc/raddb/modules/smsotp
including configuration file /usr/local/freeradius/etc/raddb/modules/sql_log
including configuration file /usr/local/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/freeradius/etc/raddb/modules/sradutmp
including configuration file /usr/local/freeradius/etc/raddb/modules/unix
including configuration file /usr/local/freeradius/etc/raddb/modules/wimax
including configuration file /usr/local/freeradius/etc/raddb/eap.conf
including configuration file /usr/local/freeradius/etc/raddb/policy.conf
including files in directory /usr/local/freeradius/etc/raddb/sites-enabled/
including configuration file /usr/local/freeradius/etc/raddb/sites-enabled/default
including configuration file /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file
Re: MAC Authentication
OK, it took a server reboot for FR to see the change in the users file. Case does count. Brain dead, thanks for giving me the nudge... it's all good now, onto MySQL and Daloradius...

- Original Message -
From: Kenneth Grady k...@lanl.gov
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, June 11, 2009 12:50:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: MAC Authentication

> case counts, try adding the entry in your users file with lowercase.
>
> Steve Wu wrote:
>> Everyone - I'm being a bit brain dead most likely. I have been tinkering with Freeradius and MAC authentication successfully. Now I have a real server to build FR on so I proceeded to build the new server. After going through the *same* steps to build FR, duplicating the clients.conf and users file, I can't get the auth to work again. In my notes these were the two files I touched to get it going, but I'm hoping I missed something simple.
>>
>> [...]
>>
>> My users file:
>>
>>     000E35-84610A    Cleartext-Password := 000E35-84610A
>>
>> Any help to recover from my brain lapse would be greatly appreciated. Did I miss some other config tweak so it's looking at the user file? Thx in advance!
Re: NAS MAC Authentication
Jacob Baloul wrote:
> I have several NAS / Hotspots installed behind a NAT. They are all WRT54GL routers with OpenWRT + Chili and authenticating against FreeRadius + DaloRadius which is NOT in this NAT. Meaning FreeRadius sees all of the WRT's as coming from the same public IP, which also happens to be dynamic.
>
> My question is, can I authenticate and maintain session based on the NAS MAC address as opposed to the public dynamic ip address?

The server doesn't support this.

Running multiple NASes behind a NAT is a really bad idea. The simplest solution is to put a RADIUS proxy inside the NAT, and proxy the RADIUS packets over IPSec to the server.

Alan DeKok.
MAC Authentication
Everyone - I'm being a bit brain dead most likely. I have been tinkering with Freeradius and MAC authentication successfully. Now I have a real server to build FR on so I proceeded to build the new server. After going through the *same* steps to build FR, duplicating the clients.conf and users file, I can't get the auth to work again. In my notes these were the two files I touched to get it going, but I'm hoping I missed something simple.

My -Xy output looks like this:

    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Request packet from host 10.10.18.208:1030, id=16, length=53
            User-Name = 000e35-84610a
            User-Password = 000e35-84610a
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module preprocess returns ok for request 1
      modcall[authorize]: module chap returns noop for request 1
      modcall[authorize]: module mschap returns noop for request 1
        rlm_realm: No '@' in User-Name = 000e35-84610a, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 1
      modcall[authorize]: module files returns notfound for request 1
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
      modcall[authorize]: module pap returns noop for request 1
    modcall: leaving group authorize (returns ok) for request 1
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request
    Waking up in 1 seconds...

My users file:

    000E35-84610A    Cleartext-Password := 000E35-84610A

Any help to recover from my brain lapse would be greatly appreciated. Did I miss some other config tweak so it's looking at the user file? Thx in advance!
Re: MAC Authentication
case counts, try adding the entry in your users file with lowercase.

Steve Wu wrote:
> Everyone - I'm being a bit brain dead most likely. I have been tinkering with Freeradius and MAC authentication successfully. Now I have a real server to build FR on so I proceeded to build the new server. After going through the *same* steps to build FR, duplicating the clients.conf and users file, I can't get the auth to work again. In my notes these were the two files I touched to get it going, but I'm hoping I missed something simple.
>
> [...]
>
> My users file:
>
>     000E35-84610A    Cleartext-Password := 000E35-84610A
>
> Any help to recover from my brain lapse would be greatly appreciated. Did I miss some other config tweak so it's looking at the user file? Thx in advance!
Re: MAC Authentication
Thanks, tried that, still no go. How does FR know to look at the users file? Should I see something in the debug that it's looking for local (users) authentication? Seems like it's missing that step.

Thx - Steve

----- Original Message -----
From: Kenneth Grady k...@lanl.gov
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, June 11, 2009 12:50:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: MAC Authentication

> case counts, try adding the entry in your users file with lowercase.
>
> Steve Wu wrote:
>> Everyone - I'm being a bit brain dead most likely. I have been tinkering with Freeradius and MAC authentication successfully. Now I have a real server to build FR on so I proceeded to build the new server. After going through the *same* steps to build FR, duplicating the clients.conf and users file, I can't get the auth to work again. In my notes these were the two files I touched to get it going, but I'm hoping I missed something simple.
>>
>> My -Xy output looks like this:
>>
>> --- Walking the entire request list ---
>> Waking up in 1 seconds...
>> rad_recv: Access-Request packet from host 10.10.18.208:1030, id=16, length=53
>>         User-Name = 000e35-84610a
>>         User-Password = 000e35-84610a
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 1
>>   modcall[authorize]: module preprocess returns ok for request 1
>>   modcall[authorize]: module chap returns noop for request 1
>>   modcall[authorize]: module mschap returns noop for request 1
>>     rlm_realm: No '@' in User-Name = 000e35-84610a, looking up realm NULL
>>     rlm_realm: No such realm NULL
>>   modcall[authorize]: module suffix returns noop for request 1
>>   rlm_eap: No EAP-Message, not doing EAP
>>   modcall[authorize]: module eap returns noop for request 1
>>   modcall[authorize]: module files returns notfound for request 1
>> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>>   modcall[authorize]: module pap returns noop for request 1
>> modcall: leaving group authorize (returns ok) for request 1
>> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>> auth: Failed to validate the user.
>> Delaying request 1 for 1 seconds
>> Finished request 1
>> Going to the next request
>> Waking up in 1 seconds...
>>
>> My users file:
>>
>> 000E35-84610A Cleartext-Password := 000E35-84610A
>>
>> Any help to recover from my brain lapse would be greatly appreciated. Did I miss some other config tweak so it's looking at the user file? Thx in advance!
Re: MAC Authentication
> I'm being a bit brain dead most likely. I have been tinkering with Freeradius and MAC authentication successfully. Now I have a real server to build FR on so I proceeded to build the new server. After going through the *same* steps to build FR, duplicating the clients.conf and users file, I can't get the auth to work again. In my notes these were the two files I touched to get it going, but I'm hoping I missed something simple.
>
> rad_recv: Access-Request packet from host 10.10.18.208:1030, id=16, length=53
>         User-Name = 000e35-84610a
>         User-Password = 000e35-84610a
> ...
> My users file:
>
> 000E35-84610A Cleartext-Password := 000E35-84610A

That password is not going to match.

> Any help to recover from my brain lapse would be greatly appreciated. Did I miss some other config tweak so it's looking at the user file?

It is looking in the users file:

  modcall[authorize]: module files returns notfound for request 1

... but your user entry isn't there (or username/pass are *not* correct). Have a look at the server startup debug and see if the users file you are changing is the one server is using.

Ivan Kalik
Kalik Informatika ISP
NAS MAC Authentication
Hi All,

I have several NAS / Hotspots installed behind a NAT. They are all WRT54GL routers with OpenWRT + Chili and authenticating against FreeRadius + DaloRadius which is NOT in this NAT. Meaning FreeRadius sees all of the WRT's as coming from the same public IP, which also happens to be dynamic.

My question is, can I authenticate and maintain session based on the NAS MAC address as opposed to the public dynamic ip address? Moving the Radius server into the NAT is not an option as it is being hosted in a different country.

Thanks for the help,
Jacob
FR Using MAC Authentication
Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:

000E35-84610A   Auth-Type := Local, User-Password == esradius
00215C-08B25D   Auth-Type := Local, User-Password == esradius

When either tries to connect up, in the FR debug I see:

rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
        User-Name = 00215c-08b25d
        User-Password = 00215c-08b25d
  Processing the authorize section of radiusd.conf

The authentication eventually fails:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point.

Thanks in advance!

- Steve
Re: FR Using MAC Authentication
On Fri, May 08, 2009 at 11:35:20AM -0400, Steve Wu wrote:
> Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:
>
> 000E35-84610A   Auth-Type := Local, User-Password == esradius
> 00215C-08B25D   Auth-Type := Local, User-Password == esradius
>
> When either tries to connect up, in the FR debug I see:
>
> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>         User-Name = 00215c-08b25d
>         User-Password = 00215c-08b25d
>   Processing the authorize section of radiusd.conf
>
> The authentication eventually fails:
>
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files.

That is what MAC authentication is, if the MAC is in the list it can connect.

Cheers,
Ken

> Just simple MAC authentication, that's all I want at this point.
>
> Thanks in advance!
>
> - Steve
Re: FR Using MAC Authentication
On 08.05.2009 at 17:35, Steve Wu wrote:
> Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:
>
> 000E35-84610A   Auth-Type := Local, User-Password == esradius
> 00215C-08B25D   Auth-Type := Local, User-Password == esradius

Try to assign ( := ) the password instead of comparing ( == ) it.

> When either tries to connect up, in the FR debug I see:
>
> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>         User-Name = 00215c-08b25d
>         User-Password = 00215c-08b25d
>   Processing the authorize section of radiusd.conf
>
> The authentication eventually fails:
>
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point.
>
> Thanks in advance!
>
> - Steve

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
RE: FR Using MAC Authentication
Steve,

Your wireless access point is sending the MAC address as the username and password. Change the username and password in the users file and the authentication will work.

rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
        User-Name = 00215c-08b25d        <--- This came from the wireless access point
        User-Password = 00215c-08b25d    <--- This came from the wireless access point

Tim

From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Steve Wu
Sent: Friday, May 08, 2009 8:35 AM
To: freeradius-users@lists.freeradius.org
Subject: FR Using MAC Authentication

> Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:
>
> 000E35-84610A   Auth-Type := Local, User-Password == esradius
> 00215C-08B25D   Auth-Type := Local, User-Password == esradius
>
> When either tries to connect up, in the FR debug I see:
>
> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>         User-Name = 00215c-08b25d
>         User-Password = 00215c-08b25d
>   Processing the authorize section of radiusd.conf
>
> The authentication eventually fails:
>
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>
> Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point.
>
> Thanks in advance!
>
> - Steve
Re: FR Using MAC Authentication
Steve Wu wrote:
> I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:
>
> 000E35-84610A   Auth-Type := Local, User-Password == esradius
> 00215C-08B25D   Auth-Type := Local, User-Password == esradius

Those entries are wrong, even in 1.1.7. You should use:

000E35-84610A   Cleartext-Password := 000E35-84610A
...

> When either tries to connect up, in the FR debug I see:
>
> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>         User-Name = 00215c-08b25d
>         User-Password = 00215c-08b25d

Which doesn't match the password you put into the users file.

> Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files.

Maybe you're not clear on what's happening. The *NAS* is sending the packet containing that User-Password attribute. The RADIUS server has no control over that.

The RADIUS server is supposed to look at that password, and see if it's valid. The configuration I showed above will tell the server to do that.

Alan DeKok.
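Both of Steve's threads on this page fail for the same reason, and Alan's answer here and Ivan's in the "Re: MAC Authentication" thread point at it: the NAS puts the MAC address (lower case, dash after six hex digits) into both User-Name and User-Password, while the users file entry was written in upper case. The files module matches User-Name by plain string comparison and pap compares the password the same way, so a case or separator difference on either side gives exactly the "files returns notfound" / "No known good password" output shown in the debug logs. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a small constructed users file, runs the exact-match check the server does, and then the same check after canonicalising the MAC on both sides, which is what a rewrite policy placed before `files` in `authorize` achieves. The entries, requests and MAC formats are all constructed for the example. One caveat worth keeping in mind: with the MAC as both user name and "password", the password is public knowledge, so this is a spoofable allow-list, not authentication of the device.

```python
import re

# Constructed sample users file (not the poster's real file). The lower-case
# entry is written the way the HP 420 sends the MAC; the upper-case one is
# written the way the original post wrote it.
USERS_FILE = '''\
# MAC address is both user name and password on this AP
000e35-84610a   Cleartext-Password := "000e35-84610a"
00215C-08B25D   Cleartext-Password := "00215C-08B25D"
'''

# Constructed Access-Requests, using the attribute names FreeRADIUS prints.
REQUESTS = {
    "lower_case_nas": {"User-Name": "000e35-84610a", "User-Password": "000e35-84610a"},
    "case_mismatch":  {"User-Name": "00215c-08b25d", "User-Password": "00215c-08b25d"},
    "colon_notation": {"User-Name": "00:21:5C:08:B2:5D", "User-Password": "00215c08b25d"},
    "wrong_password": {"User-Name": "000e35-84610a", "User-Password": "esradius"},
}

_PASSWORD_RE = re.compile(r'Cleartext-Password\s*:=\s*"?([^",\s]+)"?')
_HEX12_RE = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_users(text):
    """Parse a minimal users file into {User-Name: Cleartext-Password}."""
    users = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        match = _PASSWORD_RE.search(parts[1])
        if match:
            users[parts[0]] = match.group(1)
    return users


def normalise_mac(value):
    """Canonical MAC: 12 lower-case hex digits with separators removed.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabbcc-ddeeff,
    aabb.ccdd.eeff and aabbccddeeff. Returns None for anything else so the
    caller can leave non-MAC user names untouched."""
    digits = re.sub(r"[:.\-]", "", value)
    if not _HEX12_RE.match(digits):
        return None
    return digits.lower()


def exact_lookup(users, request):
    """What files + pap do: exact string comparison of both attributes."""
    name = request["User-Name"]
    if name not in users:
        return ("reject", "files: notfound for %r" % name)
    if users[name] != request["User-Password"]:
        return ("reject", "pap: password mismatch")
    return ("accept", "pap: password matches")


def normalised_lookup(users, request):
    """Same check after canonicalising both sides, i.e. the effect of a
    MAC rewrite policy running before files in authorize."""
    canon = {normalise_mac(n) or n: normalise_mac(p) or p for n, p in users.items()}
    req = {k: normalise_mac(v) or v for k, v in request.items()}
    return exact_lookup(canon, req)


USERS = parse_users(USERS_FILE)

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(label, exact_lookup(USERS, req), normalised_lookup(USERS, req))
```

Running it shows the first request accepted by both checks, the case and colon variants rejected as "notfound" by the exact check but accepted once normalised, and the `esradius` request rejected either way: normalisation fixes format mismatches, not a wrong password. In a real deployment the canonical form should be enforced at import time into the users file or database as well, so that the allow-list and the rewrite policy agree on one notation.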
Re: FR Using MAC Authentication
Hi Tim -

Thanks Tim, that worked, although is that up to each AP manf as to what it sends? I have HP420s. I changed the password field to match the MAC and it authenticated (I think), but I didn't get an IP. The 420 I'm using hands out an IP fine when I turn off the MAC auth and have it wide open, so it's talking to my DHCP server fine. Any more ideas would be greatly appreciated!

Thx - Steve

Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.10.18.241:9000, id=4, length=138
        Acct-Delay-Time = 0
        NAS-Identifier = Enterprise AP
        User-Name = 000e35-84610a
        Acct-Status-Type = Start
        Acct-Session-Id = 000e35-84a0414e5
        Acct-Authentic = RADIUS
        NAS-IP-Address = 10.10.18.241
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 000e3584610a
        Called-Station-Id = 001321ad8e4e
        Service-Type = Framed-User
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module preprocess returns noop for request 1
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 10.10.18.241,NAS-IP-Address = 10.10.18.241,Acct-Session-Id = 000e35-84a0414e5,User-Name = 000e35-84610a'
rlm_acct_unique: Acct-Unique-Session-ID = 3107f7faaae62984.
  modcall[preacct]: module acct_unique returns ok for request 1
    rlm_realm: No '@' in User-Name = 000e35-84610a, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 1
  modcall[preacct]: module files returns noop for request 1
modcall: leaving group preacct (returns ok) for request 1
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
radius_xlat: '/var/log/freeradius/radacct/10.10.18.241/detail-20090508'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.18.241/detail-20090508
  modcall[accounting]: module detail returns ok for request 1
  modcall[accounting]: module unix returns ok for request 1
radius_xlat: '/var/log/freeradius/radutmp'
radius_xlat: '000e35-84610a'
  modcall[accounting]: module radutmp returns ok for request 1
modcall: leaving group accounting (returns ok) for request 1
Sending Accounting-Response of id 4 to 10.10.18.241 port 9000
Finished request 1

----- Original Message -----
From: Tim Sylvester tim.sylves...@networkradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 8, 2009 11:42:29 AM GMT -05:00 US/Canada Eastern
Subject: RE: FR Using MAC Authentication

> Steve,
>
> Your wireless access point is sending the MAC address as the username and password. Change the username and password in the users file and the authentication will work.
>
> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>         User-Name = 00215c-08b25d        <--- This came from the wireless access point
>         User-Password = 00215c-08b25d    <--- This came from the wireless access point
>
> Tim
>
> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Steve Wu
> Sent: Friday, May 08, 2009 8:35 AM
> To: freeradius-users@lists.freeradius.org
> Subject: FR Using MAC Authentication
>
>> Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR -- sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops:
>>
>> 000E35-84610A   Auth-Type := Local, User-Password == esradius
>> 00215C-08B25D   Auth-Type := Local, User-Password == esradius
>>
>> When either tries to connect up, in the FR debug I see:
>>
>> rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
>>         User-Name = 00215c-08b25d
>>         User-Password = 00215c-08b25d
>>   Processing the authorize section of radiusd.conf
>>
>> The authentication eventually fails:
>>
>> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>>
>> Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point.
>>
>> Thanks in advance!
>>
>> - Steve
Re: FR Using MAC Authentication
> Thanks Tim, that worked, although is that up to each AP manf as to what it sends?

Yes.

> I changed the password field to match the MAC and it authenticated (I think), but I didn't get an IP. The 420 I'm using hands out an IP fine when I turn off the MAC auth and have it wide open, so it's talking to my DHCP server fine.
>
> Waking up in 6 seconds...
> rad_recv: Accounting-Request packet from host 10.10.18.241:9000, id=4, length=138
>         Acct-Delay-Time = 0
>         NAS-Identifier = Enterprise AP
>         User-Name = 000e35-84610a
>         Acct-Status-Type = Start
>         Acct-Session-Id = 000e35-84a0414e5
>         Acct-Authentic = RADIUS
>         NAS-IP-Address = 10.10.18.241
>         NAS-Port = 1
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = 000e3584610a
>         Called-Station-Id = 001321ad8e4e
>         Service-Type = Framed-User

The fact that IP is not in the Start record is not that unusual. Have a look at the Stop record.

Ivan Kalik
Kalik Informatika ISP
Re: FR Using MAC Authentication
Steve Wu wrote:
> Thanks Tim, that worked, although is that up to each AP manf as to what it sends?

Pretty much.

> I have HP420s. I changed the password field to match the MAC and it authenticated (I think), but I didn't get an IP.

So... did you run the server in debugging mode? The log you showed below is for *accounting* packets, not *authentication* packets.

Go run it in debugging mode, and read the output. It will tell you WHY the request was rejected, or WHY the request was authenticated.

If it's authenticated, and you don't get an IP, blame the DHCP server for not handing out an IP, or maybe the NAS for not forwarding traffic after the Access-Accept.

Alan DeKok.
RE: Mikrotik radius-mac-authentication
Does Mikrotik support CoA? If it does, this can be done (Disconnect-Request blah, blah).

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: freeradius-users-bounces+tnt=kalik@lists.freeradius.org [mailto:freeradius-users-bounces+tnt=kalik@lists.freeradius.org] On Behalf Of Adi_T
Sent: 16 April 2009 13:39
To: freeradius-users@lists.freeradius.org
Subject: Mikrotik radius-mac-authentication

> I'm using Freeradius to control the access to my Mikrotik APs. In the radius database I've put at the radcheck table all the mac-addresses of my clients. When I put accept as a value, the clients connect immediately, but when I put reject the clients that are connected do not disconnect. I have to disable radius-mac-authentication at the security profile of the wireless interface and enable it again so that the connected clients that are declared as rejected disconnect from the APs and do not reconnect again.
>
> Is there anything I can do to automatically block even the connected clients when I put reject as a value?
>
> Thanks in advance
> Adi
>
> --
> View this message in context: http://www.nabble.com/Mikrotik-radius-mac-authentication-tp23077135p23077135.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
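Ivan's pointer is to RFC 5176 Dynamic Authorization: a RADIUS server (or any host holding the shared secret) sends a Disconnect-Request to the NAS's CoA listener, and the NAS answers with Disconnect-ACK or Disconnect-NAK. The block below is an added example, not code from the thread and not Mikrotik's or FreeRADIUS's implementation: it builds the Disconnect-Request with the authenticator the RFC specifies, parses and verifies the NAS reply against the request it answers, and includes a minimal UDP sender for a live NAS. The shared secret, NAS address, MAC and session values are assumed and constructed for the example; whether a given Mikrotik release accepts these packets is exactly the question Ivan raises and is not settled here.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and the attribute types used below (RFC 2865/5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 1, 4, 31, 101
COA_PORT = 3799  # RFC 5176 default listener port on the NAS


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Inverse of encode_attr over a whole attribute section."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """Disconnect-Request (RFC 5176 s.2.3). Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def check_request_authenticator(secret, packet):
    """What the NAS does on receipt: recompute the Request Authenticator."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """A compliant NAS's Disconnect-ACK/NAK, used here to exercise
    verify_response. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(secret, request, response):
    """Validate the NAS reply against the request it answers. Returns
    (code, [(type, value), ...]) or raises ValueError."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("length or identifier does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected code %d" % code)
    return code, parse_attrs(response[20:])


def send_disconnect(secret, nas_host, request, port=COA_PORT, timeout=3.0):
    """Send the request over UDP and verify the reply. Needs a real NAS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(secret, request, reply)


if __name__ == "__main__":
    # Assumed values: secret, NAS address and client MAC are made up here.
    SECRET = b"testing123"
    req = build_disconnect_request(SECRET, 7, [
        (ATTR_USER_NAME, "00:0c:29:aa:bb:cc"),
        (ATTR_CALLING_STATION_ID, "00:0c:29:aa:bb:cc"),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.10.18.241")),
    ])
    print("Disconnect-Request of %d bytes, authenticator ok: %s"
          % (len(req), check_request_authenticator(SECRET, req)))
```

Two practical points follow from the packet format. The only thing protecting a Disconnect-Request is an MD5 over the shared secret, so the NAS's CoA listener should accept packets from the RADIUS server's address only, with a secret of real strength, because anyone who can forge these packets can drop any session. And a Disconnect-NAK with Error-Cause 503 (Session Context Not Found) is the normal reply when the identifying attributes do not match what the NAS has for the session, so send the same User-Name and Calling-Station-Id the NAS used in its own Accounting-Request. FreeRADIUS's radclient can send the same packet from a shell (`radclient <nas>:3799 disconnect <secret>` reading the attributes on stdin), which is usually the quickest way to find out whether a given NAS honours it.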