Hi,
I am trying to install FreeRADIUS to do MAC auth. I followed this guide: https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x

Here are the elements:

- server:
CentOS Linux release 7.9.2009 (Core)
SELinux is disabled.

rpm -qa | egrep freeradius
freeradius-utils-3.0.13-15.el7.x86_64
freeradius-3.0.13-15.el7.x86_64

- client: a Huawei switch

#
authentication-profile name ACCESS-MAC
 mac-access-profile MAC
 authentication mode multi-authen max-user 100
 access-domain toto force
#
radius-server template TOTO
 radius-server shared-key cipher tata
 radius-server authentication 10.x.x.x 1812 vpn-instance management weight 80
#
authentication-scheme TOTO
 authentication-mode radius
#
domain toto
 authentication-scheme TOTO
 accounting-scheme default
 radius-server TOTO
#

---
cat /etc/raddb/users
bob Auth-Type := Accept, Cleartext-Password := "toto"
	Reply-Message := "Hello, %{User-Name}"

DEFAULT Group == "disabled", Auth-Type := Reject
	Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := Reject
	Reply-Message = "\_o< Acces refuse."

DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
	Framed-Protocol = SLIP

---
cat /etc/raddb/authorized_macs
xx-xx-xx-xx-xx-xx
	Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

---
cat /etc/raddb/sites-enabled/default
...
authorize {
	filter_username
	preprocess
	rewrite_calling_station_id
	authorized_macs
	if (!ok) {
		reject
	}
	else {
		update control {
			Auth-Type := Accept
		}
	}
	auth_log
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files
	-sql
	-ldap
	expiration
	logintime
	pap
}

I did not modify policy.d/canonicalization from the package.

cat /etc/raddb/mods-available/files
files {
	moddir = ${modconfdir}/${.:instance}
	filename = ${moddir}/authorize
	acctusersfile = ${moddir}/accounting
	preproxy_usersfile = ${moddir}/pre-proxy
}
files authorized_macs {
	key = "%{Calling-Station-ID}"
	usersfile = ${confdir}/authorized_macs
	# compat = no -------> if not commented, Configuration item "compat" is deprecated
}

Here is the message from the switch client:
Status : Pre-authen

There is no more message.
From the switch a test with the test user "bob" is OK.
In debug mode, "radiusd -X", there is no message when a machine tries to connect to the switch.

Any help would be appreciated.

y.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
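As an added illustration of what the authorize section above does with a MAC-auth request (this is not code from the thread or from FreeRADIUS), the Python below models the two steps that matter: the rewrite_calling_station_id policy normalises whatever Calling-Station-Id format the switch sends into lowercase xx-xx-xx-xx-xx-xx, and the files authorized_macs instance then looks that key up in the authorized_macs file. The regex is assumed to mirror the one in policy.d/canonicalization; the sample file and MAC addresses are constructed, and the lookup is modelled as an exact string match, which is why entries have to be written in the canonical lowercase form.

```python
import re

# Constructed sample of an /etc/raddb/authorized_macs file: one unindented
# key line per MAC, each followed by indented reply attributes.
AUTHORIZED_MACS = """\
00-11-22-33-44-55
	Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
aa-bb-cc-dd-ee-ff
	Reply-Message = "Printer"
"""

# Six hex pairs, each optionally followed by one non-hex separator, so that
# "0011-2233-4455" (Huawei style), "00:11:22:33:44:55" and "001122334455"
# all match. Assumed to mirror FreeRADIUS' rewrite_calling_station_id.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$", re.I)


def rewrite_calling_station_id(value):
    """Return the lowercase xx-xx-xx-xx-xx-xx form, or None if not a MAC."""
    m = _MAC_RE.match(value)
    if not m:
        return None
    return "-".join(g.lower() for g in m.groups())


def parse_authorized_macs(text):
    """Map each key line to the list of reply attribute lines under it."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":          # unindented: a new key (the MAC)
            current = line.split()[0]
            entries[current] = []
        elif current is not None:          # indented: reply attribute
            entries[current].append(line.strip())
    return entries


def authorize(calling_station_id, entries):
    """Model the authorize section: rewrite, look up, then Accept or Reject."""
    key = rewrite_calling_station_id(calling_station_id)
    if key is None or key not in entries:
        return ("Reject", [])               # authorized_macs did not return ok
    return ("Accept", entries[key])         # control Auth-Type := Accept
```

A request whose Calling-Station-Id is not a MAC at all (for example the test user "bob" with no such attribute) is rejected by this path, which matches the "if (!ok) { reject }" branch above.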
On 04.12.20 18:25, yesi wrote:
> Here is the message from the switch client:
> Status : Pre-authen
>
> There is no more message.
> From the switch a test with the test user "bob" is OK.
> In debug mode, "radiusd -X", there is no message when a machine
> tries to connect to the switch.

I assume this is a problem of the switch. If it does not send out RADIUS packets, then the RADIUS server cannot receive any.

Did you assign the profile to interfaces?

Kind regards,

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
On 12/4/20 6:28 PM, Michael Schwartzkopff wrote:
> I assume this is a problem of the switch. If it does not send out RADIUS
> packets, then the RADIUS server cannot receive any.
>
> Did you assign the profile to interfaces?
>
> Kind regards,

To put this in context, here is the additional information:

* RADIUS server IP: a.a.a.a
* Huawei switch IP: b.b.b.b
* client network IP range, e.g. VLAN 25: c.c.c.c

A client is configured with an IP in VLAN 25. When connected to a switch port set up for MAC authentication, the client can't ping the gateway of VLAN 25.

On the switch:

switch > display access-user
-------------------------------------------------------------------------------
 UserID  Username            IP address         MAC                 Status
-------------------------------------------------------------------------------
 16      toto-account        x.x.x.x            -                   Success
 2070    client_mac_address  client_ip_address  client_mac_address  Pre-authen
-------------------------------------------------------------------------------

On the RADIUS server, a local test is OK.
From the Huawei switch, a test with the test user "bob" is OK. In debug mode, "radiusd -X", we see the packets.
When a machine tries to connect to the switch, in debug mode, "radiusd -X", there is no message.
There are no packets in the capture on the RADIUS server when:

tcpdump -vnni ens160 src "port 1812 or port 1813"
tcpdump -vnni ens160 src "host b.b.b.b or host c.c.c.c"

For the Huawei network engineer, the conf on the switch is ok...

I have no idea where to look.

y.
On Dec 9, 2020, at 6:12 AM, yesi wrote:
> From the Huawei switch, a test with the test user "bob" is OK. In debug mode, "radiusd -X", we see the packets.
> When a machine tries to connect to the switch, in debug mode, "radiusd -X", there is no message.
> There are no packets in the capture on the RADIUS server when:
>
> tcpdump -vnni ens160 src "port 1812 or port 1813"
> tcpdump -vnni ens160 src "host b.b.b.b or host c.c.c.c"

Then the problem is the switch. It's not sending packets. So no amount of poking FreeRADIUS will change anything.

> For the Huawei network engineer, the conf on the switch is ok...

It's not. I mean, this isn't difficult. The switch is supposed to send packets for MAC auth. But the switch does NOT send packets for MAC auth. So... the switch is broken.

> I have no idea where to look.

The switch.

Alan DeKok.