Help needed configuring MAB on FreeRADIUS and Cisco switch

Kaya Saman kayasaman at gmail.com
Mon Jul 16 16:44:14 CEST 2012


On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> > rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162
>> >         User-Name = "0015c5537baa"
>> >         User-Password = "0015c5537baa"
>
> note those 2 lines - the User-Name is the MAC address in that format. the password is
> the same.
>
>> > [eap] No EAP-Message, not doing EAP
>> > ++[eap] returns noop
>> > ++[files] returns noop
>> > ++[expiration] returns noop
>> > ++[logintime] returns noop
>> > [pap] WARNING! No "known good" password found for the user.
>> > Authentication may fail because of this.
>> > ++[pap] returns noop
>> > ERROR: No authenticate method (Auth-Type) found for the request:
>
> so, you haven't got any module configured for this request - either in users file,
> or SQL etc (in fact, you aren't even calling SQL - so if the SQL is all set up, then it's not
> being used....edit your default virtual server to enable SQL functionality..and
> the dialup.conf with appropriate settings).
>
> quick test
>
> put this at the top of the 'users' file and restart the server
>
>
> 0015c5537baa Cleartext-Password := "0015c5537baa"
>          Tunnel-Type:0 = VLAN,
>          Tunnel-Medium-Type:0 = IEEE-802,
>          Tunnel-Private-Group-Id:0 = "3",
>          Tunnel-Preference = 0x000000
>
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Poking around in the radiusd.conf file I checked the section modules
which looks like this:

[...]
# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
	#
	#  Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	#  The 'name' is used to load the 'rlm_name' library
	#  which implements the functionality of the module.
	#
	#  The 'instance' is optional.  To have two different instances
	#  of a module, it first must be referred to by 'name'.
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	#
	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
	#  for an example.
	#

	#
	#  As of 2.0.5, most of the module configurations are in a
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
	#  are loaded.  The modules are initialized ONLY if they are
	#  referenced in a processing section, such as authorize,
	#  authenticate, accounting, pre/post-proxy, etc.
	#
	$INCLUDE ${confdir}/modules/

	#  Extensible Authentication Protocol
	#
	#  For all EAP related authentications.
	#  Now in another file, because it is very large.
	#
	$INCLUDE eap.conf

	#  Include another file that has the SQL-related configuration.
	#  This is another file only because it tends to be big.
	#
	$INCLUDE sql.conf

	#
	#  This module is an SQL enabled version of the counter module.
	#
	#  Rather than maintaining seperate (GDBM) databases of
	#  accounting info for each counter, this module uses the data
	#  stored in the raddacct table by the sql modules. This
	#  module NEVER does any database INSERTs or UPDATEs.  It is
	#  totally dependent on the SQL module to process Accounting
	#  packets.
	#
#	$INCLUDE sql/mysql/counter.conf

	#
	#  IP addresses managed in an SQL table.
	#
#	$INCLUDE sqlippool.conf
}
[...]


The modules look like so:

raddb]# ls modules/
acct_unique   counter             dynamic_clients  files      mac2vlan       pap         realm                       unix
always        cui                 echo             inner-eap  mschap         passwd      smbpasswd                   wimax
attr_filter   detail              etc_group        ippool     ntlm_auth      perl        smsotp
attr_rewrite  detail.example.com  exec             linelog    opendirectory  policy      sqlcounter_expire_on_login
chap          detail.log          expiration       logintime  otp            preprocess  sql_log
checkval      digest              expr             mac2ip     pam            radutmp     sradutmp


I don't see a mysql module in there.


By placing the entry you suggested at the top of the /etc/raddb/users
file and restarting the server I got this:


 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=162
	User-Name = "0015c5537baa"
	User-Password = "0015c5537baa"
	Service-Type = Call-Check
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-8F-60-AB-8D"
	Calling-Station-Id = "00-15-C5-53-7B-AA"
	Message-Authenticator = 0x8a054d90202217a1e4d81aa3e5e61f2f
	NAS-Identifier = "1"
	NAS-Port-Type = Ethernet
	NAS-Port = 50013
	NAS-Port-Id = "GigabitEthernet0/13"
	NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 0015c5537baa
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 104 to 10.0.0.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 104 with timestamp +13
Ready to process requests.



I am assuming that

"Tunnel-Private-Group-Id:0 = "3","

means VLAN 3??

If so I should change it to 20 as that's what has been configured on the switch!


Regards,


Kaya
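
The following is an added example, not part of the thread and not FreeRADIUS project code: a small Python model of the MAB authorize decision that Alan's users-file entry expresses, plus a generator for that entry so the VLAN can be swapped (20 rather than 3, as Kaya intends). The allow-list, the attribute names used as dict keys and the mab_authorize/normalize_mac/users_entry helpers are assumptions made for the illustration; the sample request values are copied from the debug output above.

```python
import re

# RFC 2868 tunnel attribute values used for RADIUS VLAN assignment:
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed allow-list (an assumption for this example): MAC, normalised to
# 12 lower-case hex digits, mapped to the VLAN the port should be placed in.
# VLAN 20 is the value Kaya says is configured on the switch.
ALLOWED_MACS = {
    "0015c5537baa": 20,
}

# Sample Access-Request; attribute values copied from the debug output in the thread.
SAMPLE_REQUEST = {
    "User-Name": "0015c5537baa",
    "User-Password": "0015c5537baa",
    "Service-Type": "Call-Check",
    "Called-Station-Id": "00-1B-8F-60-AB-8D",
    "Calling-Station-Id": "00-15-C5-53-7B-AA",
    "NAS-Port-Type": "Ethernet",
    "NAS-Port-Id": "GigabitEthernet0/13",
    "NAS-IP-Address": "10.0.0.1",
}


def normalize_mac(mac):
    """Collapse any common MAC spelling (00-15-C5-53-7B-AA, 00:15:c5:53:7b:aa,
    0015.c553.7baa, 0015c5537baa) to 12 lower-case hex digits, so the same
    device matches however the NAS happens to format it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def users_entry(mac, vlan):
    """Render the 'users' file stanza from Alan's reply for one MAC/VLAN pair.
    MAB sends the MAC as both User-Name and User-Password, so the entry's
    Cleartext-Password must be the MAC itself; otherwise PAP has no
    'known good' password and no Auth-Type is ever set (the ERROR above)."""
    m = normalize_mac(mac)
    return (
        '%s Cleartext-Password := "%s"\n'
        '\tTunnel-Type:0 = VLAN,\n'
        '\tTunnel-Medium-Type:0 = IEEE-802,\n'
        '\tTunnel-Private-Group-Id:0 = "%d",\n'
        '\tTunnel-Preference = 0x000000\n'
    ) % (m, m, vlan)


def mab_authorize(request):
    """Model of the authorize decision for a MAB Access-Request (hypothetical
    helper, not a FreeRADIUS API). Returns a dict whose 'code' is Access-Accept
    or Access-Reject; on accept it carries the three tunnel attributes the
    switch needs to place the port in the VLAN."""
    # A Cisco switch marks MAB requests with Service-Type = Call-Check; anything
    # else (a real PAP login, say) must not fall through to the MAC allow-list.
    if request.get("Service-Type") != "Call-Check":
        return {"code": "Access-Reject", "reason": "not a MAB request"}
    try:
        wire_mac = normalize_mac(request["Calling-Station-Id"])
        user = normalize_mac(request["User-Name"])
        password = normalize_mac(request["User-Password"])
    except (KeyError, ValueError) as exc:
        return {"code": "Access-Reject", "reason": "malformed request: %s" % exc}
    # Key the decision on Calling-Station-Id, the MAC the switch saw on the
    # wire, and insist that User-Name and User-Password agree with it.
    if not (user == password == wire_mac):
        return {"code": "Access-Reject",
                "reason": "User-Name/User-Password differ from Calling-Station-Id"}
    vlan = ALLOWED_MACS.get(wire_mac)
    if vlan is None:
        return {"code": "Access-Reject", "reason": "MAC not on allow-list"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type:0": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type:0": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id:0": str(vlan),
    }


if __name__ == "__main__":
    print(users_entry("00-15-C5-53-7B-AA", 20))
    print(mab_authorize(SAMPLE_REQUEST))
```

Two caveats for the real deployment. The entry only authenticates a MAC address, which anyone with access to the wire can clone, so a MAB VLAN should carry only what the printer/phone class of device that cannot do 802.1X actually needs. And the Tunnel-* attributes only take effect if the switch applies RADIUS authorization; on Cisco IOS that means `aaa authorization network default group radius` in addition to `mab` and `authentication port-control auto` on the port.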


More information about the Freeradius-Users mailing list