Authorized MAC users stopped authenticating

Alan DeKok aland at deployingradius.com
Thu Dec 28 16:17:11 CET 2017 

On Dec 28, 2017, at 9:53 AM, R.Geller <rg1 at robertgeller.net> wrote:
> 
> I'm Running 3.0.13 for a while now.  I set it up to support cert
> authentication, as well as authorized MACs.  I didn't deploy any clients
> using certs, only set up with user/pass and authorized MACs.

  It may be good then to disable EAP.  Especially if you're not using it.

> Sometime last week, users couldn't authenticate.  I see errors in debug
> stated there are 2 auth types, I can see the MAC auth is working, but users
> are failing to authenticate because of EAP failure.  At this point, I want
> to be able to use both MAC / user+pass auth, and if in the future we decide
> to deploy certs, than allow that too.  If we need to disable EAP or certs
> to get this working, that is an option too.  Not sure why it stopped
> working out of the blue.  The radius server hasn't been touched since the
> initial working config.

  If the RADIUS server did't change, then something else did.

> Any ideas?
> 
> 
> (0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812
> length 218
> (0)   User-Name = "rbadani"
> (0)   NAS-Identifier = "pakedge"
> (0)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Service-Type = Framed-User
> (0)   NAS-Port = 0
> (0)   Calling-Station-Id = "34-F3-9A-86-59-57"
> (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (0)   Acct-Session-Id = "196EB9DAB87DC1A9"
> (0)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
> (0)   WLAN-Pairwise-Cipher = 1027076
> (0)   WLAN-Group-Cipher = 1027076
> (0)   WLAN-AKM-Suite = 1027073
> (0)   Framed-MTU = 1400
> (0)   EAP-Message = 0x02e1000c0172626164616e69

  Is this user supposed to be doing EAP?  If so, fix your configuration to allow EAP and MAC auth.

  If not... talk to the user and ask him what he thinks he's doing.


> (0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
> (0)     [authorized_macs] = ok
> (0)     if (!ok) {
> (0)     if (!ok)  -> FALSE
> (0)     else {
> (0)       update control {
> (0)         Auth-Type := Accept

  You can't do this for EAP.

  Your "allow MAC auth" rule has to check for EAP, too.  i.e. do:

	authorized_macs
	if (!ok) {
		reject	# reject unauth MACs, even if they do EAP
	}

	if (!EAP-Message) {
		update control {
			Auth-Type := Accept
		}
	}

> (0) Found Auth-Type = Accept
> (0) Found Auth-Type = eap
> (0) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'

  Exactly.  The default configuration doesn't have this error.  So it's something you added locally.

> (2) eap: Peer sent packet with method EAP PEAP (25)

  Is the user supposed to be doing PEAP?

  Alan DeKok.

More information about the Freeradius-Users mailing list