freeradius with Active Directory via winbind or MAC address access
Alan DeKok
aland at deployingradius.com
Wed Nov 29 15:59:07 CET 2017
On Nov 29, 2017, at 9:04 AM, Vieri via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I would like to allow access when user authentication is approved by AD through winbind, OR when the MAC address is in a local file.
That should be possible.
> I'm trying to follow this guide:
>
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
>
> but also this other guide:
>
> https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
The problem is you can't just follow *both* guides, and expect them to not interact.
i.e. you have to decide when you want to do AD, and when you want Mac Auth. Then, configure that...
> My software versions:
> freeradius-3.0.14
> samba-4.5.10
All of that information isn't really useful or needed. We ask for the debug output for a reason: that's what we need.
>
> Radius log:
> (0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132
> (0) User-Name = "user"
> (0) NAS-IP-Address = 10.215.144.92
> (0) NAS-Port = 0
> (0) Message-Authenticator = 0x1905f61891b983253895b1d8d33976d8
> (0) MS-CHAP-Challenge = 0x5e0a69983fa65564
> (0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) policy rewrite_calling_station_id {
> (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy rewrite_calling_station_id = noop
> (0) if (!EAP-Message) {
> (0) if (!EAP-Message) -> TRUE
> (0) if (!EAP-Message) {
> (0) authorized_macs: EXPAND %{Calling-Station-ID}
> (0) authorized_macs: -->
> (0) [authorized_macs] = noop
Which is fine, because it's not a MAC auth packet.
> (0) if (!ok) {
> (0) if (!ok) -> TRUE
> (0) if (!ok) {
> (0) [reject] = reject
> (0) } # if (!ok) = reject
> (0) } # if (!EAP-Message) = reject
> (0) } # authorize = reject
So... when do you want it to do AD auth?
i.e. what is in the *Access-Request packet* that lets you know it should do AD auth?
> Why is my radtest above not getting an Access-Accept?
Because you didn't tell the server to do AD auth for that user.
How do you tell the two packets apart? As always, look at the debug log to see what's different between them.
Then, do (roughly)

    if it's an AD packet
        set AD auth
    else if it's a Mac auth packet
        do mac auth
Expand that with the *detailed packet contents*, as seen in the debug output. If you're not sure, post them here.
Alan DeKok.
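One way to write the dispatch the reply sketches, as an added example that is not part of the original post, the FreeRADIUS wiki, or the FreeRADIUS project's own configuration. It assumes the `authorized_macs` files instance from the mac-auth guide and an `mschap` module pointed at winbind (via `ntlm_auth` or the `winbind_*` options) from the Active-Directory guide are already configured, and that the switch sends the client MAC as User-Name (with User-Password also set to the MAC) for MAC-auth requests. The point it makes is that `if (!EAP-Message)` alone, as in the quoted debug output, also catches the MS-CHAP radtest packet, so the MAC branch has to check for more than the absence of EAP.

```unlang
# /etc/raddb/sites-enabled/default (FreeRADIUS 3.0.x), authorize section.
# Added example, not from the original post. Assumptions: "authorized_macs"
# is a files instance keyed on %{Calling-Station-Id}; "mschap" is configured
# for winbind/ntlm_auth; MAC-auth NASes send the MAC as User-Name.
authorize {
    filter_username
    preprocess
    rewrite_calling_station_id   # normalises Calling-Station-Id to xx-xx-xx-xx-xx-xx

    # MAC auth only when the request looks like one: no EAP, no MS-CHAP,
    # and the NAS sent the client MAC as the User-Name. The radtest packet
    # in the debug output has MS-CHAP-Challenge and no Calling-Station-Id,
    # so it never enters this branch.
    if (!EAP-Message && !MS-CHAP-Challenge && &Calling-Station-Id && \
        (&User-Name == &Calling-Station-Id)) {
        authorized_macs
        if (ok) {
            # Known MAC: accept without checking the dummy password.
            update control {
                Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }
    # AD auth for MS-CHAP: the mschap module sets Auth-Type := MS-CHAP
    # when it sees MS-CHAP-Challenge/MS-CHAP-Response.
    elsif (MS-CHAP-Challenge) {
        mschap
    }
    # 802.1X / EAP, which also ends up at winbind via eap -> mschapv2 -> mschap.
    elsif (EAP-Message) {
        eap
    }
    else {
        # Neither a MAC-auth request nor something AD can authenticate.
        reject
    }
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

Two caveats a practitioner will want: a MAC is trivially spoofable, so `Auth-Type := Accept` on a MAC match should only ever put the client on a restricted VLAN, not grant the same access as a successful AD login; and the `&User-Name == &Calling-Station-Id` comparison assumes both are in the same format after `rewrite_calling_station_id`, so if the NAS sends the User-Name MAC with colons or in upper case, normalise User-Name the same way (or compare against a rewritten copy) before the test, and confirm with `radiusd -X` that each packet type lands in the branch you expect.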