Authorized MAC users stopped authenticating
Alan Buxey
alan.buxey at gmail.com
Thu Jan 4 12:12:39 CET 2018
If you want to enforce client cert then EAP-TLS is your only widely viable
option. Disable other EAP methods.
Do you want to do 'client cert AND MAC' or 'client cert or MAC' ? You
cannot just accept if the conversation is EAP - how are the MAC auths being
done?
alan
On 4 Jan 2018 5:07 am, "R.Geller" <rg1 at robertgeller.net> wrote:
> Hi Alan,
>
> I blew away all my configs, and am running vanilla 3.0.13 from yum install. I
> am using out-of-the-box configs, and created users and clients files. I
> created certificate files, and I also tested with eapol_test.
>
>
> I can authenticate with a Windows 10 client with no issues at this point. I
> created certificates based on README instructions with the new install, and
> verified that I can connect with eap_test using ttls-eap-mschapv2 and
> others (ttls-pap)...
>
> At this point, I would like to lock down the authentication so that either
> the client cert is required, or authorized MAC. I did configure the
> authorized mac previously which was working, but stopped working, and I
> think the reason it stopped working prior had nothing to do with the MAC
> configs, but because the CA/CERTs I created expired. They are not expired
> now since I created them with a new EXPIRE date, but what is happening is
> that the clients/supplicant I am testing with can authenticate without the
> root/client certs installed. I would rather authenticate with
> certificates, and not rely on authorized MACs at this point...
>
> Can you point me in the direction of how to configure the radius server to
> only authenticate if the client certificate is installed?
>
> Thanks in advance...
>
> -Rob
>
> >
> > I'm Running 3.0.13 for a while now. I set it up to support cert
> > authentication, as well as authorized MACs. I didn't deploy any clients
> > using certs, only set up with user/pass and authorized MACs.
>
> It may be good then to disable EAP. Especially if you're not using it.
>
> > Sometime last week, users couldn't authenticate. I see errors in debug
> > stating there are 2 auth types. I can see the MAC auth is working, but
> > users are failing to authenticate because of EAP failure. At this point, I
> > want to be able to use both MAC / user+pass auth, and if in the future we
> > decide to deploy certs, then allow that too. If we need to disable EAP or
> > certs to get this working, that is an option too. Not sure why it stopped
> > working out of the blue. The radius server hasn't been touched since the
> > initial working config.
>
> If the RADIUS server didn't change, then something else did.
>
> > Any ideas?
> >
> >
> > (0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812 length 218
> > (0) User-Name = "rbadani"
> > (0) NAS-Identifier = "pakedge"
> > (0) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
> > (0) NAS-Port-Type = Wireless-802.11
> > (0) Service-Type = Framed-User
> > (0) NAS-Port = 0
> > (0) Calling-Station-Id = "34-F3-9A-86-59-57"
> > (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> > (0) Acct-Session-Id = "196EB9DAB87DC1A9"
> > (0) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
> > (0) WLAN-Pairwise-Cipher = 1027076
> > (0) WLAN-Group-Cipher = 1027076
> > (0) WLAN-AKM-Suite = 1027073
> > (0) Framed-MTU = 1400
> > (0) EAP-Message = 0x02e1000c0172626164616e69
>
> Is this user supposed to be doing EAP? If so, fix your configuration to
> allow EAP and MAC auth.
>
> If not... talk to the user and ask him what he thinks he's doing.
>
>
> > (0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
> > (0) [authorized_macs] = ok
> > (0) if (!ok) {
> > (0) if (!ok) -> FALSE
> > (0) else {
> > (0) update control {
> > (0) Auth-Type := Accept
>
> You can't do this for EAP.
>
> Your "allow MAC auth" rule has to check for EAP, too. i.e. do:
>
> authorized_macs
> if (!ok) {
>     reject    # reject unauth MACs, even if they do EAP
> }
>
> if (!EAP-Message) {
>     update control {
>         Auth-Type := Accept
>     }
> }
>
> > (0) Found Auth-Type = Accept
> > (0) Found Auth-Type = eap
> > (0) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
>
> Exactly. The default configuration doesn't have this error. So it's
> something you added locally.
>
> > (2) eap: Peer sent packet with method EAP PEAP (25)
>
> Is the user supposed to be doing PEAP?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
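As an added example (not taken from either Alan's post or from the FreeRADIUS project's stock files), here are the two configuration excerpts that put the advice in this thread together: Alan DeKok's MAC-then-EAP rule in the authorize section, and an eap module that offers only EAP-TLS, which is what Alan Buxey suggests for enforcing client certificates. It assumes `authorized_macs` is an already-defined `files` module instance keyed on Calling-Station-Id, and leaves the stock tls-common certificate settings unchanged.

```unlang
# sites-enabled/default, authorize section (added example, not the stock file).
# Assumes authorized_macs is a files module instance keyed on Calling-Station-Id.
authorize {
    preprocess

    # Look the calling MAC up first. An unknown MAC is rejected here,
    # before the eap module ever sees the request, so EAP cannot bypass it.
    authorized_macs
    if (!ok) {
        reject
    }

    # A request with no EAP-Message is plain MAC auth: accept it outright.
    # Setting Auth-Type := Accept on an EAP request is what produces the
    # "Found 2 auth-types" error shown in the debug output above.
    if (!EAP-Message) {
        update control {
            Auth-Type := Accept
        }
    }

    # A known MAC that is doing EAP falls through to the eap module, which
    # sets Auth-Type = eap itself and returns ok, ending the section here.
    eap {
        ok = return
    }

    # ... remaining stock authorize entries (files, pap, etc.) unchanged
}

# mods-enabled/eap (excerpt). Only EAP-TLS is configured, so a client
# certificate is the only way an EAP conversation can succeed; a supplicant
# asking for PEAP or TTLS instead gets an EAP failure. The tls-common section
# holding certificate_file, private_key_file and ca_file is the stock one.
eap {
    default_eap_type = tls

    tls {
        tls = tls-common
    }
}
```

With this in place a non-EAP request from a known MAC is accepted, an EAP request from a known MAC must complete EAP-TLS with a valid client certificate, and everything else is rejected.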