<p class="MsoNormal">I am setting
up our Freeradius to do authentication for MAC address for windows PC.
This is to enable PCs to connect to the AD to access Domain information just
before Windows User Logon Screen. The PC is already connected to a
Cisco switch port which has been configured 802.1x.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I have stored list of authorized MAC addresses in a file
called authorized_macs in Freeradius confdir. I have also set up
appropriate commands in Authorize and Authentication sections of
sites-enabled/default file for authorization and authentication. I can
see from the log that the MAC addresses is checked and OK. But there is
an [eap] returns reject just after the mac address was successfully
checked. I guess I need a way to get radius to force an EAP accept after
successful checking of the MAC addresses. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Below is my Auth-Type statement which gets the system to do
MAC address checking for PCs connecting with the hint “thehive”. The else
statement is to cause all other requests to requests to be processed normally
using mschap_ad (which is a function that calls ntlm_auth). </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">Auth-Type MS-CHAP {</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> if ( Hint
== "validmac") {</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">
authorized_macs</span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> update control {</span></p><p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> Auth-Type := Accept</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> }</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> }</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> else {</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif">
mschap_ad</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> }</span></p>
<p class="MsoNormal"><span style="font-size:12pt;font-family:Arial,sans-serif"> }</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Below is the extract of the log highlighting successful
mac address checking but still returned [eap] returns reject</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">#
Executing group from file /etc/freeradius/sites-enabled/inner-tunnel</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">+-
entering group authenticate {...}</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[eap]
Request found, released from the list</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[eap]
EAP/mschapv2</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[eap]
processing type mschapv2</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
+- entering group MS-CHAP {...}</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
++? if (outer.Hint == "validmac")</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
? Evaluating (outer.Hint == "validmac") -> TRUE</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
++? if (outer.Hint == "</span><span style="font-family:Arial,sans-serif">validmac</span><span style="font-family:Arial,sans-serif">") -> TRUE</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[mschapv2]
++- entering if (outer.Hint == "</span><span style="font-family:Arial,sans-serif">validmac</span><span style="font-family:Arial,sans-serif">") {...}</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[authorized_macs]
expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">+++[authorized_macs]
returns noop</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">++-
if (outer.Hint == "thehive") returns noop</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">++
... skipping else for request 14: Preceding "if" was taken</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[eap]
Freeing handler</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">++[eap]
returns reject</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Failed
to authenticate the user.</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Login
incorrect: [host/<a href="http://hive-rjm2.library.networcs.net/" target="_blank">hive-rjm2.library.networcs.net</a>] (from client 193.62.48.37
port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">}
# server inner-tunnel</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[peap]
Got tunneled reply code 3</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">
EAP-Message = 0x04080004</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">
Message-Authenticator = 0x00000000000000000000000000000000</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[peap]
Got tunneled reply RADIUS code 3</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">
EAP-Message = 0x04080004</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">
Message-Authenticator = 0x00000000000000000000000000000000</span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">[peap]
Tunneled authentication was rejected.</span></p><div><br></div>-- <br>'Tunde Ogedengbe<br><br>"But thanks be to God, who gives me the VICTORY through my Lord Jesus CHRIST" - 1 Corinthians 15:57<br>