<p class="MsoNormal">I am setting
up our FreeRADIUS to do MAC address authentication for Windows PCs.
This is to enable PCs to connect to the AD to access domain information just
before the Windows user logon screen. The PC is already connected to a
Cisco switch port which has been configured for 802.1X.</p>

<p class="MsoNormal">I have stored a list of authorized MAC addresses in a file
called authorized_macs in the FreeRADIUS confdir. I have also set up
appropriate commands in the authorize and authenticate sections of the
sites-enabled/default file for authorization and authentication. I can
see from the log that the MAC address is checked and OK. But there is
an [eap] returns reject just after the MAC address was successfully
checked. I guess I need a way to get RADIUS to force an EAP accept after
successful checking of the MAC address.</p>

<p class="MsoNormal">Below is my Auth-Type statement, which gets the system to do
MAC address checking for PCs connecting with the hint “thehive”. The else
statement is to cause all other requests to be processed normally
using mschap_ad (which is a function that calls ntlm_auth).</p>

<pre>
Auth-Type MS-CHAP {
        if (Hint == "validmac") {
                # look the calling MAC (Calling-Station-Id) up in the authorized_macs file
                authorized_macs
                # Auth-Type is read after authorize finishes, to choose this very
                # sub-section; assigning it here, inside authenticate, is too late
                # to change which sub-section runs or what it returns
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # everything else: EAP-MSCHAPv2 against AD via ntlm_auth
                mschap_ad
        }
}
</pre>

<p class="MsoNormal">Below is an extract of the log highlighting successful
MAC address checking but still returning [eap] returns reject.</p>

<pre>
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if (outer.Hint == "validmac")
[mschapv2] ? Evaluating (outer.Hint == "validmac") -> TRUE
[mschapv2] ++? if (outer.Hint == "validmac") -> TRUE
[mschapv2] ++- entering if (outer.Hint == "validmac") {...}
[authorized_macs]       expand: %{Calling-Station-ID} -> 00-1a-a0-b8-3b-73
+++[authorized_macs] returns noop
++- if (outer.Hint == "thehive") returns noop
++ ... skipping else for request 14: Preceding "if" was taken
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/<a href="http://hive-rjm2.library.networcs.net/" target="_blank">hive-rjm2.library.networcs.net</a>] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
</pre><div><br></div>-- <br>'Tunde Ogedengbe<br><br>"But thanks be to God, who gives me the VICTORY through my Lord Jesus CHRIST" - 1 Corinthians 15:57<br>