On Nov 29, 2017, at 9:04 AM, Vieri via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I would like to allow access when user authentication is approved by AD through winbind, OR when the MAC address is in a local file.
That should be possible.
I'm trying to follow this guide:
https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
but also this other guide:
https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
The problem is you can't just follow *both* guides, and expect them to not interact. i.e. you have to decide when you want to do AD, and when you want Mac Auth. Then, configure that...
My software versions: freeradius-3.0.14 samba-4.5.10
All of that information isn't really useful or needed. We ask for the debug output for a reason: that's what we need.
Radius log: (0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132 (0) User-Name = "user" (0) NAS-IP-Address = 10.215.144.92 (0) NAS-Port = 0 (0) Message-Authenticator = 0x1905f61891b983253895b1d8d33976d8 (0) MS-CHAP-Challenge = 0x5e0a69983fa65564 (0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) if (!EAP-Message) { (0) if (!EAP-Message) -> TRUE (0) if (!EAP-Message) { (0) authorized_macs: EXPAND %{Calling-Station-ID} (0) authorized_macs: --> (0) [authorized_macs] = noop
Which is fine, because it's not a MAC auth packet.
(0) if (!ok) { (0) if (!ok) -> TRUE (0) if (!ok) { (0) [reject] = reject (0) } # if (!ok) = reject (0) } # if (!EAP-Message) = reject (0) } # authorize = reject
So... when you you want it to do AD auth? i.e. what is in the *Access-Request packet* that lets you know it should do AD auth?
Why is my radtest above not getting an Access-Accept?
Because you didn't tell the server to do AD auth for that user. How do you tell the two packets apart? As always, look at the debug log to see what's different between them. Then, do (roughly) if it's an AD packet set AD auth else if it's a Mac auth packet do mac auth Expand that with the *detailed packet contents*, as seen in the debug output. If you're not sure, post them here. Alan DeKok.