If you want to enforce client cert then EAP-TLS is your only widely viable option. Disable other EAP methods. Do you want to do 'client cert AND MAC' or 'client cert or MAC' ? You cannot just accept if the conversation is EAP - how are the MAC auths being done? alan On 4 Jan 2018 5:07 am, "R.Geller" <rg1@robertgeller.net> wrote:
Hi Alan,
I blew away all my configs, and running vanilla 3.0.13 from yum install. I am using out-of-the-box configs, and created users and clients file. I created certificate files, and I also tested with eapol_test
I can authenticate with windows 10 client with no issues at this point. I created certificates based on README instructions with new install, and verified that I can connect with eap_test using ttls-eap-mschapv2 and others (ttls-pap)...
At this point, I would like to lock down the authentication so that either the client cert is required, or authorized MAC. I did configure the authorized mac previously which was working, but stopped working, and I think the reason it stopped working prior had nothing to do with the MAC configs, but because the CA/CERTs I created expired. They are not expired now since I created them with a new EXPIRE date, but what is happening is that the clients/supplicant I am testing with can authenticate without the root/client certs installed. I would rather authenticate with certificates, and not rely on authorized MACs at this point...
Can you point me in the direction of how to configure the radius server to only authenticate if the client certificate is installed?
Thanks I'm advance...
-Rob
I'm Running 3.0.13 for a while now. I set it up to support cert authentication, as well as authorized MACs. I didn't deploy any clients using certs, only set up with user/pass and authorized MACs.
It may be good then to disable EAP. Especially if you're not using it.
Sometime last week, users couldn't authenticate. I see errors in debug stated there are 2 auth types, I can see the MAC auth is working, but users are failing to authenticate because of EAP failure. At this point, I want to be able to use both MAC / user+pass auth, and if in the future we decide to deploy certs, than allow that too. If we need to disable EAP or certs to get this working, that is an option too. Not sure why it stopped working out of the blue. The radius server hasn't been touched since the initial working config.
If the RADIUS server did't change, then something else did.
Any ideas?
(0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812 length 218 (0) User-Name = "rbadani" (0) NAS-Identifier = "pakedge" (0) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 0 (0) Calling-Station-Id = "34-F3-9A-86-59-57" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "196EB9DAB87DC1A9" (0) Acct-Multi-Session-Id = "A7617A3B4E8A4349" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02e1000c0172626164616e69
Is this user supposed to be doing EAP? If so, fix your configuration to allow EAP and MAC auth.
If not... talk to the user and ask him what he thinks he's doing.
(0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8 (0) [authorized_macs] = ok (0) if (!ok) { (0) if (!ok) -> FALSE (0) else { (0) update control { (0) Auth-Type := Accept
You can't do this for EAP.
Your "allow MAC auth" rule has to check for EAP, too. i.e. do:
authorized_macs if (!ok) { reject # reject unauth MACs, even if they do EAP }
if (!EAP-Message) { update control { Auth-Type := Accept } }
(0) Found Auth-Type = Accept (0) Found Auth-Type = eap (0) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
Exactly. The default configuration doesn't have this error. So it's something you added locally.
(2) eap: Peer sent packet with method EAP PEAP (25)
Is the user supposed to be doing PEAP?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html