On Fri, 2015-04-17 at 15:19 +0000, Stefan Paetow wrote:
I googled for radtest and Calling-Station-Id and found a Ubuntu man page that had -g for it. I know sometimes distros have different functions in
Ahh, this one:
http://manpages.ubuntu.com/manpages/gutsy/man1/radtest.1.html - This is provided by yardradius, not FreeRADIUS.
FreeRADIUS ships with a radtest utility of its own.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
so, some success and some more confusion. i have a virtual server configured, /etc/raddb/sites-available/mac-auth-bypass. when i link that file into /etc/raddb/sites-enabled and run radiusd -X, i am able to do some rudimentary Mac Auth Bypassing. if the mac is in the directory, the access is granted. but i need clarification around a couple of items. first, i am trying to have the directory reply with some items for VLAN assignment. the below attributes are set for the mac i am testing with: radiusservicetype: Framed-User radiustunnelmediumtype: IEEE-802 radiustunnelprivategroupid: 1 radiustunneltype: VLAN i can only assume that because of the rudimentary state of my virtual server, the items are not being acted upon or given out by the virtual server. a plain ldapsearch returns these items. i assume there is a piece i am missing, to have this done. where do i find more about what piece i am missing? second, when the virtual server is enabled, the authentication that i do to log into a switch does not work. if i disable the virtual server the auth works again. how do i setup things so that both user auth and mac auth bypass work at the same time? mac-auth-bypass virtual server: ------------------------------- server mac-auth-bypass { listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } authorize { if (EAP-Message) { #use colons (:), not dashes(-), for ldap lookups rewrite_calling_station_id_ldap if ("%{ldap:ldap:///ou=DHCP\ SubClasses,cn=DHCP\ Config,ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn= %{Calling-Station-Id}))}") { # in the future, assign to VLAN_Y update control { Auth-Type := Accept } } else { # in the future, assign to VLAN_Z update control { Auth-Type := Reject } } } else { # in the future, 802.1x stuff update control { control:Auth-Type := ldap #Auth-Type := Reject } } } authenticate { Auth-Type ldap { ldap } } } my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message. because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement. i assume the mods-available/ldap file is not appropriate for this logic, as i tried to add an authorize section to it and i got an error saying that was not an appropriate place for an "if" statement. ultimately, i am looking to have user auth, mac auth bypass and full .1x work side-by-side-by-side, and this is an interim step. i am not sure how to get user auth and mac auth bypass working at the same time, when both are intended to use ldap for lookups. any pointers are appreciated. brendan