Hi I want to deploy MAC based RADIUS authentication (only - non responsive hosts). To be honest, I don't want to authenticate users at all, all I want is to assign hosts dynamically to different VLANS according to their MAC address. The one side is done by a Juniper EX series switch, which is - I think - configured appropriately and forwards requests to my RADIUS server (freeradius 2.1.9+dfsg-1+b on Debian Squeeze/Testing). My radiusd.conf is: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes client switch { ipaddr = 10.10.10.254 secret = juniper require_message_authenticator = no nastype = other } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } authorize { preprocess files } authenticate { } You can see, I disabled any authentication method beside of files. The users file is this: aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90 Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "110" Now I start auth: root@EX4200-VC> restart dot1x-protocol Port based Network Access Control started, pid 25579 {master:0} root@EX4200-VC> show dot1x interface 802.1X Information: Interface Role State MAC address User ge-1/0/4.0 Authenticator Connecting ge-1/0/5.0 Authenticator Connecting and on the radius server: root@data:~# freeradius -X FreeRADIUS Version 2.1.9, for host x86_64-pc-linux-gnu, built on Jun 18 2010 at 03:16:00 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/eap.conf main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### ... radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. If I now try to communicate through the interface to be authenticated I get: Hi I want to deploy MAC based RADIUS authentication (only - non responsive hosts). To be honest, I don't want to authenticate users at all, all I want is to assign hosts dynamically to different VLANS according to their MAC address. The one side is done by a Juniper EX series switch, which is - I think - configured appropriately and forwards requests to my RADIUS server (freeradius 2.1.9+dfsg-1+b on Debian Squeeze/Testing). My radiusd.conf is: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes client switch { ipaddr = 10.10.10.254 secret = juniper require_message_authenticator = no nastype = other } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } authorize { preprocess files } authenticate { } You can see, I disabled any authentication method beside of files. The users file is this: aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90 Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "110" Now I start auth: root@EX4200-VC> restart dot1x-protocol Port based Network Access Control started, pid 25579 {master:0} root@EX4200-VC> show dot1x interface 802.1X Information: Interface Role State MAC address User ge-1/0/4.0 Authenticator Connecting ge-1/0/5.0 Authenticator Connecting and on the radius server: root@data:~# freeradius -X FreeRADIUS Version 2.1.9, for host x86_64-pc-linux-gnu, built on Jun 18 2010 at 03:16:00 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/eap.conf main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### ... radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. If I now try to communicate through the interface to be authenticated I get: Hi I want to deploy MAC based RADIUS authentication (only - non responsive hosts). To be honest, I don't want to authenticate users at all, all I want is to assign hosts dynamically to different VLANS according to their MAC address. The one side is done by a Juniper EX series switch, which is - I think - configured appropriately and forwards requests to my RADIUS server (freeradius 2.1.9+dfsg-1+b on Debian Squeeze/Testing). My radiusd.conf is: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes client switch { ipaddr = 10.10.10.254 secret = juniper require_message_authenticator = no nastype = other } thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } authorize { preprocess files } authenticate { } You can see, I disabled any authentication method beside of files. The users file is this: aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90 Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "110" Now I start auth: root@EX4200-VC> restart dot1x-protocol Port based Network Access Control started, pid 25579 {master:0} root@EX4200-VC> show dot1x interface 802.1X Information: Interface Role State MAC address User ge-1/0/4.0 Authenticator Connecting ge-1/0/5.0 Authenticator Connecting and on the radius server: root@data:~# freeradius -X FreeRADIUS Version 2.1.9, for host x86_64-pc-linux-gnu, built on Jun 18 2010 at 03:16:00 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/eap.conf main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### ... radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on proxy address * port 1814 Ready to process requests. If I now try to communicate through the interface to be authenticated I get: rad_recv: Access-Request packet from host 10.10.10.254 port 58798, id=45, length=118 User-Name = "aa00007f9c90" NAS-Port = 119 EAP-Message = 0x0200001101616130303030376639633930 Message-Authenticator = 0x4ab3cccda64e92e76dfa2a97172cebca Acct-Session-Id = "8O2.1x81eb00c2" NAS-Identifier = "EX4200-VC" NAS-Port-Type = Virtual +- entering group authorize {...} ++[preprocess] returns ok ++[files] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 45 to 10.10.10.254 port 58798 Waking up in 4.9 seconds. Cleaning up request 0 ID 45 with timestamp +62 Ready to process requests. and on the switch it remains on: ge-1/0/4.0 Role: Authenticator Administrative state: Auto Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Transmit period: 30 seconds Mac Radius: Disabled Mac Radius Strict: Enabled Reauthentication: Enabled Reauthentication interval: 3600 seconds Supplicant timeout: 30 seconds Server timeout: 30 seconds Maximum EAPOL requests: 2 Guest VLAN member: Number of connected supplicants: 1 Supplicant: aa00007f9c90, AA:00:00:7F:9C:90 Operational state: Authenticating Authentcation method: Radius Authenticated VLAN: configured/default Reauthentication due in 0 seconds Any clues? freenetMail - Der zuverlässige E-Mail-Dienst von freenet.de Jetzt kostenlose E-Mail-Adresse mit 1 GB Speicher und Profi-Spamschutz sichern! Sofort anmelden!