802.1x and MAC Authentication
Hi All, I am attempting to setup my server so that it now checks a MAC address and then provided the MAC address is ok it then moves on to performing EAP authentication. This seems to be working fine but I noticed something in the logs that I wanted to query. I am using this guide <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x>. Whenever the RADIUS server sends an Access-Challenge, it still sends the usual EAP-Message, Message-Authenticator, and State attributes, however it now also sends a Reply-Message on the line above these in the format of the one in the aforementioned guide: Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" Doesn't seem like something to worry about just wondered if there was any way around this? Further to this the guide says: if (!ok) { # Reject if the MAC address was not permitted. reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept Unless I am misunderstanding this is saying, "check the MAC address, if this isn't correct then continue. If it is correct but someone isn't using EAP then just allow them through". Surely unless someone were to comment out all authentication modules besides EAP in the default server, this would just allow someone to get onto the network with a correct MAC even if they don't have auth credentials? Kind regards, Connor
Hi Connor Sorry, not yet able to provide you any help on your question at the moment, but I am in the middle of implementing the same use case at this exact moment: 1. MAC authentication with a REST API call to Infoblox first 2. 802.1X / PEAP authentication, only first auth above was successful Are you authorizing the mac addresses against the authorized_macs file on FreeRADIUS server or towards something else (eg. SQL, REST API, something else)? Regards Dominic Am 23.09.24, 16:43 schrieb "Freeradius-Users im Auftrag von Connor Herring" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von connorrjherring@gmail.com <mailto:connorrjherring@gmail.com>>: Hi All, I am attempting to setup my server so that it now checks a MAC address and then provided the MAC address is ok it then moves on to performing EAP authentication. This seems to be working fine but I noticed something in the logs that I wanted to query. I am using this guide <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x> <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x;>. Whenever the RADIUS server sends an Access-Challenge, it still sends the usual EAP-Message, Message-Authenticator, and State attributes, however it now also sends a Reply-Message on the line above these in the format of the one in the aforementioned guide: Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" Doesn't seem like something to worry about just wondered if there was any way around this? Further to this the guide says: if (!ok) { # Reject if the MAC address was not permitted. reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept Unless I am misunderstanding this is saying, "check the MAC address, if this isn't correct then continue. If it is correct but someone isn't using EAP then just allow them through". Surely unless someone were to comment out all authentication modules besides EAP in the default server, this would just allow someone to get onto the network with a correct MAC even if they don't have auth credentials? Kind regards, Connor - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Hi Dominic, Using the authorized_macs file. Was going to attempt SQL but I couldn't see a guide anywhere so wanted to give this a try first. Seems to be working fine but I was just unsure on some of the nuances. I have also removed the 'else' from the below section. Didn't know if this was a bad thing to do but it seems to work? If I then put the else back in and wrap the rest of the Authorize section in the else it doesn't work at all so not sure on that one. if (!ok) { # Reject if the MAC address was not permitted. reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept } } else { # Normal FreeRADIUS virtual server config goes here e.g. eap } } Kind regards, Connor On Mon, Sep 23, 2024 at 3:52 PM <dominic.stalder@unibe.ch> wrote:
Hi Connor
Sorry, not yet able to provide you any help on your question at the moment, but I am in the middle of implementing the same use case at this exact moment:
1. MAC authentication with a REST API call to Infoblox first
2. 802.1X / PEAP authentication, only first auth above was successful
Are you authorizing the mac addresses against the authorized_macs file on FreeRADIUS server or towards something else (eg. SQL, REST API, something else)?
Regards Dominic
Am 23.09.24, 16:43 schrieb "Freeradius-Users im Auftrag von Connor Herring" <freeradius-users-bounces+dominic.stalder= unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von connorrjherring@gmail.com <mailto:connorrjherring@gmail.com>>:
Hi All,
I am attempting to setup my server so that it now checks a MAC address and then provided the MAC address is ok it then moves on to performing EAP authentication. This seems to be working fine but I noticed something in the logs that I wanted to query. I am using this guide <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x> < https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x;>.
Whenever the RADIUS server sends an Access-Challenge, it still sends the usual EAP-Message, Message-Authenticator, and State attributes, however it now also sends a Reply-Message on the line above these in the format of the one in the aforementioned guide:
Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
Doesn't seem like something to worry about just wondered if there was any way around this?
Further to this the guide says:
if (!ok) { # Reject if the MAC address was not permitted. reject }
# If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept
Unless I am misunderstanding this is saying, "check the MAC address, if this isn't correct then continue. If it is correct but someone isn't using EAP then just allow them through". Surely unless someone were to comment out all authentication modules besides EAP in the default server, this would just allow someone to get onto the network with a correct MAC even if they don't have auth credentials?
Kind regards,
Connor - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html < http://www.freeradius.org/list/users.html>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi All, Is someone able to take a look at this for me please? As mentioned I just need to know if: Removing else from the aforementioned statement would cause any issues further down the line currently the statement looks like this * if (!ok) { # Reject if the MAC address was not permitted. reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept } }* and once this is complete it just continues through to EAP auth and then to the inner tunnel server based on the debug logs. So everything looks fine at a glance but thought I'd check since this isn't how it's configured in the documentation. If you need any further information please let me know. Kind regards, Connor On Mon, Sep 23, 2024 at 3:42 PM Connor Herring <connorrjherring@gmail.com> wrote:
Hi All,
I am attempting to setup my server so that it now checks a MAC address and then provided the MAC address is ok it then moves on to performing EAP authentication. This seems to be working fine but I noticed something in the logs that I wanted to query. I am using this guide <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x>.
Whenever the RADIUS server sends an Access-Challenge, it still sends the usual EAP-Message, Message-Authenticator, and State attributes, however it now also sends a Reply-Message on the line above these in the format of the one in the aforementioned guide:
Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
Doesn't seem like something to worry about just wondered if there was any way around this?
Further to this the guide says:
if (!ok) { # Reject if the MAC address was not permitted. reject }
# If this is NOT 802.1x, mac-auth if (!EAP-Message) { # MAC address has already been checked, so accept update control { Auth-Type := Accept
Unless I am misunderstanding this is saying, "check the MAC address, if this isn't correct then continue. If it is correct but someone isn't using EAP then just allow them through". Surely unless someone were to comment out all authentication modules besides EAP in the default server, this would just allow someone to get onto the network with a correct MAC even if they don't have auth credentials?
Kind regards,
Connor
participants (2)
-
Connor Herring -
dominic.stalder@unibe.ch