pap + mac auth authentication problem
Hello, I’m in the following situation : - I have switches that share either wifi and wired connexions. - on wifi connexion I have an eap/peap authentication - what I want is that on wired connexion, if the user/password authentication fail, authentication is done on mac-adress with automatic vlan configuration. I have a working wifi configuration on a first server I have a working wired configuration on a second server Is there any way to mix both on a single server ? Server version is 3.0.17 The wifi configuration is : authorize { preprocess mschap suffix eap files ldap } authenticate { Auth-Type MS-CHAP { mschap } eap } The wired configuration is : authorize { filter_username rewrite.called_station_id_ipb rewrite.calling_station_id_ipb preprocess suffix update control { Auth-Type := Accept Tunnel-Private-Group-Id :=" %{ldap:ldap://ldap.xxx/ou=hosts,dc=xxx,dc=xxx?radiusTunnelPrivateGroupId?sub?(&(objectClass=radiusProfile)(macAddress=%{Calling-Station-ID}))}" } if (!"%{control:Tunnel-Private-Group-ID}") { reject } expiration logintime } authenticate { } post-auth { update { &reply: += &session-state: } -sql update reply { &Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}" &Tunnel-Medium-Type := "IEEE-802" &Tunnel-Type := "VLAN" } remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject } Post-Auth-Type Challenge { } }
On Oct 30, 2018, at 10:45 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote:
I’m in the following situation : - I have switches that share either wifi and wired connexions. - on wifi connexion I have an eap/peap authentication - what I want is that on wired connexion, if the user/password authentication fail, authentication is done on mac-adress with automatic vlan configuration.
I have a working wifi configuration on a first server I have a working wired configuration on a second server
Is there any way to mix both on a single server ?
Yes.
The wifi configuration is :
Please don't post configurations to the list. We don't need to see them. We're also not going to edit the configurations for you, or create the custom configuration you want. What you have to do is look for differences in the packets, and then key off of those differences. For WiFi, this means looking for EAP-Message: authorize { if (EAP-Message) { ... WiFi stuff ... } else { ... MAC auth stuff... } } Alan DeKok.
Le 30 oct. 2018 à 16:51, Alan DeKok <aland@deployingradius.com> a écrit :
On Oct 30, 2018, at 10:45 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote:
I’m in the following situation : - I have switches that share either wifi and wired connexions. - on wifi connexion I have an eap/peap authentication - what I want is that on wired connexion, if the user/password authentication fail, authentication is done on mac-adress with automatic vlan configuration.
I have a working wifi configuration on a first server I have a working wired configuration on a second server
Is there any way to mix both on a single server ?
Yes.
The wifi configuration is :
Please don't post configurations to the list. We don't need to see them.
Different mailing list different usages, I don’t have them all in mind… some want the configuration some like this one don’t…
We're also not going to edit the configurations for you, or create the custom configuration you want.
:) Did I ask for that ? No. (Answer of a tired admin sys that have been digging in what is self-called a documentation for several days)
What you have to do is look for differences in the packets, and then key off of those differences. For WiFi, this means looking for EAP-Message:
authorize { if (EAP-Message) { ... WiFi stuff ... } else { ... MAC auth stuff... } }
Thanks. f.g.
By the way, I don’t find in the doc or man pages how to create an EAP-Message with radtest or radclient. What is the correct way to build a request with an EAP-Message ? f.g.
What you have to do is look for differences in the packets, and then key off of those differences. For WiFi, this means looking for EAP-Message:
authorize { if (EAP-Message) { ... WiFi stuff ... } else { ... MAC auth stuff... } }
Thanks.
f.g.
On 30-10-18 18:05, Frédéric Goudal wrote:
By the way, I don’t find in the doc or man pages how to create an EAP-Message with radtest or radclient. What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/ -- Herwin Weststrate
Le 30 oct. 2018 à 18:09, Herwin Weststrate <herwin@quarantainenet.nl> a écrit :
On 30-10-18 18:05, Frédéric Goudal wrote:
By the way, I don’t find in the doc or man pages how to create an EAP-Message with radtest or radclient. What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/
Thans for your answer, it works BUT (and I know it is not a freeradius issue, but I think this info can help) - the 2.6 version does NOT complile on ubuntu 18.4 (__bitwise multiple defined). - the 2.5 version does NOT compile on ubuntu 18.4 : ../src/crypto/crypto_openssl.c: In function ‘openssl_digest_vector’: ../src/crypto/crypto_openssl.c:68:13: error: storage size of ‘ctx’ isn’t known I had to switch to an old jessie distro AND - use 2.5 - remove the -Werror from the Makefile f.g.
On 31-10-18 09:53, Frédéric Goudal wrote:
Le 30 oct. 2018 à 18:09, Herwin Weststrate <herwin@quarantainenet.nl> a écrit :
On 30-10-18 18:05, Frédéric Goudal wrote:
By the way, I don’t find in the doc or man pages how to create an EAP-Message with radtest or radclient. What is the correct way to build a request with an EAP-Message ?
Use eapol_test: http://deployingradius.com/scripts/eapol_test/
Thans for your answer, it works BUT (and I know it is not a freeradius issue, but I think this info can help) - the 2.6 version does NOT complile on ubuntu 18.4 (__bitwise multiple defined). - the 2.5 version does NOT compile on ubuntu 18.4 : ../src/crypto/crypto_openssl.c: In function ‘openssl_digest_vector’: ../src/crypto/crypto_openssl.c:68:13: error: storage size of ‘ctx’ isn’t known
I had to switch to an old jessie distro AND - use 2.5 - remove the -Werror from the Makefile
That looks as if the source has not been updated to work correctly with newer OpenSSL versions. I don't have a recent Ubuntu system at hand, but it might be worth to try to fetch the apt source and using the patch in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700870 instead. I'm not sure if it works without changes on the Ubuntu repository. -- Herwin Weststrate
On Oct 30, 2018, at 11:57 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote:
Please don't post configurations to the list. We don't need to see them.
Different mailing list different usages, I don’t have them all in mind… some want the configuration some like this one don’t…
When you join this mailing list, you get an email pointing you to documentation about the mailing list. That document says what to post, and what not to post. If you're not going to read the documentation, you'll have a very bad time.
We're also not going to edit the configurations for you, or create the custom configuration you want.
:) Did I ask for that ? No. (Answer of a tired admin sys that have been digging in what is self-called a documentation for several days)
The documentation describes how FreeRADIUS works. If you want to know more, ask questions. And no, we *don't* document how to do every possible thing. This is RADIUS. Everyone wants to do something slightly different. So that list of things is near-infinite. We really on people *reading the documentation*, and then *asking questions*. Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely. Alan DeKok.
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your anwer was harsh… what did you expect from a sysadmin who has been fighting against your documentation ? An answer on the same style. Ok, let’s take an example : - in your configuration file there are -ldap stanza… - in your documentation where is the minus sign documented ? - how do I find it if I don’t know ? Ok let’s start : - it’s found on a server configuration file so I go there : https://wiki.freeradius.org/config/Configuration-files Ok no syntax item… let’s dig Ohhh site configuration https://wiki.freeradius.org/config/Sites-configuration Ohh no syntax I have to go to virtual server https://wiki.freeradius.org/config/Virtual-server Ohhh still no syntax, some examples, none with the ‘-ldap’ stanza… And nowhere to go… after more than an hour digging… still not found. So… what do you expect from a sysadmin who has a lot of work and has to spend hours not to find the correct answer. You know I’m a senior sysadmin, I have been dealing with hundreds of products and documentation for more than 25 years I KNOW what is a good documentation. I have spoken with several colleague and they all say the same… so maybe you can learn to accept your users advice… f.g.
On Oct 31, 2018, at 5:16 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote:
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your anwer was harsh…
You expected that making snide comments would make us like you?
what did you expect from a sysadmin who has been fighting against your documentation ? An answer on the same style.
Ah, you start off being rude, and when I point out this isn't appropriate, you double down on your rudeness. And blame me. That shows a distinct lack of self-awareness.
Ok, let’s take an example : - in your configuration file there are -ldap stanza… - in your documentation where is the minus sign documented ? - how do I find it if I don’t know ?
Read the configuration files? Or read the debug output? Or ask on the mailing list? Here's a normal question: Q: I can't find anywhere what "-ldap" means. Can you guys tell me? Here's your question: Q: Your documentation sucks! Can you help me? Which one motivates people to help you?
So… what do you expect from a sysadmin who has a lot of work and has to spend hours not to find the correct answer.
Ask questions on the mailing list? If you've paid attention, you'll see that most questions are answered very quickly. i.e. in less than hours. i.e. you don't bother asking questions, and then blame us for how long it took to get the answer.
You know I’m a senior sysadmin, I have been dealing with hundreds of products and documentation for more than 25 years I KNOW what is a good documentation. I have spoken with several colleague and they all say the same… so maybe you can learn to accept your users advice…
You get this product for free, and all you can do is shit on the people who wrote it. Wonderful. FreeRADIUS has been going for about 20 years now. In that time, I've seen endless numbers of whiners who complain about the documentation. I can't think of a single one who has *contributed* something to make it better. You fall into the same camp. Why would I accept advice from someone who isn't giving any advice? "Your documentation sucks" isn't a productive comment. You didn't offer a patch to document the problem you had. Instead, you just made rude comments, and expected that we would be grateful. I'll make it simple for you. If you ask good questions, we can answer them. If you contribute, your contributions will be reviewed and generally accepted. If you keep complaining on the list, you will be unsubscribed, and permanently banned. Alan DeKok.
Le 31 oct. 2018 à 11:42, Alan DeKok <aland@deployingradius.com> a écrit :
On Oct 31, 2018, at 5:16 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote:
Making snide comments about the documentation is not really appropriate. It motivates us to ignore you entirely.
Well, your anwer was harsh…
You expected that making snide comments would make us like you?
Fact checking : I asked a question, you answered in a rude tone, than I answered you the same way. Stop blaming others to behave like you do. You’re childish… End of discution.
On Oct 31, 2018, at 8:08 AM, Frédéric Goudal <frederic.goudal@bordeaux-inp.fr> wrote: More whining. And, he's gone. It's telling that the people who complain the most don't contribute anything, and get upset when told their comments are inappropriate. Alan DeKok.
On Wed, 2018-10-31 at 08:16 -0400, Alan DeKok wrote:
On Oct 31, 2018, at 8:08 AM, Frédéric Goudal <frederic.goudal@bordeau x-inp.fr> wrote: It's telling that the people who complain the most don't contribute anything, and get upset when told their comments are inappropriate.
And it's already documented in a whole section of the module README, too. https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... Probably could be mentioned in sites-enabled/default, but it's not particularly hidden if people actually read the "README" files. -- Matthew
participants (4)
-
Alan DeKok -
Frédéric Goudal -
Herwin Weststrate -
Matthew Newton