SQL Mac-Authentication based on Call-Check
Hello. I'm currently working on my diploma thesis, and I'm sorting some things out at the moment. The task is, to authenticate mac-adresses through a cisco catalyst 6500. A pretty new feature called "mac-authentication-bypass" is available in CatOS and works well with Cisco ACS 4.0 beta. Due to our demands we want to deploy freeradius, with a mysql database. It works like that. The switch sends an Access-Request with the connecting MAC in the Caller-ID Field and Sevice Type is set to "10", hence "Call Ceck". Radius now authenticates the users on a given MAC (Caller ID) instead of a user/password. I haven't set up freeradius yet, but I'm slighty familar with the settings that have to be done. In table "radcheck" I create attribute "Calling-Station-ID" with value "MAC-Address" (f.e. ff-ee-11-22-33-44), this value will be checked against. I also have to edit the sql.conf (user, database etc) and telling radiusd.conf to use sql in the "authorise" section. I'm sticking to the Freeradius MySQL howto by Scott Bartlett for that. :) The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf? Only thing that need to be done IMO is to tell radius, that there is no username and authentication needs to be done on a caller-id basis. Any thoughts? Thanks in advance. Bye Florian
florian broder <flobroed@googlemail.com> wrote:
The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?
No, it's also in the "radcheck" table.
Only thing that need to be done IMO is to tell radius, that there is no username and authentication needs to be done on a caller-id basis.
In radcheck, also set "Auth-Type := Accept" if the MAC & Call-Check match. Alan DeKok.
Hi. Thanks for your thoughts. On 11/23/05, Alan DeKok <aland@ox.org> wrote:
florian broder <flobroed@googlemail.com> wrote:
The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?
No, it's also in the "radcheck" table.
Ok, instead of a password I use Atribute "Calling-Station-ID" with Value <mac-address>?
Only thing that need to be done IMO is to tell radius, that there is no
username and authentication needs to be done on a caller-id basis.
In radcheck, also set "Auth-Type := Accept" if the MAC & Call-Check match.
Can you tell me, how to do that? I mean, setting Auth-Type when it matches? radcheck: username: ?? (there isn't any! --> use DEFAULT?) attribute 1: calling-station-id value 1: mac attribute 2: service-type value2: 10 (call-check) attribute 3: auth-type value 3: accept Is that ok? But how has the authorize_check_query to be done? -- Tha Radius should be used ONLY for Mac-Authentication internally (just our LAN). Idea is, that a Switch-Port (VLAN, Access or trunk...) is configured by a script depending on the connecting mac-address. As I've said, I haven't deployed freeradius yet, so maybe the next question is really stupid... In sql.conf. "authorize_check_query" takes all values (belonging to a user-name) from radcheck and tries to match them with the attributes which have been sent?! But the Switch definitely sends NO user-name, i've checked that with Ethreal. I still don't understand, how sql-config should be done, if there _isn't_ any username, just a caller id. Thanks a lot i advance, and really sorry for stealing your time! Bye Flo
Hi. For better understanding. Here are the packets, the Catalyst sends to the radius (Cisco ACS). Captured with Ethereal. The feature (Mac-Authentication-bypass) was tested by myself, with ACS 4.0 beta and worked. The switch sends three packets like that: Radius Protocol Code: Access-Request (1) Packet identifier: 0xa9 (169) Length: 65 Authenticator: 1C3208670AF4106D1619034D1BD50526 Attribute Value Pairs AVP: l=8 t=User-Name(1): azbycx AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156 AVP: l=13 t=EAP-Message(79) Last Segment[1] AVP: l=18 t=Message-Authenticator(80): 996FDE4A9B0077AAC30FA6A8AE65BC09 They are NOT answered by the ACS-radius. Btw. WHAT is username: azbycx? Some kind of default? It is always the same username, no matter what MAC i plug into the Switch! Cisco documentation sucks big time on this! :( Why is he doing it, it was definitely not configured in CatOS. ---------------------- After that, it sends the "real" access-request: Radius Protocol Code: Access-Request (1) Packet identifier: 0x1 (1) Length: 100 Authenticator: 012E175F0CF11CB90FE21A16008B1613 Attribute Value Pairs AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156 AVP: l=6 t=NAS-Port(5): 110 AVP: l=6 t=Service-Type(6): Call-Check(10) AVP: l=19 t=Called-Station-Id(30): 00-14-1b-xx-xx-xx AVP: l=19 t=Calling-Station-Id(31): 00-0e-7f-xx-xx-xx AVP: l=6 t=NAS-Port-Type(61): Ethernet(15) AVP: l=18 t=Message-Authenticator(80): 3BF52FD5838A862CD4BFBD478515982A "Called-Station-ID" is the MAC of the Switch-Interface. "Calling-Station-ID" is the MAC that needs to be authenticated. I'd really appreciate, if someone could help me out on the freeradius mysql config, based on that scenario. Thanks. Bye Flo
Morning. No one got an idea for me? Is my question just stupid, or doesn't really nobody know what to do in this case? Maybe someone of the developers can tell me, what to do with the following: # Uncomment the next line, if you want the sql_user_name to mean: # # Use Stripped-User-Name, if it's there. # Else use User-Name, if it's there, # Else use hard-coded string "DEFAULT" as the user name. #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}" Can I use that "DEFAULT" to tell freeradius, that there is no user-name in the access-request packet? I mean "Else use User-Name, if it's there," suggest, that the field "user-name" MAY be empty?! ANY suggestion is higly appreciated. Thanks a lot. Bye.
florian broder <flobroed@googlemail.com> wrote:
Can I use that "DEFAULT" to tell freeradius, that there is no user-name in the access-request packet? I mean "Else use User-Name, if it's there," suggest, that the field "user-name" MAY be empty?!
Yes. That's why it's there. See doc/variables.txt, which explains all of this. Even the comments you quoted explained this:
# Use Stripped-User-Name, if it's there. # Else use User-Name, if it's there, # Else use hard-coded string "DEFAULT" as the user name.
So... "DEFAULT" is only used if no User-Name existed. Alan DeKok.
participants (2)
-
Alan DeKok -
florian broder