how to setup MAC based authentication with LDAP
Hello list I am new to RADIUS and i'd like to know how to setup a mac-based authentication for my clients. Here is what i have so far: -freeradius 3.0.3 -/etc/raddb/clients.conf (setupped with the IPs of the NAS devices) Now i'm unsure how to configure the mods-enabled/ldap configuration. All the hosts are located in an OU named "hosts", the mac-address of each host has the attribute name "macAddress" within the host object (i.e cn=testdevice). My virtual server in sites-enabled/macauth looks like this: server macauth { authorize { preprocess # clean the Calling-Station-ID rewrite_calling_station_id # now authenticate against LDAP ldap if (!ok) { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type LDAP { ldap } } # Pre-accounting. Decide which accounting type to use. preacct { preprocess # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique } # Accounting. Log the accounting data. accounting { # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There is little we can do about it. radutmp # filter attributes from the accounting response attr_filter.accounting_response } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp } } Can somebody help please? Best, Thomas -- Thomas Stather IT Services Tel: +49 6221-486 628 Fax: +49 6221-486 561 ------------------------------------------------------------------------ Max Planck Institute for Medical Research (MPImF) Jahnstrasse 29, 69120 Heidelberg Germany
On Apr 15, 2015, at 8:12 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I am new to RADIUS and i'd like to know how to setup a mac-based authentication for my clients.
There's a guide on the Wiki, but your setup is a bit different.
Here is what i have so far:
-freeradius 3.0.3 -/etc/raddb/clients.conf (setupped with the IPs of the NAS devices)
Now i'm unsure how to configure the mods-enabled/ldap configuration.
All the hosts are located in an OU named "hosts", the mac-address of each host has the attribute name "macAddress" within the host object (i.e cn=testdevice).
Figure out which LDAP query will return that macAddress. Try it with ldapsearch and sample MAC address. e.g. 00:01:02:03:04:05.
My virtual server in sites-enabled/macauth looks like this: ... # now authenticate against LDAP ldap
You don't want to do that. The normal LDAP processing is for *users* in LDAP. I don't think each host has a password and other user attributes in it. So don't use "ldap". Instead, do: if (!"%{ldap:QUERY}") { reject } update control { Auth-Type := Accept } where QUERY is the LDAP query used to find the mac address. Use %{Calling-Station-Id} instead of the MAC address from the "ldapsearch" above. The only issue here is that this configuration will do ONLY mac auth. All other authentication methods will fail. If that's what you want, fine. Alan DeKok.
Hello I tried to set it up but i failed the virtual server now looks like: listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } authorize { preprocess # clean the Calling-Station-ID rewrite_calling_station_id if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type ldap { ldap } } I tested with: radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10) the output on the server looks like this: Listening on auth address * port 1812 as server macauth Listening on acct address * port 1813 as server macauth Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 49440 Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103 (0) User-Name = 'f0-1f-af-35-c8-10' (0) User-Password = 'f0-1f-af-35-c8-10' (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth (0) authorize { (0) [preprocess] = ok (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { ERROR: (0) Failed retrieving values required to evaluate condition (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") { ERROR: (0) String passed does not look like an LDAP URL (0) EXPAND%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))} (0) --> (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") -> TRUE (0) if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") { (0) [reject] = reject (0) } # if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%(ldap:%28&%28objectClass=ieee802Device%29%28macAddress=%){Calling-Station-Id}))}") = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:36895 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 126 with timestamp +10 Ready to process requests What have i done wrong? And additionally, how can i define that the LDAP query should only look in the "ou=hosts" on the LDAP server? Best, Thomas Am 15.04.15 04:03 nachm. schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 15, 2015, at 8:12 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I am new to RADIUS and i'd like to know how to setup a mac-based authentication for my clients.
There's a guide on the Wiki, but your setup is a bit different.
Here is what i have so far:
-freeradius 3.0.3 -/etc/raddb/clients.conf (setupped with the IPs of the NAS devices)
Now i'm unsure how to configure the mods-enabled/ldap configuration.
All the hosts are located in an OU named "hosts", the mac-address of each host has the attribute name "macAddress" within the host object (i.e cn=testdevice).
Figure out which LDAP query will return that macAddress. Try it with ldapsearch and sample MAC address. e.g. 00:01:02:03:04:05.
My virtual server in sites-enabled/macauth looks like this: ... # now authenticate against LDAP ldap
You don't want to do that. The normal LDAP processing is for *users* in LDAP. I don't think each host has a password and other user attributes in it. So don't use "ldap".
Instead, do:
if (!"%{ldap:QUERY}") { reject } update control { Auth-Type := Accept }
where QUERY is the LDAP query used to find the mac address. Use %{Calling-Station-Id} instead of the MAC address from the "ldapsearch" above.
The only issue here is that this configuration will do ONLY mac auth. All other authentication methods will fail. If that's what you want, fine.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I tried to set it up but i failed
Following directions helps. Reading the debug output helps.
if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
Is that a valid LDAP query? Probably not.
radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)
Which doesn't send a Calling-Station-Id attribute.
Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103 (0) User-Name = 'f0-1f-af-35-c8-10' (0) User-Password = 'f0-1f-af-35-c8-10' (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
And there's no Calling-Station-Id in the packet. How do you expect to use policies based on Calling-Station-Id when it's not in the packet? See "man radclient". Or even read the "radtest" script. It's a shell script. You need to *explicitly* add a Calling-Station-Id attribute to the packet. ... Calling-Station-Id = f0-1f-af-35-c8-10 ... Read the debug output for packets sent by the NAS. Use them as a template, and create files which radclient will read. You will then be sure that your tests match the packets sent by the NAS.
What have i done wrong?
I had given detailed instructions in my previous message. Following them would be a good idea.
And additionally, how can i define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
You should write an LDAP query that uses "ou=hosts". I told you to write an LDAP query, and test it via "ldapsearch". You seem to have skipped that step. Why? Alan DeKok.
Hello again I have this (LDAP string has been modified because of security considerations) server macauth { authorize { preprocess # clean the Calling-Station-ID rewrite_calling_station_id # now authenticate against LDAP if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type LDAP { ldap } } } When i try with echo "Calling-Station-Id=f0:1f:af:35:c8:02" | radclient -s localhost:1812 auth radiusTest2015 I get an access-accept reply. If i setup my AP and try to connect with a client where the MAC address is in LDAP i get: Ready to process requests (2) Received Access-Request Id 9 from xxxxxxxxxx:44620 to xxxxxxxxxx:1812 length 167 (2) User-Name = 'user' (2) NAS-IP-Address = xxxxxxxxxxxx (2) NAS-Identifier = '0418d66a5934' (2) NAS-Port = 0 (2) Called-Station-Id = '0A-18-D6-6B-59-34:test' (2) Calling-Station-Id = '30-75-12-EE-63-AA' (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = 'CONNECT 0Mbps 802.11b' (2) EAP-Message = 0x0276000d017473746174686572 (2) Message-Authenticator = 0x708c606acafcf02e4706c7729288354f (2) # Executing section authorize from file /etc/raddb/sites-enabled/macauth (2) authorize { (2) [preprocess] = ok (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (2) update request { (2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 30:75:12:ee:63:aa (2) &Calling-Station-Id := "30:75:12:ee:63:aa" (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (2) ... skipping else for request 2: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}"){ rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 103 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 103 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 155 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You probably need to increase "spare" rlm_ldap (ldap): Opening additional connection (8) rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) Performing search in 'ou=hosts,dc=.......' with filter '(&(objectClass=ieee802Device)(macAddress=30:75:12:ee:63:aa))', scope 'sub' (2) Waiting for search result... rlm_ldap (ldap): Released connection (8) rlm_ldap (ldap): 0 of 1 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (9) rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (2) EXPAND %{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))} (2) --> test01.mydomain.local (2) if (!"%{ldap:ldaps:///ou=hosts,dc=ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE (2) else { (2) update control { (2) Auth-Type := Accept (2) } # update control = noop (2) } # else = noop (2) } # authorize = updated (2) Found Auth-Type = Accept (2) Auth-Type = Accept, accepting the user (2) Sent Access-Accept Id 9 from xxxxxxxxxx:1812 to xxxxxxxxxx:44620 length 20 (2) Finished request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (2) <done>: Cleaning up request packet ID 9 with timestamp +247 Ready to process requests Is this ok from the RADIUS side? Because i still cannot get any connection using wifi (no DHCP request) and when using Windows 7 i even get prompted for my credentials. What am i doing wrong? Best,, Thomas Am 16.04.15 06:16 nachm. schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I tried to set it up but i failed
Following directions helps. Reading the debug output helps.
if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
Is that a valid LDAP query? Probably not.
radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)
Which doesn't send a Calling-Station-Id attribute.
Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103 (0) User-Name = 'f0-1f-af-35-c8-10' (0) User-Password = 'f0-1f-af-35-c8-10' (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
And there's no Calling-Station-Id in the packet. How do you expect to use policies based on Calling-Station-Id when it's not in the packet?
See "man radclient". Or even read the "radtest" script. It's a shell script. You need to *explicitly* add a Calling-Station-Id attribute to the packet.
... Calling-Station-Id = f0-1f-af-35-c8-10 ...
Read the debug output for packets sent by the NAS. Use them as a template, and create files which radclient will read. You will then be sure that your tests match the packets sent by the NAS.
What have i done wrong?
I had given detailed instructions in my previous message. Following them would be a good idea.
And additionally, how can i define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
You should write an LDAP query that uses "ou=hosts".
I told you to write an LDAP query, and test it via "ldapsearch". You seem to have skipped that step. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, May 12, 2015 at 11:51:02AM +0200, Thomas Stather wrote:
echo "Calling-Station-Id=f0:1f:af:35:c8:02" | radclient -s localhost:1812 auth radiusTest2015
I get an access-accept reply.
OK, at least your LDAP part is working.
If i setup my AP and try to connect with a client where the MAC address is in LDAP i get:
Ready to process requests (2) Received Access-Request Id 9 from xxxxxxxxxx:44620 to xxxxxxxxxx:1812 length 167 (2) User-Name = 'user' (2) NAS-IP-Address = xxxxxxxxxxxx (2) NAS-Identifier = '0418d66a5934' (2) NAS-Port = 0 (2) Called-Station-Id = '0A-18-D6-6B-59-34:test' (2) Calling-Station-Id = '30-75-12-EE-63-AA' (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = 'CONNECT 0Mbps 802.11b' (2) EAP-Message = 0x0276000d017473746174686572
...
rlm_ldap (ldap): Bind successful (2) EXPAND %{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))} (2) --> test01.mydomain.local (2) if (!"%{ldap:ldaps:///ou=hosts,dc=ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE (2) else { (2) update control { (2) Auth-Type := Accept (2) } # update control = noop (2) } # else = noop (2) } # authorize = updated (2) Found Auth-Type = Accept (2) Auth-Type = Accept, accepting the user
Is this ok from the RADIUS side? Because i still cannot get any connection using wifi (no DHCP request) and when using Windows 7 i even get prompted for my credentials. What am i doing wrong?
You've got an EAP request, so you have to do EAP. You're just checking the MAC address and sending back an Access-Accept, which isn't going to work. The NAS will see the Access-Accept above and prepare to allow the wireless client on. The wireless client will never see an EAP-Success, so will drop off and retry (so you see the request for your credentials again). You need to configure and use EAP of some type, though once you're doing that, you can use the MAC address LDAP check as an additional check as part of the authentication/authorization. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
2015-05-12 11:51 GMT+02:00 Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de>:
Hello again
I have this (LDAP string has been modified because of security considerations)
server macauth {
authorize { preprocess
# clean the Calling-Station-ID rewrite_calling_station_id
# now authenticate against LDAP if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } }
As Matthew wrote you're sending an Access-Accept as soon as the Calling-Station-Id is found in LDAP and that doesn't work. The easiest fix would be to send "noop" instead so that FR can continue doing it's stuff (which is required for a complete 802.1x session) and only send a reject when the Calling-Station-Id is not found in LDAP. So the above code would look like if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept noop }
2015-04-16 12:22 GMT+02:00 Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de>:
if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
if (!"%{ldap:ldap:///ou=hosts,dc=EXAMPLE,dc=COM?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { this is a working query but may not be the best one.
On Thu, 2015-04-16 at 23:29 +0200, Ben Humpert wrote:
2015-04-16 12:22 GMT+02:00 Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de>:
if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
if (!"%{ldap:ldap:///ou=hosts,dc=EXAMPLE,dc=COM?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
this is a working query but may not be the best one. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
since i am trying this too, i figure i ask in this thread... i am noticing that the %{Calling-Station-Id} variable is not expanding during execution, and therefore the query against LDAP is failing. the query against LDAP when run with ldapsearch does return the value i am looking for. not sure if this is self inflicted... /etc/raddb/sites-enabled/mac-auth-bypass contents: -------------------------------------------------- # -*- text -*- server mac-auth-bypass { listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } authorize { if (!EAP-Message) { #rewrite_calling_station_id #if ("%{ldap:ldap:///ou=DHCP\ SubClasses,cn=DHCP\ Config,ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn= %{Calling-Station-Id}))}") { if ("%{ldap:ldap:///ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn=%{Calling-Station-Id}))}") { # in the future, assign to VLAN_Y update control { Auth-Type := Accept } } #else { # in the future, assign to VLAN_Z #update control { #Auth-Type := Reject #} #} } else { # in the future, 802.1x stuff update control { Auth-Type := Reject } } } authenticate { Auth-Type ldap { ldap } } } radtest command: ---------------- reset ; radtest 00-1b-ea-ce-bb-a0 00-1b-ea-ce-bb-a0 localhost 0 Np1nKFASNN7liNSRdQdUzvMbsiiMJPwnxgsCAwEAAQJAFqas7bmJgSPJxgZs7kcv 0 sg300 radtest output: --------------- Sending Access-Request Id 173 from 0.0.0.0:43364 to 127.0.0.1:1812 User-Name = '00-1b-ea-ce-bb-a0' User-Password = '00-1b-ea-ce-bb-a0' NAS-IP-Address = 192.168.248.252 NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 173 from 127.0.0.1:1812 to 127.0.0.1:43364 length 20 (0) Expected Access-Accept got Access-Reject radiusd -X output: ------------------ radiusd: FreeRADIUS Version 3.0.3, for host x86_64-redhat-linux-gnu, built on Jun 3 2014 at 12:39:33 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/krb5 including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/passwd including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/control including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/mac-auth-bypass main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "CVE-2014-0160" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_krb5 # Instantiating module "krb5" from file /etc/raddb/mods-enabled/krb5 krb5 { keytab = "/etc/raddb/radius.keytab" service_principal = "radius/server1.bpk2.com" } Using MIT Kerberos library rlm_krb5 (krb5): Using service principal "radius/server1.bpk2.com@" rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/radius.keytab" rlm_krb5 (krb5): Initialising connection pool pool { start = 10 min = 4 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_krb5 (krb5): Opening additional connection (0) rlm_krb5 (krb5): Opening additional connection (1) rlm_krb5 (krb5): Opening additional connection (2) rlm_krb5 (krb5): Opening additional connection (3) rlm_krb5 (krb5): Opening additional connection (4) rlm_krb5 (krb5): Opening additional connection (5) rlm_krb5 (krb5): Opening additional connection (6) rlm_krb5 (krb5): Opening additional connection (7) rlm_krb5 (krb5): Opening additional connection (8) rlm_krb5 (krb5): Opening additional connection (9) # Loaded module rlm_detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_exec # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:1 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:1 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "server1.bpk2.com,server2.bpk2.com" port = 389 password = <<< secret >>> identity = "cn=Manager,dc=bpk2,dc=com" read_clients = yes user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=domainUsers,ou=Users,dc=bpk2,dc=com" access_positive = yes } group { filter = "(objectClass=groupOfNames)" scope = "sub" base_dn = "ou=domainGroups,ou=Groups,dc=bpk2,dc=com" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid= %{%{Stripped-User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = yes } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=bpk2,dc=com" attribute { identifier = "radiusClientIdentifier" shortname = "radiusClientShortname" nas_type = "radiusClientType" secret = "radiusClientSecret" virtual_server = "radiusClientVirtualServer" require_message_authenticator = "radiusClientRequireMa" } } profile { filter = "(objectclass=radiusprofile)" attribute = "memberOf" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to server1.bpk2.com,server2.bpk2.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to server1.bpk2.com,server2.bpk2.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to server1.bpk2.com,server2.bpk2.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to server1.bpk2.com,server2.bpk2.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to server1.bpk2.com,server2.bpk2.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Loading dynamic clients rlm_ldap (ldap): Reserved connection (4) rlm_ldap (ldap): Performing search in 'dc=bpk2,dc=com' with filter '(objectClass=radiusClient)', scope 'sub' rlm_ldap (ldap): Waiting for search result... rlm_ldap (ldap): Client "radiusClientIdentifier=192.168.254.253,cn=radius,ou=Daemons,dc=bpk2,dc=com" added rlm_ldap (ldap): Client "radiusClientIdentifier=192.168.1.153,cn=radius,ou=Daemons,dc=bpk2,dc=com" added rlm_ldap (ldap): Client "radiusClientIdentifier=192.168.248.253,cn=radius,ou=Daemons,dc=bpk2,dc=com" added rlm_ldap (ldap): Client "radiusClientIdentifier=192.168.248.252,cn=radius,ou=Daemons,dc=bpk2,dc=com" added # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-auth {...} } # server default server mac-auth-bypass { # from file /etc/raddb/sites-enabled/mac-auth-bypass # Creating Auth-Type = ldap # Loading authenticate {...} # Loading authorize {...} } # server mac-auth-bypass radiusd: #### Opening IP addresses and Ports #### listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" mode = "rw" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on command file /var/run/radiusd/radiusd.sock Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address * port 1812 as server mac-auth-bypass Listening on acct address * port 1813 as server mac-auth-bypass Ready to process requests. Received Access-Request Id 7 from 127.0.0.1:56463 to 127.0.0.1:1812 length 103 User-Name = '00-1b-ea-ce-bb-a0' User-Password = '00-1b-ea-ce-bb-a0' NAS-IP-Address = 192.168.248.252 NAS-Port = 0 Message-Authenticator = 0xb8bbe0b4bd7cf43fb543535b6b5b6e08 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mac-auth-bypass (0) authorize { (0) if (!EAP-Message) (0) if (!EAP-Message) -> TRUE (0) if (!EAP-Message) { (0) if ("%{ldap:ldap:///ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn=%{Calling-Station-Id}))}") rlm_ldap (ldap): Reserved connection (3) (0) Performing search in 'ou=Daemons,dc=bpk2,dc=com' with filter '(&(objectClass=dhcpSubClass)(cn=))', scope 'sub' (0) Waiting for search result... (0) Search returned no results (0) Search returned not found rlm_ldap (ldap): Released connection (3) (0) EXPAND %{ldap:ldap:///ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn=%{Calling-Station-Id}))} (0) --> (0) if ("%{ldap:ldap:///ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn=%{Calling-Station-Id}))}") -> FALSE (0) } # if (!EAP-Message) = notfound (0) ... skipping else for request 0: Preceding "if" was taken (0) } # authorize = notfound (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user. (0) Using Post-Auth-Type Reject (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response Sending Access-Reject Id 7 from 127.0.0.1:1812 to 127.0.0.1:56463 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 7 with timestamp +5 Ready to process requests.
Look: Sending Access-Request Id 173 from 0.0.0.0:43364 to 127.0.0.1:1812 User-Name = '00-1b-ea-ce-bb-a0' User-Password = '00-1b-ea-ce-bb-a0' NAS-IP-Address = 192.168.248.252 NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 173 from 127.0.0.1:1812 to 127.0.0.1:43364 length 20 (0) Expected Access-Accept got Access-Reject Its 'not being expanded' because it's not actually being sent. Alan D has already told you this. Use the required radtest config to send a CSI or use another testing tool. Your choice. But if CSI isn't being sent then there's nothing the server can do to magically fix that! alan
I have looked at the radtest script and there is no mention of "calling" anything (case insensitive search done), so I seem to be missing a clue as to what I should be looking for in the script. The man page for radclient also does not contain the "calling" keyword. On Apr 17, 2015 2:46 AM, "Alan Buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Look:
Sending Access-Request Id 173 from 0.0.0.0:43364 to 127.0.0.1:1812 User-Name = '00-1b-ea-ce-bb-a0' User-Password = '00-1b-ea-ce-bb-a0' NAS-IP-Address = 192.168.248.252 NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 173 from 127.0.0.1:1812 to 127.0.0.1:43364 length 20 (0) Expected Access-Accept got Access-Reject
Its 'not being expanded' because it's not actually being sent. Alan D has already told you this. Use the required radtest config to send a CSI or use another testing tool. Your choice. But if CSI isn't being sent then there's nothing the server can do to magically fix that!
alan
Yup. The -g parameter is not in the packaged fedora version of radtest. Is this a "go yell at my distro" moment? On Apr 17, 2015 7:38 AM, "brendan kearney" <bpk678@gmail.com> wrote:
I have looked at the radtest script and there is no mention of "calling" anything (case insensitive search done), so I seem to be missing a clue as to what I should be looking for in the script. The man page for radclient also does not contain the "calling" keyword. On Apr 17, 2015 2:46 AM, "Alan Buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Look:
Sending Access-Request Id 173 from 0.0.0.0:43364 to 127.0.0.1:1812 User-Name = '00-1b-ea-ce-bb-a0' User-Password = '00-1b-ea-ce-bb-a0' NAS-IP-Address = 192.168.248.252 NAS-Port = 0 Message-Authenticator = 0x00 Received Access-Reject Id 173 from 127.0.0.1:1812 to 127.0.0.1:43364 length 20 (0) Expected Access-Accept got Access-Reject
Its 'not being expanded' because it's not actually being sent. Alan D has already told you this. Use the required radtest config to send a CSI or use another testing tool. Your choice. But if CSI isn't being sent then there's nothing the server can do to magically fix that!
alan
Yup. The -g parameter is not in the packaged fedora version of radtest. Is this a "go yell at my distro" moment?
That might be the case, yes. I suggest that you raise a bug at Fedora or RedHat. Nick should pick that up :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 17, 2015, at 8:26 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Yup. The -g parameter is not in the packaged fedora version of radtest. Is this a "go yell at my distro" moment?
That might be the case, yes. I suggest that you raise a bug at Fedora or RedHat. Nick should pick that up :-)
Huh? There's no "-g" parameter to radtest. Alan DeKok.
Huh? There's no "-g" parameter to radtest.
Sorry Alan, brainfart. Disregard it. :-( Brendan, look at Matthew Newton's example. That explanation is clearest. *crawls back under his desk* Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
I googled for radtest and Calling-Station-Id and found a Ubuntu man page that had -g for it. I know sometimes distros have different functions in their packaged pieces, so I thought this was a case of fedora not using the script that everyone else (or at least some others) were using. Not the case here, so I'll pipe the options to radclient from stdin. On Apr 17, 2015 9:44 AM, "Stefan Paetow" <Stefan.Paetow@jisc.ac.uk> wrote:
Huh? There's no "-g" parameter to radtest.
Sorry Alan, brainfart. Disregard it. :-(
Brendan, look at Matthew Newton's example. That explanation is clearest.
*crawls back under his desk*
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I googled for radtest and Calling-Station-Id and found a Ubuntu man page that had -g for it. I know sometimes distros have different functions in
Ahh, this one: http://manpages.ubuntu.com/manpages/gutsy/man1/radtest.1.html - This is provided by yardradius, not FreeRADIUS. FreeRADIUS ships with a radtest utility of its own. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Fri, 2015-04-17 at 15:19 +0000, Stefan Paetow wrote:
I googled for radtest and Calling-Station-Id and found a Ubuntu man page that had -g for it. I know sometimes distros have different functions in
Ahh, this one:
http://manpages.ubuntu.com/manpages/gutsy/man1/radtest.1.html - This is provided by yardradius, not FreeRADIUS.
FreeRADIUS ships with a radtest utility of its own.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
so, some success and some more confusion. i have a virtual server configured, /etc/raddb/sites-available/mac-auth-bypass. when i link that file into /etc/raddb/sites-enabled and run radiusd -X, i am able to do some rudimentary Mac Auth Bypassing. if the mac is in the directory, the access is granted. but i need clarification around a couple of items. first, i am trying to have the directory reply with some items for VLAN assignment. the below attributes are set for the mac i am testing with: radiusservicetype: Framed-User radiustunnelmediumtype: IEEE-802 radiustunnelprivategroupid: 1 radiustunneltype: VLAN i can only assume that because of the rudimentary state of my virtual server, the items are not being acted upon or given out by the virtual server. a plain ldapsearch returns these items. i assume there is a piece i am missing, to have this done. where do i find more about what piece i am missing? second, when the virtual server is enabled, the authentication that i do to log into a switch does not work. if i disable the virtual server the auth works again. how do i setup things so that both user auth and mac auth bypass work at the same time? mac-auth-bypass virtual server: ------------------------------- server mac-auth-bypass { listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } authorize { if (EAP-Message) { #use colons (:), not dashes(-), for ldap lookups rewrite_calling_station_id_ldap if ("%{ldap:ldap:///ou=DHCP\ SubClasses,cn=DHCP\ Config,ou=Daemons,dc=bpk2,dc=com?cn?sub?(&(objectClass=dhcpSubClass)(cn= %{Calling-Station-Id}))}") { # in the future, assign to VLAN_Y update control { Auth-Type := Accept } } else { # in the future, assign to VLAN_Z update control { Auth-Type := Reject } } } else { # in the future, 802.1x stuff update control { control:Auth-Type := ldap #Auth-Type := Reject } } } authenticate { Auth-Type ldap { ldap } } } my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message. because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement. i assume the mods-available/ldap file is not appropriate for this logic, as i tried to add an authorize section to it and i got an error saying that was not an appropriate place for an "if" statement. ultimately, i am looking to have user auth, mac auth bypass and full .1x work side-by-side-by-side, and this is an interim step. i am not sure how to get user auth and mac auth bypass working at the same time, when both are intended to use ldap for lookups. any pointers are appreciated. brendan
2015-04-21 23:00 GMT+02:00 Brendan Kearney <bpk678@gmail.com>:
my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message. because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement.
So the only difference between a user/pass access-request package and one for mac bypass is just that the mac bypass contains the mac address as the username and password? If so, why don't you add a "user" for these mac addresses into your ldap just like you did with real users?
Because I authenticate my users against kerberos, not ldap. A principal and an ldap object all for MAB seems excessive to me. I also see that as an unnecessary duplication of data in the directory. I have the mac addresses as past of a couple of object classes and dont need more than one "copy" of the data. On Apr 21, 2015 9:23 PM, "Ben Humpert" <ben@an3k.de> wrote:
2015-04-21 23:00 GMT+02:00 Brendan Kearney <bpk678@gmail.com>:
my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message. because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement.
So the only difference between a user/pass access-request package and one for mac bypass is just that the mac bypass contains the mac address as the username and password? If so, why don't you add a "user" for these mac addresses into your ldap just like you did with real users? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radiusservicetype: Framed-User radiustunnelmediumtype: IEEE-802 radiustunnelprivategroupid: 1 radiustunneltype: VLAN
For these, you probably should use a proper LDAP module mapping so that it pulls things in in one go. In FR 3.0.3, you can do this in the ldap module in mods-available. Around line 72 (assuming you've not stripped all the comments), you will find the update section, which returns attributes from LDAP. By default, you find the line "control:Password-With-Header" which maps the userPassword LDAP attribute to an attribute in the control list (which persists). So you need to map your other LDAP attributes in a similar fashion accordingly in the update section: reply:Service-Type := 'radiusservicetype' reply:Tunnel-Medium-Type := 'radiustunnelmediumtype' : : This assumes that you take the LDAP xlat (the "%{ldap:...}" 'thing') and use it in the proper LDAP module, otherwise you may need to make several ldap xlat calls to set the attributes.
second, when the virtual server is enabled, the authentication that i do to log into a switch does not work. if i disable the virtual server the auth works again. how do i setup things so that both user auth and mac auth bypass work at the same time?
Considering that the MAC address provided will be in a specific format, you can possibly look at the format of the username to discover whether it is a user or not, and set the authentication accordingly. You can do this in the authorize section with unlang. I'd suggest that you also make sure that your users use a proper NAI format username in their authentication, i.e. "username@realm", which you can again use to distinguish between users and devices. I'm sure Alan Buxey and others will have similar/better suggestions because they do this kind of stuff every day :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Apr 21, 2015, at 5:00 PM, Brendan Kearney <bpk678@gmail.com> wrote:
i have a virtual server configured, /etc/raddb/sites-available/mac-auth-bypass. when i link that file into /etc/raddb/sites-enabled and run radiusd -X, i am able to do some rudimentary Mac Auth Bypassing. if the mac is in the directory, the access is granted. but i need clarification around a couple of items.
OK.
first, i am trying to have the directory reply with some items for VLAN assignment. the below attributes are set for the mac i am testing with:
radiusservicetype: Framed-User radiustunnelmediumtype: IEEE-802 radiustunnelprivategroupid: 1 radiustunneltype: VLAN
That's nice, but did you tell FreeRADIUS to read those attributes from LDAP?
i can only assume that because of the rudimentary state of my virtual server, the items are not being acted upon or given out by the virtual server. a plain ldapsearch returns these items. i assume there is a piece i am missing, to have this done. where do i find more about what piece i am missing?
Read the configuration again. You've configured FreeRADIUS to talk to ldap via: a) %{ldap:...} which is a string expansion, and nothing more b) Auth-Type ldap {}. which verifies the password in LDAP, and nothing more If you want those LDAP attributes to be returned, you MUST list "ldap" in the "authorize" section. Except that you've already said you don't want the MAC auth users to have a normal user entry in LDAP. And the LDAP module will look for normal user entries when run in the "authorize" section. So... your requirements are contradictory. You DO want LDAP user entry lookups, so that it returns those LDAP attributes. But you DON'T want LDAP user entry lockups, because you don't have normal users in LDAP.
second, when the virtual server is enabled, the authentication that i do to log into a switch does not work.
Probably because you're disabling normal LDAP users. i.e. you don't list "ldap" in the "authorize" section.
if i disable the virtual server the auth works again. how do i setup things so that both user auth and mac auth bypass work at the same time?
Figure out what the differences are between the two kinds of packets. Then, write policies to key off of the differences, and do user auth for one, and MAC auth for the other.
my switch (cisco sg500) will identify that a client does not support .1x and will provide the mac address as the username and password in an EAP message.
That's a fairly stupid thing to do, TBH.
because it is an EAP message, i can leverage the Calling-Station-Id attribute, and distinguish user auth vs. mac auth bypass with the "if (EAP-Message)" statement.
Yes. And if there's NO EAP-Message, you should run the normal "ldap" module, to get the user entries.
i assume the mods-available/ldap file is not appropriate for this logic, as i tried to add an authorize section to it and i got an error saying that was not an appropriate place for an "if" statement.
What did you try, and why did you think it would work? The "man unlang" documentation is pretty clear on this, as is the default configuration.
ultimately, i am looking to have user auth, mac auth bypass and full .1x work side-by-side-by-side, and this is an interim step. i am not sure how to get user auth and mac auth bypass working at the same time, when both are intended to use ldap for lookups.
For one, the "if (EAP-Message)" checks will match for *both* MAC auth and normal 802.1x. So you'll have to do even more checks to separate those two kinds of packets. The simple thing to do is this: 1) get 3 virtual servers running. One for normal users, one for 802.1X, and one for Mac auth. 2) look at the differences between the packets for those 3 cases. 3) write a "unified" virtual server which does: if (packets from normal users) { normal user policy } else if (packets from mac auth) { mac auth policy } else if (packets from 802.1X) { 802.1X policy } There's some work to read the packets, but the solution really is that simple. Alan DeKok.
On Fri, Apr 17, 2015 at 07:38:00AM -0400, brendan kearney wrote:
I have looked at the radtest script and there is no mention of "calling" anything (case insensitive search done), so I seem to be missing a clue as to what I should be looking for in the script. The man page for radclient also does not contain the "calling" keyword.
You probably want to read up on the basics of RADIUS and what is actually sent between the client and the server. radtest builds a basic RADIUS request up from a few attributes (which doesn't include Calling-Station-Id) and sends it to the server with radclient. radclient can send arbitrary RADIUS packets. See "man radclient" or http://wiki.freeradius.org/config/Radclient - the examples. So for starters you probably want something like echo "Calling-Station-Id='00-1b-ea-ce-bb-a0',NAS-IP-Address=192.168.248.252" | radclient ... e.g. pass the RADIUS packet in on stdin, include the Calling-Station-Id attribute. You'll probably want to include other attributes as well - hence look at the radtest script to see what that sends. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Apr 17, 2015, at 7:38 AM, brendan kearney <bpk678@gmail.com> wrote:
I have looked at the radtest script and there is no mention of "calling" anything (case insensitive search done), so I seem to be missing a clue as to what I should be looking for in the script. The man page for radclient also does not contain the "calling" keyword.
That is not an appropriate response. RADIUS uses attributes. If you're not aware of this, then that's a major problem. radclient / radtest sends attributes. The server receives attributes. The server ONLY receives what radclient sends. If you want the server to receive a Calling-Station-Id attribute, you MUST make radclient send it. Honestly, I don't see what the problem is. I explained this in one of the earlier messages in this thread. Go back and read it. Alan DeKok.
participants (8)
-
Alan Buxey -
Alan DeKok -
Ben Humpert -
Brendan Kearney -
brendan kearney -
Matthew Newton -
Stefan Paetow -
Thomas Stather