Hi, I know that we can do a BYOD wireless setup with freeradius base on if the client setup was setup with certificate(EAP-TLS) or not by checking the EAP-Type field. But I was wondering would it be possible to do it base on MAC adresse. The idea here is that we would like to move user to the appropriate vlan base on his device mac. If MAC address is within that list, device is granted to the corp vlan, else it'll default to the BYOD vlan. In the post-auth section I did add some lines in order to try do the check base on mac addresse ======== # We rewrite calling_station_id in order to do mac checkup rewrite_calling_station_id # Check against the authorized_macs file authorized_macs if (!ok) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 155 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 157 } } ======== However look like the authorized_macs always return noop. Am I doing something wrong or something not supported? Thanx !! -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster
On Jan 31, 2018, at 2:50 PM, Luc Paulin <paulinster@gmail.com> wrote:,
I know that we can do a BYOD wireless setup with freeradius base on if the client setup was setup with certificate(EAP-TLS) or not by checking the EAP-Type field. But I was wondering would it be possible to do it base on MAC adresse.
You can do any checking you want, on any attribute you want. The only restriction is that the attribute has to exist in the packet. The one minor issue with MAC address is that people can spoof it. But if they already have an EAP-TLS client certificate, that's less of a problem.
The idea here is that we would like to move user to the appropriate vlan base on his device mac. If MAC address is within that list, device is granted to the corp vlan, else it'll default to the BYOD clan.
Sure.
In the post-auth section I did add some lines in order to try do the check base on mac addresse
======== # We rewrite calling_station_id in order to do mac checkup rewrite_calling_station_id
# Check against the authorized_macs file authorized_macs if (!ok) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 155 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 157 } } ========
However look like the authorized_macs always return noop. Am I doing something wrong or something not supported?
Post the debug output. And ensure that the MAC addresses are all in the same format. i.e. you MUST put the MACs into the "authorized_macs" configuration in *exactly the same format* as what you see in the packet. Alan DeKok.
Great thanx Alan, I agree that mac can be easilly spoofed, but the goal here is mainly to move the user's device to another vlan than corp and not doing authentication. We may eventually move to EAP-TLS, but this is at least a first step. Yes I check the format and it's exacly the same ... Here's the output of the debug section for authorized_mac. ======= <------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED ---> (29) policy rewrite_calling_station_id { (29) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (29) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (29) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (29) update request { (29) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (29) --> 18-65-90-CB-4C-69 (29) &Calling-Station-Id := 18-65-90-CB-4C-69 (29) } # update request = noop (29) [updated] = updated (29) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (29) ... skipping else: Preceding "if" was taken (29) } # policy rewrite_calling_station_id = updated (29) authorized_macs: EXPAND %{Calling-Station-ID} (29) authorized_macs: --> 18-65-90-CB-4C-69 (29) [authorized_macs] = noop (29) if (!ok) { (29) if (!ok) -> TRUE (29) if (!ok) { (29) update reply { (29) Tunnel-Type := VLAN (29) Tunnel-Medium-Type := IEEE-802 (29) Tunnel-Private-Group-Id := 155 (29) } # update reply = noop (29) } # if (!ok) = noop (29) ... skipping else: Preceding "if" was taken (29) [exec] = noop (29) policy remove_reply_message_if_eap { (29) if (&reply:EAP-Message && &reply:Reply-Message) { (29) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (29) else { (29) [noop] = noop (29) } # else = noop (29) } # policy remove_reply_message_if_eap = noop (29) } # post-auth = updated (29) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69) (29) Sent Access-Accept Id 98 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0 (29) MS-MPPE-Recv-Key = 0x13cc139e4e3c5b05b1477ec7f4ff0c93fe3bf7fd326efc8a679f1cc0e3e7d5a1 (29) MS-MPPE-Send-Key = 0x745c0bf23f478b1009bc6645f0a1a680cb7efbaa1c852617eb04957276e55e88 (29) EAP-Message = 0x03490004 (29) Message-Authenticator = 0x00000000000000000000000000000000 (29) User-Name = "lpaulin" (29) Tunnel-Type := VLAN (29) Tunnel-Private-Group-Id := "155" (29) Tunnel-Medium-Type := IEEE-802 (29) Idle-Timeout := 60 (29) Session-Timeout := 60 (29) Termination-Action := RADIUS-Request (29) Juniper-Local-User-Name := "SU" (29) Juniper-Junosspace-Profile := "devops_users" ====== And here's the authorized_macs file content [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" Thanx -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-01-31 14:59 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Jan 31, 2018, at 2:50 PM, Luc Paulin <paulinster@gmail.com> wrote:,
I know that we can do a BYOD wireless setup with freeradius base on if
the
client setup was setup with certificate(EAP-TLS) or not by checking the EAP-Type field. But I was wondering would it be possible to do it base on MAC adresse.
You can do any checking you want, on any attribute you want. The only restriction is that the attribute has to exist in the packet.
The one minor issue with MAC address is that people can spoof it. But if they already have an EAP-TLS client certificate, that's less of a problem.
The idea here is that we would like to move user to the appropriate vlan base on his device mac. If MAC address is within that list, device is granted to the corp vlan, else it'll default to the BYOD clan.
Sure.
In the post-auth section I did add some lines in order to try do the check base on mac addresse
======== # We rewrite calling_station_id in order to do mac checkup rewrite_calling_station_id
# Check against the authorized_macs file authorized_macs if (!ok) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 155 } } else { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-Id := 157 } } ========
However look like the authorized_macs always return noop. Am I doing something wrong or something not supported?
Post the debug output. And ensure that the MAC addresses are all in the same format.
i.e. you MUST put the MACs into the "authorized_macs" configuration in *exactly the same format* as what you see in the packet.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jan 31, 2018, at 3:16 PM, Luc Paulin <paulinster@gmail.com> wrote:
Great thanx Alan, I agree that mac can be easilly spoofed, but the goal here is mainly to move the user's device to another vlan than corp and not doing authentication. We may eventually move to EAP-TLS, but this is at least a first step.
Yes I check the format and it's exacly the same ... Here's the output of the debug section for authorized_mac.
======= <------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED --->
Including deleting the "authorized_mac" config...
And here's the authorized_macs file content [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
What the heck is that? You can't just invent a configuration file format and use it. You MUST read the docs. So.. what is the "authorized_macs" module? How did you configure it? Why do you think that putting random things into it will make it do what you want? Alan DeKok.
Sorry if the file's format isn't correct but unless that I didn't understand documentation correctly I follow what's on the following url https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_raddb-authorized_m... . Here's the authorized mac module section [root@radius-corp-01_{{PROD}} raddb]# cat mods-enabled/stingray-authorize-mac files authorized_macs { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. #compat = no } And this is the the content of "user/mac" address that should be authorized [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" And here the debug output starting from rewrite_calling_station_id section (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 18-65-90-CB-4C-69 (9) &Calling-Station-Id := 18-65-90-CB-4C-69 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) authorized_macs: EXPAND %{Calling-Station-ID} (9) authorized_macs: --> 18-65-90-CB-4C-69 (9) [authorized_macs] = noop (9) if (!ok) { (9) if (!ok) -> TRUE (9) if (!ok) { (9) update reply { (9) Tunnel-Type := VLAN (9) Tunnel-Medium-Type := IEEE-802 (9) Tunnel-Private-Group-Id := 155 (9) } # update reply = noop (9) } # if (!ok) = noop (9) ... skipping else: Preceding "if" was taken (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = updated (9) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69) (9) Sent Access-Accept Id 113 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0 (9) MS-MPPE-Recv-Key = 0x6348f6c554161e58e38f723fb920ebdc99ddc48c18fcb74796f63d1eeb881f82 (9) MS-MPPE-Send-Key = 0x2f4ad046e69da27b4afe756aedd922a65e0ec1095ed728e70f315a77f7c3c788 (9) EAP-Message = 0x03790004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "lpaulin" (9) Tunnel-Type := VLAN (9) Tunnel-Private-Group-Id := "155" (9) Tunnel-Medium-Type := IEEE-802 (9) Idle-Timeout := 60 (9) Session-Timeout := 60 (9) Termination-Action := RADIUS-Request (9) Juniper-Local-User-Name := "SU" (9) Juniper-Junosspace-Profile := "devops_users" (9) Finished request -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-01-31 15:22 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Jan 31, 2018, at 3:16 PM, Luc Paulin <paulinster@gmail.com> wrote:
Great thanx Alan, I agree that mac can be easilly spoofed, but the goal here is mainly to move the user's device to another vlan than corp and
not
doing authentication. We may eventually move to EAP-TLS, but this is at least a first step.
Yes I check the format and it's exacly the same ... Here's the output of the debug section for authorized_mac.
======= <------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED --->
Including deleting the "authorized_mac" config...
And here's the authorized_macs file content [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
What the heck is that?
You can't just invent a configuration file format and use it. You MUST read the docs.
So.. what is the "authorized_macs" module? How did you configure it? Why do you think that putting random things into it will make it do what you want?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jan 31, 2018, at 3:41 PM, Luc Paulin <paulinster@gmail.com> wrote:
Sorry if the file's format isn't correct but unless that I didn't understand documentation correctly I follow what's on the following url https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_raddb-authorized_m...
Maybe the mailer mangled the text. Whitespace DOES matter in the "users" file.
Here's the authorized mac module section
[root@radius-corp-01_{{PROD}} raddb]# cat mods-enabled/stingray-authorize-mac files authorized_macs { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
That should work.
... (9) authorized_macs: --> 18-65-90-CB-4C-69 (9) [authorized_macs] = noop
That means the MAC address wasn't found in the file. I'm not sure what's going wrong. It's not clear from the debug output. But the file format DOES matter. Tabs and whitespace MUST exist as in the documentation. Alan DeKok.
understand and aware about that the file format does matter. I have review the file but couldn't see what's wrong I even redo the file entirely and make sure about whitespace/tabs, not sure what I miss here cuz all look to be the same as per the documentation ... Attach the full debug output and the authorized_macs file content in addition to the post-auth section. Il if this can be of any help -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-01-31 16:36 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Jan 31, 2018, at 3:41 PM, Luc Paulin <paulinster@gmail.com> wrote:
Sorry if the file's format isn't correct but unless that I didn't understand documentation correctly I follow what's on the following url https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_
raddb-authorized_macs
Maybe the mailer mangled the text. Whitespace DOES matter in the "users" file.
Here's the authorized mac module section
[root@radius-corp-01_{{PROD}} raddb]# cat mods-enabled/stingray-authorize-mac files authorized_macs { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
That should work.
... (9) authorized_macs: --> 18-65-90-CB-4C-69 (9) [authorized_macs] = noop
That means the MAC address wasn't found in the file.
I'm not sure what's going wrong. It's not clear from the debug output.
But the file format DOES matter. Tabs and whitespace MUST exist as in the documentation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Feb 1, 2018, at 10:29 AM, Luc Paulin <paulinster@gmail.com> wrote:
understand and aware about that the file format does matter. I have review the file but couldn't see what's wrong I even redo the file entirely and make sure about whitespace/tabs, not sure what I miss here cuz all look to be the same as per the documentation ... Attach the full debug output and the authorized_macs file content in addition to the post-auth section. Il if this can be of any help
Well, it all looks fine. It should work. The only other thing I would say is to just put those rules directly into "unlang: if (Calling-Station-ID == "...") { update reply { Reply-Message := "..." } reject } if that works, then there's something odd with the module. Alan DeKok.
Putting those rules in unlang work ... so look like there may be something odd with the module -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-02-01 10:40 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Feb 1, 2018, at 10:29 AM, Luc Paulin <paulinster@gmail.com> wrote:
understand and aware about that the file format does matter. I have
review
the file but couldn't see what's wrong I even redo the file entirely and make sure about whitespace/tabs, not sure what I miss here cuz all look to be the same as per the documentation ... Attach the full debug output and the authorized_macs file content in addition to the post-auth section. Il if this can be of any help
Well, it all looks fine. It should work.
The only other thing I would say is to just put those rules directly into "unlang:
if (Calling-Station-ID == "...") { update reply { Reply-Message := "..." } reject }
if that works, then there's something odd with the module.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hoo I think that I may have found something, look like that as per the rlm_files documentation ( http://networkradius.com/doc/current/raddb/mods-available/files.html) there's a postauth_usersfile directive. So I have replace the usersfile for the postauth_usersfile in the authorized_macs modules and look like it does work now. I'll do more testing but at first glance I think that was the issues. -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-02-01 11:06 GMT-05:00 Luc Paulin <paulinster@gmail.com>:
Putting those rules in unlang work ... so look like there may be something odd with the module
-- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster
2018-02-01 10:40 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Feb 1, 2018, at 10:29 AM, Luc Paulin <paulinster@gmail.com> wrote:
understand and aware about that the file format does matter. I have
review
the file but couldn't see what's wrong I even redo the file entirely and make sure about whitespace/tabs, not sure what I miss here cuz all look to be the same as per the documentation ... Attach the full debug output and the authorized_macs file content in addition to the post-auth section. Il if this can be of any help
Well, it all looks fine. It should work.
The only other thing I would say is to just put those rules directly into "unlang:
if (Calling-Station-ID == "...") { update reply { Reply-Message := "..." } reject }
if that works, then there's something odd with the module.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
On Thu, 2018-02-01 at 11:34 -0500, Luc Paulin wrote:
Hoo I think that I may have found something, look like that as per the rlm_files documentation ( http://networkradius.com/doc/current/raddb/mods-available/files.html) there's a postauth_usersfile directive. So I have replace the usersfile for the postauth_usersfile in the authorized_macs modules and look like it does work now.
You can also call a module for a different section if you want/need, e.g. post-auth { ... files.authorize ... } -- Matthew
hoo interesting .. I didn't know that .. Thanx for that hint! -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-02-01 12:52 GMT-05:00 Matthew Newton <mcn@freeradius.org>:
On Thu, 2018-02-01 at 11:34 -0500, Luc Paulin wrote:
Hoo I think that I may have found something, look like that as per the rlm_files documentation ( http://networkradius.com/doc/current/raddb/mods-available/files.html) there's a postauth_usersfile directive. So I have replace the usersfile for the postauth_usersfile in the authorized_macs modules and look like it does work now.
You can also call a module for a different section if you want/need, e.g.
post-auth { ... files.authorize ... }
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Luc Paulin -
Matthew Newton