SQL Mac-Authentication based on Call-Check
florian broder
flobroed at googlemail.com
Fri Nov 25 09:20:19 CET 2005
Hi.
For better understanding, here are the packets the Catalyst sends to the
RADIUS server (Cisco ACS), captured with Ethereal. The feature
(MAC Authentication Bypass) was tested by myself with ACS 4.0 beta and
worked.
The switch sends three packets like this:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xa9 (169)
Length: 65
Authenticator: 1C3208670AF4106D1619034D1BD50526
Attribute Value Pairs
AVP: l=8 t=User-Name(1): azbycx
AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156
AVP: l=13 t=EAP-Message(79) Last Segment[1]
AVP: l=18 t=Message-Authenticator(80): 996FDE4A9B0077AAC30FA6A8AE65BC09
They are NOT answered by the ACS RADIUS server. BTW, WHAT is the username azbycx? Some
kind of default? It is always the same username, no matter what MAC I plug
into the switch! Cisco documentation sucks big time on this! :( Why is it
doing this? It was definitely not configured in CatOS.
----------------------
After that, it sends the "real" access-request:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x1 (1)
Length: 100
Authenticator: 012E175F0CF11CB90FE21A16008B1613
Attribute Value Pairs
AVP: l=6 t=NAS-IP-Address(4): xx.xx.128.156
AVP: l=6 t=NAS-Port(5): 110
AVP: l=6 t=Service-Type(6): Call-Check(10)
AVP: l=19 t=Called-Station-Id(30): 00-14-1b-xx-xx-xx
AVP: l=19 t=Calling-Station-Id(31): 00-0e-7f-xx-xx-xx
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
AVP: l=18 t=Message-Authenticator(80): 3BF52FD5838A862CD4BFBD478515982A
"Called-Station-ID" is the MAC of the Switch-Interface. "Calling-Station-ID"
is the MAC that needs to be authenticated.
I'd really appreciate it if someone could help me out with the FreeRADIUS MySQL
config based on that scenario. Thanks.
Bye Flo
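Added worked example (editor's code, not part of Flo's post and not FreeRADIUS's own implementation): the Python below replays the Call-Check exchange from the second capture end to end. The "switch" builds an Access-Request with the same six attributes in the same order (Service-Type = Call-Check, Called-Station-Id = port MAC, Calling-Station-Id = the MAC to authenticate), protected by a Message-Authenticator; the "server" verifies that HMAC, normalizes the Calling-Station-Id, looks it up in a table and answers Access-Accept or Access-Reject with a correctly computed Response Authenticator. Assumptions, all constructed for the example: the shared secret `testing123`, the MAC addresses (the capture masks the real ones), the NAS IP, and an in-memory SQLite table standing in for the FreeRADIUS `radcheck` table with the MAC stored as `username` and `Auth-Type := Accept` (a common way to do MAC auth over SQL, but nothing in the post confirms that setup). The unanswered EAP probe with user `azbycx` is not modelled.

```python
import hashlib, hmac, os, sqlite3, struct

# Constructed values: secret, MACs and NAS IP are illustrative, not from the capture.
SECRET = b"testing123"
SWITCH_PORT_MAC = "00-14-1b-aa-bb-cc"   # plays the Called-Station-Id
ALLOWED_MACS = ("00-0e-7f-11-22-33",)   # what an admin would have put in radcheck
# RADIUS codes and the attribute types seen in the captured Call-Check request
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 4, 5, 6
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
CALL_CHECK, ETHERNET = 10, 15            # Service-Type and NAS-Port-Type values

def encode_avps(avps):
    # Type(1) Length(1) Value; the length counts the two header bytes
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(data):
    avps, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        avps.append((t, data[i + 2:i + l]))
        i += l
    return avps

def build_access_request(ident, avps, secret):
    # Switch side. Message-Authenticator = HMAC-MD5(secret, whole packet with the
    # attribute's own value zeroed), RFC 3579 section 3.2.
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(encode_avps(avps)) + 18) + os.urandom(16)
    mac = hmac.new(secret, hdr + encode_avps(avps + [(MESSAGE_AUTHENTICATOR, bytes(16))]), hashlib.md5).digest()
    return hdr + encode_avps(avps + [(MESSAGE_AUTHENTICATOR, mac)])

def build_switch_request(calling_mac, ident=1):
    # Same six attributes, same order, as the captured packet (length comes out to 100 too)
    return build_access_request(ident, [
        (NAS_IP_ADDRESS, bytes([10, 0, 128, 156])),
        (NAS_PORT, struct.pack("!I", 110)),
        (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
        (CALLED_STATION_ID, SWITCH_PORT_MAC.encode()),
        (CALLING_STATION_ID, calling_mac.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", ETHERNET)),
    ], SECRET)

def verify_message_authenticator(pkt, secret):
    # Server side. A request failing this check is dropped without any reply.
    length = struct.unpack("!H", pkt[2:4])[0]
    received, rebuilt = None, []
    for t, v in decode_avps(pkt[20:length]):
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, bytes(16)
        rebuilt.append((t, v))
    if received is None:
        return False
    expected = hmac.new(secret, pkt[:20] + encode_avps(rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def build_response(code, ident, request_authenticator, secret, avps=()):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    body = encode_avps(list(avps))
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_authenticator + body + secret).digest() + body

def verify_response(resp, req, secret):
    # Switch side: the reply must carry our ID and be bound to our Request Authenticator
    return resp[1] == req[1] and resp[4:20] == hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()

def normalize_mac(s):
    # Hex digits only, lower case, so "00-0E-7F-.." and "000e7f.." hit the same row
    return "".join(c for c in s.lower() if c in "0123456789abcdef")

def make_radcheck_db(allowed_macs):
    # In-memory stand-in for FreeRADIUS's radcheck table; assumption: the MAC is the username
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
               "attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck (username, attribute, op, value) "
                   "VALUES (?, 'Auth-Type', ':=', 'Accept')", [(normalize_mac(m),) for m in allowed_macs])
    return db

def authorize_call_check(pkt, secret, db):
    # Server side: returns (response packet or None, reason)
    if not verify_message_authenticator(pkt, secret):
        return None, "bad Message-Authenticator, request discarded"
    ident, length = pkt[1], struct.unpack("!H", pkt[2:4])[0]
    req_auth, avps = pkt[4:20], dict(decode_avps(pkt[20:length]))
    if avps.get(SERVICE_TYPE) != struct.pack("!I", CALL_CHECK) or CALLING_STATION_ID not in avps:
        return build_response(ACCESS_REJECT, ident, req_auth, secret), "not a Call-Check request"
    mac = normalize_mac(avps[CALLING_STATION_ID].decode("ascii", "replace"))
    row = db.execute("SELECT value FROM radcheck WHERE username = ? AND attribute = 'Auth-Type'",
                     (mac,)).fetchone()
    code = ACCESS_ACCEPT if row and row[0] == "Accept" else ACCESS_REJECT
    return build_response(code, ident, req_auth, secret), ("known" if code == ACCESS_ACCEPT else "unknown") + " MAC " + mac

def run(calling_mac):
    # One round trip; returns (response code, reason): 2 accept, 3 reject, None discarded
    resp, reason = authorize_call_check(build_switch_request(calling_mac), SECRET, make_radcheck_db(ALLOWED_MACS))
    return (resp[0] if resp else None), reason
```

Two points the example is meant to make for a real SQL setup: the switch sends the MAC as a dash-separated string ("00-0e-7f-..."), and an SQL lookup is an exact string compare, so either store the MAC in exactly that form or normalize it (as `normalize_mac` does) before the query; and the Message-Authenticator check happens before any lookup, with a failing request dropped silently rather than rejected, so a missing or wrong shared secret on the server shows up as timeouts on the switch, not as Access-Rejects.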