Problem returning default reply "Filter-ID" for Enterasys gear
Kent Nasveschuk
knasveschuk at mbl.edu
Tue Dec 16 14:59:19 CET 2008
Hello,
I'm trying to set up MAC and 802.1x authentication and have a couple of questions. For right now I'm just working on the MAC authentication. Here's some info on my system:
CentOS 5.2
[root at radius01 freeradius-1.1.3]# radiusd -v
radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on May 10 2007 at 12:24:01
Connecting on backend to OpenLDAP 2.3.39. Although in the production environment I will be running a replica on the radius server for testing I'm using a test LDAP server that I can modify at will.
MAC addresses live in:
ou=Devices,ou=Network,dc=mbl,dc=edu
typical entry:
dn: cn=00-0C-F1-94-2A-9D,ou=Devices,ou=Network,dc=mbl,dc=edu
cn: 00-0C-F1-94-2A-9D
userPassword:: c25rUnN3bQ==
radiusCheckItem: 35452
radiusExpiration: 2030123100:00:00
description: SSH gateway
objectClass: device
objectClass: ieee802Device
objectClass: radiusprofile
objectClass: simpleSecurityObject
objectClass: top
macAddress: 00:0C:F1:94:2A:9D
radiusFilterId: Enterasys:version=1:policy=F-Servers
What I want to do is if a lookup in LDAP fails return ACCEPT and the string
"radiusFilterId: Enterasys:version=1:policy=D-Unregistered" where a policy will be applied on the port that is associated wit "D-Unregistered".
############################ radiusd.conf #######################
...
modules {
ldap devices {
server = "x.x.x.x"
identity = "cn=radiusd,ou=users,dc=mbl,dc=edu"
password = supersecretpassword
basedn = "ou=devices,ou=network,dc=mbl,dc=edu"
filter = "(cn=%{User-Name})"
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 120
ldap_cache_size = 0
ldap_connections_number = 10
#password_header = "{clear}"
password_attribute = userPassword
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
access_attr = "radiusFilterId"
}
ldap 802_1x {
server = "x.x.x.x"
identity = "cn=radiusd,ou=users,dc=mbl,dc=edu"
password = supersecretpassword
basedn = "ou=users,dc=mbl,dc=edu"
filter = "(cn=%{User-Name})"
start_tls = no
tls_mode = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_cache_timeout = 120
ldap_cache_size = 0
ldap_connections_number = 10
#password_header = "{clear}"
password_attribute = userPassword
timeout = 3
timelimit = 5
net_timeout = 1
compare_check_items = no
access_attr = "networkProfile"
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
pap {
encryption_scheme = md5
auto_header = no
}
chap {
authtype = CHAP
}
preprocess {
huntgroups = ${confdir}/huntgroups
#hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
compat = no
#use old style users
}
# regular detail files
detail detail1 {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
dirperm = 0755
}
# temp detail file to replicate to accountrad
detail detail2 {
detailfile= ${radacctdir}/detail-combined
detailperm = 0600
dirperm = 0755
locking = yes
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module current has no configuration.
expr {
}
}
instantiate {
expr
}
authorize {
preprocess
Autz-Type LDAP1 {
devices
}
Autz-Type LDAP2 {
802_1x
chap
mschap
eap
}
files
}
authenticate {
authtype PAP {
pap
}
authtype CHAP {
chap
}
authtype MS-CHAP {
mschap
}
authtype LDAP1 {
devices
}
authtype LDAP2 {
802_1x
}
eap
}
preacct {
preprocess
files
}
accounting {
acct_unique
detail1
detail2
#radutmp
#sradutmp
}
############################ users #######################
DEFAULT Client-IP-Address == "172.x.x.1", Auth-Type := LDAP1, Autz-Type:= LDAP1, Auth-Type := ACCEPT, Filter-Id := "Enterasys:version=1:policy=D-Unregistered"
DEFAULT Client-IP-Address == "172.x.x.2", Auth-Type := LDAP2, Autz-Type:= LDAP2
DEFAULT Autz-Type = LDAP1, Auth-Type := ACCEPT
############################ clients.conf #######################
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
client 172.x.x.3 {
secret = yetanotherpassword
shortname = NagiosMonitoring
}
client 172.x.x.1 {
secret = anotherpassword
shortname = DFE-CORE
}
client 172.x.x.2 {
secret = anotherpassword
shortname = ROAMABOUT8400
}
I'm testing from the 172.x.x.3, client.
Currently I can get a MAC address to authenticate and reply with the the correct "radiusFilterID" in LDAP. I can also get an unknown MAC address to return an ACCEPT but I can't get it to return a default "Filter-ID". Putting the return string "Filter-Id := "Enterasys:version=1:policy=D-Unregistered" in the users file doesn't seem to work.
I'll work on the 802.1x when I get the above working, but I want to use the sambaLMpassword or sambaNTpassword hashes that are already in the LDAP directory versus clear text userPassword for 802.1x.
Thanks for your help.
Kent L. Nasveschuk
Systems Administrator
Office 508 289-7263
Cell 508 524-7263
----------------------------
Marine Biological Laboratory
7 MBL St.
Woods Hole, MA 02543
More information about the Freeradius-Users
mailing list