Problem returning default reply "Filter-ID" for Enterasys gear

Kent Nasveschuk knasveschuk at mbl.edu
Tue Dec 16 14:59:19 CET 2008


Hello,
I'm trying to set up MAC and 802.1x authentication and have a couple of questions. For right now I'm just working on the MAC authentication. Here's some info on my system:

CentOS 5.2
[root at radius01 freeradius-1.1.3]# radiusd -v
radiusd: FreeRADIUS Version 1.1.3, for host x86_64-redhat-linux-gnu, built on May 10 2007 at 12:24:01

The backend is OpenLDAP 2.3.39. In production I will be running a replica on the RADIUS server; for testing I'm using a test LDAP server that I can modify at will.


MAC addresses live in:
ou=Devices,ou=Network,dc=mbl,dc=edu

typical entry:
dn: cn=00-0C-F1-94-2A-9D,ou=Devices,ou=Network,dc=mbl,dc=edu
# The cn is the hyphenated MAC address; the "devices" ldap instance looks
# entries up with filter (cn=%{User-Name}), so the switch must send the MAC
# in this exact form as User-Name.
cn: 00-0C-F1-94-2A-9D
# NOTE(review): the double colon is LDIF base64 encoding, not hashing, and the
# decoded value carries no {scheme} prefix -- this device credential is a
# cleartext password both in the directory and in this post.
userPassword:: c25rUnN3bQ==
radiusCheckItem: 35452
radiusExpiration: 2030123100:00:00
description: SSH gateway
objectClass: device
objectClass: ieee802Device
objectClass: radiusprofile
objectClass: simpleSecurityObject
objectClass: top
macAddress: 00:0C:F1:94:2A:9D
# radiusFilterId is returned to the switch as Filter-Id (via ldap.attrmap)
# and is also the access_attr of the "devices" ldap instance, so an entry
# without it is presumably treated as having no access -- confirm.
radiusFilterId: Enterasys:version=1:policy=F-Servers

What I want is this: if the lookup in LDAP fails, return an ACCEPT together with the string
"radiusFilterId: Enterasys:version=1:policy=D-Unregistered", so that the policy associated with "D-Unregistered" is applied on the port.


############################ radiusd.conf #######################
...
modules {

        # LDAP instance used for MAC-address (device) lookups under ou=devices.
        # NOTE(review): start_tls = no and tls_mode = no, so the bind
        # credentials below and each device's userPassword value cross the
        # network to "server" unencrypted; enable TLS on this connection if
        # the directory supports it.
        # NOTE(review): the bind password is written literally here, so this
        # file must stay readable only by the user radiusd runs as.
        ldap devices {
        server = "x.x.x.x"
        identity = "cn=radiusd,ou=users,dc=mbl,dc=edu"
        password = supersecretpassword
        basedn = "ou=devices,ou=network,dc=mbl,dc=edu"
        # The MAC address is matched against the entry's cn; assumes the switch
        # sends the MAC as User-Name in the same hyphenated form -- TODO confirm.
        filter = "(cn=%{User-Name})"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        # password_header is commented out, so the raw userPassword value is
        # presumably used as-is for the password check item -- TODO confirm.
        #password_header = "{clear}"
        password_attribute = userPassword
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
        # NOTE(review): rlm_ldap gates access on this attribute; here the policy
        # attribute doubles as the access flag, so an entry lacking
        # radiusFilterId is presumably refused rather than given a default
        # policy -- confirm against the rlm_ldap documentation for 1.1.3.
        access_attr = "radiusFilterId"
        }
        # LDAP instance used for 802.1x user lookups under ou=users.
        # Same cleartext-transport caveat as the "devices" instance above.
        # NOTE(review): to authenticate MS-CHAP against the sambaNTPassword /
        # sambaLMPassword hashes rather than userPassword, the hash attributes
        # must be mapped as check items in ldap.attrmap and be readable by the
        # bind identity -- confirm both before enabling 802.1x.
        ldap 802_1x {
        server = "x.x.x.x"
        identity = "cn=radiusd,ou=users,dc=mbl,dc=edu"
        password = supersecretpassword
        basedn = "ou=users,dc=mbl,dc=edu"
        filter = "(cn=%{User-Name})"
        start_tls = no
        tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10
        #password_header = "{clear}"
        password_attribute = userPassword
        timeout = 3
        timelimit = 5
        net_timeout = 1
        compare_check_items = no
        # NOTE(review): same access_attr semantics as above -- a user entry
        # without networkProfile is presumably refused.
        access_attr = "networkProfile"
        }
$INCLUDE ${confdir}/eap.conf

        # MS-CHAP with MPPE required for every session.
        mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        }
        # NOTE(review): encryption_scheme = md5 tells rlm_pap to treat the
        # configured password as an MD5 hash, while the LDAP entries shown
        # carry userPassword as plain (base64-encoded) text.  PAP is not on
        # the MAC path (Auth-Type is forced to ACCEPT), but confirm the scheme
        # matches before any entry is authenticated via PAP.
        pap {
        encryption_scheme = md5
        auto_header = no
        }
        chap {
        authtype = CHAP
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                #hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        # Reads the users file; this is where Autz-Type / Auth-Type are set
        # per NAS (see the users section).
        files {
                usersfile = ${confdir}/users
                #acctusersfile = ${confdir}/acct_users
                compat = no
                #use old style users
        }
        # regular detail files, one directory per NAS, one file per day
        detail detail1 {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                dirperm = 0755
        }
        # temp detail file to replicate to accountrad
        detail detail2 {
                detailfile= ${radacctdir}/detail-combined
                detailperm = 0600
                dirperm = 0755
                locking = yes
        }

        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        #
        #  The 'expression' module current has no configuration.
        expr {
        }

}

# Load expr at start-up even though no section references it directly.
instantiate {
        expr
}

authorize {
        preprocess
        # The Autz-Type sub-sections are selected by the Autz-Type value that
        # the users file assigns per NAS (LDAP1 = MAC auth, LDAP2 = 802.1x).
        Autz-Type LDAP1 {
        devices
        }
        Autz-Type LDAP2 {
        802_1x
        chap
        mschap
        eap
        }
        # NOTE(review): `files` runs last, so Autz-Type is only known after the
        # users entry has matched; in 1.x the matching Autz-Type sub-section is
        # presumably run after this section completes -- confirm with
        # radiusd -X that the "devices" lookup actually happens.
        files
}
authenticate {
        authtype PAP {
        pap
        }
        authtype CHAP {
        chap
        }
        authtype MS-CHAP {
        mschap
        }
        # NOTE(review): the users file forces Auth-Type := ACCEPT for the MAC
        # client, so this sub-section is presumably never reached for device
        # authentication; no credential is checked on that path.
        authtype LDAP1 {
        devices
        }
        # 802.1x users: rlm_ldap authenticates by binding as the user.
        authtype LDAP2 {
        802_1x
        }
        eap
}

# Accounting pre-processing: huntgroups, then the users file.
preacct {
        preprocess
        files
}

# Every accounting packet is logged to both detail instances; radutmp is
# disabled, so no active-session table is maintained.
accounting {
        acct_unique
        detail1
        detail2
        #radutmp
        #sradutmp
}
############################ users #######################
# Entries are tried in order and the first match ends the search unless it sets
# Fall-Through.  Everything on the first line of an entry is a CHECK item; reply
# items belong on the indented continuation lines that follow.
# NOTE(review): Filter-Id below is on the check line, so it is treated as a
# check item and is never copied into the Access-Accept -- consistent with the
# reported symptom.  Moving it to an indented reply line should return it; but
# because the LDAP lookup runs later and adds its own Filter-Id, test with
# radiusd -X that a registered device still receives the directory value
# (F-Servers) rather than this default.
# NOTE(review): Auth-Type is assigned twice on the first entry; with ":=" the
# later ACCEPT replaces LDAP1, so any MAC unknown to LDAP is accepted without
# a credential check.  That is the intended "unregistered" behaviour, but it
# makes the D-Unregistered port policy the only control on that path.
DEFAULT Client-IP-Address == "172.x.x.1", Auth-Type := LDAP1, Autz-Type:= LDAP1, Auth-Type := ACCEPT, Filter-Id := "Enterasys:version=1:policy=D-Unregistered"
DEFAULT Client-IP-Address == "172.x.x.2", Auth-Type := LDAP2, Autz-Type:= LDAP2

# NOTE(review): Autz-Type is a configuration item, not an attribute of the
# incoming request, so this check presumably never matches; it is also only
# reachable if an earlier entry sets Fall-Through.  Confirm with radiusd -X.
DEFAULT Autz-Type = LDAP1, Auth-Type := ACCEPT

############################ clients.conf #######################

# NOTE(review): 172.x.x.1 and 172.x.x.2 share one secret and localhost still
# carries the stock "testing123"; if these are not just placeholders for the
# post, give each NAS its own secret -- a shared secret lets one NAS forge
# packets on behalf of the other.
client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}
# Monitoring host used for the tests described in this post.
client 172.x.x.3 {
        secret          = yetanotherpassword
        shortname       = NagiosMonitoring
}
# Switch doing MAC authentication (users file: Autz-Type LDAP1).
client 172.x.x.1 {
        secret          = anotherpassword
        shortname       = DFE-CORE
}
# Wireless controller doing 802.1x (users file: Autz-Type LDAP2).
client 172.x.x.2 {
        secret          = anotherpassword
        shortname       = ROAMABOUT8400
}

I'm testing from the 172.x.x.3 client.

Currently I can get a known MAC address to authenticate and reply with the correct "radiusFilterID" from LDAP. I can also get an unknown MAC address to return an ACCEPT, but I can't get it to return a default "Filter-Id". Putting the return string `Filter-Id := "Enterasys:version=1:policy=D-Unregistered"` in the users file doesn't seem to work.

I'll work on the 802.1x when I get the above working, but I want to use the sambaLMpassword or sambaNTpassword hashes that are already in the LDAP directory versus clear text userPassword for 802.1x. 


Thanks for your help.


Kent L. Nasveschuk
Systems Administrator
Office  508 289-7263
Cell    508 524-7263
----------------------------
Marine Biological Laboratory
7 MBL St.
Woods Hole, MA 02543


