MAC auth bypass with freeradius/openldap
g17jimmy
g17jimmy at gmail.com
Tue Jun 21 22:53:09 CEST 2011
I've been looking at this for a day now and it seems like I'm close, but
something is not right. I have a FreeRADIUS server with an OpenLDAP backend
for MAC auth bypass. This system is just for testing, but it is an essential
first step in my project.
I'm using freeradius2-2.1.7-7.el5, freeradius2-ldap-2.1.7-7.el5,
openldap-servers-2.3.43-12.el5_6.7, and I am currently using a Cisco-labelled
Linksys SFE-2000 switch.
Since I have been reading docs and trying different things all day, I'm
thinking there is something I've just messed up and overlooked while
going over the files. I have tried creating the MAC address in LDAP several
ways: as a cn (objectclass=device) and as a uid (with and without a password).
Here are the files I've mod'd:
**********************************
raddb/modules/ldap:
**********************************
ldap {
    cache = no
    server = "localhost"
    identity = "uid=radauth,ou=radius,dc=CSPKRB"
    password = password
    basedn = "ou=radius,dc=CSPKRB"
    filter = "(cn=%{User-Name})"
    tls {
        start_tls = no
    }
    default_profile = "uid=radauth,ou=radius,dc=CSPKRB"
    profile_attribute = "radiusProfileDn"
    access_attr = "cn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    groupname_attribute = radius_users
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    timeout = 4
    timelimit = 3
    net_timeout = 1
    set_auth_type = no
}
**********************************
raddb/sites-enabled/inner-tunnel:
**********************************
server inner-tunnel {
    authorize {
        preprocess
        ldap
        pap
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
**********************************
clients.conf
**********************************
client localhost {
    ipaddr = 127.0.0.1
    secret = SharedSecret
    require_message_authenticator = no
}
client 192.168.0.0/16 {
    require_message_authenticator = no
    secret = SharedSecret
    nastype = other
}
**********************************
debug output:
**********************************
rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0,
length=99
NAS-IP-Address = 192.168.1.254
NAS-Port-Type = Ethernet
NAS-Port = 24
User-Name = "0010182b9065"
Acct-Session-Id = "0500002B"
EAP-Message = 0x0200001101303031303138326239303635
Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap] expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap] expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter
(cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter
(objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.254 port 49154
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc26dceefc26cdb5c17fcb167e47515a3
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0,
length=134
Cleaning up request 4 ID 0 with timestamp +348
NAS-IP-Address = 192.168.1.254
NAS-Port-Type = Ethernet
NAS-Port = 24
User-Name = "0010182b9065"
Acct-Session-Id = "0500002B"
State = 0xc26dceefc26cdb5c17fcb167e47515a3
EAP-Message =
0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635
Message-Authenticator = 0xf9ba8e6f27790169ab8ee1b280fbb4e9
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20110621
[auth_log] expand: %t -> Tue Jun 21 16:38:24 2011
++[auth_log] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for 0010182b9065
[ldap] expand: (cn=%{User-Name}) -> (cn=0010182b9065)
[ldap] expand: ou=radius,dc=CSPKRB -> ou=radius,dc=CSPKRB
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=CSPKRB, with filter
(cn=0010182b9065)
[ldap] checking if remote access for 0010182b9065 is allowed by cn
rlm_ldap: performing search in uid=radauth,ou=radius,dc=CSPKRB, with filter
(objectclass=radiusprofile)
rlm_ldap: object not found
[ldap] default_profile/user-profile search failed
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user 0010182b9065 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Response appears to match, but EAP type is wrong.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [0010182b9065] (from client 192.168.0.0/16 port 24)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 0010182b9065
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 0 to 192.168.1.254 port 49154
Waking up in 4.9 seconds.
Cleaning up request 5 ID 0 with timestamp +348
Ready to process requests.
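The three EAP-Message values in the debug output above can be decoded to see what the switch and the server actually exchanged during the bypass attempt. The Python decoder below is an added example; it is not code from the original post or from FreeRADIUS. The sample hex strings in SAMPLES are copied from the debug output, the type names come from the IANA EAP method registry, and the SAMPLES dict, decode_eap and types_match are this example's own names.

```python
# Decoder for EAP-Message attribute values as printed by "radiusd -X".
# Added example, not part of the original post or of FreeRADIUS.
# EAP packet layout (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Data...]

from typing import Any, Dict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA-registered EAP method type numbers (subset)
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}

# TLS-based methods share the RFC 5216 flags byte (L, M, S bits)
TLS_BASED = {13, 21, 25}

# Hex values copied from the debug output in the post above
SAMPLES = {
    "identity": "0x0200001101303031303138326239303635",
    "server_challenge": "0x010100061520",
    "nas_response": "0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635",
}


def decode_eap(hex_value: str) -> Dict[str, Any]:
    """Parse one EAP-Message value ("0x..." or bare hex) into a dict."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A bad Length field is itself worth flagging when reading captures
        raise ValueError(f"EAP length field {length} != actual size {len(raw)}")
    pkt: Dict[str, Any] = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": ident,
        "length": length,
    }
    if code in (3, 4):  # Success/Failure carry no Type byte
        return pkt
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    data = raw[5:]
    if eap_type == 1:
        # Identity: the data is the peer's identity string (here the MAC)
        pkt["identity"] = data.decode("ascii", errors="replace")
    elif eap_type == 4 and code == 2:
        # MD5-Challenge response: Value-Size(1), Value(Value-Size), Name(rest)
        vsize = data[0]
        pkt["md5_value"] = data[1:1 + vsize].hex()
        pkt["name"] = data[1 + vsize:].decode("ascii", errors="replace")
    elif eap_type in TLS_BASED:
        flags = data[0] if data else 0
        pkt["flags"] = {
            "length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20),
        }
    return pkt


def types_match(request_hex: str, response_hex: str) -> bool:
    """True when the peer answered with the same EAP type the server requested."""
    req = decode_eap(request_hex)
    rsp = decode_eap(response_hex)
    return req.get("type") == rsp.get("type")


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, decode_eap(value))
    print("server/NAS types match:",
          types_match(SAMPLES["server_challenge"], SAMPLES["nas_response"]))
```

Run on the post's values, the decoder shows that the first message is a Response/Identity carrying the MAC, the server's Access-Challenge carries a Request of type 21 (EAP-TTLS) with the Start flag set, and the switch's reply is a Response of type 4 (MD5-Challenge) whose Name field is again the MAC. types_match returns False for that pair, which is the condition FreeRADIUS reports as "Response appears to match, but EAP type is wrong": the NAS answered with EAP-MD5 while the server had started a TLS-based method. Decoding the attribute this way is a quick check of what a NAS really sends for bypass clients before changing server-side EAP or LDAP settings.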