MAC auth bypass with freeradius/openldap

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 22 11:01:35 CEST 2011


On 06/21/2011 09:53 PM, g17jimmy wrote:
> I've been looking at this for a day now and it seems like I'm close, but
> something is not right. I have a freeradius server with an openldap backend
> for MAC auth bypass. This system is just for test, but it is an essential
> first step in my project.

The debug you sent is not mac-auth bypass. It's 802.1x/EAP, and it's 
failing for a bunch of reasons.

Firstly, if you want to do mac-auth, you must configure mac-auth on the 
switch. 802.1x is not mac-auth.


> rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0,
> length=99
>          NAS-IP-Address = 192.168.1.254
>          NAS-Port-Type = Ethernet
>          NAS-Port = 24
>          User-Name = "0010182b9065"
>          Acct-Session-Id = "0500002B"
>          EAP-Message = 0x0200001101303031303138326239303635
>          Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed

The EAP-Message indicates this is EAP/802.1x

> +- entering group authorize {...}
> ++[preprocess] returns ok
<snip>
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the
> user is configured correctly?

EAP needs known-good passwords...

> [ldap] user 0010182b9065 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.

...so it's going to fail. Anyway, but it doesn't get that far, because...

Now things get really broken:

> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.1.254 port 49154
>          EAP-Message = 0x010100061520
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0xc26dceefc26cdb5c17fcb167e47515a3
> Finished request 4.

This is FreeRADIUS saying, "OK, proceed, using EAP-TLS please"

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0,
> length=134
> Cleaning up request 4 ID 0 with timestamp +348
>          NAS-IP-Address = 192.168.1.254
>          NAS-Port-Type = Ethernet
>          NAS-Port = 24
>          User-Name = "0010182b9065"
>          Acct-Session-Id = "0500002B"
>          State = 0xc26dceefc26cdb5c17fcb167e47515a3
>          EAP-Message =
> 0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635
>          Message-Authenticator = 0xf9ba8e6f27790169ab8ee1b280fbb4e9
> +- entering group authorize {...}
> ++[preprocess] returns ok
<snip>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] Response appears to match, but EAP type is wrong.

This is just broken. FreeRADIUS said "use EAP-TLS" and your client 
replied with "ok, using EAP-something-else".

What is the NAS and what is the client here?

Is the NAS trying to do mac-auth via some kind of EAP? That's just 
crazy, and even if it wasn't, it's managed to break the EAP conversation 
so it can't possibly work.
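The three EAP-Message values quoted in the debug above, decoded by an added Python example that is not part of this thread or of FreeRADIUS itself. It parses the RFC 3748 header plus the method-specific bytes of the Identity response, the server's Start and the client's reply, and applies a simplified version of the identifier/type check behind the "EAP type is wrong" message; the method names come from the IANA EAP registry, and `type_matches` is an assumption about that check, not FreeRADIUS's code.

```python
from dataclasses import dataclass
from typing import Optional
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}  # IANA

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no type byte
    data: bytes              # method-specific payload after the type byte

def parse_eap(hexstr: str) -> EapPacket:
    """Parse one EAP-Message value as printed by radiusd -X (RFC 3748 s4)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    length = int.from_bytes(raw[2:4], "big")
    needed = 4 if raw[:1] in (b"\x03", b"\x04") else 5   # Success/Failure have no type byte
    if len(raw) < needed or length != len(raw):
        raise ValueError(f"bad length field {length} for {len(raw)} bytes on the wire")
    if needed == 4:
        return EapPacket(raw[0], raw[1], None, b"")
    return EapPacket(raw[0], raw[1], raw[4], raw[5:])

def describe(pkt: EapPacket) -> str:
    """Summarise the method-specific part of a Request/Response."""
    name = EAP_TYPES.get(pkt.eap_type, f"type {pkt.eap_type}")
    if pkt.eap_type == 1:                              # Identity: NAI as ASCII
        return f"Identity {pkt.data.decode('ascii', 'replace')!r}"
    if pkt.eap_type == 4 and pkt.code == 2:            # MD5-Challenge Response (RFC 3748 s5.4)
        n = pkt.data[0]                                # Value-Size, then Value, then Name
        return f"MD5-Challenge response, {n}-byte hash, name {pkt.data[1 + n:].decode('ascii', 'replace')!r}"
    if pkt.eap_type in (13, 21, 25):                   # TLS-based methods start with a flags byte
        flags = pkt.data[0] if pkt.data else 0
        return f"{name} flags=0x{flags:02x}" + (" (Start)" if flags & 0x20 else "")
    return name

def type_matches(request: EapPacket, response: EapPacket) -> bool:
    """Simplified 'EAP type is wrong' check (assumed): same identifier, type echoed or a Nak."""
    return response.identifier == request.identifier and response.eap_type in (request.eap_type, 3)

# The three EAP-Message values quoted from the debug above.
PACKETS = [("client", "0x0200001101303031303138326239303635"),
           ("server", "0x010100061520"),
           ("client", "0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635")]

if __name__ == "__main__":
    for who, hexstr in PACKETS:
        p = parse_eap(hexstr)
        print(f"{who}: {EAP_CODES[p.code]} id={p.identifier} {describe(p)}")
    print("reply answers the start?", type_matches(parse_eap(PACKETS[1][1]), parse_eap(PACKETS[2][1])))
```

Run as-is it shows the server's id=1 packet carrying method type 21 with the Start flag, answered by an id=1 MD5-Challenge response (type 4) that names the same MAC, which is exactly the mismatch the debug complains about.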


