MAC auth bypass with freeradius/openldap

g17jimmy g17jimmy at gmail.com
Wed Jun 22 17:23:09 CEST 2011


I guess I was too quick to call it, and it looks like the problem is still on
the NAS. You will see that the client first gets access using the MAC
address as the CSID, but at some point, the client or NAS decided to
re-auth but this time using the IP address that the client had acquired.
It doesn't look like it's associated with the reauthentication period as
that is set to 1 hour and the issue occurred within about 10 minutes. I'm
pretty sure this has nothing to do with radius and everything to do with my
switch config, so sorry if this post is inappropriate.

rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154,
id=0, length=112
        User-Name = "0010182b9065"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 24
        Called-Station-Id = "00-1A-70-8B-2B-8C"
        Calling-Station-Id = "00-10-18-2B-90-65"
        Acct-Status-Type = Start
        Acct-Session-Id = "0500002D"
        Acct-Authentic = Local
        NAS-Port-Type = Ethernet
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 24,Client-IP-Address =
192.168.1.254,NAS-IP-Address = 192.168.1.254,Acct-Session-Id =
"0500002D",User-Name = "0010182b9065"'
[acct_unique] Acct-Unique-Session-ID = "42587646b94a35b4".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0010182b9065", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail]        expand: %t -> Wed Jun 22 09:15:40 2011
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> 0010182b9065
++[radutmp] returns ok
[attr_filter.accounting_response]       expand: %{User-Name} -> 0010182b9065
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 7.
Cleaning up request 7 ID 0 with timestamp +60184
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154,
id=0, length=97
        User-Name = "admin"
        NAS-IP-Address = 192.168.1.254
        Called-Station-Id = "192.168.1.254"
        Calling-Station-Id = "192.168.1.118"
        Acct-Status-Type = Stop
        Acct-Session-Id = "0500002C"
        Acct-Authentic = Local
        Acct-Session-Time = 1280
        Acct-Terminate-Cause = Idle-Timeout
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 192.168.1.254,NAS-IP-Address =
192.168.1.254,Acct-Session-Id = "0500002C",User-Name = "admin"'
[acct_unique] Acct-Unique-Session-ID = "0f743b391350fbbb".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.254/detail-20110622
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.1.254/detail-20110622
[detail]        expand: %t -> Wed Jun 22 09:25:47 2011
++[detail] returns ok
++[unix] returns noop
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> admin
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> admin
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 0 to 192.168.1.254 port 49154
Finished request 8.
Cleaning up request 8 ID 0 with timestamp +60791
Going to the next request
Ready to process requests.


--
Sent from the FreeRadius - User mailing list archive at Nabble.com.
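An added example, not code from the original post or from FreeRADIUS: a small Python parser that walks radiusd -X output like the dump above, collects each request's attributes, and flags accounting packets whose Calling-Station-Id is not a MAC, so the IP-keyed session in the second packet stands out in a longer log. The sample log is a constructed, trimmed copy of the two packets above, and the accepted MAC spellings are an assumption.

```python
import ipaddress
import re
# Constructed sample: header and attribute lines of the two Accounting-Request
# packets from the radiusd -X output above, trimmed to what the parser needs.
SAMPLE_LOG = """\
rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154, id=0, length=112
        User-Name = "0010182b9065"
        Called-Station-Id = "00-1A-70-8B-2B-8C"
        Calling-Station-Id = "00-10-18-2B-90-65"
        Acct-Session-Id = "0500002D"
+- entering group preacct {...}
rad_recv: Accounting-Request packet from host 192.168.1.254 port 49154, id=0, length=97
        User-Name = "admin"
        Called-Station-Id = "192.168.1.254"
        Calling-Station-Id = "192.168.1.118"
        Acct-Session-Id = "0500002C"
"""
# radiusd prints attributes indented as 'Name = value'; string values are double-quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')
# Assumed MAC spellings from switches: 00-10-18-2B-90-65, 00:10:18:2b:90:65, 0010182b9065
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}$", re.I)

def parse_requests(text):
    """One dict per rad_recv packet: '_type' plus the attributes dumped under it."""
    requests, in_header = [], False
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            requests.append({"_type": line.split()[1]})
            in_header = True
        elif in_header and (m := ATTR_RE.match(line)):
            requests[-1][m.group(1)] = m.group(2)
        else:
            in_header = False  # first non-attribute line ends the packet dump
    return requests

def station_kind(value):
    """'mac', 'ip' or 'other' for a Calling-Station-Id value."""
    if MAC_RE.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "other"
    return "ip"

def find_non_mac_sessions(requests):
    """Accounting packets keyed on something other than a MAC (the IP re-auth seen above)."""
    return [(r.get("Acct-Session-Id"), r.get("User-Name"), csid, station_kind(csid))
            for r in requests if r["_type"] == "Accounting-Request"
            for csid in [r.get("Calling-Station-Id", "")] if station_kind(csid) != "mac"]
```

Run it over a full radiusd -X capture to list every session the NAS reported under an IP or a non-MAC name rather than the client MAC the MAC-auth policy keyed on.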


