Help needed configuring MAB on FreeRADIUS and Cisco switch
Kaya Saman
kayasaman at gmail.com
Mon Jul 16 16:44:14 CEST 2012
On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> > rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162
>> > User-Name = "0015c5537baa"
>> > User-Password = "0015c5537baa"
>
> note those 2 lines - the User-Name is the MAC address in that format. the password is
> the same.
>
>> > [eap] No EAP-Message, not doing EAP
>> > ++[eap] returns noop
>> > ++[files] returns noop
>> > ++[expiration] returns noop
>> > ++[logintime] returns noop
>> > [pap] WARNING! No "known good" password found for the user.
>> > Authentication may fail because of this.
>> > ++[pap] returns noop
>> > ERROR: No authenticate method (Auth-Type) found for the request:
>
> so, you haven't got any module configured for this request - either in users file,
> or SQL etc. (in fact, you aren't even calling SQL - so if the SQL is all set up, then it's not
> being used....edit your default virtual server to enable SQL functionality..and
> the dialup.conf with appropriate settings).
>
> quick test
>
> put this at the top of the 'users' file and restart the server
>
>
> 0015c5537baa Cleartext-Password := "0015c5537baa"
>         Tunnel-Type:0 = VLAN,
>         Tunnel-Medium-Type:0 = IEEE-802,
>         Tunnel-Private-Group-Id:0 = "3",
>         Tunnel-Preference = 0x000000
>
>
> alan
Poking around in the radiusd.conf file I checked the section modules
which looks like this:
[...]
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
$INCLUDE sql.conf
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# $INCLUDE sql/mysql/counter.conf
#
# IP addresses managed in an SQL table.
#
# $INCLUDE sqlippool.conf
}
[...]
The modules look like so:
raddb]# ls modules/
acct_unique   counter             dynamic_clients  files      mac2vlan       pap         realm                       unix
always        cui                 echo             inner-eap  mschap         passwd      smbpasswd                   wimax
attr_filter   detail              etc_group        ippool     ntlm_auth      perl        smsotp
attr_rewrite  detail.example.com  exec             linelog    opendirectory  policy      sqlcounter_expire_on_login
chap          detail.log          expiration       logintime  otp            preprocess  sql_log
checkval      digest              expr             mac2ip     pam            radutmp     sradutmp
I don't see a mysql module in there.
By placing the entry you suggested at the top of the /etc/raddb/users
file and restarting the server I got this:
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=162
User-Name = "0015c5537baa"
User-Password = "0015c5537baa"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1B-8F-60-AB-8D"
Calling-Station-Id = "00-15-C5-53-7B-AA"
Message-Authenticator = 0x8a054d90202217a1e4d81aa3e5e61f2f
NAS-Identifier = "1"
NAS-Port-Type = Ethernet
NAS-Port = 50013
NAS-Port-Id = "GigabitEthernet0/13"
NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 104 to 10.0.0.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 104 with timestamp +13
Ready to process requests.
I am assuming that
"Tunnel-Private-Group-Id:0 = "3","
means VLAN 3??
If so I should change it to 20 as that's what has been configured on the switch!
Regards,
Kaya
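The users-file entry alan suggests and the rad_recv dump above, worked through as an added example (this is not code from the thread or from FreeRADIUS). It normalises a MAC written in any common notation to the 12-lowercase-hex form the Cisco switch puts in User-Name, renders a `users` entry that assigns the VLAN through Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id (the Tunnel-Private-Group-Id string is the VLAN ID, per RFC 3580), and parses a `radiusd -X` Access-Request dump to check that the request is really a MAB request (Service-Type Call-Check, User-Name == User-Password == Calling-Station-Id). The function names, the inventory and the debug snippet are constructed for the example; the snippet copies the attribute lines shown earlier in this message.

```python
"""Constructed example: build FreeRADIUS 'users' entries for MAB clients and
sanity-check the Access-Request a Cisco switch sends for them."""
import re
from typing import Dict, Optional

# Cisco IOS MAB puts the MAC in User-Name and User-Password as 12 lowercase
# hex digits with no separators (see "0015c5537baa" in the dump above).
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """00-15-C5-53-7B-AA, 00:15:c5:53:7b:aa, 0015.c553.7baa or 0015c5537baa
    all become 0015c5537baa, the form that must match the 'users' entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def users_entry(mac: str, vlan: int) -> str:
    """One 'users' entry: check items on the first line, reply items on
    indented lines, comma after every reply item except the last.
    Note MAB's limit: the MAC is both username and password and is trivially
    spoofed by a client, so the VLAN handed out should be a restricted one."""
    name = normalize_mac(mac)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    reply = [
        "Tunnel-Type:0 = VLAN",
        "Tunnel-Medium-Type:0 = IEEE-802",
        f'Tunnel-Private-Group-Id:0 = "{vlan}"',  # RFC 3580: the VLAN ID
    ]
    lines = [f'{name}\tCleartext-Password := "{name}"']
    lines += ["\t" + item + ("," if i < len(reply) - 1 else "")
              for i, item in enumerate(reply)]
    return "\n".join(lines) + "\n"


def parse_access_request(debug_text: str) -> Dict[str, str]:
    """Collect the 'Attr = value' lines that follow a 'rad_recv: Access-Request'
    header in radiusd -X output. The first non-attribute line ends the dump."""
    attrs: Dict[str, str] = {}
    in_packet = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        if not in_packet:
            continue
        m = re.match(r'^([\w-]+)\s*=\s*"?([^"]*)"?$', line)
        if not m:
            break
        attrs.setdefault(m.group(1), m.group(2))
    return attrs


def mab_mismatch(attrs: Dict[str, str]) -> Optional[str]:
    """None if the request is a well-formed Cisco MAB request, else the reason."""
    if attrs.get("Service-Type") != "Call-Check":
        return "not a MAB request (Service-Type is not Call-Check)"
    try:
        user = normalize_mac(attrs.get("User-Name", ""))
        csid = normalize_mac(attrs.get("Calling-Station-Id", ""))
    except ValueError as e:
        return str(e)
    if attrs.get("User-Password") != user:
        return "User-Password is not the MAC"
    if csid != user:
        return "Calling-Station-Id does not match User-Name"
    return None


# Constructed debug snippet in the shape of the dump above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=162
        User-Name = "0015c5537baa"
        User-Password = "0015c5537baa"
        Service-Type = Call-Check
        Called-Station-Id = "00-1B-8F-60-AB-8D"
        Calling-Station-Id = "00-15-C5-53-7B-AA"
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "GigabitEthernet0/13"
        NAS-IP-Address = 10.0.0.1
# Executing section authorize from file /etc/raddb/sites-enabled/default
"""

# Constructed inventory: MAC (any notation) -> VLAN to assign.
INVENTORY = {"00-15-C5-53-7B-AA": 20, "00:1b:8f:60:ab:8d": 20}

if __name__ == "__main__":
    print("".join(users_entry(m, v) for m, v in INVENTORY.items()))
    req = parse_access_request(SAMPLE_DEBUG)
    print("request ok" if mab_mismatch(req) is None else mab_mismatch(req))
```

Running it prints the `users` entries for the constructed inventory (with VLAN 20 in Tunnel-Private-Group-Id) followed by `request ok` for the sample dump; a request whose Calling-Station-Id does not agree with User-Name is reported instead of silently accepted.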