SQL MAC Authentication

Christopher Kuhn youarethehat at hotmail.com
Fri Dec 13 19:01:03 CET 2013


Hello,

I have a FreeRADIUS 2.1.10 server which is currently working as an authentication server on our wireless network. It is able to successfully use PEAP-MSCHAP and LDAP queries to an Active Directory database for authentication.

We have now been trying to implement MAC address authentication on the wired network, using a Cisco switch and this same FreeRADIUS server. The goal is to use a MySQL database of MACs to check against. However, testing so far has failed to auth the test machines.

The radius.radcheck table:

+----+--------------+--------------------+----+--------------+
| id | username     | attribute          | op | value        |
+----+--------------+--------------------+----+--------------+
|  1 | 28d2441b77c9 | Cleartext-Password | := | 28d2441b77c9 |
|  2 | aabbcc112233 | Cleartext-Password | := | aabbcc112233 |
+----+--------------+--------------------+----+--------------+

The debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 10.25.22.31 port 49181, id=0, length=118
        NAS-IP-Address = 10.25.22.31
        NAS-Port-Type = Ethernet
        NAS-Port = 76
        User-Name = "28d2441b77c9"
        Acct-Session-Id = "050004EE"
        Calling-Station-Id = "28-D2-44-1B-77-C9"
        EAP-Message = 0x0200001101323864323434316237376339
        Message-Authenticator = 0x0c1c468757ad8814bb6dae782e1ac927
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "28d2441b77c9", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 189
++[files] returns ok
[sql]   expand: %{User-Name} -> 28d2441b77c9
[sql] sql_set_user escaped user --> '28d2441b77c9'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '28d2441b77c9'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '28d2441b77c9'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '28d2441b77c9'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[ldap] performing user authorization for 28d2441b77c9
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=28d2441b77c9)
[ldap]  expand: DC=company,DC=tld -> DC=company,DC=tld
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.company.tld:636, authentication 0
  [ldap] setting TLS mode to 1
  [ldap] bind as [redacted]
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=company,DC=tld, with filter (sAMAccountName=28d2441b77c9)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.25.22.31 port 49181
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8246357d82472c193c76c7709d2aae65
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.22.31 port 49181, id=0, length=153
Cleaning up request 1 ID 0 with timestamp +37
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x8246357d82472c19 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        NAS-IP-Address = 10.25.22.31
        NAS-Port-Type = Ethernet
        NAS-Port = 76
        User-Name = "28d2441b77c9"
        Acct-Session-Id = "050004EE"
        State = 0x8246357d82472c193c76c7709d2aae65
        Calling-Station-Id = "28-D2-44-1B-77-C9"
        EAP-Message = 0x020100220410ab090564f0a81fef7cc5fa4ad743a959323864323434316237376339
        Message-Authenticator = 0xb33f92e3651c00e500fe3b5722276082
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "28d2441b77c9", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 189
++[files] returns ok
[sql]   expand: %{User-Name} -> 28d2441b77c9
[sql] sql_set_user escaped user --> '28d2441b77c9'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '28d2441b77c9'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '28d2441b77c9'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '28d2441b77c9'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[ldap] performing user authorization for 28d2441b77c9
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=28d2441b77c9)
[ldap]  expand: DC=company,DC=tld -> DC=company,DC=tld
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=company,DC=tld, with filter (sAMAccountName=28d2441b77c9)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Response appears to match, but EAP type is wrong.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [28d2441b77c9] (from client test-switch port 76 cli 28-D2-44-1B-77-C9)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 28d2441b77c9
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 0 to 10.25.22.31 port 49181

What I do not understand:
1) Why does finding the user in SQL not seem to count for authentication (is it supposed to return updated)?
2) Why does FreeRADIUS continue on to try LDAP, even showing it as the exclusive reason for failure?
3) What am I missing that will cause an Access-Accept if a user is found in SQL?

I hope you can forgive a first-timer for any relevant information I have left out. Any feedback you can give is greatly appreciated.
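The debug output above prints the raw EAP-Message values. As an added example (not part of the original post or of FreeRADIUS itself), this Python helper decodes those values per RFC 3748 so one can see which EAP method each side is speaking, and normalises the Calling-Station-Id to the separator-free username form used in the radcheck table above.

```python
import re

# Code and Type names from RFC 3748 (plus the TLS/PEAP/MSCHAPv2 method numbers).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hexstr):
    """Parse one EAP packet given as the 0x... EAP-Message value printed by radiusd -X."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP Length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        etype = data[4]
        payload = data[5:]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                            # Identity: bare username / NAI
            info["identity"] = payload.decode("ascii", "replace")
        elif etype == 4 and payload:              # MD5-Challenge: Value-Size, Value, Name
            size = payload[0]
            info["md5_value"] = payload[1:1 + size].hex()
            info["name"] = payload[1 + size:].decode("ascii", "replace")
        elif etype in (13, 25) and payload:       # TLS / PEAP: first byte is Flags
            info["flags"] = payload[0]
            info["start"] = bool(payload[0] & 0x20)  # S bit = "Start" message
    return info


def mac_to_radcheck_username(calling_station_id):
    """Normalise a Calling-Station-Id such as 28-D2-44-1B-77-C9 to the lowercase,
    separator-free form used as username in the radcheck table above."""
    mac = re.sub(r"[^0-9a-f]", "", calling_station_id.lower())
    if len(mac) != 12:
        raise ValueError(f"not a 48-bit MAC: {calling_station_id!r}")
    return mac


if __name__ == "__main__":
    # The three EAP-Message values taken from the debug output above.
    for msg in ("0x0200001101323864323434316237376339",
                "0x010100061920",
                "0x020100220410ab090564f0a81fef7cc5fa4ad743a959323864323434316237376339"):
        print(decode_eap(msg))
    print(mac_to_radcheck_username("28-D2-44-1B-77-C9"))
```

Decoded, the first message is an EAP Identity response carrying the MAC, the server's reply is a PEAP Start, and the client's second message is an EAP-MD5 response, which is the type mismatch the [eap] module reports.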
