MAC Auth Bypass and LDAP

Alan DeKok aland at
Tue Apr 7 15:56:24 CEST 2015

On Apr 7, 2015, at 9:18 AM, Brendan Kearney <bpk678 at> wrote:
> i am running v3.0.3 on Fedora 20.  i have found the wiki article for MAC
> Auth, but that is for v2.x and a lot has changed from v2 to v3.

  Most of the changes are just re-arrangements of the files.  See this URL for details:

>  because
> i am looking to leverage ldap lookups for MAC Auth Bypass, the info in
> the wiki does not seem applicable.  where do i start looking for info
> around MAC Auth Bypass and ldap?  the ldap module does not have anything
> that i am able to see as appropriate.  i would like to avoid using the
> files module, as the mac address info, etc is in my ldap already.

  That's fine.  You can use LDAP.  But as always, the details are key.

  What is in LDAP?  What does your schema look like?  What does an LDAP query look like?

  To be honest, you can just write LDAP queries in the configuration:

	if ("%{ldap:ldap stuff...}") {
		# allow
	}

  There's no magic.  Just get an LDAP query to see if the MAC is authorized, and put it into the "authorize" section.  Then, if the user is authorized, allow them.  Otherwise, reject them.

> once i get MAB working, i want to begin assigning the VLAN based on MAC
> class or address.  is the MAC the right data point to make that
> determination?

>  i see the desire to have full .1x use dynamic VLAN
> assignment, too, so i want to make sure the decisions are not counter to
> each other.

  Then make the decisions separately.  And do the MAC AUTH lookups in LDAP *only* if there's no EAP-Message attribute:

	if (!EAP-Message && ("%{ldap:...}")) {
		# allow
	}

  The key is again in the details. Be sure that the MAC auth bypass code is run ONLY for MAC auth bypass packets.  Look at the packets.  Read the debug output.  See what makes them different from other packets.  Then, write checks that look for those differences.

> i am ultimately looking to have full .1x, with MAC Auth Bypass as a
> fallback, and in either case (or both, if that could/should be) have the
> VLAN assigned based on the outcome of the auth (or auth bypass).  my
> logic would be:
> if the device passes .1x, the device is assigned to VLAN_X.

  That's easy.

> if the device fails .1x, the device is assigned to VLAN_Z.

  That's less easy.  It won't work for WiFi.  It can work for wired 802.1X, but it requires some hacks which are complex.  Leave it for the last thing.

> if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is
> known and is in ldap), the device is assigned to VLAN_Y.
> if the device cannot do .1x and fails MAC Auth Bypass, the device is
> assigned to VLAN_Z.

  That's easy:

	if (!EAP-Message) {
		if ("%{ldap:...}") {
			# assign to VLAN_Y
		}
		else {
			# assign to VLAN_Z
		}
	}
	else {
		# 802.1X stuff
	}

  It's really a matter of writing down what you want in English.  And then translating that to if / then / else statements.

  Alan DeKok.
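As an added worked example, not from Alan's reply or the FreeRADIUS project, the if / then / else above expanded into full unlang that keeps the MAB and 802.1X decisions separate and sets the RFC 3580 VLAN attributes in the reply. It assumes rlm_ldap is configured, that the switch sends the MAC in Calling-Station-Id, and that the base DN `ou=devices,dc=example,dc=com`, the `macAddress` attribute and the VLAN IDs 100/200/300 are placeholders for your own directory and switch.

```unlang
# Added example (not from the original reply): FreeRADIUS 3.0.x
# sites-enabled/default.  Placeholders: the LDAP base DN, the
# "macAddress" attribute and the VLAN IDs 100/200/300.
authorize {
	# Normalise Calling-Station-Id to aa-bb-cc-dd-ee-ff; NAS vendors
	# format the MAC differently (policy.d/canonicalization, 3.0.x).
	rewrite_calling_station_id
	if (!EAP-Message) {
		# No EAP-Message: MAC Auth Bypass.  Many switches also send
		# Service-Type = Call-Check for MAB; check debug output and tighten.
		if ("%{ldap:ldap:///ou=devices,dc=example,dc=com?macAddress?sub?(macAddress=%{Calling-Station-Id})}") {
			# Known MAC: accept without a password, VLAN_Y.
			update control {
				Auth-Type := Accept
			}
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "200"
			}
		}
		else {
			# Unknown MAC: restricted VLAN_Z, as the thread describes.
			# Use "reject" here if no quarantine network exists.
			update control {
				Auth-Type := Accept
			}
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "300"
			}
		}
	}
	else {
		# EAP-Message present: ordinary 802.1X via the eap module.
		eap
	}
}
post-auth {
	# 802.1X success: VLAN_X.  MAB replies already carry a VLAN.
	if (EAP-Message && !reply:Tunnel-Private-Group-Id) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"
		}
	}
}
```

Run `radiusd -X` and confirm that a MAB request and an EAP request take the two different branches before relying on the VLAN assignment.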
