MAC Auth Bypass and LDAP

Brendan Kearney bpk678 at
Tue Apr 7 19:39:55 CEST 2015

On Tue, 2015-04-07 at 09:56 -0400, Alan DeKok wrote:
> On Apr 7, 2015, at 9:18 AM, Brendan Kearney <bpk678 at> wrote:
> > i am running v3.0.3 on Fedora 20.  i have found the wiki article for MAC
> > Auth, but that is for v2.x and a lot has changed from v2 to v3.
>   Most of the changes are just re-arrangements of the files.  See this URL for details:
> >  because
> > i am looking to leverage ldap lookups for MAC Auth Bypass, the info in
> > the wiki does not seem applicable.  where do i start looking for info
> > around MAC Auth Bypass and ldap?  the ldap module does not have anything
> > that i am able to see as appropriate.  i would like to avoid using the
> > files module, as the mac address info, etc is in my ldap already.
>   That's fine.  You can use LDAP.  But as always, the details are key.
>   What is in LDAP?  What does your schema look like?  What does an LDAP query look like?
everything, but the kitchen sink.  i have the macAddress attribute from
the ieee802Device class, the dhcpHWAddress from the dhcpHost class and i
use the mac address and dhcp-client-identifier as a cn in the
dhcpSubClass class.

macAddress/ieee802Device - generally used for objects in the Computers
OU, and those devices are servers or statically assigned IPs.
query: ldapsearch -LLL -h server1 -b ou=Computers,dc=bpk2,dc=com
'(objectclass=ieee802Device)' macAddress

dhcpHWAddress/dhcpHost - host definition data (ethernet address,
dhcp-client-identifier, ddns-hostname) that is generally used to
identify which dhcp pool to put the device into (i assign different
ranges in a subnet based on proxy-able, unproxy-able and unknown).
query: ldapsearch -LLL -h server1 -b ou=DHCP\ Hosts,cn=DHCP\
Config,ou=Daemons,dc=bpk2,dc=com '(objectclass=dhcpHost)' dhcpHWAddress

cn/dhcpSubClass - used to specify which pool a device's address belongs
to.  usually has both mac address and dhcp-client-identifier.  i am
thinking about using this for radiusprofile attributes for vlan
assignment, but may move it somewhere else.
query: ldapsearch -LLL -h server1 -b ou=DHCP\ SubClasses,cn=DHCP\
Config,ou=Daemons,dc=bpk2,dc=com '(objectclass=dhcpSubClass)' cn

note, the queries return all values.  i am figuring i need to create a
query that finds just the one mac address that is being evaluated.

>   To be honest, you can just write LDAP queries in the configuration:
> 	if ("%{ldap:ldap stuff...}") {
> 		# allow
> 	}
>   There's no magic.  Just get an LDAP query to see if the MAC is authorized, and put it into the "authorize" section.  Then, if the user is authorized, allow them.  Otherwise, reject them.
good to know.  i'll start there.

> > once i get MAB working, i want to begin assigning the VLAN based on MAC
> > class or address.  is the MAC the right data point to make that
> > determination?
>   Yes.
> >  i see the desire to have full .1x use dynamic VLAN
> > assignment, too, so i want to make sure the decisions are not counter to
> > each other.
>   Then make the decisions separately.  And do the MAC AUTH lookups in LDAP *only* if there's no EAP-Message attribute:
> 	if (!EAP-Message && "%{ldap:...}") {
> 		# allow
> 	}
i assume this is still in the "authorize" section?

>   The key is again in the details. Be sure that the MAC auth bypass code is run ONLY for MAC auth bypass packets.  Look at the packets.  Read the debug output.  See what makes them different from other packets.  Then, write checks that look for those differences.
> > i am ultimately looking to have full .1x, with MAC Auth Bypass as a
> > fallback, and in either case (or both, if that could/should be) have the
> > VLAN assigned based on the outcome of the auth (or auth bypass).  my
> > logic would be:
> > if the device passes .1x, the device is assigned to VLAN_X.
>   That's easy.
> > if the device fails .1x, the device is assigned to VLAN_Z.
>   That's less easy.  It won't work for WiFi.  It can work for wired 802.1X, but it requires some hacks which are complex.  Leave it for the last thing.
curious, why won't it work for wifi, and what can be done around that?

> > if the device cannot do .1x, and passes MAC Auth Bypass (i.e. the MAC is
> > known and is in ldap), the device is assigned to VLAN_Y.
> > if the device cannot do .1x and fails MAC Auth Bypass, the device is
> > assigned to VLAN_Z.
>   That's easy:
> 	if (!EAP-Message) {
> 		if ("%{ldap:...}") {
> 			# assign to VLAN_Y
> 		}
> 		else {
> 			# assign to VLAN_Z
> 		}
> 	}
> 	else {
> 		# 802.1X stuff
> 	}
>   It's really a matter of writing down what you want in English.  And then translating that to if / then / else statements.
>   Alan DeKok.
looks like i have my research and testing identified.  thanks.
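Putting Alan's two fragments together (the LDAP check in "authorize" and the MAB-vs-802.1X if/else), as an added example that is not from either poster; it also shows the per-MAC LDAP query Brendan says he still needs instead of listing every ieee802Device. It assumes the switch sends MAB requests without an EAP-Message and with the MAC in Calling-Station-Id, that macAddress under ou=Computers is stored as colon-separated lowercase hex, and that the VLAN ids are placeholders.

```unlang
# Added example (not from the thread): MAC Auth Bypass with a per-MAC LDAP
# lookup, for the "authorize" section of a v3 site.  Assumptions: no
# EAP-Message means MAB; the MAC is in Calling-Station-Id; macAddress is
# stored as aa:bb:cc:dd:ee:ff; "20"/"30" are placeholder VLAN ids.
authorize {
	preprocess

	if (!EAP-Message) {
		# MAB request.  Switches send the MAC as aa-bb-cc-dd-ee-ff,
		# aabb.ccdd.eeff or AA:BB:CC:DD:EE:FF, so normalise it to the
		# form stored in LDAP before building the filter.
		if (Calling-Station-Id =~ /^([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})$/i) {
			update request {
				Tmp-String-0 := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
			}
		}

		# Look up exactly this one MAC; the xlat expands to the matching
		# macAddress value, or to an empty string when there is no entry.
		if (Tmp-String-0 && "%{ldap:ldap:///ou=Computers,dc=bpk2,dc=com?macAddress?sub?(&(objectClass=ieee802Device)(macAddress=%{Tmp-String-0}))}") {
			update control {
				Auth-Type := Accept
			}
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "20"   # VLAN_Y: known MAC
			}
		}
		else {
			# Unknown or malformed MAC: still Accept, but only into the
			# restricted VLAN_Z, so the switch isolates the port.
			update control {
				Auth-Type := Accept
			}
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "30"   # VLAN_Z: unknown MAC
			}
		}
	}
	else {
		# 802.1X: the eap module takes over; VLAN_X is set in post-auth
		# after EAP succeeds.
		eap
	}
}
```

Run the server with -X and confirm in the debug output that only the EAP-less requests take the MAB branch and that the LDAP filter contains the normalised MAC.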
