how to setup MAC based authentication with LDAP
Thomas Stather
Thomas.Stather at mpimf-heidelberg.mpg.de
Tue May 12 11:51:02 CEST 2015
Hello again
I have this (LDAP string has been modified because of security considerations)
server macauth {
	authorize {
		preprocess
		# clean the Calling-Station-ID
		rewrite_calling_station_id
		# now authenticate against LDAP
		if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
			reject
		}
		else {
			# accept
			update control {
				Auth-Type := Accept
			}
		}
	}
	authenticate {
		Auth-Type LDAP {
			ldap
		}
	}
}
When I try with
echo "Calling-Station-Id=f0:1f:af:35:c8:02" | radclient -s localhost:1812 auth radiusTest2015
I get an access-accept reply.
If I set up my AP and try to connect with a client whose MAC address is in LDAP, I get:
Ready to process requests
(2) Received Access-Request Id 9 from xxxxxxxxxx:44620 to xxxxxxxxxx:1812 length 167
(2) User-Name = 'user'
(2) NAS-IP-Address = xxxxxxxxxxxx
(2) NAS-Identifier = '0418d66a5934'
(2) NAS-Port = 0
(2) Called-Station-Id = '0A-18-D6-6B-59-34:test'
(2) Calling-Station-Id = '30-75-12-EE-63-AA'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 0Mbps 802.11b'
(2) EAP-Message = 0x0276000d017473746174686572
(2) Message-Authenticator = 0x708c606acafcf02e4706c7729288354f
(2) # Executing section authorize from file /etc/raddb/sites-enabled/macauth
(2) authorize {
(2) [preprocess] = ok
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(2) update request {
(2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2) --> 30:75:12:ee:63:aa
(2) &Calling-Station-Id := "30:75:12:ee:63:aa"
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated
(2) ... skipping else for request 2: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}"){
rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 103 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 103 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 155 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You probably need to increase "spare"
rlm_ldap (ldap): Opening additional connection (8)
rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (8)
(2) Performing search in 'ou=hosts,dc=.......' with filter '(&(objectClass=ieee802Device)(macAddress=30:75:12:ee:63:aa))', scope 'sub'
(2) Waiting for search result...
rlm_ldap (ldap): Released connection (8)
rlm_ldap (ldap): 0 of 1 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (9)
rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(2) EXPAND %{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}
(2) --> test01.mydomain.local
(2) if (!"%{ldap:ldaps:///ou=hosts,dc=ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE
(2) else {
(2) update control {
(2) Auth-Type := Accept
(2) } # update control = noop
(2) } # else = noop
(2) } # authorize = updated
(2) Found Auth-Type = Accept
(2) Auth-Type = Accept, accepting the user
(2) Sent Access-Accept Id 9 from xxxxxxxxxx:1812 to xxxxxxxxxx:44620 length 20
(2) Finished request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(2) <done>: Cleaning up request packet ID 9 with timestamp +247
Ready to process requests
Is this OK from the RADIUS side? Because I still cannot get any connection using Wi-Fi (no DHCP request), and when using Windows 7 I even get prompted for my credentials.
What am I doing wrong?
Best,
Thomas
On 16.04.15 06:16 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather at mpimf-heidelberg.mpg.de> wrote:
> > I tried to set it up but I failed
>
> Following directions helps. Reading the debug output helps.
>
> > if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
>
> Is that a valid LDAP query? Probably not.
>
> > radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)
>
> Which doesn't send a Calling-Station-Id attribute.
>
> > Ready to process requests
> > (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103
> > (0) User-Name = 'f0-1f-af-35-c8-10'
> > (0) User-Password = 'f0-1f-af-35-c8-10'
> > (0) NAS-IP-Address = 192.168.1.1
> > (0) NAS-Port = 10
> > (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418
> > (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
>
> And there's no Calling-Station-Id in the packet. How do you expect to use policies based on Calling-Station-Id when it's not in the packet?
>
> See "man radclient". Or even read the "radtest" script. It's a shell script. You need to *explicitly* add a Calling-Station-Id attribute to the packet.
>
> ...
> Calling-Station-Id = f0-1f-af-35-c8-10
> ...
>
> Read the debug output for packets sent by the NAS. Use them as a template, and create files which radclient will read. You will then be sure that your tests match the packets sent by the NAS.
>
> > What have I done wrong?
>
> I had given detailed instructions in my previous message. Following them would be a good idea.
>
> > And additionally, how can I define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
>
> You should write an LDAP query that uses "ou=hosts".
>
> I told you to write an LDAP query, and test it via "ldapsearch". You seem to have skipped that step. Why?
>
> Alan DeKok.
>
>
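The steps this thread walks through (normalize Calling-Station-Id the way rewrite_calling_station_id does, put it into the LDAP filter, and build radclient test input from the NAS's own attribute dump as Alan suggests) as an added Python example; this is not code from the post, from FreeRADIUS or from rlm_ldap. The sample attribute lines are reconstructed from request (2) above, with the redacted NAS address replaced by an assumed 192.0.2.10. Two points the debug output does not spell out: Calling-Station-Id is chosen by the client, and the policy only rewrites values that match its MAC regex, so the value should be escaped per RFC 4515 before it lands in a filter (rlm_ldap's xlat is assumed to do this for expanded attributes; the escape function here shows what that has to cover). And decoding EAP-Message shows that request (2) is an EAP Response/Identity from "tstather", i.e. the access point is running 802.1X rather than MAC authentication.

```python
"""Offline checks for a FreeRADIUS MAC-auth policy (added example).

Not FreeRADIUS code. SAMPLE_DEBUG is constructed from the request (2)
dump in the thread; 192.0.2.10 is an assumed stand-in for the redacted NAS.
"""
import re

SAMPLE_DEBUG = """\
(2) User-Name = 'user'
(2) NAS-IP-Address = 192.0.2.10
(2) NAS-Identifier = '0418d66a5934'
(2) NAS-Port = 0
(2) Called-Station-Id = '0A-18-D6-6B-59-34:test'
(2) Calling-Station-Id = '30-75-12-EE-63-AA'
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 0Mbps 802.11b'
(2) EAP-Message = 0x0276000d017473746174686572
(2) Message-Authenticator = 0x708c606acafcf02e4706c7729288354f
"""

ATTR_RE = re.compile(r"^\(\d+\)\s+([\w-]+)\s+=\s+(.*)$")

def parse_debug(text):
    """Return {attribute: value} from 'radiusd -X' attribute lines."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]          # string values are quoted in the dump
        attrs[name] = value
    return attrs

# Same shape as the rewrite_calling_station_id policy: six hex octets,
# any case, with an optional non-hex separator between them.
MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[^0-9a-f]?" * 5 + r"([0-9a-f]{2})$", re.I)

def normalize_mac(value):
    """Lowercase colon-separated MAC, or None when the value is not a MAC.

    The policy leaves non-matching values untouched, so a caller must not
    assume the attribute is clean just because the policy ran.
    """
    m = MAC_RE.match(value)
    return ":".join(o.lower() for o in m.groups()) if m else None

def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def mac_filter(mac):
    """The thread's filter, with the client-supplied value escaped."""
    return "(&(objectClass=ieee802Device)(macAddress=%s))" % ldap_filter_escape(mac)

def decode_eap(hexvalue):
    """(code, identifier, type, payload) from an EAP-Message (RFC 3748 s.4)."""
    data = bytes.fromhex(hexvalue[2:] if hexvalue.startswith("0x") else hexvalue)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length < 4 or length != len(data):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(data)))
    eap_type = data[4] if length > 4 else None
    return code, ident, eap_type, bytes(data[5:length])

def classify(attrs):
    """('eap', identity) for an 802.1X request, ('mac', None) otherwise.

    An EAP request expects the conversation to end with EAP-Success inside
    the Access-Accept; a bare Access-Accept does not finish it.
    """
    if "EAP-Message" not in attrs:
        return "mac", None
    code, _ident, eap_type, payload = decode_eap(attrs["EAP-Message"])
    identity = payload.decode("utf-8", "replace") if (code, eap_type) == (2, 1) else None
    return "eap", identity

def radclient_input(attrs, keep=("User-Name", "NAS-IP-Address", "NAS-Port",
                                 "NAS-Port-Type", "Calling-Station-Id",
                                 "Called-Station-Id")):
    """radclient attribute list built from the NAS's packet, so the test
    packet carries the same attributes the server sees in production."""
    lines = []
    for name in keep:
        if name in attrs:
            v = attrs[name]
            v = '"%s"' % v if re.search(r"[\s,]", v) else v
            lines.append("%s = %s" % (name, v))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    attrs = parse_debug(SAMPLE_DEBUG)
    kind, identity = classify(attrs)
    mac = normalize_mac(attrs["Calling-Station-Id"])
    print("request kind:", kind, "EAP identity:", identity)
    print("LDAP filter:", mac_filter(mac) if mac else "(skipped: value is not a MAC)")
    print("radclient input:\n" + radclient_input(attrs))
```

Pipe the `radclient_input` output into `radclient -x localhost:1812 auth <secret>` to repeat the server-side test with the NAS's attribute set rather than a hand-typed Calling-Station-Id, and run the printed filter through `ldapsearch -b ou=hosts,...` to confirm the directory side independently of the server. A filter hit identifies a device, not a user: MAC addresses are trivially spoofed, so this is access control by identification rather than authentication.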