freeradius with Active Directory via winbind or MAC address access

Alan DeKok aland at deployingradius.com
Wed Nov 29 18:20:19 CET 2017


On Nov 29, 2017, at 12:11 PM, Vieri via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I need to configure all my switches to query a freeradius server in order to allow/deny wired hosts to connect to the network.
> Most wired clients implement 802.1x+peap, but some don't. My goal is to allow clients that can authenticate their users with AD, and also allow clients that fail to authenticate or cannot do so as long as their MAC addresses are in a DB or plain text file.

  Again... look at the debug output.

> Here's the missing part:
> 
> FreeRADIUS Version 3.0.14
...
> 
> Ready to process requests

  No, that is NOT what I said to do.  Look at the *ACCESS-REQUEST PACKETS COMING IN TO THE SERVER*.

>> Which is fine, because it's not a MAC auth packet.
> 
> Incidentally, and please forgive my novice question, I'm wondering if most Radius clients can send MAC auth packets. In other words, can a Windows 7/10 wired client be authorized to access a network through a switch which in turn calls freeradius, but only based on its MAC address (if user auth fails) ie. can its MAC address be checked? If the native OS can't, would it be possible to use a third-party radius client?

  The Windows box doesn't send RADIUS packets.  The switch sends RADIUS packets.

>> So... when do you want it to do AD auth?
>> i.e. what is in the *Access-Request packet* that lets you know it should do AD auth? 
> 
> Again, forgive my ignorance, but I'll take a wild guess here:
> User-Name and User-Password?

  <sigh>  The information is in front of you, in the debug output, in the Access-Request packet.

  Go look at that.  Stop guessing.  Stop doing everything *else*, and follow instructions.

> In sites-enabled/default I have this in the authorize section:
> 
> rewrite_calling_station_id
> if (!EAP-Message) {
>     authorized_macs
> 
>     if (!ok) {
>         reject
>     }
>     else {
>         update control {
>             Auth-Type := Accept
>         }
>     }
> }

  That doesn't work at all for a host of reasons.  And none of the guides say to do that.

  You can't just make random changes and hope it works.  You have to understand what's going on.

  As a hint: you can't just set "Auth-Type := Accept" for EAP packets.  It won't work.

  Again... do what I said in my previous message.  Write it down in plain English.  Use example attributes from the Access-Request packets... that you see from running the server in debugging mode.

> I guess my else { eap } clause is wrong or incomplete.

  Don't guess.  READ THE DEBUG OUTPUT.

  Honestly, this isn't difficult.  If you read the debug output, it will tell you what it's doing, why, and what's going on.

> I think I'll first try to configure freeradius with just Active Directory. I first saw this guide:
> http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
> I then went for the winbind setup instead of using ntlm_auth, but I believe the only difference in this guide is in the mods-available/eap setup, ie.
> default_eap_type = peap
> 
> 
>> Expand that with the *detailed packet contents*, as seen in the debug output.  If you're not sure, post them here.
> 
> What do you mean by *detailed packet contents*?

  The Access-Request packets that the server receives.

> Should I run something like radiusd -Xxxx?

  Did I say to do that?  No...

  How do you expect to debug packet processing when you post the debug output that contains no packet processing?

  Alan DeKok.
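The whole thread turns on one thing: reading the Access-Request packets in the `radiusd -X` output and seeing which attributes the switch actually sent. The script below is an added example, not code from the thread or from the FreeRADIUS project. It pulls each Access-Request out of debug output and classifies it the way the server has to: a packet carrying EAP-Message is 802.1X/EAP and must go to the `eap` module (setting Auth-Type := Accept on it does not work); a packet with no EAP-Message whose User-Name is the same MAC as Calling-Station-Id is what a switch sends for MAC-auth fallback, and that is the packet `authorized_macs` is for. The debug-line format is assumed from FreeRADIUS 3.0.x output, and the sample debug text is constructed for the example; the script only identifies the packet type, it does not replace the MAC whitelist lookup itself.

```python
import re

# Constructed sample of "radiusd -X" output (FreeRADIUS 3.0.x style): one
# PEAP start from a Windows client behind the switch, then a MAC-auth
# fallback from the same port. Made up for this example, not real capture.
SAMPLE_DEBUG = """\
Ready to process requests
(0) Received Access-Request Id 17 from 192.0.2.10:1024 to 192.0.2.1:1812 length 167
(0)   User-Name = "jdoe"
(0)   NAS-IP-Address = 192.0.2.10
(0)   NAS-Port = 12
(0)   Calling-Station-Id = "00-11-22-33-44-55"
(0)   EAP-Message = 0x0201000a016a646f65
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) Received Access-Request Id 18 from 192.0.2.10:1024 to 192.0.2.1:1812 length 121
(1)   User-Name = "001122334455"
(1)   User-Password = "001122334455"
(1)   NAS-IP-Address = 192.0.2.10
(1)   NAS-Port = 12
(1)   Calling-Station-Id = "00-11-22-33-44-55"
(1)   Service-Type = Call-Check
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
"""

# "(N) Received <Code> Id <id> from <client> to <server> ..."
RECV_RE = re.compile(r'^\((\d+)\) Received (\S+) Id (\d+) from (\S+) to (\S+)')
# "(N)   Attribute-Name = value"  (the packet's attribute dump)
ATTR_RE = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+) (=|:=|\+=|==) (.*)$')


def parse_access_requests(debug_text):
    """Return one dict per Access-Request in the debug text, with the request
    number, the client (switch) address and the attributes in packet order."""
    packets = []
    current = None
    for line in debug_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = None
            if m.group(2) == "Access-Request":
                current = {"num": int(m.group(1)), "client": m.group(4), "attrs": []}
                packets.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m and int(m.group(1)) == current["num"]:
            current["attrs"].append((m.group(2), m.group(4).strip('"')))
        else:
            current = None  # first non-attribute line ends the packet dump
    return packets


def normalise_mac(value):
    """Strip separators and lowercase, so 00-11-22-33-44-55, 001122334455 and
    0011.2233.4455 compare equal (what rewrite_calling_station_id achieves).
    Returns None when the value is not twelve hex digits."""
    digits = re.sub(r'[^0-9a-fA-F]', '', value).lower()
    return digits if len(digits) == 12 else None


def classify(packet):
    """'eap' if the packet carries EAP-Message (must go to the eap module),
    'mac-auth' if User-Name is the caller's MAC, otherwise 'other'."""
    attrs = dict(packet["attrs"])
    if "EAP-Message" in attrs:
        return "eap"
    mac = normalise_mac(attrs.get("Calling-Station-Id", ""))
    user = normalise_mac(attrs.get("User-Name", ""))
    if mac and user and mac == user:
        return "mac-auth"
    return "other"


def summarise(debug_text):
    """One (request number, client, class, User-Name) tuple per Access-Request."""
    return [(p["num"], p["client"], classify(p), dict(p["attrs"]).get("User-Name"))
            for p in parse_access_requests(debug_text)]


if __name__ == "__main__":
    for num, client, kind, user in summarise(SAMPLE_DEBUG):
        print(f"({num}) from {client}: {kind:8s} User-Name={user!r}")
```

Feed it real output with `radiusd -X > debug.log` and `python3 classify.py < debug.log` after replacing `SAMPLE_DEBUG` with `sys.stdin.read()`. The MAC-auth packet is recognisable by what is absent (no EAP-Message) and by User-Name equalling Calling-Station-Id; that is the condition the `authorize` section has to test before calling `authorized_macs`, and it is the switch, not the Windows host, that decides to send it.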
