Authorized MAC users stopped authenticating

R.Geller rg1 at robertgeller.net
Thu Jan 4 06:06:16 CET 2018


Hi Alan,

I blew away all my configs, and am running vanilla 3.0.13 from yum install.  I
am using out-of-the-box configs, and created users and clients files.  I
created certificate files, and I also tested with eapol_test


I can authenticate with windows 10 client with no issues at this point.  I
created certificates based on README instructions with new install, and
verified that I can connect with eap_test using ttls-eap-mschapv2 and
others (ttls-pap)...

At this point, I would like to lock down the authentication so that either
the client cert is required, or authorized MAC.  I did configure the
authorized mac previously which was working, but stopped working, and I
think the reason it stopped working prior had nothing to do with the MAC
configs, but because the CA/CERTs I created expired.  They are not expired
now since I created them with a new EXPIRE date, but what is happening is
that the clients/supplicant I am testing with can authenticate without the
root/client certs installed.  I would rather authenticate with
certificates, and not rely on authorized MACs at this point...

Can you point me in the direction of how to configure the radius server to
only authenticate if the client certificate is installed?

Thanks in advance...

-Rob




>
> I'm Running 3.0.13 for a while now.  I set it up to support cert
> authentication, as well as authorized MACs.  I didn't deploy any clients
> using certs, only set up with user/pass and authorized MACs.

  It may be good then to disable EAP.  Especially if you're not using it.

> Sometime last week, users couldn't authenticate.  I see errors in debug
> stated there are 2 auth types, I can see the MAC auth is working, but users
> are failing to authenticate because of EAP failure.  At this point, I want
> to be able to use both MAC / user+pass auth, and if in the future we decide
> to deploy certs, then allow that too.  If we need to disable EAP or certs
> to get this working, that is an option too.  Not sure why it stopped
> working out of the blue.  The radius server hasn't been touched since the
> initial working config.

  If the RADIUS server didn't change, then something else did.

> Any ideas?
>
>
> (0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812
> length 218
> (0)   User-Name = "rbadani"
> (0)   NAS-Identifier = "pakedge"
> (0)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Service-Type = Framed-User
> (0)   NAS-Port = 0
> (0)   Calling-Station-Id = "34-F3-9A-86-59-57"
> (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (0)   Acct-Session-Id = "196EB9DAB87DC1A9"
> (0)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
> (0)   WLAN-Pairwise-Cipher = 1027076
> (0)   WLAN-Group-Cipher = 1027076
> (0)   WLAN-AKM-Suite = 1027073
> (0)   Framed-MTU = 1400
> (0)   EAP-Message = 0x02e1000c0172626164616e69

  Is this user supposed to be doing EAP?  If so, fix your configuration to
allow EAP and MAC auth.

  If not... talk to the user and ask him what he thinks he's doing.


> (0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
> (0)     [authorized_macs] = ok
> (0)     if (!ok) {
> (0)     if (!ok)  -> FALSE
> (0)     else {
> (0)       update control {
> (0)         Auth-Type := Accept

  You can't do this for EAP.

  Your "allow MAC auth" rule has to check for EAP, too.  i.e. do:

        authorized_macs
        if (!ok) {
                reject  # reject unauth MACs, even if they do EAP
        }

        if (!EAP-Message) {
                update control {
                        Auth-Type := Accept
                }
        }

> (0) Found Auth-Type = Accept
> (0) Found Auth-Type = eap
> (0) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'

  Exactly.  The default configuration doesn't have this error.  So it's
something you added locally.

> (2) eap: Peer sent packet with method EAP PEAP (25)

  Is the user supposed to be doing PEAP?

  Alan DeKok.
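Added here as an illustration of the point made above, not code from the thread or from FreeRADIUS itself: a small Python model of the authorize flow (the module behaviour is simplified and assumed) run over a request constructed from the debug output, showing that the original "always Accept" rule ends with two Auth-Types while the corrected "only when there is no EAP-Message" rule leaves exactly one.

```python
# Model of the authorize-section logic discussed in the thread. It is not
# FreeRADIUS code; the module behaviour below is a simplified assumption.

AUTHORIZED_MACS = {"34-F3-9A-86-59-57"}   # constructed list, mirrors the debug output

# Constructed request, attributes taken from the Access-Request in the debug.
REQUEST_EAP = {
    "User-Name": "rbadani",
    "Calling-Station-Id": "34-F3-9A-86-59-57",
    "EAP-Message": bytes.fromhex("02e1000c0172626164616e69"),
}
# Same MAC, but a plain (non-EAP) request, as MAC auth alone would send.
REQUEST_MAC_ONLY = {"User-Name": "34-F3-9A-86-59-57",
                    "Calling-Station-Id": "34-F3-9A-86-59-57"}


def authorized_macs(request):
    """Model of the files-based authorized_macs module: ok if the MAC is listed."""
    return "ok" if request.get("Calling-Station-Id") in AUTHORIZED_MACS else "notfound"


def eap_module(request, control):
    """Model of eap in authorize: when an EAP-Message is present it adds
    Auth-Type = eap without regard to any Auth-Type already set."""
    if "EAP-Message" in request:
        control.setdefault("Auth-Type", []).append("eap")
        return "ok"
    return "noop"


def run_authorize(request, check_eap_before_accept):
    """Run the MAC rule and then eap, like the authorize section.
    Returns 'reject', the single Auth-Type found, or an error string
    when more than one Auth-Type ends up in the control list."""
    control = {}
    if authorized_macs(request) != "ok":
        return "reject"                      # unauthorised MAC, even if it does EAP
    # Original rule: always Accept.  Corrected rule: only when no EAP-Message.
    if not check_eap_before_accept or "EAP-Message" not in request:
        control.setdefault("Auth-Type", []).append("Accept")
    eap_module(request, control)
    types = control.get("Auth-Type", [])
    if len(types) > 1:
        return "error: found %d auth-types" % len(types)
    return types[0] if types else "no Auth-Type"


if __name__ == "__main__":
    print(run_authorize(REQUEST_EAP, check_eap_before_accept=False))
    print(run_authorize(REQUEST_EAP, check_eap_before_accept=True))
```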


More information about the Freeradius-Users mailing list