Authorized MAC users stopped authenticating

Alan DeKok aland at deployingradius.com
Thu Jan 4 14:09:51 CET 2018


On Jan 4, 2018, at 12:06 AM, R.Geller <rg1 at robertgeller.net> wrote:
> I blew away all my configs, and running vanilla 3.0.13 from yum install.  I
> am using out-of-the-box configs, and created users and clients file.  I
> created certificate files, and I also tested with eapol_test

  That's good.

> I can authenticate with windows 10 client with no issues at this point.  I
> created certificates based on README instructions with new install, and
> verified that I can connect with eap_test using ttls-eap-mschapv2 and
> others (ttls-pap)...

  That's good/

> At this point, I would like to lock down the authentication so that either
> the client cert is required, or authorized MAC.  I did configure the
> authorized mac previously which was working, but stopped working, and I
> think the reason it stopped working prior had nothing to do with the MAC
> configs, but because the CA/CERTs I created expired.

  Don't guess.  Figure out the problem.

>  They are not expired
> now since I created them with a new EXPIRE date, but what is happening is
> that the clients/supplicant I am testing with can authenticate without the
> root/client certs installed.

  Only if you configure the clients to do that.

>  I would rather authenticate with
> certificates, and not rely on authorized MACs at this point...
> 
> Can you point me in the direction of how to configure the radius server to
> only authenticate if the client certificate is installed?

  Configure EAP-TLS, and disable all other EAP types.

  And be *methodical* about changes to the config.  Make a change.  Test it.  Make a backup of the config.

  One of the top 3 reasons why people screw up their config is by making random changes without testing them, or without understanding what the changes do.  And, it wastes enormous amounts of time.

  Alan DeKok.




More information about the Freeradius-Users mailing list