pap + mac auth authentication problem

Frédéric Goudal frederic.goudal at bordeaux-inp.fr
Tue Oct 30 15:45:40 CET 2018


Hello,

I’m in the following situation:
- I have switches that share both wifi and wired connections.
- On wifi connections I have EAP/PEAP authentication.
- What I want is that on wired connections, if the user/password authentication fails, authentication is done on the MAC address with automatic VLAN configuration.

I have a working wifi configuration on a first server.
I have a working wired configuration on a second server.

Is there any way to mix both on a single server?


Server version is 3.0.17.

The wifi configuration is:

authorize {
        preprocess
        mschap
        suffix
        eap
        files
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

The wired configuration is:

authorize {
        filter_username
        rewrite.called_station_id_ipb
        rewrite.calling_station_id_ipb
        preprocess
        suffix
        update control {
                Auth-Type := Accept
                Tunnel-Private-Group-Id := "%{ldap:ldap://ldap.xxx/ou=hosts,dc=xxx,dc=xxx?radiusTunnelPrivateGroupId?sub?(&(objectClass=radiusProfile)(macAddress=%{Calling-Station-ID}))}"
        }
        if (!"%{control:Tunnel-Private-Group-ID}") {
                reject
        }
        expiration
        logintime
}

authenticate {
}

post-auth {
        update {
                &reply: += &session-state:
        }
        -sql
        update reply {
                &Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
                &Tunnel-Medium-Type := "IEEE-802"
                &Tunnel-Type := "VLAN"
        }
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
                -sql
                attr_filter.access_reject
        }
        Post-Auth-Type Challenge {
        }
}



