[FreeRadius] Mac Authen with Centos

yesi yesi at posteo.net
Fri Dec 4 18:25:46 CET 2020


Hi,

I am trying to install FreeRadius to do the Mac Auth.
I followed this guide: https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x

Here are the elements:

- server:
CentOS Linux release 7.9.2009 (Core)
SELinux is disabled.

rpm -qa |egrep freeradius
freeradius-utils-3.0.13-15.el7.x86_64
freeradius-3.0.13-15.el7.x86_64


- client: a Huawei switch

#
authentication-profile name ACCESS-MAC
  mac-access-profile MAC
  authentication mode multi-authen max-user 100
  access-domain toto force
#
radius-server template TOTO
  radius-server shared-key cipher tata
  radius-server authentication 10.x.x.x 1812 vpn-instance management weight 80
#
authentication-scheme TOTO
   authentication-mode radius
#
domain toto
   authentication-scheme TOTO
   accounting-scheme default
   radius-server TOTO
#

---
cat /etc/raddb/users
bob     Auth-Type := Accept, Cleartext-Password := "toto"
         Reply-Message := "Hello, %{User-Name}"
DEFAULT Group == "disabled", Auth-Type := Reject
                 Reply-Message = "Your account has been disabled."
DEFAULT         Auth-Type := Reject
                 Reply-Message = "\_o< Acces refuse."
DEFAULT Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
         Framed-Protocol = SLIP,
         Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
         Framed-Protocol = SLIP

---
cat /etc/raddb/authorized_macs
xx-xx-xx-xx-xx-xx
         Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

---
cat /etc/raddb/sites-enabled/default
...
authorize {
         filter_username
         preprocess
         rewrite_calling_station_id
         authorized_macs
         if (!ok) {
                 reject
         }
         else {
                 update control {
                         Auth-Type := Accept
                 }
         }
         auth_log
         chap
         mschap
         digest
         suffix
         eap {
                 ok = return
         }
         files
         -sql
         -ldap
         expiration
         logintime
         pap
}

I did not modify policy.d/canonicalization from the package.

cat /etc/raddb/mods-available/files
files {
         moddir = ${modconfdir}/${.:instance}
         filename = ${moddir}/authorize
         acctusersfile = ${moddir}/accounting
         preproxy_usersfile = ${moddir}/pre-proxy
}
files authorized_macs {
         key = "%{Calling-Station-ID}"
         usersfile = ${confdir}/authorized_macs
#        compat = no -------> if not commented: Configuration item "compat" is deprecated
}


Here is the message from the switch client:
Status : Pre-authen

There is no more message.
From the switch, a test with the test user "bob" is ok.
In debug mode, "radiusd -X", there is no message when a machine tries to connect to the switch.

Any help would be appreciated.

y.
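
A way to take the switch out of the picture when "radiusd -X" stays silent is to send a MAC-auth shaped Access-Request to the server by hand. The script below is an added example, not code from the post or from the FreeRADIUS project: it builds the packet as a MAC-auth NAS does (User-Name, User-Password and Calling-Station-Id all carrying the MAC, User-Password hidden per RFC 2865 section 5.2) and reports the reply code. The MAC, shared secret and server address it is called with are placeholders, not values from the post.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet and attribute codes used by a MAC-auth Access-Request.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret + previous block), first block seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it; trailing NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # TLV; length includes the 2-byte header

def build_mac_auth_request(mac: str, secret: bytes, ident: int = 1,
                           authenticator: bytes = b"") -> bytes:
    """Access-Request shaped like a MAC-auth NAS sends it; Calling-Station-Id is what authorized_macs keys on."""
    authenticator = authenticator or os.urandom(16)  # fixed value only for tests
    attrs = (attribute(USER_NAME, mac.encode())
             + attribute(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + attribute(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def send_request(packet: bytes, host: str, port: int = 1812, timeout: float = 3.0) -> int:
    """Send over UDP and return the reply code (2 Accept, 3 Reject); -1 when nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(4096)[0][0]
        except socket.timeout:
            return -1
```

Call `send_request(build_mac_auth_request("00-11-22-33-44-55", b"<secret>"), "<server-ip>")` from the switch's management network; a reply (2 or 3) with matching lines in "radiusd -X" means the server side works, while -1 together with a silent "radiusd -X" means the packet is not reaching the server at all. radclient from freeradius-utils does the same job with a hand-written attribute list.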


More information about the Freeradius-Users mailing list