[FreeRadius] Mac Authen with Centos

Michael Schwartzkopff ms at sys4.de
Fri Dec 4 18:28:50 CET 2020


On 04.12.20 18:25, yesi wrote:
> Hi,
>
> I am trying to install FreeRadius to do the Mac Auth.
> I followed this guide :
> https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x.
>
> Here are the elements :
>
> - server :
> CentOS Linux release 7.9.2009 (Core)
> SELinux is disabled.
>
> rpm -qa |egrep freeradius
> freeradius-utils-3.0.13-15.el7.x86_64
> freeradius-3.0.13-15.el7.x86_64
>
>
> - client : a Huawei switch
>
> #
> authentication-profile name ACCESS-MAC
>  mac-access-profile MAC
>  authentication mode multi-authen max-user 100
>  access-domain toto force
> #
> radius-server template TOTO
>  radius-server shared-key cipher tata
>  radius-server authentication 10.x.x.x 1812 vpn-instance management weight 80
> #
> authentication-scheme TOTO
>   authentication-mode radius
> #
> domain toto
>   authentication-scheme TOTO
>   accounting-scheme default
>   radius-server TOTO
> #
>
> ---
> cat /etc/raddb/users
> bob     Auth-Type := Accept, Cleartext-Password := "toto"
>         Reply-Message := "Hello, %{User-Name}"
> DEFAULT Group == "disabled", Auth-Type := Reject
>                 Reply-Message = "Your account has been disabled."
> DEFAULT         Auth-Type := Reject
>                 Reply-Message = "\_o< Acces refuse."
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
> ---
> cat /etc/raddb/authorized_macs
> xx-xx-xx-xx-xx-xx
>         Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
>
> ---
> cat /etc/raddb/sites-enabled/default
> ...
> authorize {
>         filter_username
>         preprocess
>          rewrite_calling_station_id
>         authorized_macs
>         if (!ok) {
>                 reject
>         }
>         else {
>                 update control {
>                         Auth-Type := Accept
>                 }
>         }
>        auth_log
>         chap
>         mschap
>         digest
>         suffix
>         eap {
>                 ok = return
>         }
>         files
>         -sql
>         -ldap
>         expiration
>         logintime
>         pap
> }
>
> I did not modify policy.d/canonicalization from the package
>
> cat /etc/raddb/mods-available/files
> files {
>         moddir = ${modconfdir}/${.:instance}
>         filename = ${moddir}/authorize
>         acctusersfile = ${moddir}/accounting
>         preproxy_usersfile = ${moddir}/pre-proxy
> }
> files authorized_macs {
>         key = "%{Calling-Station-ID}"
>         usersfile = ${confdir}/authorized_macs
> #        compat = no -------> if not commented, Configuration item "compat" is deprecated
> }
>
>
> Here is the message from the switch client :
> Status : Pre-authen
>
> There are no further messages.
> From the switch a test with test user "bob" is ok.
> In debug mode ("radiusd -X"), there is no message when a machine
> tries to connect to the switch.
>
> Any help would be appreciated.
>
> y.


I assume this is a problem of the switch. If it does not send out RADIUS
packets, then the RADIUS server cannot receive any.


Did you assign the profile to interfaces?

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
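
Once the switch does send RADIUS packets, the next thing to check is which Calling-Station-Id format arrives, since the `authorized_macs` lookup in the thread is keyed on it. The following is an added example, not code from the thread or from FreeRADIUS: it decodes an Access-Request (RFC 2865 layout) and normalizes the MAC. The sample packet and its MAC are constructed, and the lowercase hyphenated target form is an assumption taken from the `xx-xx-xx-xx-xx-xx` entry shown above.

```python
import re
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id"}

def parse_access_request(packet: bytes) -> dict:
    """Decode the RFC 2865 header and selected attributes of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20                      # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        value = packet[pos + 2:pos + a_len]
        if a_type == 4 and len(value) == 4:  # IPv4 address, 4 raw bytes
            attrs["NAS-IP-Address"] = ".".join(str(b) for b in value)
        elif a_type in ATTR_NAMES:
            attrs[ATTR_NAMES[a_type]] = value.decode("utf-8", "replace")
        pos += a_len
    return attrs

def normalize_mac(raw: str) -> str:
    """Return the MAC as lowercase xx-xx-xx-xx-xx-xx, or raise if it is not one."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def build_sample() -> bytes:
    """Constructed Access-Request (zeroed authenticator), not a real capture."""
    mac = b"AABB-CCDD-EEFF"                  # constructed value
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                    [(1, mac), (4, bytes([192, 0, 2, 10])), (31, mac)])
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    attrs = parse_access_request(build_sample())
    print(attrs, "->", normalize_mac(attrs["Calling-Station-Id"]))
```

The UDP payload of a packet captured on port 1812 can be passed to `parse_access_request` in place of the constructed sample.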
