[FreeRadius] Mac Authen with Centos
Michael Schwartzkopff
ms at sys4.de
Fri Dec 4 18:28:50 CET 2020
On 04.12.20 18:25, yesi wrote:
> Hi,
>
> I am trying to install FreeRadius to do the Mac Auth.
> I followed this guide :
> https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x.
>
> Here are the elements :
>
> - server :
> CentOS Linux release 7.9.2009 (Core)
> SELinux is disabled.
>
> rpm -qa |egrep freeradius
> freeradius-utils-3.0.13-15.el7.x86_64
> freeradius-3.0.13-15.el7.x86_64
>
>
> - client : a Huawei switch
>
> #
> authentication-profile name ACCESS-MAC
> mac-access-profile MAC
> authentication mode multi-authen max-user 100
> access-domain toto force
> #
> radius-server template TOTO
> radius-server shared-key cipher tata
> radius-server authentication 10.x.x.x 1812 vpn-instance management
> weight 80
> #
> authentication-scheme TOTO
> authentication-mode radius
> #
> domain toto
> authentication-scheme TOTO
> accounting-scheme default
> radius-server TOTO
> #
>
> ---
> cat /etc/raddb/users
> bob Auth-Type := Accept, Cleartext-Password := "toto"
> Reply-Message := "Hello, %{User-Name}"
> DEFAULT Group == "disabled", Auth-Type := Reject
> Reply-Message = "Your account has been disabled."
> DEFAULT Auth-Type := Reject
> Reply-Message = "\_o< Acces refuse."
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "CSLIP"
> Framed-Protocol = SLIP,
> Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "SLIP"
> Framed-Protocol = SLIP
>
> ---
> cat /etc/raddb/authorized_macs
> xx-xx-xx-xx-xx-xx
> Reply-Message = "Device with MAC Address %{Calling-Station-Id}
> authorized for network access"
>
> ---
> cat /etc/raddb/sites-enabled/default
> ...
> authorize {
> filter_username
> preprocess
> rewrite_calling_station_id
> authorized_macs
> if (!ok) {
> reject
> }
> else {
> update control {
> Auth-Type := Accept
> }
> }
> auth_log
> chap
> mschap
> digest
> suffix
> eap {
> ok = return
> }
> files
> -sql
> -ldap
> expiration
> logintime
> pap
> }
>
> I did not modify policy.d/canonicalization from the package
>
> cat /etc/raddb/mods-available/files
> files {
> moddir = ${modconfdir}/${.:instance}
> filename = ${moddir}/authorize
> acctusersfile = ${moddir}/accounting
> preproxy_usersfile = ${moddir}/pre-proxy
> }
> files authorized_macs {
> key = "%{Calling-Station-ID}"
> usersfile = ${confdir}/authorized_macs
> # compat = no -------> if not commented, Configuration item
> "compat" is deprecated
> }
>
>
> Here is the message from the switch client :
> Status : Pre-authen
>
> There is no more message.
> From the switch a test with test user "bob" is ok.
> In the debug mode, "radiusd -X", there is no message when a machine
> tried to connect to the switch.
>
> Any help would be appreciated.
>
> y.
I assume this is a problem of the switch. If it does not send out RADIUS
packets, then the RADIUS server cannot receive any.
Did you assign the profile to interfaces?
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
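An added example, not part of the original thread or of FreeRADIUS: a Python model of the lookup that the quoted `rewrite_calling_station_id` and `files authorized_macs` configuration performs, for checking that entries in `authorized_macs` are written in the form the key has after normalisation. It assumes the policy emits six hyphen-separated octet pairs and that the file lookup is an exact string match; letter case is a parameter because it depends on the packaged policy, and all MAC values and function names are constructed for illustration.

```python
import re

# Six octet pairs, each optionally followed by one non-hex separator, so
# aa:bb:.., aa-bb-.., aabb.ccdd.eeff, aabb-ccdd-eeff and aabbccddeeff all match.
HEX2 = r"([0-9a-fA-F]{2})"
MAC_RE = re.compile(r"^" + r"[^0-9a-fA-F]?".join([HEX2] * 6) + r"$")

def canonical_mac(value, upper=False):
    """Return the MAC as xx-xx-xx-xx-xx-xx, or None if value is not a MAC."""
    m = MAC_RE.match(value.strip())
    if not m:
        return None
    mac = "-".join(m.groups())
    return mac.upper() if upper else mac.lower()

def load_keys(users_text):
    """Entry keys of a users-format file: first token of each unindented line."""
    keys = set()
    for line in users_text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            keys.add(line.split()[0])
    return keys

def check(calling_station_id, keys, upper=False):
    """Model the lookup: normalise first, then exact (case-sensitive) match."""
    mac = canonical_mac(calling_station_id, upper)
    if mac is None:
        return "not-a-mac"
    return "ok" if mac in keys else "reject"

# Constructed authorized_macs content (assumption: lowercase key).
SAMPLE = '''00-11-22-aa-bb-cc
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
'''

if __name__ == "__main__":
    keys = load_keys(SAMPLE)
    # Constructed Calling-Station-Id values in several common notations.
    for raw in ["00:11:22:AA:BB:CC", "0011-22aa-bbcc", "001122aabbcc",
                "00-11-22-aa-bb-cd", "bob"]:
        print(f"{raw:20} -> {check(raw, keys)}")
    # Same device, but the policy upper-cases while the file is lowercase.
    print("upper-case policy   ->", check("00:11:22:aa:bb:cc", keys, upper=True))
```

The last line shows the case-mismatch failure: the device is listed, but a key normalised to upper case does not match a lowercase file entry.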