How to deal with switches not sending User-Password attribute for MAC-based authentication
Martin Gignac
martin.gignac at gmail.com
Fri Jan 24 18:47:12 CET 2020
Hi,
I'm setting up wired 802.1x authentication for Juniper and Ubiquiti
switches. Each device supports supplicant-based authentication and can fall
back to MAC-based authentication. When using the Juniper, if it falls back
to MAC-based authentication it sends an Access-Request with User-Name and
User-Password attributes that both contain the MAC address of the device
connecting to the switch, such as "e6e849A201e8". However, when the
Ubiquiti falls back to MAC-based auth the Access-Request it sends only
contains the User-Name attribute. Since my sites-enabled/default file
contains:
    if (User-Password) {
        update control {
            Auth-Type := rest
        }
    }
in the authorize section, REST authentication is completely skipped. I then
tried adding:
    if (&NAS-Port-Type == "Ethernet" && !User-Password) {
        update control {
            User-Password = &User-Name
            Auth-Type := rest
        }
    }
right on top of the previous section, but then I get this:
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) -> TRUE
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(1) update control {
(1) User-Password = &User-Name -> 'E6E849A201E8'
(1) Auth-Type := rest
(1) } # update control = noop
(1) } # if (&NAS-Port-Type == "Ethernet" && !User-Password) = noop
(1) if (User-Password) {
(1) if (User-Password) -> FALSE
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: !!! Ignoring control:User-Password. Update your !!!
(1) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(1) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!!
(1) pap: WARNING: !!! User-Password. !!!
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = rest
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute!
(1) [rest] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
So I changed it to this:
    if (&NAS-Port-Type == "Ethernet" && !User-Password) {
        update control {
            Cleartext-Password = &User-Name
            Auth-Type := rest
        }
    }
(2) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(2) if (&NAS-Port-Type == "Ethernet" && !User-Password) -> TRUE
(2) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(2) update control {
(2) Cleartext-Password = &User-Name -> 'E6E849A201E8'
(2) Auth-Type := rest
(2) } # update control = noop
(2) } # if (&NAS-Port-Type == "Ethernet" && !User-Password) = noop
(2) if (User-Password) {
(2) if (User-Password) -> FALSE
(2) pap: WARNING: Auth-Type already set. Not setting to PAP
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = rest
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute!
(2) [rest] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
Am I approaching the problem in the wrong way? What would be the best way to
deal with the lack of the User-Password attribute?
Thanks,
-Martin
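As an added illustration, not taken from Martin's post or from the FreeRADIUS project: a small Python model of the two Access-Requests described above, including RFC 2865 User-Password hiding, so a policy can tell a MAC-auth fallback that carries the MAC in User-Password (the Juniper behaviour) from one that omits the attribute entirely (the Ubiquiti behaviour) before any authentication module is chosen. The shared secret, Request Authenticator and MAC are constructed values; classify() returns "mac-with-password", "mac-no-password" or "other", and the code does not model unlang or rlm_rest.

```python
import hashlib
import re
import struct
# RFC 2865 attribute types; NAS-Port-Type value 15 is "Ethernet", the wired case in the post
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61
ETHERNET = struct.pack("!I", 15)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")  # the switches send the MAC as 12 bare hex digits
SECRET, AUTHENTICATOR, MAC = b"testing123", bytes(range(16)), b"e6e849A201e8"  # constructed

def _md5_chain(data, secret, authenticator, encrypting):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += xored
        prev = xored if encrypting else data[i:i + 16]  # the chain always runs over ciphertext
    return out

def hide_password(password, secret, authenticator):
    return _md5_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def reveal_password(hidden, secret, authenticator):
    return _md5_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(attrs, secret, authenticator, ident=1):
    """Serialise an Access-Request (Code 1); User-Password is hidden on the way in."""
    body = b""
    for t, v in attrs:
        if t == USER_PASSWORD:
            v = hide_password(v, secret, authenticator)
        body += struct.pack("BB", t, len(v) + 2) + v
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_access_request(packet, secret):
    """Return {attr_type: value}; User-Password is revealed with the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet): raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        v = packet[pos + 2:pos + l]
        attrs[t] = reveal_password(v, secret, authenticator) if t == USER_PASSWORD else v
        pos += l
    return attrs

def classify(attrs):
    name = attrs.get(USER_NAME, b"").decode("ascii", "replace")
    if attrs.get(NAS_PORT_TYPE) != ETHERNET or not MAC_RE.match(name):
        return "other"
    return "mac-with-password" if USER_PASSWORD in attrs else "mac-no-password"
```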
More information about the Freeradius-Users mailing list