dot1x, MAB and EAP-TLS/PEAP with Freeradius
Matthew Newton
mcn at freeradius.org
Thu Sep 8 13:15:05 UTC 2022
On 08/09/2022 11:08, Vieri Di Paola wrote:
> On Wed, Sep 7, 2022 at 3:42 PM Alan DeKok <aland at deployingradius.com> wrote:
>> Then, write "unlang" rules to match the MAB packets (but not the 802.1X packets!). Something like:
>
> The only thing I found that could identify the packet as being MAB
> (well, Cisco's MAB implementation) is:
>
> Cisco-AVPair = "method=mab"
>
> It seems to always be in 3rd position, but I don't know if this is reliable.
You can enable "with_cisco_vsa_hack" in the preprocess module and add a
new local attribute "method" in /etc/raddb/dictionary. Then the
preprocess module will convert the fake Cisco AVpair attribute into a
real one. Makes things easier.
Other usual checks for MAB are that there is no EAP-Message attribute,
User-Name and User-Password are identical, and both are a MAC address
format.
> This seems to work fine for me:
>
> if ("%{request:Cisco-AVPair[2]}" == "method=mab" && !EAP-Message) -> TRUE
Use the preprocess hack and you should then be able to do
if (&method == "mab" && !EAP-Message) {
> I don't know if I should also check for the presence of
> "service-type=Call Check".
Doubt it, if you can work out what's going on from other attributes.
> So anyway, I can set the following condition in authorize and "accept"
> without filtering:
>
> if ("%{request:Cisco-AVPair[*]}" =~ /method=mab/ && !EAP-Message) {
> accept
> }
You could look up the MAC address here and reject if it is not found,
assuming you don't want to allow all MAB auths.
> In post-auth I will then add a condition to lookup the MAC addr. in
> local DB, eg:
Seems OK to me.
--
Matthew
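Putting Matthew's suggestions together into one policy, as an added example that is not code from the thread or from the FreeRADIUS project: the `with_cisco_vsa_hack` setting and the local `method` attribute make the MAB marker a real attribute, and the authorize section then applies the other checks he lists (no EAP-Message, User-Name equal to User-Password, both in MAC format) before looking the MAC up. Assumptions: the dictionary number 3000 is an arbitrary local number, `authorized_macs` is a hypothetical `files` module instance whose file lists permitted MACs, and the regex assumes the 12-hex-digit User-Name format that the switch in the thread sends.

```unlang
# Prerequisite 1 (mods-enabled/preprocess): convert Cisco-AVPair = "name=value"
# into a real attribute &name whenever "name" exists in the dictionary.
#     with_cisco_vsa_hack = yes
#
# Prerequisite 2 (/etc/raddb/dictionary): the local attribute the hack fills in.
# 3000 is an arbitrary number in the range reserved for local attributes (assumption).
#     ATTRIBUTE   method   3000   string
#
# Prerequisite 3 (mods-enabled/authorized_macs, hypothetical instance): a "files"
# module whose file has one line per permitted MAC, e.g. a constructed entry
#     001122334455
#     files authorized_macs {
#         filename = ${confdir}/authorized_macs
#     }

authorize {
    # preprocess must run before the &method check, or the attribute does not exist yet
    preprocess

    # MAB request: the hack produced &method = "mab" and there is no EAP in the packet.
    # Position of the AVPair no longer matters, unlike indexing Cisco-AVPair[2].
    if (&method == "mab" && !EAP-Message) {

        # With MAB the MAC address is sent as both User-Name and User-Password
        if (&User-Name != &User-Password) {
            reject
        }

        # 12 hex digits, no separators: the format this switch sends (assumption)
        if (&User-Name !~ /^[0-9a-f]{12}$/i) {
            reject
        }

        # Look the MAC up in the local list; "files" returns ok on a match, noop otherwise
        authorized_macs
        if (!ok) {
            reject
        }

        # Known MAC: accept here instead of allowing every MAB request through
        update control {
            &Auth-Type := Accept
        }
    }
    else {
        # 802.1X request: hand it to the EAP module (EAP-TLS / PEAP)
        eap
    }
}
```

Because the lookup happens in authorize, an unknown MAC is rejected before any Access-Accept is built, which is the point Matthew makes about not allowing all MAB auths; doing the lookup only in post-auth would require turning an already-built accept into a reject.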
More information about the Freeradius-Users mailing list