Mac-Auth or 802.1x
Alpers, Andreas
AA at eks-engel.de
Tue Jan 23 13:21:27 UTC 2024
Hello,
I am still new to FreeRADIUS, and my requirements for this first step are modest.
I want to configure Freeradius so that users can be authenticated via 802.1x or via MAC-Auth.
I followed these instructions exactly:
https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
Unfortunately, it does not work. I have created a username and password and also entered a MAC address in the file.
But neither the user nor the MAC address works; I always get an Access-Reject, although according to the instructions it should work.
I get the following response when I run radtest:
radtest andreas andreas123 127.0.0.1 1812 testing123
Sent Access-Request Id 123 from 0.0.0.0:51323 to 127.0.0.1:1812 length 77
User-Name = "andreas"
User-Password = "andreas123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "andreas123"
Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:51323 length 20
(0) -: Expected Access-Accept got Access-Reject
Here are the individual files. I am very grateful for any help.
/etc/freeradius/3.0/mods-available/files:
# Default "files" instance: reads the users file (${moddir}/authorize) when a
# virtual server calls "files".  NOTE(review): the authorize section of
# sites-available/default shown further down never calls this instance, so the
# username/password entered in the users file is not consulted by that server.
files {
moddir = ${modconfdir}/${.:instance}
filename = ${moddir}/authorize
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}
# Second instance, invoked as "authorized_macs" from authorize.  Entries in
# ${confdir}/authorized_macs are matched on Calling-Station-Id (the key below)
# rather than on the module's usual user-name key, so a request that carries no
# Calling-Station-Id cannot match any entry.
# The "compat" item mentioned on the wiki page is not accepted by this server
# build (it refuses to start with it), so it is left out; only the two items
# below are needed for the MAC lookup.
files authorized_macs {
key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
}
# The instructions also say here
# compat = no
# but if I leave this in, I get an error message and the server no longer starts. Why does this happen?
/etc/freeradius/3.0/authorized_macs
# One entry per permitted device, keyed on Calling-Station-Id (see the
# authorized_macs instance in mods-available/files).  The key must match the
# MAC exactly as it arrives after rewrite_calling_station_id has run in
# authorize -- presumably the dash-separated form used here; confirm with a
# debug run (-X) what the NAS actually sends.
# NOTE(review): in the users-file format the reply items belong on an indented
# continuation line under the key; the indentation may have been lost in the
# mail, so check the real file.
# Matching this entry grants access on the MAC alone (see the Accept branch in
# sites-available/default); nothing here constitutes a credential.
00-11-22-33-44-55
Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
/etc/freeradius/3.0/sites-available/default
# Virtual server "default": the FreeRADIUS wiki "Mac-Auth or 802.1x" layout.
# Requests carrying EAP-Message go to eap (802.1X); every other request is
# decided solely by the authorized_macs lookup.  There is no username/password
# (PAP) path in this server at all -- see the note above "authorize".
server default {
# IPv4 authentication listener.
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# IPv4 accounting listener.
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# IPv6 authentication listener, same limits as the IPv4 one.
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# IPv6 accounting listener.
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
# authorize: modules run in the order listed.  Note what is NOT here: neither
# "files" (the users file) nor "pap" is called, so the username/password in
# the users file is never loaded and Auth-Type PAP in "authenticate" below can
# never be selected.  The radtest request in the mail (User-Name/User-Password
# only: no EAP-Message, no Calling-Station-Id) therefore takes the MAC-auth
# branch, cannot match any MAC, and hits "reject" -- that is the observed
# Access-Reject, and it is what this configuration is written to do.
# NOTE(review): radtest cannot exercise either branch; use a client that can
# send Calling-Station-Id (e.g. radclient with an attribute file) to test
# MAC-auth, and an EAP supplicant (e.g. eapol_test) to test 802.1X.
authorize {
preprocess
# If cleaning up the Calling-Station-Id...
rewrite_calling_station_id
# If this is NOT 802.1x, assume mac-auth. We check this by testing
# for the presence of the EAP-Message attribute in the request.
if (!EAP-Message) {
# Now check against the authorized_macs file
# (key = %{Calling-Station-ID}, see mods-available/files).  A request with
# no Calling-Station-Id cannot match any entry, so the lookup does not
# return "ok".
authorized_macs
if (!ok) {
# Unknown or missing MAC and no EAP: hard reject, nothing else is tried.
reject
}
else {
# accept
# The MAC matched: access is granted on Calling-Station-Id alone, no
# credential is checked.  A MAC address is trivially spoofable, so treat
# this as the weak path and limit which NAS/ports are allowed to use it.
update control {
Auth-Type := Accept
}
}
}
else {
# Normal FreeRADIUS virtual server config goes here e.g.
# 802.1X: eap selects the EAP authentication; for PEAP/TTLS the inner
# identity/password check presumably happens in the inner-tunnel virtual
# server (not shown here) -- confirm that server calls "files".
eap
}
}
# authenticate: only the Auth-Type set in authorize is run.  With the authorize
# section above that is either EAP or Accept; PAP/CHAP/MS-CHAP are unreachable.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
# Accounting pre-processing (stock layout).
preacct {
preprocess
acct_unique
suffix
files
}
# Accounting: detail/unix logging; "-sql" is optional and ignored if the sql
# module is not loaded.
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
# post-auth: copy session-state into the reply, then the reject handler.
post-auth {
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
Thank you all for your help.
Regards
Andy