Mac-Auth or 802.1x

Alan DeKok aland at deployingradius.com
Wed Jan 24 12:01:30 UTC 2024


On Jan 24, 2024, at 2:42 AM, Alpers, Andreas <AA at eks-engel.de> wrote:
> 
> I want the server to authenticate users based on username/password and devices based on MAC addresses.
> When I turn on 802.1x on the Ethernet switch, username/password works on Linux but not on Windows 10/11.

  FreeRADIUS doesn't know what OS is being used on the device.  FreeRADIUS only knows what it receives.  That's why we tell people to run in debug mode: so that they can see what FreeRADIUS receives.

  The right approach is not that there is some magic, unknown, difference between "Linux" versus "Windows".  The right approach is to read the debug output, and see "Linux sends X and it works", while "Windows sends Y and it doesn't work".

  The problem then goes from "Windows magic" to "I didn't configure Y, so I'll go do that now".

> MAC-Auth configured on the corresponding ports of the Ethernet switch does not work at all.

  That again is the wrong approach.  "I did a bunch of stuff and it didn't work.  What else can I do?"  The only answer here is "Uh... try different stuff?"

  If you have a methodical and careful approach, you can solve problems.  If you treat things as magic, then they can only get fixed by magic.

> Here is the debug of the server:

  It helps to read it, as I said multiple times in my last message.

  There are detailed guidelines for reading it on the Wiki: http://wiki.freeradius.org/radius-X

> (0) Received Accounting-Request Id 0 from 172.16.5.60:11528 to 172.16.5.70:1813 length 70
> (0)   Acct-Status-Type = Accounting-On

  When debugging authentication, it's not useful to include accounting packets.  Accounting != authentication.

> (3) Received Access-Request Id 0 from 172.16.5.60:20834 to 172.16.5.70:1812 length 132
> (3)   User-Name = "9c2dcd92e0f6"

  I suggested that you compare the User-Name with the entry in the "authorize" file.  It seems they might be different, as I suggested.

  There are things which can be done about that.
> 
> (4)     if (!EAP-Message) {
> (4)     if (!EAP-Message)  -> FALSE
> (4)     else {
> (4) eap: Peer sent EAP Response (code 2) ID 1 length 22
> (4) eap: No EAP Start, assuming it's an on-going EAP conversation
> (4)       [eap] = updated
> (4)     } # else = updated
> (4)   } # authorize = updated

  It's not running the "files" module.

* you put user names / passwords into the "files" module

* with a different name than what appears in the Access-Request packets

* and then edited the configuration so that the server doesn't even run the "files" module.

  Why not try configuring the server to use the "files" module?

  But a better approach is to start with the default configuration, and make small changes.  Then, test each change.

  It is very much NOT recommended to "hack and slash" the configuration to remove all kinds of things.  Especially when you remove things which are needed to reach the goal of authenticating users.

  Alan DeKok.
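As an added illustration (not code from this thread or from FreeRADIUS itself), the script below applies the two checks Alan describes to a constructed debug excerpt and a constructed "users" file: whether the User-Name in each Access-Request matches an entry (allowing for MAC addresses written with different delimiters or case), and whether the "files" module ran in that request at all. The debug lines and users entries are assumed samples modelled on the ones quoted above.

```python
import re

# Constructed FreeRADIUS debug output modelled on the lines quoted above:
# request (3) carries a MAC as User-Name; request (4) only ever calls "eap".
DEBUG_OUTPUT = """\
(3) Received Access-Request Id 0 from 172.16.5.60:20834 to 172.16.5.70:1812 length 132
(3)   User-Name = "9c2dcd92e0f6"
(3)     [files] = notfound
(4) Received Access-Request Id 1 from 172.16.5.60:20834 to 172.16.5.70:1812 length 200
(4)   User-Name = "alice"
(4)       [eap] = updated
"""
# Constructed "users" file: the MAC entry was typed with delimiters and in
# upper case, so it never equals the User-Name the switch actually sends.
USERS_FILE = """\
9C-2D-CD-92-E0-F6  Cleartext-Password := "9C-2D-CD-92-E0-F6"
alice              Cleartext-Password := "s3cret"
"""

def normalize_mac(name):
    """12 lowercase hex digits for a MAC in any common spelling, else None."""
    flat = re.sub(r"[-:.]", "", name or "").lower()
    return flat if re.fullmatch(r"[0-9a-f]{12}", flat) else None

def parse_debug(text):
    """Group lines by request number: User-Name plus the modules that ran."""
    reqs = {}
    for line in text.splitlines():
        m = re.match(r"\((\d+)\)\s*(.*)", line)
        if not m:
            continue
        req = reqs.setdefault(int(m.group(1)), {"user_name": None, "modules": set()})
        if (name := re.match(r'User-Name = "(.*)"', m.group(2))):
            req["user_name"] = name.group(1)
        if (mod := re.match(r"\[([\w-]+)\] = ", m.group(2))):
            req["modules"].add(mod.group(1))
    return reqs

def parse_users(text):
    """Usernames are the first token of unindented, non-comment lines."""
    return [ln.split()[0] for ln in text.splitlines()
            if ln and not ln[0].isspace() and not ln.startswith("#")]

def check(debug_text, users_text):
    """Per request: exact entry? MAC-equivalent entry? did "files" run at all?"""
    users = parse_users(users_text)
    by_mac = {normalize_mac(u): u for u in users if normalize_mac(u)}
    return {num: {"user_name": r["user_name"],
                  "exact_entry": r["user_name"] in users,
                  "mac_entry": by_mac.get(normalize_mac(r["user_name"])),
                  "files_ran": "files" in r["modules"]}
            for num, r in parse_debug(debug_text).items()}
```

Run `check(DEBUG_OUTPUT, USERS_FILE)` against your own debug output and users file: a request with a `mac_entry` but no `exact_entry` points at a spelling mismatch, and `files_ran == False` means the authorize section never consulted the users file.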