802.1x and MAC Authentication

Connor Herring connorrjherring at gmail.com
Mon Sep 23 14:58:36 UTC 2024


Hi Dominic,

I'm using the authorized_macs file. I was going to attempt SQL, but I couldn't see
a guide anywhere, so I wanted to give this a try first. It seems to be working
fine, but I was just unsure about some of the nuances.

I have also removed the 'else' from the section below. I didn't know if this
was a bad thing to do, but it seems to work? If I then put the else back in
and wrap the rest of the Authorize section in the else, it doesn't work at
all, so I'm not sure about that one.

        # 'ok' is the return code of the authorized_macs call made just above this block.
        if (!ok) {
                # Reject if the MAC address was not permitted.
                reject
        }

        # If this is NOT 802.1x, mac-auth
        if (!EAP-Message) {
                # MAC address has already been checked, so accept
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # Normal FreeRADIUS virtual server config goes here e.g.
                eap
        }
}

Kind regards,

Connor

On Mon, Sep 23, 2024 at 3:52 PM <dominic.stalder at unibe.ch> wrote:

> Hi Connor
>
> Sorry, not yet able to provide you any help on your question at the
> moment, but I am in the middle of implementing the same use case at this
> exact moment:
>
> 1. MAC authentication with a REST API call to Infoblox first
>
> 2. 802.1X / PEAP authentication, only if the first auth above was successful
>
> Are you authorizing the MAC addresses against the authorized_macs file on
> the FreeRADIUS server or towards something else (e.g. SQL, REST API, something
> else)?
>
> Regards
> Dominic
>
> On 23.09.24, 16:43, "Freeradius-Users on behalf of Connor Herring"
> <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org
> on behalf of connorrjherring at gmail.com> wrote:
>
> Hi All,
>
>
> I am attempting to set up my server so that it now checks a MAC address and
> then, provided the MAC address is ok, moves on to performing EAP
> authentication. This seems to be working fine, but I noticed something in
> the logs that I wanted to query. I am using this guide:
> <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x>.
>
> Whenever the RADIUS server sends an Access-Challenge, it still sends the
> usual EAP-Message, Message-Authenticator, and State attributes; however, it
> now also sends a Reply-Message on the line above these, in the format of the
> one in the aforementioned guide:
>
> Reply-Message = "Device with MAC Address %{Calling-Station-Id}
> authorized for network access"
>
>
> It doesn't seem like something to worry about, but I just wondered if there
> was any way around this?
>
> Further to this, the guide says:
>
> if (!ok) {
>         # Reject if the MAC address was not permitted.
>         reject
> }
>
> # If this is NOT 802.1x, mac-auth
> if (!EAP-Message) {
>         # MAC address has already been checked, so accept
>         update control {
>                 Auth-Type := Accept
>         }
> }
>
> Unless I am misunderstanding, this is saying: "check the MAC address; if
> this isn't correct then continue. If it is correct but someone isn't using
> EAP then just allow them through". Surely, unless someone were to comment
> out all authentication modules besides EAP in the default server, this
> would just allow someone to get onto the network with a correct MAC even if
> they don't have auth credentials?
>
>
> Kind regards,
>
>
> Connor
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
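Added worked example (not from the thread, the wiki guide, or FreeRADIUS itself): a small Python model of the decision the quoted authorize section reaches for a handful of constructed Access-Requests, so the "correct MAC but no credentials" case Connor asks about can be seen concretely. The allow-list, the sample requests and the `strict_mab` option are all assumptions made for this illustration, and `rewrite_calling_station_id` here only approximates the goal of the policy of that name (normalising the many switch MAC formats), not its actual implementation.

```python
import re
from enum import Enum


class Decision(Enum):
    """Outcome of the authorize section for one Access-Request."""
    REJECT = "reject"         # MAC not listed: if (!ok) { reject }
    ACCEPT_MAB = "accept"     # no EAP-Message: Auth-Type := Accept
    CONTINUE_EAP = "eap"      # EAP-Message present: hand over to eap


# Constructed allow-list standing in for the authorized_macs file.
AUTHORIZED_MACS = {"00-11-22-33-44-55", "aa-bb-cc-dd-ee-ff"}


def rewrite_calling_station_id(raw):
    """Normalise a MAC to lower-case aa-bb-cc-dd-ee-ff, or None if it is not one.

    Assumption: this mirrors the intent of the rewrite_calling_station_id
    policy (accept 00:11:22:33:44:55, 0011.2233.4455, 001122334455, ...);
    the real policy is not reproduced here.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(request, authorized=AUTHORIZED_MACS, strict_mab=False):
    """Decision the quoted unlang reaches for `request` (dict of RADIUS attributes).

    strict_mab=False reproduces the guide's logic as quoted in the thread.
    strict_mab=True is a tightening that is an assumption of this example,
    not the guide's: a request without EAP-Message is only treated as MAB when
    its User-Name is the same MAC as Calling-Station-Id (a common MAB
    convention, though vendors differ), so a plain PAP login that merely
    carries a listed MAC is rejected instead of accepted without any
    credential check.
    """
    mac = rewrite_calling_station_id(request.get("Calling-Station-Id", ""))
    # authorized_macs ... if (!ok) { reject }
    if mac is None or mac not in authorized:
        return Decision.REJECT
    # if (!EAP-Message) { update control { Auth-Type := Accept } }
    if "EAP-Message" not in request:
        if strict_mab:
            user = rewrite_calling_station_id(request.get("User-Name", ""))
            if user != mac:
                return Decision.REJECT
        return Decision.ACCEPT_MAB
    # else { eap }
    return Decision.CONTINUE_EAP


# Constructed requests: the cases discussed in the thread, including the one
# Connor is worried about (listed MAC, no EAP, an unchecked User-Password).
SAMPLE_REQUESTS = {
    "unknown_mac": {"Calling-Station-Id": "DE:AD:BE:EF:00:01",
                    "User-Name": "deadbeef0001"},
    "mab_printer": {"Calling-Station-Id": "00:11:22:33:44:55",
                    "User-Name": "001122334455"},
    "dot1x_laptop": {"Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
                     "User-Name": "alice",
                     "EAP-Message": b"\x02\x01\x00\x0a\x01alice"},
    "pap_with_listed_mac": {"Calling-Station-Id": "AABB.CCDD.EEFF",
                            "User-Name": "bob",
                            "User-Password": "never-looked-at"},
}


def run_samples(strict_mab=False):
    """Map each sample request name to the decision's string value."""
    return {name: authorize(req, strict_mab=strict_mab).value
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict_mab = {mode}")
        for name, outcome in run_samples(mode).items():
            print(f"  {name:20s} -> {outcome}")
```

Running it shows the point of Connor's question: with the logic as quoted, `pap_with_listed_mac` is accepted without its password ever being examined, exactly like the printer doing real MAB, because the only thing the block looks at after the MAC lookup is whether an EAP-Message is present. In this model the two branches are mutually exclusive, so the presence or absence of the `else` makes no difference to the outcome; whether it matters on the real server depends on what the `eap` module does when it runs without an EAP-Message, which the thread does not settle.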

