MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
I am setting up our FreeRADIUS to do authentication by MAC address for
Windows PCs. This is to enable PCs to connect to the AD to access domain
information just before the Windows user logon screen. The PC is already
connected to a Cisco switch port which has been configured for 802.1X.

I have stored a list of authorized MAC addresses in a file called
authorized_macs in the FreeRADIUS confdir. I have also set up the appropriate
commands in the Authorize and Authentication sections of the sites-enabled/default
file for authorization and authentication. I can see from the log that the
MAC address is checked and OK. But there is an "[eap] returns reject" just
after the MAC address was successfully checked. I guess I need a way to
get RADIUS to force an EAP accept after successful checking of the MAC
addresses.

Below is my Auth-Type statement, which gets the system to do MAC address
checking for PCs connecting with the hint "thehive". The else statement is
to cause all other requests to be processed normally using
mschap_ad (which is a function that calls ntlm_auth).



Auth-Type MS-CHAP {
    # Requests carrying the hint get a MAC check instead of going to AD
    if (Hint == validmac) {
        # files module instance that reads the authorized_macs list
        authorized_macs
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # everything else is authenticated via ntlm_auth against AD
        mschap_ad
    }
}

Below is an extract of the log showing the successful MAC address check,
followed by the "[eap] returns reject":

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschapv2] ++? if (outer.Hint == validmac)
[mschapv2] ? Evaluating (outer.Hint == validmac) - TRUE
[mschapv2] ++? if (outer.Hint == validmac) - TRUE
[mschapv2] ++- entering if (outer.Hint == validmac) {...}
[authorized_macs]   expand: %{Calling-Station-ID} - 00-1a-a0-b8-3b-73
+++[authorized_macs] returns noop
++- if (outer.Hint == thehive) returns noop
++ ... skipping else for request 14: Preceding if was taken
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/hive-rjm2.library.networcs.net] (from client 193.62.48.37 port 50242 cli 00-1a-a0-b8-3b-73 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04080004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.

-- 
'Tunde Ogedengbe

But thanks be to God, who gives me the VICTORY through my Lord Jesus
CHRIST - 1 Corinthians 15:57
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 12:52, Tunde Ogedengbe wrote:

> see from the log that the MAC addresses is checked and OK.  But there is
> an [eap] returns reject just after the mac address was successfully
> checked.  I guess I need a way to get radius to force an EAP accept
> after successful checking of the MAC addresses.


This doesn't work. You can't force accept of an EAP session. The
protocol is challenge/response and must complete correctly at both ends.

Your approach won't work.

Instead, you must configure pre-login 802.1x authentication correctly on
the Windows side, either using machine credentials or user creds.

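Added example, not the poster's config and not a stock FreeRADIUS file: an outer-server authorize block (FreeRADIUS 2.x unlang) that applies the authorized_macs check only to requests with no EAP-Message, i.e. a switch port doing plain MAC authentication, and always hands EAP requests to the eap module so the challenge/response runs to completion. It assumes authorized_macs is a files module instance keyed on Calling-Station-Id, as in the poster's setup; it does not cover the Windows pre-login case, which needs 802.1X configured on the client.

```unlang
# Added example: outer server (sites-enabled/default), FreeRADIUS 2.x syntax.
# Assumes a 'files authorized_macs { ... }' instance keyed on Calling-Station-Id.
authorize {
    preprocess

    # No EAP-Message means the NAS is doing plain MAC authentication.
    # Only for these requests can the server decide the outcome by itself.
    if (!EAP-Message) {
        # Look the MAC up in the authorized_macs list; returns ok on a match.
        authorized_macs
        if (ok) {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            # Unknown MAC: stop here instead of falling through to
            # the other authorize modules.
            reject
        }
    }
    else {
        # An EAP session has to complete at both ends; its result
        # cannot be replaced by setting Auth-Type := Accept.
        eap
    }
}
```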


Re: MAC-Auth with EAP

2013-02-08 Thread Tunde Ogedengbe
Ok. Can you please help with the procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated userid/password
configured on Windows for pre-login machine authentication.

'Tunde Ogedengbe
On 8 Feb 2013 13:18, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>
>> see from the log that the MAC addresses is checked and OK.  But there is
>> an [eap] returns reject just after the mac address was successfully
>> checked.  I guess I need a way to get radius to force an EAP accept
>> after successful checking of the MAC addresses.
>
> This doesn't work. You can't force accept of an EAP session. The
> protocol is challenge/response and must complete correctly at both ends.
>
> Your approach won't work.
>
> Instead, you must configure pre-login 802.1x authentication correct on the
> Windows side, either using machine credentials or user creds.


Re: MAC-Auth with EAP

2013-02-08 Thread Phil Mayers

On 08/02/13 16:09, Tunde Ogedengbe wrote:

> Ok. Can you pls help with procedure for configuring pre-login on Windows
> for 802.1x? Windows is sending packets to RADIUS as
> host/machine-name.domain. I would like to have a dedicated
> userid/password configured on windows for pre-login machine authentication.


Windows doesn't support that.

Your options are:

1. Use the machine account
2. Use the user/password typed into the login box

That's it - that's all Windows supports.

As for configuring it - right-click on the network adapter settings,
select the authentication tab, click the additional settings button.
The options should be self explanatory. If not, consult the Microsoft docs:

http://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx