Hi All,
We have FreeRADIUS running on a pfSense, currently serving OpenVPN for MFA. This all works great!
We also have a Ubiquiti EdgeSwitch, on which we would like to use MAC based dot1x port authentication and dynamic VLAN assignment, served by FreeRADIUS.
It works if we create a user on FreeRADIUS with the MAC as the username and password. However this is of course no use from a security perspective as then someone could sign into OpenVPN using that MAC as the username and password. FreeRADIUS, does have a MAC specific config though, presumably designed to circumvent this (yet to be successfully tested, looking at the config files I'm not so sure!).
The problem is when we setup the MAC in the MAC config it will not authorise. It will only authorise when it is entered as a user. Not sure if this is a FreeRADIUS problem or an EdgeSwitch problem, I'm assuming FreeRADIUS from the below log entries.
(1) authorized_macs: --> 3c-18-re-m-ov-ed (1) authorized_macs: users: Matched entry 3c-18-re-m-ov-ed at line 2 (1) [authorized_macs] = ok (1) if (ok) { (1) if (ok) -> TRUE (1) if (ok) { (1) update control { (1) Auth-Type := Accept (1) } # update control = noop (1) } # if (ok) = noop (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "3C18removed", skipping NULL due to config. (1) [suffix] = noop (1) ntdomain: Checking for prefix before "\" (1) ntdomain: No '\' in User-Name = "3C18removed", skipping NULL due to config. (1) [ntdomain] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 22 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [forever] = noop (1) if (&request:Calling-Station-Id == &control:Calling-Station-Id) { (1) ERROR: Failed retrieving values required to evaluate condition (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = Accept (1) Found Auth-Type = eap (1) ERROR: Warning: Found 2 auth-types on request for user '3C18removed' (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x89bf8bc989be8f93 (1) eap: Finished EAP session with state 0x89bf8bc989be8f93 (1) eap: Previous EAP request found for state 0x89bf8bc989be8f93, released from the list (1) eap: Peer sent packet with method EAP MD5 (4) (1) eap: Calling submodule eap_md5 to process data EAP-MD5 digests do not match. (1) eap: Sending EAP Failure (code 4) ID 1 length 4 (1) eap: Freeing handler (1) [eap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user Login incorrect (Failed retrieving values required to evaluate condition): [3C18removed/<via Auth-Type = Accept>] (from client EdgeSwitch48 port 8 cli 3c-18-re-m-ov-ed)
Has anyone any helpful pointers? From a management perspective it'd be really nice to use the package in pfSense and not to require a dedicated RADIUS server.
Many thanks in advance!
No comments:
Post a Comment