Hello everyone,
I'm trying to set up MAC authorization (yes I know it's not ideal but it's a test) with 802.1X using FreeRADIUS, a Dell N2048 (DN OS6.3.3.9) switch as the authenticator and a Ubuntu machine as the supplicant. I've followed this guide for configuring FreeRADIUS : https://wiki.freeradius.org/guide/Mac-Auth#plain-mac-auth
My FreeRADIUS config files looks like this (MAC addresses have been replaced) :
$ sudo cat /etc/freeradius/3.0/sites-available/default listen { type = auth ipaddr = 10.0.180.100 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } authorize { preprocess rewrite_calling_station_id authorized_macs if (!ok) { reject } else { update control { Cleartext-Password := &Calling-Station-ID Auth-Type = Accept } } } $ sudo cat /etc/freeradius/3.0/mods-available/files files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs } $ sudo cat /etc/freeradius/3.0/authorized_macs AA-BB-CC-DD-EE-FF Cleartext-Password := "AA-BB-CC-DD-EE-FF", User-Name := "AA-BB-CC-DD-EE-FF", Service-Type = Framed-User, Tunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-id = 150, Reply-Message = "Device %{Calling-Station-ID} authorized"
The wpa_supplicant.conf on the Ubuntu client :
ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 ap_scan=0 network={ key_mgmt=IEEE8021X eap=MD5 identity="AA-BB-CC-DD-EE-FF" password="AA-BB-CC-DD-EE-FF" eapol_flags=0 }
The switch dot1x config :
! dot1x system-auth-control aaa authentication dot1x default radius aaa authorization network default radius radius-server host auth 10.0.180.100 primary name "Default-RADIUS-Server" usage 802.1x key 7 "..." exit ! interface Gi1/0/1 switchport mode general dot1x port-control mac-based dot1x mac-auth-bypass exit !
With this configuration everything is processed correctly, since the freeradius -X command is displaying that an Access-Accept message has been sent. The RADIUS server is authorizing the supplicant based on its MAC address. However, the switch refuse the EAP Access-Accept from the server. And I'm lost here. The only clue the switch gives me is that the EAP packet cannot be transmitted :
<189> Aug 2 10:28:08 dell-n2048p-users-1-1 DOT1X[dot1xTask]: dot1x_radius.c(654) 58882 %% EAP message not received from server.RADIUS server did not send required EAP message. <189> Aug 2 10:27:08 dell-n2048p-users-1-1 DOT1X[dot1xTask]: dot1x_radius.c(654) 58879 %% EAP message not received from server.RADIUS server did not send required EAP message. <190> Aug 2 10:27:08 dell-n2048p-users-1-1 RADIUS[dot1xTask]: radius_api.c(1002) 58878 %% RADIUS: radiusAccessRequestMsgSend(): Updated Global radius server entry with ipaddr 10.0.180.100'
On the supplicant (Ubuntu machine), Wireshark is showing a "Request, Notification[Malformed Packet]" where the correct "Reply-Message" attribute is present. So I deducted it's actually the EAP Access-Accpet sent by the RADIUS server.
I've tried using the supplicant MAC address as username and password, and making it a Framed-User but it doesn't change anything. I've added the MAC address as a Cleartext-Password into the EAP response message (Cleartext-Password := &Calling-Station-ID) in case this would be accepted but it doesn't change anything either. Enabling MAB doesn't seem to do anything, even by tweaking the dot1x timeouts.
Am I missing something in the config ? What could make the EAP response being rejected by the switch ?
Thanks
Note : This is a repost of my topic at NetworkEngineering Stack Exchange.
No comments:
Post a Comment