Hello all. We are working here with UCS 4.4-8 and freeradius 3.0.12. Radius itself is working fine for authentication of users on network devices and so on. But I can’t get the MAC-based authentication to work. I have set up everything according to the documentation.
Only the APs are not authenticated with radius, because the userauth for Enterprise runs directly via LDAP.
This is an SSID that was only created for devices and therefore only uses WPA2. Therefore, I would also like to use the MAC filter with radius.
Well, as you can see very well in the log, the client is found, but it is not authenticated.
(0) Received Access-Request Id 0 from 10.4.4.2:22116 to 172.16.66.1:1812 length 238
(0) User-Name = "5A:F1:70:5E:1D:2A"
(0) User-Password = "5A:F1:70:5E:1D:2A"
(0) Calling-Station-Id = "5C-F3-70-5C-BD-1A"
(0) NAS-IP-Address = 0.0.0.0
(0) NAS-Identifier = "192.168.7.2/5246-tuxi-dev"
(0) Called-Station-Id = "91-60-AC-B0-2C-9A:tuxi-dev"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Call-Check
(0) Attr-26.12356.7 = 0x626f647967756964652d646576
(0) Attr-26.12356.8 = 0x46503232314333583136303436393830
(0) Message-Authenticator = 0x38ca65a1e4a52e766d04f2399b184d10
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "5A:F1:70:5E:1D:2A", looking up realm NULL
(0) ntdomain: No such realm "NULL"
(0) [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (|(uid=%{mschap:User-Name:-%{User-Name}})(macAddress=%{mschap:User-Name:-%{User-Name}}))
(0) ldap: --> (|(uid=5A:F1:70:5E:1D:2A)(macAddress=5A:F1:70:5E:1D:2A))
(0) ldap: Performing search in "dc=tux,dc=lan" with filter "(|(uid=5A:F1:70:5E:1D:2A)(macAddress=5A:F1:70:5E:1D:2A))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=scanner,cn=drucker,cn=zuhause,cn=computers,dc=tux,dc=lan"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc1.tux.lan:7389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [5A:F1:70:5E:1D:2A/5A:F1:70:5E:1D:2A] (from client fw01 port 0 cli 5A-F1-70-5E-1D-2A)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> 5A:F1:70:5E:1D:2A
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 0 from 172.16.66.1:1812 to 10.4.4.2:22116 length 20
Waking up in 3.9 seconds.
By default, nothing at all is found in the LDAP. In order for it to work at all, as you can see here in the log, you first have to set the LDAP filter correctly in the Radius config.
/etc/freeradius/3.0/mods-enabled/ldap
- filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
+ filter = "(|(uid=%{mschap:User-Name:-%{User-Name}})(macAddress=%{mschap:User-Name:-%{User-Name}}))"
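Review bot: the widened filter only fixes the lookup, not the rejection; with it applied the log still shows `ldap: WARNING: No "known good" password added` and then `ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject`, because the ldap module finds the computer object but reads no password attribute, so pap never sets an Auth-Type. For a MAC check (the request carries `Service-Type = Call-Check` and a User-Name equal to the MAC) the usual way is to accept explicitly once the object is found, e.g. in the authorize section of sites-enabled/default directly after the `ldap` call: `if (ok && &Service-Type == Call-Check) { update control { Auth-Type := Accept } }`. Note also that the filter compares `macAddress` against User-Name verbatim (`5A:F1:70:5E:1D:2A`, uppercase with colons, whereas Calling-Station-Id uses dashes), so it only matches if the LDAP attribute is stored in exactly that notation; if not, normalise case and separator in authorize before the ldap call.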
I’ve set freeradius/auth/helper/ntlm/debug to highest level, but there is no logfile like /var/log/univention/radius_ntlm_auth.log as described in the documentation.
Does anyone have an idea why this part does not want to work?