FreeRADIUS MAC-based authentication does not work

Hello all. We are working here with UCS 4.4-8 and FreeRADIUS 3.0.12. RADIUS itself is working fine for authentication of users on network devices and so on. But I can't get the MAC-based authentication to work. I have set up everything according to the documentation.

Only the APs are not authenticated with RADIUS, because the user auth for Enterprise runs directly via LDAP.

This is an SSID that was only created for devices and therefore only uses WPA2. Therefore, I would also like to use the MAC filter with RADIUS.

Well, as you can see very well in the log, the client is found, but it is not authenticated.

(0) Received Access-Request Id 0 from 10.4.4.2:22116 to 172.16.66.1:1812 length 238
(0)   User-Name = "5A:F1:70:5E:1D:2A"
(0)   User-Password = "5A:F1:70:5E:1D:2A"
(0)   Calling-Station-Id = "5C-F3-70-5C-BD-1A"
(0)   NAS-IP-Address = 0.0.0.0
(0)   NAS-Identifier = "192.168.7.2/5246-tuxi-dev"
(0)   Called-Station-Id = "91-60-AC-B0-2C-9A:tuxi-dev"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Call-Check
(0)   Attr-26.12356.7 = 0x626f647967756964652d646576
(0)   Attr-26.12356.8 = 0x46503232314333583136303436393830
(0)   Message-Authenticator = 0x38ca65a1e4a52e766d04f2399b184d10
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "5A:F1:70:5E:1D:2A", looking up realm NULL
(0) ntdomain: No such realm "NULL"
(0)     [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (|(uid=%{mschap:User-Name:-%{User-Name}})(macAddress=%{mschap:User-Name:-%{User-Name}}))
(0) ldap:    --> (|(uid=5A:F1:70:5E:1D:2A)(macAddress=5A:F1:70:5E:1D:2A))
(0) ldap: Performing search in "dc=tux,dc=lan" with filter "(|(uid=5A:F1:70:5E:1D:2A)(macAddress=5A:F1:70:5E:1D:2A))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=scanner,cn=drucker,cn=zuhause,cn=computers,dc=tux,dc=lan"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc1.tux.lan:7389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [5A:F1:70:5E:1D:2A/5A:F1:70:5E:1D:2A] (from client fw01 port 0 cli 5A-F1-70-5E-1D-2A)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> 5A:F1:70:5E:1D:2A
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 0 from 172.16.66.1:1812 to 10.4.4.2:22116 length 20
Waking up in 3.9 seconds.

By default, nothing at all is found in the LDAP. In order for it to work at all, as you can see here in the log, you first have to set the LDAP filter correctly in the RADIUS config.

/etc/freeradius/3.0/mods-enabled/ldap

- filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
+ filter = "(|(uid=%{mschap:User-Name:-%{User-Name}})(macAddress=%{mschap:User-Name:-%{User-Name}}))"
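Review bot: the new filter matches the User-Name string exactly as the NAS sends it against macAddress, so the lookup depends on the NAS notation being compatible with the stored attribute; the same log shows Calling-Station-Id in dash-separated form ("5C-F3-70-5C-BD-1A") while User-Name is colon-separated, so a NAS that sends the dash form as User-Name would not be found. Document the expected notation (or normalise the MAC in the policy before the ldap call) so that a second AP model does not silently fall through to Access-Reject. Since the uid and macAddress branches are OR'd, a Call-Check request could also match a user object by uid; restricting the macAddress branch to requests with Service-Type = Call-Check keeps the two authentication paths apart.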

I've set freeradius/auth/helper/ntlm/debug to the highest level, but there is no log file like /var/log/univention/radius_ntlm_auth.log as described in the documentation.

Does anyone have an idea why this part does not want to work?

Hi Mario,

I am not absolutely sure, but do not mix up the user authentication vs. the MAC-based access control. For the first you need credentials, both username and password, while for the second it only has to match the preconfigured values. So there is no password. From the log you clearly see RADIUS reads the MAC as username where it should not ("missing ").

I do not know how to configure MAC-based access control, but at least you will need a list of allowed MAC addresses. Have you checked this page to configure FreeRADIUS accordingly?

ldap: Performing search in "dc=tux,dc=lan" with filter "(|(uid=5A:F1:70:5E:1D:2A)(macAddress=5A:F1:70:5E:1D:2A))",

Again, it looks for a username with the MAC 5A… so no good. However, it found an entry "cn=scanner", but it could not read the configured password:

ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute

Either your FreeRADIUS lacks permissions or the password is wrong; read the above link carefully:
Verifies that the CHAP-Password attribute matches the Calling-Station-ID of the station

Hope it helps…

/CV

Hello knebb,

You are talking about the official FreeRADIUS config, but I am talking about the Univention UCS FreeRADIUS config. These are two different things because of the implementation. So if you read the official UCS documentation for FreeRADIUS, you see that here the special flag enables MAC filtering globally.

For this reason, I also believe that it can only be a small thing, because for auth the system takes the MAC address, for user and for password.

Does nobody have something like this in use? :face_with_monocle:

Hi, we have both MAC and User/Pass auth working.

What are you trying to accomplish?

Our Use-Case:

Known Clients (Computer Object with MAC in LDAP) are authenticated during boot and put in a VLAN for known Clients. Unknown Clients are put in a Guest VLAN.
Upon User login (Windows) the User gets authenticated using Username/Password and switches to a User specific VLAN or (on rejection) switches into Guest VLAN.

I only want to introduce MAC address control for the WLAN. This means that users who log on via the WLAN (WPA2/3 Enterprise, and also WPA Personal for certain devices that cannot use WPA Enterprise) can only do this with devices that are stored in the LDAP with their MAC.

Ok, so that should normally be easy.
Did you set the password of the Computer Object to the MAC address?

Your Clients send:

(0)   User-Name = "5A:F1:70:5E:1D:2A"
(0)   User-Password = "5A:F1:70:5E:1D:2A"

So you need to set the Password accordingly.
Extended Settings -> Account -> Password

1 Like
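To make the flow in the log and chris.g's fix concrete, here is an added Python model of the FreeRADIUS authorize/PAP decision for a Call-Check (MAC) request; it is example code written for this thread, not FreeRADIUS or UCS code. The LDAP_DIRECTORY dict, the DNs other than the "cn=scanner" one from the log, the uid values and the helper names are constructed. It assumes the behaviour visible in the log: the ldap module searches with the User-Name string as sent, pap sets no Auth-Type when no known-good password is readable, and the NAS sends the MAC as both User-Name and User-Password. The User-Name vs. Calling-Station-Id comparison follows the documentation line knebb quoted and goes beyond the default site config; macAddress is compared case-insensitively but with separators kept, as the nis schema's caseIgnoreIA5Match does, so the dash-separated form fails the lookup.

```python
"""Model of FreeRADIUS 3.x MAC-based (Call-Check) authorize + PAP authenticate.

Added example for the forum thread; not FreeRADIUS or UCS code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for UCS computer objects: DN -> attributes.
# password=None models what the log showed: object found, but no readable
# password attribute, hence no "known good" password for pap.
LDAP_DIRECTORY = {
    "cn=scanner,cn=drucker,cn=zuhause,cn=computers,dc=tux,dc=lan": {
        "uid": "scanner$",                      # constructed
        "macAddress": "5a:f1:70:5e:1d:2a",
        "password": None,
    },
    "cn=printer,cn=drucker,cn=zuhause,cn=computers,dc=tux,dc=lan": {  # constructed
        "uid": "printer$",
        "macAddress": "5c:f3:70:5c:bd:1a",
        "password": "5C:F3:70:5C:BD:1A",         # set to the MAC, as chris.g advised
    },
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Canonical lowercase colon-separated MAC, or None if the value is not a MAC."""
    digits = re.sub(r"[:\-. ]", "", value.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadiusResult:
    code: str                 # "Access-Accept" or "Access-Reject"
    reason: str
    dn: Optional[str] = None  # matched LDAP object, if any


def ldap_search(user_name: str, directory: dict) -> Optional[str]:
    """Mimic the thread's filter (|(uid=U)(macAddress=U)) on the raw User-Name.

    uid is matched literally; macAddress case-insensitively with separators
    kept, so "5C-F3-..." does not match a stored "5c:f3:..." attribute.
    """
    for dn, attrs in directory.items():
        if attrs.get("uid") == user_name:
            return dn
        if attrs.get("macAddress", "").lower() == user_name.lower():
            return dn
    return None


def mac_auth(request: dict, directory: dict = LDAP_DIRECTORY) -> RadiusResult:
    """authorize + PAP authenticate for one Access-Request (attribute dict)."""
    if request.get("Service-Type") != "Call-Check":
        return RadiusResult("Access-Reject", "not a Call-Check request")
    user_name = request.get("User-Name", "")
    # Sanity check from the quoted docs: the identity must be the calling station.
    sent, station = normalize_mac(user_name), normalize_mac(request.get("Calling-Station-Id", ""))
    if sent and station and sent != station:
        return RadiusResult("Access-Reject", "User-Name does not match Calling-Station-Id")
    dn = ldap_search(user_name, directory)
    if dn is None:
        return RadiusResult("Access-Reject", "user not found in LDAP")
    known_good = directory[dn].get("password")
    if known_good is None:
        # pap sets no Auth-Type -> "No Auth-Type found ... Post-Auth-Type = Reject"
        return RadiusResult("Access-Reject", "No Auth-Type found: no known good password", dn)
    if request.get("User-Password") != known_good:
        return RadiusResult("Access-Reject", "password mismatch", dn)
    return RadiusResult("Access-Accept", "known good password matched", dn)


def request_for(mac: str, password: Optional[str] = None) -> dict:
    """Build the attributes the AP in the log sends: MAC as user and password,
    Calling-Station-Id dash-separated (constructed helper)."""
    return {
        "User-Name": mac,
        "User-Password": mac if password is None else password,
        "Calling-Station-Id": mac.replace(":", "-"),
        "Service-Type": "Call-Check",
        "NAS-Port-Type": "Wireless-802.11",
    }


if __name__ == "__main__":
    for mac in ("5A:F1:70:5E:1D:2A", "5C:F3:70:5C:BD:1A", "5C-F3-70-5C-BD-1A"):
        r = mac_auth(request_for(mac))
        print(f"{mac}: {r.code} ({r.reason})")
```

Running it shows the three outcomes a practitioner needs to tell apart in the debug log: the scanner object is found but rejected for lack of a known-good password (the thread's original symptom), the printer object with its password set to the MAC is accepted, and the dash-separated MAC is not found at all because the LDAP filter compares the string as sent.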

Done. But I get the same error message in the RADIUS logs.

It works now. Many thanks to @chris.g for helping me understand how this feature works. Because of this I've written a howto for configuring this on UCS 4.4.x.

The important thing was to make the changes in the templates, and not directly in the config files. And that you are not using an IP-managed client profile for your device in UCS.
https://deepdoc.at/dokuwiki/doku.php?id=prebuilt_systems:ucs:radius_macadressenkontrolle_fuer_wlan_ueber_ldapauth_mit_fortinet_accesspoints

Update for UCS 5 available: prebuilt_systems:ucs:radius_macadressenkontrolle_fuer_wlan_ueber_ldapauth_mit_fortinet_accesspoints (on deepdoc.at)
