
MAC authentication with Freeradius2 & Openldap

Hello,

I am trying to set up MAC authentication with freeradius2 and openldap.

When a host is connected to a switch, the latter asks the RADIUS server whether the host's MAC address is allowed to connect or not (the switch port must be defined too). Then the RADIUS server checks the LDAP database to see if the MAC address is allowed to access the network.

I found some docs about that. However, I am having trouble, since the ldap module is not recognized by the freeradius server.

Here is my users file from freeradius:

DEFAULT NAS-Port-Type == "Ethernet", Auth-Type := LDAP
Framed-Filter-Id = "Enterasys:version=1:policy=test", Fall-Through = No


I configured the ldap module as follow in raddb/modules/ldap :

# rlm_ldap instance: looks up the connecting host (or user) in OpenLDAP so the
# "authorize" / "authenticate" sections can accept or reject it.
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "localhost"
# Bind DN used for the directory lookups. The password below is stored in
# clear text, so this file must stay readable only by the radiusd user.
identity = "cn=freeradius,ou=system,dc=radius,dc=com"
password = secret
basedn = "dc=radius,dc=com"
# Search filter: first branch matches a person by surname, second branch is
# meant to match a computer entry by its MAC address.
# NOTE(review): the macAddress clause is missing the leading '%' on
# "{Stripped-User-Name:-%{User-Name}}", so that text is sent to the server
# literally instead of being expanded -- no computer entry can ever match.
# It should read (macAddress=%{Stripped-User-Name:-%{User-Name}}), like the
# sn clause above it.
# NOTE(review): assumes the directory schema provides objectClass=computer
# with a macAddress attribute -- confirm against the OpenLDAP schema in use.
filter = "(|(&(objectClass=person)(sn=%{Stripped-User-Name:-%{User-Name}}))(&(objectClass=computer)(macAddress={Stripped-User-Name:-%{User-Name}})))"

#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"

# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5

# seconds to wait for LDAP query to finish. default: 20
timeout = 4

# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3

#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1

#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
#
# NOTE(review): with start_tls = no the bind password above and every
# lookup cross the connection in clear text. That is tolerable only while
# server = "localhost"; if the directory ever moves to another host, set
# start_tls = yes and require_cert = "demand" below.
start_tls = no

# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd

# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow", i.e. a certificate that fails to verify does
# NOT fail the connection; only "demand" enforces verification.
# require_cert = "demand"
}

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword

# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
# line below is commented out
# edir_account_policy_check = no

#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
# Matches either a groupOfNames (member=) or a groupOfUniqueNames
# (uniquemember=) entry that lists the DN found by the lookup above.
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName

compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes

#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes

#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# NOTE(review): because the module sets Auth-Type itself, a users-file
# entry of "Auth-Type := LDAP" is not needed (and "LDAP" is not a value in
# the internal dictionary). Whether the switch's MAC-auth request carries a
# User-Password is not visible here -- confirm what the switch sends.
#
# allowed values: {no, yes}
# set_auth_type = yes

# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
# Leave this off in production: the output includes bind and search details.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}


I also uncommented ldap in the authentication and authorize sections of raddb/sites-enabled/default.

But radiusd -X returns these errors:

/etc/raddb/users[51]: Parse error (check) for entry DEFAULT: Unknown value LDAP for attribute Auth-Type
Errors reading /etc/raddb/users
/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules


The LDAP value for Auth-Type in the users file is not recognized.

I found that Auth-type possible values are listed in /usr/share/freeradius/dictionary.freeradius.internal :

#
# FreeRADIUS extensions (most originally from Cistron)
#
VALUE Auth-Type Accept 254

VALUE Auth-Type PAP 1024
VALUE Auth-Type CHAP 1025

# 1026 was LDAP, but we deleted it. Adding it back will break the
# ldap module.
VALUE Auth-Type PAM 1027
VALUE Auth-Type MS-CHAP 1028
VALUE Auth-Type MSCHAP 1028
VALUE Auth-Type Kerberos 1029
VALUE Auth-Type CRAM 1030
VALUE Auth-Type NS-MTA-MD5 1031
# 1032 is unused (was a duplicate of CRAM)
VALUE Auth-Type


By adding the following line, my error disappeared:

#VALUE Auth-Type LDAP 1026

But I doubt that this is the best way to proceed, since adding it is discouraged:

"1026 was LDAP, but we deleted it. Adding it back will break the ldap module."

Is there another way to configure MAC authentication using freeradius2 and openldap?

Regards,

Comments

  • What are you referring to as "Later"?
  • Also, can you tell me what this line means?

    "(|(&(objectClass=person)(sn=%{Stripped-User-Name:-%{User-Name}}))(&(objectClass=computer)(macAddress={Stripped-User-Name:-%{User-Name}})))"

    I'm trying to understand the script you created.
