MAC authentication with Freeradius2 & Openldap
Hello,
I am trying to set up a mac authentication with freeradius2 and openldap.
When host is conneceted on a Switch, the later ask the radius server whether host mac address is allowed to connect or not (the switch port must be defined too). Then, the radius server check the ldap database to see if the macddress is allowed to access the Network..
I found some docs about that. However, I have some troubleshootings since ldap module is not recognized by freeradius server.
here is my users file from freeeradius
Framed-Filter-Id = "Enterasys:version=1:policy=test", Fall-Through = No
I configured the ldap module as follow in raddb/modules/ldap :
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "localhost"
identity = "cn=freeradius,ou=system,dc=radius,dc=com"
password = secret
basedn = "dc=radius,dc=com"
filter = "(|(&(objectClass=person)(sn=%{Stripped-User-Name:-%{User-Name}}))(&(objectClass=computer)(macAddress={Stripped-User-Name:-%{User-Name}})))"
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
# ligne ci-dessous COMMENTEE
# edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}
I also uncomment ldap in authentication and authorize sections of raddb/sites-enabled/default
But radiusd -X return those errors :
Errors reading /etc/raddb/users
/etc/raddb/modules/files[7]: Instantiation failed for module "files"
/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
}
}
Errors initializing modules
LDAP value for Auth-type in users file is not recognized.
I found that Auth-type possible values are listed in /usr/share/freeradius/dictionary.freeradius.internal :
# FreeRADIUS extensions (most originally from Cistron)
#
VALUE Auth-Type Accept 254
VALUE Auth-Type PAP 1024
VALUE Auth-Type CHAP 1025
# 1026 was LDAP, but we deleted it. Adding it back will break the
# ldap module.
VALUE Auth-Type PAM 1027
VALUE Auth-Type MS-CHAP 1028
VALUE Auth-Type MSCHAP 1028
VALUE Auth-Type Kerberos 1029
VALUE Auth-Type CRAM 1030
VALUE Auth-Type NS-MTA-MD5 1031
# 1032 is unused (was a duplicate of CRAM)
VALUE Auth-Type
By adding the following line, my error disapeared
#VALUE Auth-Type LDAP 1026
But I doubt that it is the best way to process, since it is prevented to add it :
"1026 was LDAP, but we deleted it. Adding it back will break the ldap module."
Is there another way to configure a MAC authentication by using freeradius2 and openldap ?
Regards,
Comments
-
What are you referring to as "Later"?0
-
Also, can you tell me what this line means?
"(|(&(objectClass=person)(sn=%{Stripped-User-Name:-%{User-Name}}))(&(objectClass=computer)(macAddress={Stripped-User-Name:-%{User-Name}})))"
I'm trying to understand the script you created.0
Categories
- All Categories
- 50 LFX Mentorship
- 103 LFX Mentorship: Linux Kernel
- 553 Linux Foundation Boot Camps
- 296 Cloud Engineer Boot Camp
- 119 Advanced Cloud Engineer Boot Camp
- 52 DevOps Engineer Boot Camp
- 53 Cloud Native Developer Boot Camp
- 4 Express Training Courses
- 4 Express Courses - Discussion Forum
- 1.9K Training Courses
- 18 LFC110 Class Forum
- 6 LFC131 Class Forum
- 25 LFD102 Class Forum
- 150 LFD103 Class Forum
- 17 LFD121 Class Forum
- LFD137 Class Forum
- 61 LFD201 Class Forum
- LFD210 Class Forum
- LFD210-CN Class Forum
- 1 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum
- LFD237 Class Forum
- 23 LFD254 Class Forum
- 598 LFD259 Class Forum
- 102 LFD272 Class Forum
- 1 LFD272-JP クラス フォーラム
- LFD273 Class Forum
- 2 LFS145 Class Forum
- 24 LFS200 Class Forum
- 739 LFS201 Class Forum
- 1 LFS201-JP クラス フォーラム
- 3 LFS203 Class Forum
- 69 LFS207 Class Forum
- 300 LFS211 Class Forum
- 54 LFS216 Class Forum
- 47 LFS241 Class Forum
- 41 LFS242 Class Forum
- 37 LFS243 Class Forum
- 11 LFS244 Class Forum
- 34 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 140 LFS253 Class Forum
- LFS254 Class Forum
- 1K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 92 LFS260 Class Forum
- 130 LFS261 Class Forum
- 32 LFS262 Class Forum
- 79 LFS263 Class Forum
- 15 LFS264 Class Forum
- 11 LFS266 Class Forum
- 17 LFS267 Class Forum
- 17 LFS268 Class Forum
- 23 LFS269 Class Forum
- 203 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- LFS281 Class Forum
- 221 LFW211 Class Forum
- 167 LFW212 Class Forum
- SKF100 Class Forum
- 902 Hardware
- 219 Drivers
- 74 I/O Devices
- 44 Monitors
- 115 Multimedia
- 209 Networking
- 101 Printers & Scanners
- 85 Storage
- 761 Linux Distributions
- 88 Debian
- 66 Fedora
- 15 Linux Mint
- 13 Mageia
- 24 openSUSE
- 141 Red Hat Enterprise
- 33 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 477 Linux System Administration
- 41 Cloud Computing
- 69 Command Line/Scripting
- Github systems admin projects
- 95 Linux Security
- 77 Network Management
- 108 System Management
- 49 Web Management
- 66 Mobile Computing
- 23 Android
- 29 Development
- 1.2K New to Linux
- 1.1K Getting Started with Linux
- 536 Off Topic
- 131 Introductions
- 216 Small Talk
- 21 Study Material
- 817 Programming and Development
- 275 Kernel Development
- 508 Software Development
- 928 Software
- 260 Applications
- 184 Command Line
- 3 Compiling/Installing
- 76 Games
- 316 Installation
- 59 All In Program
- 59 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)