
I'm attempting to configure FreeRADIUS to work with Dynamic VLAN Assignment.

What I'm attempting to do is return a specific VLAN ID for known hosts, but return a default VLAN ID for unknown hosts.

This is my first stab at creating a /etc/freeradius/users file, with a single valid mac address...

DEFAULT
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Fall-Through = Yes

00188bc6db33    Cleartext-Password := "00188bc6db33"
                Tunnel-Private-Group-ID := 9

DEFAULT
                Auth-Type = Accept,
                Tunnel-Private-Group-ID = 1

If I test this using a valid MAC address, it works fine and returns the VLAN ID of 9.

root@wwwcache1:/etc/freeradius# radtest 00188bc6db33 00188bc6db33 127.0.0.1 0 testing123
Sending Access-Request of id 251 to 127.0.0.1 port 1812
        User-Name = "00188bc6db33"
        User-Password = "00188bc6db33"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=251, length=35
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "9"

...but if I use an unknown MAC address, the authentication is rejected.

root@wwwcache1:/etc/freeradius# radtest 0123456789ab 0123456789ab 127.0.0.1 0 testing123
Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = "0123456789ab"
        User-Password = "0123456789ab"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=13, length=20

What I would like to see from radtest for this is:

root@wwwcache1:/etc/freeradius# radtest 0123456789ab 0123456789ab 127.0.0.1 0 testing123
Sending Access-Request of id 251 to 127.0.0.1 port 1812
        User-Name = "0123456789ab"
        User-Password = "0123456789ab"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=251, length=35
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"

How can I force FreeRADIUS to always return an Access-Accept packet regardless of the authentication request?

Bryan

2 Answers


Would it not be better to configure your switch with a "failed auth" vlan? I seriously doubt you'll ever find a way to make any authentication ALWAYS say any username/password combination is correct... without breaking a lot of things.

TheCompWiz
  • D'oh! That's so obvious, it's embarrassing! This reinforces the requirement to take a break every now and again. Thanks! – Bryan Sep 03 '10 at 16:57
  • :D I know that feeling. I think I still have a bald spot & flat forehead from when I was trying to set up my lab with MAC auth. One additional word of advice: don't set up MAC auth on ports that connect to other switches. Let those switches implement MAC auth on their own. – TheCompWiz Sep 03 '10 at 17:07
  • Also... I think HP switches use "xx-xx-xx-xx-xx-xx" instead of "xxxxxxxxxxxx" for MAC auth. – TheCompWiz Sep 03 '10 at 17:08
  • Thanks, these are Dell PowerConnect switches, but thanks for the heads up. If it doesn't work I will check the FreeRADIUS logs as I've enabled authentication logging. – Bryan Sep 04 '10 at 10:47

The problem in the default settings is the password mismatch; that's why it's rejecting other MAC addresses. Try writing your default settings as

DEFAULT        Cleartext-Password := "%{User-Name}"
               Tunnel-Private-Group-ID := 1,
               Reply-Message := "Hello %{User-Name}, You are assigned vlan 1"

This works like a charm on my machine.
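To see why the question's third DEFAULT entry rejects unknown MACs while the entry above accepts them, here is a small Python model of how the FreeRADIUS `files` module walks a `users` file. It is an added example, not code from FreeRADIUS or from either poster, and it deliberately simplifies: only PAP is modelled, check items written with `:=` or `=` are treated as control items (the "known good" `Cleartext-Password`, or `Auth-Type`), `==` items are compared against the request, and `%{User-Name}` is the only xlat expanded. The two embedded `users` files are the question's original and the one with this answer's DEFAULT entry substituted.

```python
"""Toy model of FreeRADIUS users-file processing (added example, not FreeRADIUS code).

Simplifying assumptions: entries are walked top to bottom; check items using
'==' are compared against the request, any other check item becomes a control
item; a control Cleartext-Password is the known-good password that PAP compares
with User-Password; a control Auth-Type of Accept short-circuits; reply items
are returned on Access-Accept; Fall-Through = Yes keeps walking.
"""
import re

# One item: Attribute operator value (quoted values may contain commas).
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

# The question's users file, copied from the post above.
ORIGINAL_USERS = """\
DEFAULT
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Fall-Through = Yes

00188bc6db33    Cleartext-Password := "00188bc6db33"
                Tunnel-Private-Group-ID := 9

DEFAULT
                Auth-Type = Accept,
                Tunnel-Private-Group-ID = 1
"""

# Same file with the last DEFAULT replaced by the entry this answer suggests.
FIXED_USERS = """\
DEFAULT
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Fall-Through = Yes

00188bc6db33    Cleartext-Password := "00188bc6db33"
                Tunnel-Private-Group-ID := 9

DEFAULT        Cleartext-Password := "%{User-Name}"
               Tunnel-Private-Group-ID := 1,
               Reply-Message := "Hello %{User-Name}, You are assigned vlan 1"
"""


def parse_users(text):
    """Parse a users file into (name, check_items, reply_items) tuples.

    Entries are separated by blank lines; the first line carries the name and
    the check items, the indented continuation lines carry the reply items.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        head = lines[0].split(None, 1)
        name = head[0]
        check_src = head[1] if len(head) > 1 else ""
        reply_src = " ".join(ln.strip() for ln in lines[1:])
        check = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(check_src)]
        reply = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(reply_src)]
        entries.append((name, check, reply))
    return entries


def expand(value, request):
    """Expand %{Attr} references from the request (the only xlat modelled)."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), value)


def authorize(entries, request):
    """Walk the entries; return the control list and the reply list."""
    control, reply = {}, {}
    for name, check, repl in entries:
        if name != "DEFAULT" and name != request["User-Name"]:
            continue
        # '==' check items must match the request for the entry to apply.
        if not all(request.get(a) == expand(v, request)
                   for a, op, v in check if op == "=="):
            continue
        for a, op, v in check:
            if op != "==":
                control[a] = expand(v, request)
        fall_through = False
        for a, op, v in repl:
            v = expand(v, request)
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v          # an Auth-Type here is just a reply attribute
        if not fall_through:
            break
    return control, reply


def authenticate(control, request):
    """PAP: compare User-Password with the known-good password, if any."""
    if control.get("Auth-Type") == "Accept":
        return True
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return False                  # "No Auth-Type found: rejecting"
    return request.get("User-Password") == known_good


def access(users_text, username, password):
    """Return ("Access-Accept", reply_attrs) or ("Access-Reject", {})."""
    request = {"User-Name": username, "User-Password": password}
    control, reply = authorize(parse_users(users_text), request)
    if authenticate(control, request):
        return "Access-Accept", reply
    return "Access-Reject", {}


if __name__ == "__main__":
    for users in (ORIGINAL_USERS, FIXED_USERS):
        for mac in ("00188bc6db33", "0123456789ab"):
            print(mac, *access(users, mac, mac))
```

Running it shows the known MAC gets VLAN 9 from the second entry in both files (it has no Fall-Through, so the walk stops there), while the unknown MAC is rejected with the original file because `Auth-Type = Accept` among the reply items only goes back to the NAS as an attribute and leaves no known-good password in the control list; the answer's `Cleartext-Password := "%{User-Name}"` gives every MAC-auth request a known-good password equal to its User-Name, so PAP succeeds and VLAN 1 is returned.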