
FreeRADIUS

Last updated 2015/09/07

Return to the Suffield Academy Network Documentation Homepage

A printable version of this document is also available.

  • FreeRADIUS
    • Setting up Samba
    • Configuring FreeRADIUS
    • TODO

Introduction

RADIUS is a protocol used by many pieces of networking equipment to authenticate and authorize users who wish to access the network. It also forms the base of 802.1X, aka WPA-Enterprise, which is the best-known method for securing wireless networks (as opposed to pre-shared single-key systems such as WPA-Personal).

FreeRADIUS is a wonderful piece of software that acts as a RADIUS server. It allows you to authenticate against numerous back-ends (flat files, SQL, LDAP, ActiveDirectory), has built-in configurations for redundancy and failover, and even has options for embedded languages like Perl so you can write your own custom server logic.

This document describes our setup and configuration of FreeRADIUS.

A few implementation notes/assumptions; the code we use has been tested in the following environment:

We currently use Juniper gear on the wired side (EX4200/3200 switches). We also use Juniper (formerly Trapeze) wireless controllers.

We currently use a Samba-based ActiveDirectory domain for centralized authentication.

Debian Jessie is the base operating system that we run everything on.

Design

We have two RADIUS servers that operate in parallel with each other. They are configured identically (except for minor differences like hostnames) and serve requests independently of each other.

FreeRADIUS is configured to provide the following major services (there are nearly a dozen configured modules, but these are the most important):

  • EAP termination (negotiating and tunneling a RADIUS request over a secure TLS tunnel). Note that some of our equipment does the EAP termination on the device, and passes us a raw RADIUS request. Thus, our server needs to handle both.
  • Authorization (determining if a username is allowed to access a given resource). We check username formatting to reject obviously bad usernames, and also do some MAC address checking for MAC-based auth. However, the majority of requests are not rejected on authorization reasons, as we prefer to use other means to contain users who should not be allowed (switching them to dead-end VLANs).
  • Authentication (determining if a user is who they say they are). We pass usernames to our ActiveDirectory controllers to check passwords. MAC addresses have no authentication (there's no password), so the best we can do is confirm time-of-day or location-based rules.
  • Post-Auth (setting policy). After a user passes authorization and authentication, we can specify other options for the connection. The most popular are VLAN assignment and Filter (ACLs). This is very flexible and gives us the ability to change user's abilities to access the network at different times without having to flat-out reject them. For example, we can dead-end students at certain times of day without having to reject them outright (which might lead to them getting 'invalid password' messages that make them think something is wrong with the way they're authenticating).
  • Accounting. The network equipment sends accounting packets for each authenticated session so we can track duration, traffic amounts, and other details.
  • Logging. At several points we log information to help diagnose problems or generate reports. We include full detail logging of entire request packets on a per-user and per-access-point basis, as well as a full debug log for all users. We also emit a selected amount of data to syslog (auth attempts, and their resulting failure or success) for analysis. Finally, accounting data can be logged and correlated later.
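As an added illustration of the authorization and post-auth policy described above (example code written for this page, not Suffield's rlm_perl script), the Python sketch below normalizes the MAC spellings different switches send, checks that User-Name matches Calling-Station-Id, and steers unknown or curfewed hosts to a dead-end VLAN via the Tunnel-* reply attributes instead of rejecting them. The MAC table, VLAN ids and curfew window are constructed values.

```python
import re
from datetime import time

# Constructed MAC database (not Suffield's data): MAC -> VLAN, plus an optional
# nightly window during which the host is dead-ended instead of rejected.
KNOWN_MACS = {
    "00:11:22:33:44:55": {"vlan": "100", "curfew": (time(23, 0), time(6, 0))},
    "66:77:88:99:aa:bb": {"vlan": "20", "curfew": None},
}
DEAD_END_VLAN = "999"  # default for unknown hosts and for curfewed hosts

def normalize_mac(raw):
    """Accept the MAC spellings different NAS vendors send (aabb.ccdd.eeff,
    AA-BB-..., aa:bb:...) and return aa:bb:cc:dd:ee:ff, or None if malformed."""
    if re.search(r"[^0-9a-fA-F.:-]", raw):
        return None
    digits = re.sub(r"[.:-]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def in_window(now, window):
    """True if `now` is inside [start, end); the window may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def authorize(user_name, calling_station_id, now):
    """Return (accept, reply_attrs) for a MAC-auth request.

    Only malformed requests are rejected; policy for unknown or curfewed hosts
    is applied by steering them to the dead-end VLAN, so they never see an
    'invalid password' style failure.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None or normalize_mac(user_name) != mac:
        return False, {"Reply-Message": "malformed or mismatched MAC"}
    entry = KNOWN_MACS.get(mac)
    vlan = DEAD_END_VLAN
    if entry is not None and not (entry["curfew"] and in_window(now, entry["curfew"])):
        vlan = entry["vlan"]
    # Tunnel-* are the standard RADIUS attributes switches read for VLAN assignment.
    return True, {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }
```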

Setting up Samba

We're authenticating against AD, so we'll need Kerberos and Winbind stuff:

Kerberos

If prompted, accept the default configuration for Kerberos. It doesn't matter much; we'll be paving over the config file with this (substitute your AD realm name in ALL CAPS):

You should verify that you can get a kerberos ticket at this point:

Samba

Next, go grab the smb.conf.member_server config file from the activedirectory repository and drop it into /etc/samba/smb.conf. Note that you may wish to set the password server option to list a preferred set of servers, followed by the '*' wildcard for auto-lookup. In this way, you can diversify the servers used from different RADIUS servers but still maintain auto-failover.

Restart samba:

Now, join the server to the domain:

Note that there might be some IPv6 errors, but those are (apparently?) harmless...

Generate a keytab:

Confirm that it passed the smoke test:

If that passes, then you can be reasonably sure that you've joined thedomain and are ready to move on to the next step.

Winbind

Winbind is a daemon that allows you to translate between the world of UNIX authentication and ActiveDirectory authentication. You can use it to merge with NSS and other system-wide tools to authenticate users on your Linux box via ActiveDirectory.

In this case, we're setting it up so FreeRADIUS can use it to authenticate users. We won't integrate it with the system as a whole; just FreeRADIUS.

Restart winbindd:

A few basic tests:

You should get back sane answers from those (substitute real usernames and passwords). If you do, then auth is working and you're ready to have FreeRADIUS use it.

Building FreeRADIUS

Follow these directions to build FR from source:

(Substitute the current stable version number as found on http://freeradius.org/download.html)

The 'installs' dependencies are found in the source package debian/control file.

Note that as of this writing (FR 3.0.9) there is a bug where two of the FR packages both list the same module files, and so they conflict. Edit the debian/freeradius.install file and change:

to

(See https://github.com/FreeRADIUS/freeradius-server/issues/1125 for more information.)

When you're ready to build:

If it all builds well, install the packages (path is relative to the build directory):

Configuring FreeRADIUS

Attempting to describe the configuration of FreeRADIUS here would take far too long and take too much space. The configuration files (in /etc/freeradius) are the best place to start. All of our changes are heavily commented (grep for 'suffield:'), and in most cases we've actually made copies of entire files and renamed them with an 'sa-' prefix to make them easier to find. For example, instead of changing the 'eap' file in 'mods-available', we made a copy named 'sa-eap' and kept all our changes there.

FreeRADIUS has a few files that aren't auto-included, and so must be named by convention. radiusd.conf and clients.conf have our modifications (again, commented), but the files have not been renamed.

If you're just getting familiar with the sources, start with the sa-authz and sa-accounting files in the sites-available directory. Those are the top-level 'server' files, which reference the other files we've configured. They'll give a good overview of how the configuration is organized. Additionally, the clients.conf file contains the very-necessary definition of clients that are allowed to connect to the server, as well as the shared secrets used between them.

(See TODO for more information on how this might change.)

Winbind Socket Access

If using winbind to authenticate users against AD, you must grant read permissions to the user FreeRADIUS runs as:

(Those are the default usernames and file locations under Debian Jessie.)

FreeRADIUS Configuration

To get the config up and running, make sure that all of the 'sa-' files have been symlinked into their 'enabled' directories (for modules and sites). The sites-enabled directory should only contain the 'sa-' prefixed symlinks; remove the default and inner-tunnel links.

Other files should go where they are defined (policy.d, top-level, and others).

To test the config, run freeradius -XC. If no errors are reported, you can run the server in debug mode with freeradius -X. That will provide extensive output to the console and you can test connections to the server (many network equipment operating systems have a 'radtest' or 'radping' function that lets you send test queries to the server).

If all looks good, you can use the init scripts to start freeradius permanently.

TODO

Check files into source control

Right now, the /etc/freeradius files are not checked into source control. They were built as a one-off on Jacen. To make things a little better, consider the following plan:

Edit /etc/default/freeradius and have it search for a config file in /etc/freeradius/suffield/$(hostname -s).conf. If found, append the '-n $(hostname -s)' to FREERADIUS_OPTIONS.

Make a copy of the default radiusd.conf file and name it by hostname. Comment out stuff you don't need (proxy?) and include anything non-standard you want (a separate clients file?).

Maybe even have that radiusd.conf copy generic, and have a per-hostname file that sets a few global variables (like hostname) and INCLUDES it.

The only real issue left is/are the secrets in clients.conf and eap, which are coded into the file but not easy to load from somewhere else. Maybe have a SECRETS file that has all the sensitive data, and the other modules can reference the variables set there. Then that could be the only thing that ISN'T checked into source control.

Fix accounting

Right now, we've built a nice 'robust' accounting server that logs in two phases: once to disk in 'detail' format, and then reading that format to perform the final handling. If the second phase fails for any reason, the first continues to chug along logging to disk until it becomes available again.

We've written a basic perl script that 'handles' the accounting by line logging to a file, but ideally we'd want to do some SQL logging of things. The hooks are there, but there's still some work to do:

Current plan is to let the perl 'preacct' hook handle all the heavy lifting: fix any missing attributes (possibly by adding hooks and storage to the authz phases), and coalesce values into counters. Might need to invent some 'SA-*' AVPs to store these (add them to our sa-dictionary).

Next, hollow out the SQL module to just do accounting updates using a new schema that references these attributes. The built-in schema is fine, but is missing some things we'd want (like NAS-Location-Id) in our reporting. Easier to just synthesize it all with something flexible like perl, and then let the SQL code just grab it and dump it in the DB.
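To make the second accounting phase concrete (an added example for this page, not Suffield's perl preacct script), the Python below reads records in the on-disk 'detail' format written by rlm_detail and coalesces them into one row of counters per Acct-Session-Id: cumulative counters are replaced rather than summed, Acct-Input-Gigawords is folded into the 32-bit octet counter, a User-Name missing from a Stop record is inherited from the earlier record, and a record with no session id is skipped. The sample records are constructed.

```python
import re

# Constructed sample in rlm_detail's on-disk format (not a real Suffield log):
# timestamp line, tab-indented "Attribute = value" lines, blank line between
# records. The Stop record deliberately omits User-Name.
SAMPLE_DETAIL = """\
Mon Sep  7 10:05:00 2015
\tAcct-Session-Id = "8f3a01"
\tAcct-Status-Type = Interim-Update
\tUser-Name = "alice"
\tAcct-Input-Octets = 4096
\tAcct-Session-Time = 300

Mon Sep  7 10:10:00 2015
\tAcct-Session-Id = "8f3a01"
\tAcct-Status-Type = Stop
\tAcct-Input-Gigawords = 1
\tAcct-Input-Octets = 512
\tAcct-Session-Time = 600
"""
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

def parse_detail(text):
    """Yield one dict per record; the timestamp line is kept under '_logged_at'."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_logged_at": lines[0].strip()}
        for m in filter(None, map(ATTR_RE.match, lines[1:])):
            rec[m.group(1)] = m.group(2).strip('"')
        yield rec

def coalesce(records):
    """Fold Interim-Update/Stop records into one entry per session. Counters are
    cumulative, so the newest value replaces the old one (never sum them); a
    User-Name missing from a later record is inherited from an earlier one."""
    sessions = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if sid is None:  # a record without a session id cannot be attributed
            continue
        s = sessions.setdefault(sid, {"status": None, "input": 0, "seconds": 0})
        if "User-Name" in rec:
            s["User-Name"] = rec["User-Name"]
        s["status"] = rec.get("Acct-Status-Type", s["status"])
        if "Acct-Input-Octets" in rec:  # 32-bit counter; Gigawords holds the high bits
            high = int(rec.get("Acct-Input-Gigawords", 0))
            s["input"] = (high << 32) | int(rec["Acct-Input-Octets"])
        s["seconds"] = int(rec.get("Acct-Session-Time", s["seconds"]))
    return sessions
```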

Merge MAC-auth and CoA

Still looking to improve upon the perl authz script to deal with CoA and MAC auth. Probably use redis (or another shared key/value store) to hold the MAC/port/role/etc database.