Netgate Discussion Forum

    FreeRADIUS MAC authentication

      NogBadTheBad @aaronssh

      @aaronssh Try running radsniff -x from an SSH session on your pfSense box

        aaronssh @NogBadTheBad

        @NogBadTheBad

        Screenshot 2023-07-24 at 11.02.12 AM.png

          aaronssh @aaronssh

          @aaronssh I am not sure how to read that output in the screenshot above other than it looks like FreeRADIUS is rejecting the auth attempt. I don't understand why.

            Gertjan @NogBadTheBad

            @NogBadTheBad

            radsniff is nice.

            I'll add another one :
            Shut down FreeRadius in the pfSense GUI.

            On the pfSense command line (SSH - NOT GUI !!) or console : menu 8 :

            radiusd -X
            

            Enjoy.

            Totally useless, but I say it anyway : if you think FreeRadius doesn't show something, then this means it didn't receive something.
            Also, terminology used is rather cryptic. Radius is .... well .... Radius.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              aaronssh @Gertjan

              @Gertjan said in FreeRADIUS MAC authentication:

              radiusd -X

              I do get a lot more info that way, but I don't know how to interpret what I'm seeing here. Can you determine what this means?

              Screenshot 2023-07-24 at 11.36.15 AM.png

              Screenshot 2023-07-24 at 11.36.29 AM.png

                Gertjan @aaronssh

                @aaronssh

                Well ... I never used pfSense FreeRADIUS to do MAC authentication / identification.

                I do see the same :
                4b1fa98f-8e9f-4fd5-b9ff-a50cec877df3-image.png - consider this one harmless.

                I don't know who 10.173.7.104 is, nor 10.173.7.1 (probably pfSense, but it has a strange LAN IP)
                00-e0-97-00-35-4b looks like a MAC. From what device ?
                Etc.

                I'm the more basic "user + password" guy.

                Doesn't the pfSense documentation have a doc / example for you?

                  aaronssh @Gertjan

                  @Gertjan
                  10.173.7.104 is the switch
                  10.173.7.1 is pfSense
                  00-e0-97-00-35-4b is the MAC address on my MacBook

                  So all of that looks right to me, and I don't understand why it is rejecting.

                    keyser Rebel Alliance @aaronssh

                    @aaronssh Perhaps you forgot to enable MAC bypass in Freeradius since your client is 802.1x challenged?

                    6023767d-a6ef-40fc-9b0c-1a5178001b4b-image.png

                    Love the no fuss of using the official appliances :-)

                      aaronssh @keyser

                      @keyser I noticed that and tried it both ways, but it does not change the result or the error messages.

                        aaronssh @aaronssh

                        So I noticed in the logs that both the USER and PASS that are being passed to FreeRADIUS are the MAC address. I have that MAC address entered in the MACs section of FreeRADIUS so to me it seems like it SHOULD at that point authenticate ok. It obviously doesn't.

                        So I thought, what the hell, let's try setting up a user under USERS in FreeRADIUS and enter the MAC address as both the user and pass. Bam, that works! So seems very counterintuitive but that's good enough for me. Thank you everyone for your help!

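Added example (not code from this thread, nor from the FreeRADIUS or pfSense projects): a small Python parser for `radiusd -X`-style debug output that groups lines by request number and flags requests where the switch sends the MAC address as both User-Name and User-Password, as found in the post above. The sample log lines are constructed, and the function names and the assumed `(N) Attribute = value` line layout are assumptions of this example.

```python
import re

# Constructed sample in the style of FreeRADIUS 3 `radiusd -X` debug output.
SAMPLE_DEBUG = '''\
(0) Received Access-Request Id 41 from 10.173.7.104:1645 to 10.173.7.1:1812 length 112
(0)   User-Name = "00-e0-97-00-35-4b"
(0)   User-Password = "00-e0-97-00-35-4b"
(0)   NAS-IP-Address = 10.173.7.104
(0)   Calling-Station-Id = "00-E0-97-00-35-4B"
(0) Sent Access-Reject Id 41 from 10.173.7.1:1812 to 10.173.7.104:1645 length 20
(1) Received Access-Request Id 42 from 10.173.7.104:1645 to 10.173.7.1:1812 length 98
(1)   User-Name = "alice"
(1)   User-Password = "constructed-secret"
(1) Sent Access-Accept Id 42 from 10.173.7.1:1812 to 10.173.7.104:1645 length 20
'''

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')            # "(N) <body>"
ATTR = re.compile(r'^([A-Za-z0-9-]+) = "?([^"]*)"?$')  # "Name = value"
RESULT = re.compile(r'^Sent (Access-\w+) ')         # reply type sent to the NAS
MAC = re.compile(r'^[0-9a-f]{2}([-:.]?[0-9a-f]{2}){5}$', re.I)

def norm_mac(value):
    """Return 12 lower-case hex digits, or None if value is not MAC-shaped."""
    if not MAC.match(value):
        return None
    return re.sub(r'[^0-9a-f]', '', value.lower())

def summarize(debug_text):
    """Group debug lines by request number and flag MAC-as-credential requests."""
    reqs = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        req = reqs.setdefault(int(m.group(1)), {"attrs": {}, "result": None})
        body = m.group(2)
        if (r := RESULT.match(body)):
            req["result"] = r.group(1)
        elif (a := ATTR.match(body)):
            req["attrs"].setdefault(a.group(1), a.group(2))  # keep first value seen
    out = []
    for n, req in sorted(reqs.items()):
        a = req["attrs"]
        user = a.get("User-Name", "")
        mac = norm_mac(user)
        station = norm_mac(a.get("Calling-Station-Id", ""))
        out.append({"request": n, "user": user, "result": req["result"],
                    "mac_as_credentials": mac is not None and a.get("User-Password") == user,
                    "matches_calling_station": mac is not None and mac == station})
    return out
```

Feed it the captured output of a `radiusd -X` session; a request with `mac_as_credentials` set is being handled as an ordinary user/password login whose only secret is the device's MAC address.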
                          keyser Rebel Alliance @aaronssh

                          @aaronssh Well, I’m using mac-auth and my clients are entered on the MAC addresses sheet, so it does work in the right configuration.
                          But if you are not going to use 802.1x you can just create the MAC addresses as users.
