Netgate Discussion Forum
    pfSense with freeradius - MAB via Cisco switch (solved)

      Toni 0
      last edited by Toni 0

      Hi,

      I just installed freeradius on the pfSense and wanted to start with simple MAB via a Cisco switch.
      No success so far, unfortunately.

      Here is the relevant information:

      Cisco Config (2960CX):
      vlan 25
      int vlan 25
      ip address 192.168.25.200 255.255.255.0

      aaa new-model
      aaa group server radius PFS
      ip radius source-interface vlan 25
      server-private 192.168.25.250 key password

      aaa authentication dot1x default group PFS
      aaa authorization network default group PFS
      dot1x system-auth-control

      interface gi0/1
      switchport mode acc
      authentication port-control auto
      dot1x pae authenticator
      authentication host-mode multi-auth
      mab
      authentication order mab
      authentication event fail action authorize vlan 666
      authentication event no-response action authorize vlan 666

      pfSense - the freeRADIUS configuration done via the pfSense GUI results in the following config files:

      radiusd.conf:
      /usr/local/etc/raddb/radiusd.conf
      prefix = /usr/local
      exec_prefix = ${prefix}
      sysconfdir = ${prefix}/etc
      localstatedir = /var
      sbindir = ${exec_prefix}/sbin
      logdir = ${localstatedir}/log
      raddbdir = ${sysconfdir}/raddb
      radacctdir = ${logdir}/radacct
      name = radiusd
      confdir = ${raddbdir}
      modconfdir = ${confdir}/mods-config
      certdir = ${confdir}/certs
      cadir = ${confdir}/certs
      run_dir = ${localstatedir}/run
      db_dir = ${raddbdir}
      libdir = /usr/local/lib/freeradius-3.0.17
      pidfile = ${run_dir}/${name}.pid
      max_request_time = 30
      cleanup_delay = 5
      max_requests = 1024
      hostname_lookups = no
      regular_expressions = yes
      extended_expressions = yes

      log {
      destination = syslog
      colourise = yes
      file = ${logdir}/radius.log
      syslog_facility = daemon
      stripped_names = yes
      auth = yes
      auth_badpass = yes
      auth_goodpass = no
      msg_goodpass = "GRANTED"
      msg_badpass = "DENIED"
      msg_denied = "You are already logged in - access denied"
      }

      checkrad = ${sbindir}/checkrad
      security {
      allow_core_dumps = no
      max_attributes = 200
      reject_delay = 1
      status_server = no
      # Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
      allow_vulnerable_openssl = yes
      }

      $INCLUDE clients.conf
      thread pool {
      start_servers = 5
      max_servers = 32
      min_spare_servers = 3
      max_spare_servers = 10
      max_queue_size = 65536
      max_requests_per_server = 0
      auto_limit_acct = no
      }

      modules {
      $INCLUDE ${confdir}/mods-enabled/
      }

      instantiate {
      exec
      expr
      expiration
      logintime
      ### Dis-/Enable sql instantiate
      #sql
      daily
      weekly
      monthly
      forever
      }
      policy {
      $INCLUDE policy.d/
      }
      $INCLUDE sites-enabled/

      clients.conf
      /usr/local/etc/raddb/clients.conf

      client "switch" {
      ipaddr = 192.168.25.200
      proto = udp
      secret = 'password'
      require_message_authenticator = no
      nas_type = cisco
      ### login = !root ###
      ### password = someadminpass ###
      limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
      }
      }

      macs.conf

      /usr/local/etc/raddb/authorized_macs

      54-31-50-6d-4d-8e Cleartext-Password := "54-31-50-6d-4d-8e"
              Tunnel-Type = VLAN,
              Tunnel-Medium-Type = IEEE-802,
              Tunnel-Private-Group-ID = "25"

      Sorry for the pile of config, but that way there should be fewer follow-up questions.

      The switch and the pfSense can reach each other, but interestingly I also get no radius log entries at all.

      Regards
      Toni

      Toni 0

        Problem solved!

        I had used the wrong port.
        Cisco uses port 1645 by default,
        freeradius on the pfSense defaults to 1812.

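The exchange the thread sets up, as an added Python example (not from the posts, pfSense or FreeRADIUS): the switch's MAB Access-Request carries the client MAC as both User-Name and RFC 2865 PAP-hidden User-Password, which is why the authorized_macs entry sets Cleartext-Password to the MAC itself, and the server side accepts only when the hidden password decrypts to that same MAC. The MAC, shared secret and NAS address are taken from the thread; the attribute numbers come from RFC 2865 and the Call-Check service type is what Cisco switches send for MAB. The code only builds and checks packet bytes and does not send anything, so the 1645 vs 1812 port mismatch from the second post is outside what it shows.

```python
import hashlib, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALL_CHECK = 10  # Service-Type value Cisco switches set on MAB requests

def pap_crypt(data, secret, authenticator, encrypt):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator  # the first block chains on the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if encrypt else data[i:i + 16]  # the ciphertext block in both directions
    return out

def avp(attr_type, value):  # Type, Length (header included), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_mab_request(mac, secret, nas_ip, authenticator=None, ident=1):
    """MAB Access-Request: the client MAC is both User-Name and (hidden) User-Password."""
    authenticator = authenticator or os.urandom(16)
    padded = mac.encode().ljust(-(-len(mac) // 16) * 16, b"\x00")  # zero-pad to 16n bytes
    attrs = (avp(USER_NAME, mac.encode())
             + avp(USER_PASSWORD, pap_crypt(padded, secret, authenticator, encrypt=True))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2: break  # malformed attribute; a zero length would loop forever
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def mab_authorize(packet, secret, authorized_macs):
    """Server side of an authorized_macs entry '<mac> Cleartext-Password := "<mac>"':
    the reply items if User-Password decrypts to User-Name, None for an Access-Reject."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    attrs = parse_attrs(packet)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = pap_crypt(attrs.get(USER_PASSWORD, b""), secret, packet[4:20], encrypt=False)
    return authorized_macs.get(name) if hidden.rstrip(b"\x00").decode(errors="replace") == name else None

# Constructed sample from the thread: the authorized_macs MAC and its VLAN 25 reply items.
AUTHORIZED = {"54-31-50-6d-4d-8e": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                                    "Tunnel-Private-Group-ID": "25"}}
```

The text form of the MAC the switch sends (separators, case) has to match the authorized_macs entry exactly, and the shared secret has to match on both ends, otherwise the decrypted User-Password never equals User-Name and the request is rejected.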