pfSense mit freeradius - MAB via Cisco Switch (erledigt)



  • Moin,

    habe mir gerade FreeRADIUS auf die pfSense gezogen und wollte mit einfachem MAB via Cisco-Switch anfangen.
    Leider bisher erfolglos.

    Folgende Infos zum Thema:

    Cisco Config (2960CX):
    vlan 25
    int vlan 25
    ip address 192.168.25.200 255.255.255.0
    ! This address is the source of all RADIUS traffic (see "ip radius source-interface"
    ! below) and must equal "ipaddr" of the client entry in clients.conf on the pfSense.

    aaa new-model
    aaa group server radius PFS
    ip radius source-interface vlan 25
    ! No auth-port/acct-port is given, so IOS uses its legacy default 1645 while
    ! FreeRADIUS on the pfSense listens on 1812 -- the cause of the "no RADIUS log
    ! entries" symptom (see the resolution below). Fix, with the standard accounting port:
    !   server-private 192.168.25.250 auth-port 1812 acct-port 1813 key <shared-secret>
    ! The literal "password" is a placeholder-strength shared secret; RADIUS over UDP
    ! relies entirely on it. Use a long random string and keep it identical to
    ! "secret" in clients.conf.
    server-private 192.168.25.250 key password

    aaa authentication dot1x default group PFS
    ! "authorization network" is needed so the switch applies the Tunnel-* VLAN
    ! attributes returned in the Access-Accept. No "aaa accounting dot1x" is
    ! configured, so no session start/stop records reach the RADIUS server.
    aaa authorization network default group PFS
    dot1x system-auth-control

    interface gi0/1
    switchport mode acc
    authentication port-control auto
    dot1x pae authenticator
    authentication host-mode multi-auth
    mab
    ! Only MAB, no 802.1X: this proves nothing more than the MAC address, which any
    ! host can set. Treat it as device identification, not strong authentication,
    ! and do not put sensitive VLANs behind it.
    authentication order mab
    ! A device that fails or does not answer is still authorized -- into VLAN 666.
    ! Every unknown device lands there, so that VLAN must be isolated from VLAN 25
    ! (management/RADIUS) and from anything else it should not reach.
    authentication event fail action authorize vlan 666
    authentication event no-response action authorize vlan 666

    pfSense – FreeRADIUS-Konfiguration via pfSense-GUI ergibt folgende Konfigdateien:

    radiusd.conf:
    /usr/local/etc/raddb/radiusd.conf
    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    name = radiusd
    confdir = ${raddbdir}
    modconfdir = ${confdir}/mods-config
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    run_dir = ${localstatedir}/run
    db_dir = ${raddbdir}
    libdir = /usr/local/lib/freeradius-3.0.17
    pidfile = ${run_dir}/${name}.pid
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    regular_expressions = yes
    extended_expressions = yes

    # The UDP port the server listens on (1812 by default) is not set in this file;
    # it comes from the "listen" sections in sites-enabled/, included at the end.
    log {
    # All log output goes to syslog (facility "daemon"); the "file" path below is
    # then not written. On the pfSense look in the system log, not in radius.log.
    destination = syslog
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    # auth_badpass = yes writes the rejected password into the log in clear text.
    # For MAB that is just a MAC address, but if this instance later serves user
    # logins, mistyped user passwords end up in syslog -- consider "no" then.
    auth_badpass = yes
    auth_goodpass = no
    msg_goodpass = "GRANTED"
    msg_badpass = "DENIED"
    msg_denied = "You are already logged in - access denied"
    }

    checkrad = ${sbindir}/checkrad
    security {
    allow_core_dumps = no
    max_attributes = 200
    # Seconds to wait before sending an Access-Reject; slows down password/secret guessing.
    reject_delay = 1
    status_server = no
    # Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
    # This only skips FreeRADIUS's own OpenSSL version check; it does not make an
    # outdated library safe. Keep pfSense/FreeBSD package updates current instead.
    allow_vulnerable_openssl = yes
    }

    # clients.conf lists which NAS addresses may talk to this server and with which secret.
    $INCLUDE clients.conf
    thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_queue_size = 65536
    max_requests_per_server = 0
    auto_limit_acct = no
    }

    modules {
    $INCLUDE ${confdir}/mods-enabled/
    }

    instantiate {
    exec
    expr
    expiration
    logintime
    ### Dis-/Enable sql instantiate
    #sql
    daily
    weekly
    monthly
    forever
    }
    policy {
    $INCLUDE policy.d/
    }
    $INCLUDE sites-enabled/

    clients.conf
    /usr/local/etc/raddb/clients.conf

    client "switch" {
    # Must equal the address the switch sends from ("ip radius source-interface
    # vlan 25" = 192.168.25.200). Requests from any other source are not answered.
    ipaddr = 192.168.25.200
    proto = udp
    # Same placeholder secret as on the switch ("key password"). RADIUS over UDP
    # relies entirely on this value for request integrity -- use a long random one.
    secret = 'password'
    # With "no", Access-Requests without a Message-Authenticator attribute are
    # accepted, so a request with a spoofed source address is protected only by the
    # secret. Set to "yes" once a debug trace confirms the switch sends the attribute.
    require_message_authenticator = no
    nas_type = cisco
    ### login = !root ###
    ### password = someadminpass ###
    # NOTE(review): the limit section governs TCP connections and is presumably
    # ignored for proto = udp -- harmless as is.
    limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
    }
    }

    macs.conf

    /usr/local/etc/raddb/authorized_macs

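    # One entry per permitted MAC. Key and Cleartext-Password must be spelled exactly
    # as the switch sends User-Name / User-Password (separator and case); verify against
    # the first Access-Request in a debug trace -- Cisco MAB typically sends 12 lowercase
    # hex digits without separators, unlike the dashed form written here.
    # Because the password equals the MAC, knowing the MAC is all that is needed to get
    # this VLAN, so VLAN 25 should not be a sensitive one.
    # Reply attributes go on the lines directly below the entry, indented, separated by
    # commas, the last one unterminated and with a closed quote (the pasted version had a
    # blank line between check and reply items and an unclosed "25).
    54-31-50-6d-4d-8e Cleartext-Password := "54-31-50-6d-4d-8e"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "25"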
    

    Sorry für den Haufen Config, aber dann kommen ggf. weniger Rückfragen.

    Zwischen Switch und pfSense besteht Erreichbarkeit, aber interessanterweise bekomme ich auch keine RADIUS-Logeinträge.

    Grüße
    Toni



  • Problem gelöst!

    Hatte den falschen Port verwendet:
    Cisco verwendet standardmäßig Port 1645,
    FreeRADIUS auf der pfSense standardmäßig 1812. Der Switch hat also an einen Port gesendet, auf dem FreeRADIUS gar nicht lauscht – daher auch keine Logeinträge.