pfSense with freeradius - MAB via Cisco switch (solved)
-
Hi,
I just pulled freeradius onto the pfSense and wanted to start with simple MAB via a Cisco switch.
Unfortunately without success so far. Here is the relevant info:
Cisco config (2960CX):
vlan 25
int vlan 25
 ip address 192.168.25.200 255.255.255.0
aaa new-model
aaa group server radius PFS
 ip radius source-interface vlan 25
 server-private 192.168.25.250 key password
aaa authentication dot1x default group PFS
aaa authorization network default group PFS
dot1x system-auth-control
interface gi0/1
 switchport mode acc
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode multi-auth
 mab
 authentication order mab
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 666
pfSense - the freeRADIUS configuration done via the pfSense GUI produces the following config files:
radiusd.conf:
/usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-3.0.17
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes
log {
destination = syslog
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = no
msg_goodpass = "GRANTED"
msg_badpass = "DENIED"
msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
security {
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = no
# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
allow_vulnerable_openssl = yes
}
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_queue_size = 65536
max_requests_per_server = 0
auto_limit_acct = no
}
modules {
$INCLUDE ${confdir}/mods-enabled/
}
instantiate {
exec
expr
expiration
logintime
### Dis-/Enable sql instantiate
#sql
daily
weekly
monthly
forever
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
clients.conf
/usr/local/etc/raddb/clients.conf
client "switch" {
ipaddr = 192.168.25.200
proto = udp
secret = 'password'
require_message_authenticator = no
nas_type = cisco
### login = !root ###
### password = someadminpass ###
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
macs.conf
/usr/local/etc/raddb/authorized_macs
54-31-50-6d-4d-8e Cleartext-Password := "54-31-50-6d-4d-8e"
	Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = "25"
Sorry for the pile of config, but that should mean fewer follow-up questions.
The switch and the pfSense can reach each other, but interestingly I also don't get any radius log entries.
Regards
Toni
-
Problem solved!
I had used the wrong port.
Cisco uses port 1645 by default,
freeradius on the pfSense defaults to 1812.
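The MAB request discussed in this thread, as an added example that is not from the original posts nor from pfSense or FreeRADIUS: it builds the Access-Request a switch sends for MAB (the MAC as User-Name and as a PAP User-Password hidden with the shared secret per RFC 2865) and decodes it the way the server does, which shows why the secret in clients.conf must match the switch's key, while the two port constants record the mismatch the second post found. The MAC formatting, the attribute set and the NAS address are assumptions taken from the thread; what a given IOS release actually sends depends on its mab settings.

```python
import hashlib
import os
import struct

RADIUS_AUTH_PORT = 1812   # IANA port; what radiusd on pfSense listens on
LEGACY_AUTH_PORT = 1645   # pre-RFC 2865 port; Cisco IOS default when none is set

# Attribute types from RFC 2865; Service-Type = Call-Check (10) marks a MAB request
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 4, 6, 31
SERVICE_TYPE_CALL_CHECK = 10


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; a wrong shared secret yields garbage, hence Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length counts its own 2-byte header."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str, ident: int = 1,
                      authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) for MAB: the MAC is sent as both user name and password (assumed format)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, mac.encode())
             + attr(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes):
    """Split a RADIUS packet into its Request Authenticator and a {type: value} attribute map."""
    body, attrs, i = packet[20:], {}, 0
    while i < len(body):
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return packet[4:20], attrs
```

Sending the packet with `socket.sendto` to the pfSense address on RADIUS_AUTH_PORT (not LEGACY_AUTH_PORT) is what makes an entry appear in the radius log.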