FreeRadius: wireless access points receive no response for MAC authentication
-
Hi all,
I am trying to add dynamic VLAN assignment using MAC authentication with Radius for wireless IoT/low-spec devices which cannot perform 802.1X through my Cisco wireless access points. I have added Freeradius3 (0.15.10_1) to my pfsense (23.09) and configured the options; however, I'm having a problem with the access points getting no response, i.e. no success or failure. At a high level I have:
- Cisco access points configured to connect to freeradius IP with a shared key
- There are next to no options in the wireless access point to configure the connection, however I determined that it always connects to radius on UDP port 1813 which can't be changed
- I've added an 'interface' in freeradius for the pfsense IP in the subnet the access points are connected to and configured it as type Authentication on port 1813.
- The Cisco wireless access points are added to freeradius as 'other' clients with their IPs and set to UDP
- I've added a test device MAC address to the MACs interface configuration, as well as creating a test user with a password
When I try connecting a test device with matching MAC, it:
- makes the initial connection to the wireless access point
- I created a firewall rule to log all connections to port 1813 for that IP, and I can see in the firewall log that the access point makes a connection to Freeradius on port 1813, which shows it was permitted
- However there is no log in the freeradius log showing a successful or failed connection or query.
- The test device connection eventually times out; it doesn't receive an IP address, etc., and it shows in the wireless access point as a failed connection. There are no further logs in the wireless access point.
I also added a test freeradius client on 127.0.0.1. If I SSH to pfsense and run radtest, I get a successful connection & response for the test user I created. The only oddity in the reply is it shows NAS-IP-Address = 192.168.4.1 which is not an IP or subnet in my network.
radtest -x testuser testpassword2 192.168.5.1:1813 0 testing123
Sent Access-Request Id 224 from 0.0.0.0:8656 to 192.168.5.1:1813 length 78
    User-Name = "testuser"
    User-Password = "testpassword2"
    NAS-IP-Address = 192.168.4.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testpassword2"
Received Access-Reject Id 224 from 192.168.5.1:715 to 192.168.5.1:34390 length 20

I've gone through and checked all settings from end to end numerous times but cannot find anything wrong. My assumption is that the Cisco wireless access points are making the connection to Radius on port 1813, but the command/data they are passing in isn't what's expected given how I've configured freeradius, and therefore the connection shows as neither successful nor failed. There are likely some settings I am missing. Any help would be much appreciated.
Many thanks for any help,
Stuart -
I'm not a Freeradius expert, but I'm using it as I was able to copy the settings from Netgate video ... and it worked for ^^
By default, 1813 is accounting. 1812 is authentication.
[23.09.1-RELEASE][root@pfSense.bhfl.tld]/root: radtest x x 192.168.2.1:1812 0 radius
Sent Access-Request Id 11 from 0.0.0.0:93fe to 192.168.2.1:1812 length 71
    User-Name = "x"
    User-Password = "x"
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "x"
Received Access-Accept Id 11 from 192.168.2.1:714 to 192.168.2.1:37886 length 26
    Acct-Interim-Interval = 600
if you want to see what happens real time, stop FreeRadius in the pfSense GUI.
Then on the console or SSH, start it in debug mode:
radiusd -X
and now you see ... a lot.
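To make the two radtest exchanges above concrete, here is an added Python example (standard library only). It is not code from this thread, from pfSense or from FreeRADIUS. It builds the same Access-Request that radtest sends, hides the password the RFC 2865 PAP way, appends the RFC 2869 Message-Authenticator, and checks a reply's Response Authenticator. The identifier, Request Authenticator, shared secret and NAS-IP-Address values are constructed; with the attributes of the first radtest run the packet comes out at 78 bytes and with the second at 71, matching the quoted lengths. The point it illustrates is the difference between an Access-Reject, which the client receives and can verify, and no datagram at all, which a NAS reports as a timeout: FreeRADIUS drops, rather than rejects, a request that arrives from an IP with no client entry or whose Message-Authenticator does not verify with the configured secret, so the only place the reason appears is the server-side debug output.

```python
"""Hand-built RADIUS Access-Request/response (RFC 2865, RFC 2869), standard library only.
Added example for the radtest exchanges quoted above; all values are constructed."""
import hashlib
import hmac
import socket
import struct

# Packet codes (RFC 2865 section 3, RFC 2866 section 4)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Attribute types used below (RFC 2865 section 5, RFC 2869 section 5.14)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def avp(attr_type, value):
    """Encode one Attribute-Value Pair: Type(1) Length(1) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(password, secret, authenticator):
    """PAP hiding (RFC 2865 section 5.2): pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(hidden, secret, authenticator):
    """Server-side inverse of encode_user_password; trailing pad bytes are removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, username, password, secret, nas_ip, nas_port=0):
    """Same attribute set radtest sends: User-Name, User-Password, NAS-IP-Address,
    NAS-Port, plus Message-Authenticator = HMAC-MD5(secret, packet with that
    attribute's value zeroed) per RFC 2869 section 5.14."""
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs) + 18) + authenticator
    unsigned = header + attrs + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the Message-Authenticator with the configured secret.
    A request that fails this check is dropped, not rejected, so the NAS sees silence."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def check_response(response, request_authenticator, secret):
    """Client side: name the packet code and verify the Response Authenticator."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    return CODES.get(code, f"code-{code}"), hmac.compare_digest(response[4:20], expected)


def send_and_wait(packet, server, port=1812, timeout=3.0):
    """Send one request and return the reply datagram, or None if the server stays
    silent (unknown client IP, secret mismatch, or wrong port/listener type)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

Against a live server the call is `send_and_wait(build_access_request(224, os.urandom(16), "testuser", "testpassword2", b"testing123", "192.168.4.1"), "192.168.5.1", 1812)`; a `None` return is the silent-drop case, and the corresponding reason (unknown client, invalid Message-Authenticator) is what `radiusd -X` prints on the server side at that moment.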
-
Hi @Gertjan
Thank you for sharing your configuration and suggestions. I'll review my config and carry out more testing with debugging on this weekend. Can I ask, are you authenticating users or devices using username and password in the 'Users' tab, and/or devices with MAC address in the MACs tab?
Thanks,
Stuart