FreeRADIUS handing out IPs even when MAC auth fails
-
We have enabled 802.1x auth on our network switches to authenticate against FreeRADIUS using MAC addresses. We can see the requests come in and the FreeRADIUS logs correctly show approval of a registered MAC address and hand out the IP.
- Login OK: [0004c0410cd] (from client NativeLAN port 5 cli 00-B0-4C-04-10-CD)
- Sent Access-Accept Id 17 from 128.1.6.250:1812 to 128.1.5.8:33162 length 20
But when we plug in a device with an unregistered MAC, we can see the request come in and it is marked to reject, but pfSense STILL gives it an IP address anyway.
- Login incorrect (Failed retrieving values required to evaluate condition): [6c2b5933b2fb] (from client NativeLAN port cli 6C-2B-59-33-B2-FB)
- Sent Access-Reject Id 18 from 128.1.6.250:1812 to 128.1.5.8:33162 length 20
Why is pfSense giving out an IP even though auth fails and it is marked as reject? And how do I get it working?
-
Any ideas anyone? I'm stuck and out of ideas. Thank you in advance for your help,
Aaron
-
Not really.
But I know a way so you can see all the details.
In the GUI, stop FreeRADIUS (the circled square).
Now, go to SSH or console, option 8, and start radius in debug mode:
radiusd -X
Now you'll see what radius does in real time ...
-
@Gertjan Yes, that is how I acquired the logs shown in my original post.
-
@aaronssh said in FreeRADIUS handing out IPs even when MAC auth fails:
Any ideas anyone? I'm stuck and out of ideas. Thank you in advance for your help,
Aaron
The issue is not at pfSense but at your switch/wifi point. It obviously does not respect the RADIUS reject and still puts the user on a VLAN. pfSense DHCP knows nothing about authentication; it just serves IP addresses to clients asking. The switch or Wifi AP should deny the client access to a LAN when it sees a reject from RADIUS.
-
@keyser Thank you, I was wondering if that was the case! I will follow up with the switch vendor.
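An added example, not posted by anyone in this thread: a small Python script that puts keyser's point into something you can check on the pfSense box. It reads FreeRADIUS "Login OK" / "Login incorrect" lines (same shape as the ones pasted above, taking the MAC from the `cli` Calling-Station-Id) and ISC dhcpd `DHCPACK` lines from the pfSense DHCP log, and lists every MAC that received a lease after RADIUS sent Access-Reject. Because DHCP has no knowledge of 802.1X, a non-empty result is the fingerprint of a switch or AP that is not enforcing the RADIUS verdict. All log lines below are constructed for the example; the 128.1.x addresses and MACs just mirror the thread.

```python
import re

# FreeRADIUS auth log / radiusd -X summary line, e.g.
#   Login incorrect (...): [6c2b5933b2fb] (from client NativeLAN port 7 cli 6C-2B-59-33-B2-FB)
# The bracketed username can be mistyped or truncated, so the MAC is taken
# from the Calling-Station-Id after "cli".
RADIUS_RE = re.compile(
    r"Login (?P<result>OK|incorrect).*?cli (?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
)

# ISC dhcpd (pfSense DHCP server) lease confirmation line, e.g.
#   dhcpd: DHCPACK on 128.1.5.21 to 6c:2b:59:33:b2:fb via em1
DHCP_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)


def norm_mac(mac: str) -> str:
    """Normalise 00-B0-4C-04-10-CD / 00:b0:4c:04:10:cd to 00b04c0410cd."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_radius(lines):
    """Map MAC -> True (Access-Accept) / False (Access-Reject), last verdict wins."""
    verdicts = {}
    for line in lines:
        m = RADIUS_RE.search(line)
        if m:
            verdicts[norm_mac(m.group("mac"))] = m.group("result") == "OK"
    return verdicts


def parse_dhcp(lines):
    """Map MAC -> last IP address the DHCP server acknowledged for it."""
    leases = {}
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            leases[norm_mac(m.group("mac"))] = m.group("ip")
    return leases


def leases_despite_reject(radius_lines, dhcp_lines):
    """Return sorted (mac, ip) pairs that got a lease although RADIUS rejected them."""
    verdicts = parse_radius(radius_lines)
    leases = parse_dhcp(dhcp_lines)
    return sorted(
        (mac, ip) for mac, ip in leases.items() if verdicts.get(mac) is False
    )


# Constructed sample input (not real captures).
RADIUS_LOG = [
    "Login OK: [00b04c0410cd] (from client NativeLAN port 5 cli 00-B0-4C-04-10-CD)",
    "Login incorrect (Failed retrieving values required to evaluate condition): "
    "[6c2b5933b2fb] (from client NativeLAN port 7 cli 6C-2B-59-33-B2-FB)",
    "Login incorrect (Failed retrieving values required to evaluate condition): "
    "[aabbccddeeff] (from client NativeLAN port 9 cli AA-BB-CC-DD-EE-FF)",
]
DHCP_LOG = [
    "Apr  1 10:00:01 pfSense dhcpd: DHCPACK on 128.1.5.20 to 00:b0:4c:04:10:cd via em1",
    "Apr  1 10:00:05 pfSense dhcpd: DHCPACK on 128.1.5.21 to 6c:2b:59:33:b2:fb via em1",
]

if __name__ == "__main__":
    for mac, ip in leases_despite_reject(RADIUS_LOG, DHCP_LOG):
        print(f"REJECTED by RADIUS but leased {ip}: {mac}  <- switch/AP not enforcing 802.1X")
```

Run it against the real files (on pfSense the DHCP lines are in the system log under the dhcpd process; the RADIUS lines come from the FreeRADIUS log or a `radiusd -X` capture). The rejected MAC that never appears in a DHCPACK (AA-BB-CC-DD-EE-FF above) is the healthy case: the port stayed closed, so the client never reached the DHCP server at all.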