MAC Authentication using FreeRadius
We have FreeRadius FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. Our sever is a SLES 11 server. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a Radius server. We are attempting to have users authenticate to our wireless network only by using their devices MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter applicance.
We have been following the website Mac Auth
We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
client 10.0.9.77 {
secret = xxxxxxxx
shortname = 10.0.9.77
nastype = cisco
}
This is the IP address of our WAP. We have configured the WAP under the Wireless section:
Basic Setting SSID = RADIUS TEST SSID broadcast enabled
Security currently disabled
Connection Control set to RADIUS with the IP address of the server and the secret question.
On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
We have also attempted to connect by adding the following to the clients.conf file with no luck.
client 10.0.8.0/21 {
secret = xxxxxxx
shortname = KAHS
}
Any guidance would be greatly appreciated.
We have been following the website Mac Auth
We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
client 10.0.9.77 {
secret = xxxxxxxx
shortname = 10.0.9.77
nastype = cisco
}
This is the IP address of our WAP. We have configured the WAP under the Wireless section:
Basic Setting SSID = RADIUS TEST SSID broadcast enabled
Security currently disabled
Connection Control set to RADIUS with the IP address of the server and the secret question.
On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
We have also attempted to connect by adding the following to the clients.conf file with no luck.
client 10.0.8.0/21 {
secret = xxxxxxx
shortname = KAHS
}
Any guidance would be greatly appreciated.
Comments
-
ecbanks Member Posts: 22 ■■■□□□□□□□I haven't done that setup, but I think a good start would be getting a packet capture running to see what traffic is coming into the RADIUS server. It's hard to tell if the laptop isn't making the attempt to authenticate, if the WAP and RADIUS server aren't talking at all, or if there's partial communication, but a breakdown somewhere due to key mismatches or other configuration issue.
Your SUSE box probably has tcpdump built-in at the CLI to allow for the packet capture. Alternately, just do a port-mirror off of a switch and use WireShark./Ethan -
katech Registered Users Posts: 2 ■□□□□□□□□□Sorry for the late reply. Other "emergency" situations came up. Ran the command you suggested. In the terminal windows I have this message:
listening on eth0, link-type EN10MB (Ehternet) captue size 96 bytes.
after my laptop times out attempting to access the Cisco 4410n WAP and I end the tcpdump command I get a message
0 packets captured
4 packets received by filter
0 packets dropped by kernel
Running wireshark at the same time, receive a ton of messages. All in red. The source is the access point IP and the destination is 224.0.0.251. The protocol is MDNS. -
ecbanks Member Posts: 22 ■■■□□□□□□□Sorry for the late reply. Other "emergency" situations came up. Ran the command you suggested. In the terminal windows I have this message:
listening on eth0, link-type EN10MB (Ehternet) captue size 96 bytes.
after my laptop times out attempting to access the Cisco 4410n WAP and I end the tcpdump command I get a message
0 packets captured
4 packets received by filter
0 packets dropped by kernel
Running wireshark at the same time, receive a ton of messages. All in red. The source is the access point IP and the destination is 224.0.0.251. The protocol is MDNS.
Since you have Wireshark as an option, I'd stick with that. If you only say MDNS messages from your WAP (no RADIUS), then it sounds like either:
(1) Something is wrong with the WAP RADIUS configuration -or-
(2) The test laptop didn't send an authentication event to the WAP, so the WAP never had a reason to kick off a RADIUS request.
Sounds like a configuration issue, but I couldn't say what - I'm not familiar with that RADIUS software you're using. My recommendation is try something different. Maybe try getting user/pass authentication to work against that RADIUS server via the WAP first. If you get that going, then try changing the authentication method around to MAC./Ethan