Hello!

I tried to set up MAC authorization for testing purposes according to the instructions at
http://wiki.freeradius.org/Mac-Auth.

The solution there almost worked, except for the

raddb/sites-available/default post-auth{} section.

The wiki contains the code:

if(control:Auth-Type == 'CSID'){
    # Authorization happens here
    authorized_macs.authorize
    if(notfound){
        reject
    }
}

However, when the rlm_files module can't find the user, it returns noop, not notfound.

As a result, EVERY mac authentication attempt is successful.

When I changed the section to

if(control:Auth-Type == 'CSID'){
    # Authorization happens here
    authorized_macs.authorize
    if(!ok){
        reject
    }
}

I got correct rejects in reply to the MACs not listed in the file.

The funny thing is that I actually think that the snippet on wiki page should work,
and the rlm_files module is returning the wrong result code.

As far as I understand the result codes, noop should be returned when the module ignores the request because it thinks it should not handle it, and notfound should be returned when the module accepted and tried to handle the request but cannot find the user in its "database".

Either way, the documentation and the code do not match, and one of them should be fixed. Currently, if someone just blindly copies the sample config and does not test for correct rejects, he'll have a wide-open network.

I have tested on Fedora 13, with the latest freeradius-2.1.10-1.fc13.x86_64 rpm.

best regards

István Tóth

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
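The fail-open behaviour described in the post, modelled as an added example (this is not code from the post, the wiki, or FreeRADIUS itself). It assumes, as the poster observed, that rlm_files returns noop rather than notfound for an unknown key; the authorized_macs file content is constructed, and the MAC comparison is simplified to a case-insensitive string match. It runs the wiki's `if(notfound)` check and the poster's `if(!ok)` check side by side over a few sample MACs so the difference can be asserted rather than eyeballed.

```python
from enum import Enum


class Rcode(Enum):
    """Subset of unlang module return codes relevant to the post."""
    OK = "ok"
    NOOP = "noop"
    NOTFOUND = "notfound"


# Constructed sample in the users-file layout the wiki uses for authorized_macs:
# a key line holds the MAC, indented lines hold optional reply attributes.
AUTHORIZED_MACS_FILE = """\
00-11-22-33-44-55
\tReply-Message = "lab printer"
aa-bb-cc-dd-ee-ff
"""


def parse_authorized_macs(text):
    """Collect the key lines (MACs) and skip comments, blanks and reply-attribute lines."""
    macs = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            continue  # continuation line with reply attributes, not a key
        macs.add(line.strip().lower())
    return macs


def files_authorize(calling_station_id, macs):
    """Model of rlm_files as the poster observed it (assumption taken from the post):
    a matching key yields ok, an unknown key yields noop, never notfound."""
    return Rcode.OK if calling_station_id.lower() in macs else Rcode.NOOP


def wiki_post_auth(mac, macs):
    """The wiki's post-auth logic: reject only on notfound, which never happens here."""
    rc = files_authorize(mac, macs)
    return "Access-Reject" if rc is Rcode.NOTFOUND else "Access-Accept"


def fixed_post_auth(mac, macs):
    """The poster's fix: anything other than ok is a reject (fail closed)."""
    rc = files_authorize(mac, macs)
    return "Access-Reject" if rc is not Rcode.OK else "Access-Accept"


def audit(policy, macs, samples):
    """Run a policy over sample MACs; use this to test for correct rejects."""
    return {m: policy(m, macs) for m in samples}


if __name__ == "__main__":
    known = parse_authorized_macs(AUTHORIZED_MACS_FILE)
    samples = ["00-11-22-33-44-55", "de-ad-be-ef-00-01"]  # one listed, one not
    print("wiki snippet :", audit(wiki_post_auth, known, samples))
    print("if(!ok) fix  :", audit(fixed_post_auth, known, samples))
```

The audit function is the part worth keeping around: whatever the real module returns, a check that feeds an unlisted MAC through the policy and expects Access-Reject catches a fail-open post-auth section before it reaches production.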
