Hi,

I installed freeradius2-2.1.7-7.el5.x86_64 and set it up for MAC_auth as explained in this freeradius wiki page <http://wiki.freeradius.org/Mac-Auth>

But it's not working. I am attaching the output of radiusd -X and the policy.conf file.
I went through the output myself and noticed these:
a) it has not executed "rewrite_calling_station", going by the mac format in the debug output.

b) The wifi client has a window which prompts for username/password
   (not expected in simple mac_auth)

Can someone point out what mistake I am making?
Thanks a lot.

Nagaraj

--

+----------------------------------+--------------------------------------+
Nagaraj Panyam                     | Office tel: +91-22-22782126
Dept of High Energy Physics        | Office fax: +91-22-22804610
Tata Instt. of Fundamental Research| Home tel : +91-22-22804936
Mumbai - 400 005, INDIA            | Email : p...@tifr.res.in
+----------------------------------+--------------------------------------+

rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=57, length=185
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200001301544553545c746573742d31383034
        Message-Authenticator = 0x8012a54d51c5aa3c6a6a96aa75aa18cd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 57 to xx.xx.xx.xx port 3072
        EAP-Message = 0x010100160410bcac0552383c8987ceeedb8259d7512e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f1c20b7f17369eba55349056
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=58, 
length=184
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020100060319
        State = 0xf1c30f25f1c20b7f17369eba55349056
        Message-Authenticator = 0x9a186d278c1f81fb746473363ed32079
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 58 to xx.xx.xx.xx port 3072
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f0c1167f17369eba55349056
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=59, 
length=308
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0202008219800000007816030100730100006f03014d2465745b05fc2eeed27aa497d088ce5d8db0996b6a4a9486280ddf78927653000018002f00350005000ac009c00ac013c01400320038001300040100002e00000013001100000e746573745c746573742d31383034000a00080006001700180019000b00020100ff01000100
        State = 0xf1c30f25f0c1167f17369eba55349056
        Message-Authenticator = 0xc79d3a7230dc27da64618790895b12f4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 130
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 120
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0073], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 59 to xx.xx.xx.xx port 3072
        EAP-Message = 0xf60004ab308204a73082038f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f3c0167f17369eba55349056
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=60, 
length=184
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300061900
        State = 0xf1c30f25f3c0167f17369eba55349056
        Message-Authenticator = 0x261da0e043b9bfb64e89e09348b83a45
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 60 to xx.xx.xx.xx port 3072
        EAP-Message = 0x93a5a16694df2a56
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f2c7167f17369eba55349056
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=61, 
length=184
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020400061900
        State = 0xf1c30f25f2c7167f17369eba55349056
        Message-Authenticator = 0x47f450d8911252a7359fb4aca48d6de0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 61 to xx.xx.xx.xx port 3072
        EAP-Message = 0x010500bc1900adf270039788633910428185442e7440ff8ee7c3c78d36f887e5137eeb0e7c3656e0c266b7fdbf30222d944164df65826d7ff08636f9272aa22ffe9123ead878173bb5b40938fc6600ea8c4a907a469a9542ae8aaedcf93a6a69edac75135e899d231022c6656be3091333a11e31943a7e306170683a98a2f3fd51f109e31d9b7706eca3748f7707d09d0e9b52d254ca8d86d1aacacd188fd789a6a5dba4f1fbde15f7d0063786469fce43fae316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f5c6167f17369eba55349056
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=62, 
length=184
        User-Name = "TEST\\test-1804"
        NAS-IP-Address = xx.xx.xx.xx
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500061900
        State = 0xf1c30f25f5c6167f17369eba55349056
        Message-Authenticator = 0xd8967a29a74719843bd5e7b6a8640645
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 62 to xx.xx.xx.xx port 3072
        EAP-Message = 0x010600061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1c30f25f4c5167f17369eba55349056
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 57 with timestamp +39
Cleaning up request 1 ID 58 with timestamp +39
Cleaning up request 2 ID 59 with timestamp +39
Cleaning up request 3 ID 60 with timestamp +39
Cleaning up request 4 ID 61 with timestamp +39
Cleaning up request 5 ID 62 with timestamp +39
Ready to process requests.
                                              
# -*- text -*-
##
## policy.conf  -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id$
##

#
#  Policies are virtual modules, similar to those defined in the
#  "instantiate" section of radiusd.conf.
#
#  Defining a policy here means that it can be referenced in multiple
#  places as a *name*, rather than as a series of conditions to match,
#  and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively.  They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
policy {
        #
        #       Forbid all EAP types.
        #
        forbid_eap {
                if (EAP-Message) {
                        reject
                }
        }

        #
        #       Forbid all non-EAP types outside of an EAP tunnel.
        #
        permit_only_eap {
                if (!EAP-Message) {
                        #  We MAY be inside of a TTLS tunnel.
                        #  PEAP and EAP-FAST require EAP inside of
                        #  the tunnel, so this check is OK.
                        #  If so, then there MUST be an outer EAP message.
                        if (!"%{outer.request:EAP-Message}") {
                                reject
                        }
                }
        }

        #
        #       Forbid all attempts to login via realms.
        #
        deny_realms {
                if (User-Name =~ /@|\\/) {
                        reject
                }
        }

        #
        #       If you want the server to pretend that it is dead,
        #       then use the "do_not_respond" policy.
        #
        do_not_respond {
                update control {
                        Response-Packet-Type := Do-Not-Respond
                }

                handled
        }

        #       
        #  The following policies are for the Chargeable-User-Identity
        #  (CUI) configuration.
        #

        #
        #  The client indicates it can do CUI by sending a CUI attribute        
        #  containing one zero byte
        #
        cui_authorize {
                update request {
                        Chargeable-User-Identity:='\\000'
                }
        }

        #
        #  Add a CUI attribute based on the User-Name, and a secret key
        #  known only to this server.
        #
        cui_postauth {
                if (FreeRadius-Proxied-To == 127.0.0.1) {
                        if (outer.request:Chargeable-User-Identity) {
                                update outer.reply {
                                        Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                                }
                        }
                }
                else {
                        if (Chargeable-User-Identity) {
                                update reply {
                                        Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
                                }
                        }
                }
        }

        #
        #  If there is a CUI attribute in the reply, add it to the DB.
        #
        cui_updatedb {
                if (reply:Chargeable-User-Identity) {
                        cui
                }
        }


        #
        #  Rewrite the Calling-Station-Id attribute into a standard format
        #  (six hex octets separated by "-"), so that a MAC can be looked
        #  up regardless of how the NAS formatted it.
        #
        rewrite_calling_station_id {
                if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
                        update request {
                                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
                        }
                }
                else {
                        noop
                }
        }



        #
        #  If we had stored a CUI for the User, add it to the request.
        #
        cui_accounting {
                #
                #  If the CUI isn't in the packet, see if we can find it
                #  in the DB.
                #
                if (!Chargeable-User-Identity) {
                        update control {
                                Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
                        }
                }

                #
                #  If it exists now, then write out when we last saw
                #  this CUI.
                #
                if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
                        cui
                }
        }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
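As an added example (editor-supplied, not code from the poster or from the FreeRADIUS project), the following Python mirrors the regex of the posted rewrite_calling_station_id policy and reads radiusd -X output request by request, reporting the Calling-Station-Id as received, whether the policy was entered in the module trace, whether an EAP-Message was present, and the Auth-Type the server chose. The embedded sample is a constructed, abbreviated copy of the first request in the posted output; the policy-trace check assumes the debug output names the policy when it is entered.

```python
import re

# Same pattern as the rewrite_calling_station_id policy in the posted policy.conf:
# six hex octets, each pair optionally separated by '-' or ':', case-insensitive.
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def rewrite_calling_station_id(value):
    """Value the policy would assign ("%{1}-%{2}-...-%{6}"), or None for the noop branch."""
    m = MAC_RE.search(value)
    return "-".join(m.groups()) if m else None


def summarise_debug(text):
    """Split radiusd -X output at each rad_recv and report, per request, the facts
    that decide whether MAC auth is in effect: the Calling-Station-Id as received,
    whether the rewrite policy shows up in the trace, and the chosen Auth-Type."""
    reports = []
    for chunk in re.split(r"^rad_recv: ", text, flags=re.MULTILINE)[1:]:
        csid = re.search(r'Calling-Station-Id = "([^"]*)"', chunk)
        auth = re.search(r"^Found Auth-Type = (\S+)", chunk, re.MULTILINE)
        reports.append({
            "calling_station_id": csid.group(1) if csid else None,
            # Assumption: the debug trace prints "policy <name>" when a policy is entered.
            "rewrite_ran": "policy rewrite_calling_station_id" in chunk,
            "eap_present": "EAP-Message = " in chunk,
            "auth_type": auth.group(1) if auth else None,
        })
    return reports


# Constructed sample: an abbreviated copy of the first request in the posted output.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=57, length=185
        User-Name = "TEST\\\\test-1804"
        Calling-Station-Id = "001a734337c9"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200001301544553545c746573742d31383034
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns handled
"""

if __name__ == "__main__":
    for r in summarise_debug(SAMPLE_DEBUG):
        print(r, "->", rewrite_calling_station_id(r["calling_station_id"]))
```

For the sample, the report shows the MAC still in the NAS's bare form, no trace of the policy, and Auth-Type EAP, which is the combination the poster describes.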
