Hello,

I set up FreeRADIUS 2.1.11 to authenticate against Active Directory (with ntlm) after having validated the MAC address (with mac-auth), for a wireless LAN (Netgear WPAN320).

Everything is working fine on Windows, but I have a problem with a workstation on Ubuntu 11.04: on the first connection, everything is working fine: it checks whether the MAC address and login/password are correct and allows the connection or not. But if the connection is correct the first time and I then change one of those parameters (i.e., disable the MAC address on the RADIUS server or change the login on my Ubuntu workstation), I can still connect to my WLAN. The only way to correct this problem is to physically switch the WLAN card on the Ubuntu workstation off and on. It seems that it has a kind of cache, but I can't determine where and how to disable it (on my RADIUS server).

Here is a FreeRADIUS log extract of the first connection, where we can see that it checks the MAC address:

Mon Oct 3 11:55:51 2011 : Info: ++- entering policy rewrite.calling_station_id {...}
Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
Mon Oct 3 11:55:51 2011 : Info: ?? Evaluating (Calling-Station-Id) -> TRUE
Mon Oct 3 11:55:51 2011 : Info: expand: %{Calling-Station-Id} -> 00-18-DE-55-61-7F
Mon Oct 3 11:55:51 2011 : Info: expand: policy.mac-addr -> policy.mac-addr
Mon Oct 3 11:55:51 2011 : Info: expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
Mon Oct 3 11:55:51 2011 : Info: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Mon Oct 3 11:55:51 2011 : Info: +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
Mon Oct 3 11:55:51 2011 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-18-DE-55-61-7F
Mon Oct 3 11:55:51 2011 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-18-de-55-61-7f
Mon Oct 3 11:55:51 2011 : Info: ++++[request] returns ok
Mon Oct 3 11:55:51 2011 : Info: ++++[updated] returns updated
Mon Oct 3 11:55:51 2011 : Info: +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
Mon Oct 3 11:55:51 2011 : Info: +++ ... skipping else for request 11: Preceding "if" was taken
Mon Oct 3 11:55:51 2011 : Info: ++- policy rewrite.calling_station_id returns updated
Mon Oct 3 11:55:51 2011 : Info: [authorized_macs] expand: %{Calling-Station-ID} -> 00-18-de-55-61-7f
Mon Oct 3 11:55:51 2011 : Info: [authorized_macs] users: Matched entry 00-18-de-55-61-7f at line 2
Mon Oct 3 11:55:51 2011 : Info: ++[authorized_macs] returns ok
Mon Oct 3 11:55:51 2011 : Info: ++? if (!ok)
Mon Oct 3 11:55:51 2011 : Info: ? Evaluating !(ok) -> FALSE
Mon Oct 3 11:55:51 2011 : Info: ++? if (!ok) -> FALSE
Mon Oct 3 11:55:51 2011 : Info: ++? if (!EAP-Message)
Mon Oct 3 11:55:51 2011 : Info: ? Evaluating !(EAP-Message) -> FALSE

Here is the FreeRADIUS log for the second connection, after disabling the MAC address and restarting FreeRADIUS (it connects directly without checking the MAC address):

rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152
	Acct-Session-Id = "4E8592C9-00000140"
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	User-Name = "salons"
	NAS-IP-Address = 192.168.2.15
	NAS-Identifier = "hello"
	NAS-Port = 0
	Called-Station-Id = "20-4E-7F-3C-EF-00:mdwifi"
	Calling-Station-Id = "00-18-DE-55-61-7F"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11b"
Mon Oct 3 11:50:16 2011 : Info: # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
Mon Oct 3 11:50:16 2011 : Info: +- entering group preacct {...}
Mon Oct 3 11:50:16 2011 : Info: ++[preprocess] returns ok
Mon Oct 3 11:50:16 2011 : Info: [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.2.15,NAS-IP-Address = 192.168.2.15,Acct-Session-Id = "4E8592C9-00000140",User-Name = "salons"'
Mon Oct 3 11:50:16 2011 : Info: [acct_unique] Acct-Unique-Session-ID = "94477ec3eb897dd7".
Mon Oct 3 11:50:16 2011 : Info: ++[acct_unique] returns ok
Mon Oct 3 11:50:16 2011 : Info: [suffix] No '@' in User-Name = "salons", looking up realm NULL
Mon Oct 3 11:50:16 2011 : Info: [suffix] No such realm "NULL"
Mon Oct 3 11:50:16 2011 : Info: ++[suffix] returns noop
Mon Oct 3 11:50:16 2011 : Info: ++[files] returns noop
Mon Oct 3 11:50:16 2011 : Info: # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
Mon Oct 3 11:50:16 2011 : Info: +- entering group accounting {...}
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 192.168.2.15
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct 3 11:50:16 2011 : Info: [detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %t -> Mon Oct 3 11:50:16 2011
Mon Oct 3 11:50:16 2011 : Info: ++[detail] returns ok
Mon Oct 3 11:50:16 2011 : Info: ++[unix] returns ok
Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: %{User-Name} -> salons
Mon Oct 3 11:50:16 2011 : Info: ++[radutmp] returns ok
Mon Oct 3 11:50:16 2011 : Info: ++[exec] returns noop
Mon Oct 3 11:50:16 2011 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> salons
Mon Oct 3 11:50:16 2011 : Debug: attr_filter: Matched entry DEFAULT at line 12
Mon Oct 3 11:50:16 2011 : Info: ++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 2 to 192.168.2.15 port 32847
Mon Oct 3 11:50:16 2011 : Info: Finished request 1.
Mon Oct 3 11:50:16 2011 : Info: Cleaning up request 1 ID 2 with timestamp +17
Mon Oct 3 11:50:16 2011 : Debug: Going to the next request
Mon Oct 3 11:50:16 2011 : Info: Ready to process requests.

Do you have any idea how to correct this?

Thank you very much,
Regards,
Fred
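The second extract above contains only an Accounting-Request (Start) for the client, with no Access-Request in front of it, which is the observable symptom. As an added example (not part of this post and not FreeRADIUS code), here is a Python script that walks radiusd -X style output and lists accounting sessions whose Start record was not preceded by an Access-Request for the same Calling-Station-Id, normalising the MAC the way the rewrite.calling_station_id policy does. The embedded log lines are constructed in the shape of those quoted above; the Access-Request lines in it are assumed, since the post does not show them.

```python
import re
# Constructed sample in the shape of the radiusd -X output quoted in the post (the
# Access-Request lines are assumed): an Access-Request for the MAC, a Start record
# for it, then a second Start for the same MAC with no Access-Request in between.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.15 port 32847, id=1, length=200
    User-Name = "salons"
    Calling-Station-Id = "00-18-DE-55-61-7F"
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152
    Acct-Session-Id = "4E8592C9-00000140"
    Acct-Status-Type = Start
    Calling-Station-Id = "00-18-DE-55-61-7F"
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=3, length=152
    Acct-Session-Id = "4E8592C9-00000141"
    Acct-Status-Type = Start
    Calling-Station-Id = "00:18:de:55:61:7f"
"""
PACKET_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')

def normalize_mac(raw):
    """Lowercase, separator-free MAC, as the rewrite.calling_station_id policy yields."""
    return re.sub(r"[^0-9a-f]", "", raw.lower())

def parse_packets(text):
    """Group each rad_recv header with its indented attribute lines into one dict."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({"type": m.group(1), "nas": m.group(2), "id": int(m.group(3))})
        elif packets and (m := ATTR_RE.match(line)):
            packets[-1][m.group(1)] = m.group(2)
    return packets

def sessions_without_auth(text):
    """Acct-Session-Ids whose Start was not preceded by an Access-Request for that MAC."""
    authed = set()  # MACs seen in an Access-Request that no Start has consumed yet
    flagged = []
    for p in parse_packets(text):
        mac = normalize_mac(p.get("Calling-Station-Id", ""))
        if p["type"] == "Access-Request":
            authed.add(mac)
        elif p["type"] == "Accounting-Request" and p.get("Acct-Status-Type") == "Start":
            if mac in authed:
                authed.discard(mac)  # this Start is covered by the earlier authentication
            else:
                flagged.append(p["Acct-Session-Id"])
    return flagged
```

Run it over the real debug output (radiusd -X captured to a file) to see which sessions the NAS opened without asking the server to authorize the client again.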