Hello,

I set up FreeRADIUS 2.1.11 to authenticate against Active Directory (with NTLM) 
after having validated the MAC address (with mac-auth), for a wireless LAN 
(Netgear WPAN320).

Everything is working fine on Windows, but I have a problem with a workstation on 
Ubuntu 11.04: on the first connection, everything is working fine: it checks 
whether the MAC address and login/password are correct and allows the connection or not.

But if the connection is correct the first time and I then change one of 
those parameters (i.e., disable the MAC address on the RADIUS server or change the login 
on my Ubuntu workstation), I can still connect to my WLAN.
The only way to correct this problem is to physically switch the WLAN card on the 
Ubuntu workstation off and on again.

It seems that there is some kind of cache, but I can't determine where it is and how to 
disable it (on my RADIUS server).

Here is a FreeRADIUS log extract of the first connection, where we can see that 
it checks the MAC address:

Mon Oct  3 11:55:51 2011 : Info: ++- entering policy rewrite.calling_station_id 
{...}
Mon Oct  3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && 
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
Mon Oct  3 11:55:51 2011 : Info: ?? Evaluating (Calling-Station-Id) -> TRUE
Mon Oct  3 11:55:51 2011 : Info:        expand: %{Calling-Station-Id} -> 
00-18-DE-55-61-7F
Mon Oct  3 11:55:51 2011 : Info:        expand: policy.mac-addr -> 
policy.mac-addr
Mon Oct  3 11:55:51 2011 : Info:        expand: ^%{config:policy.mac-addr}$ -> 
^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
Mon Oct  3 11:55:51 2011 : Info: ? Evaluating ("%{Calling-Station-Id}" =~ 
/^%{config:policy.mac-addr}$/i) -> TRUE
Mon Oct  3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && 
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Mon Oct  3 11:55:51 2011 : Info: +++- entering if ((Calling-Station-Id) && 
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...}
Mon Oct  3 11:55:51 2011 : Info:        expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} 
-> 00-18-DE-55-61-7F
Mon Oct  3 11:55:51 2011 : Info:        expand: 
%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-18-de-55-61-7f
Mon Oct  3 11:55:51 2011 : Info: ++++[request] returns ok
Mon Oct  3 11:55:51 2011 : Info: ++++[updated] returns updated
Mon Oct  3 11:55:51 2011 : Info: +++- if ((Calling-Station-Id) && 
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated
Mon Oct  3 11:55:51 2011 : Info: +++ ... skipping else for request 11: 
Preceding "if" was taken
Mon Oct  3 11:55:51 2011 : Info: ++- policy rewrite.calling_station_id returns 
updated
Mon Oct  3 11:55:51 2011 : Info: [authorized_macs]      expand: 
%{Calling-Station-ID} -> 00-18-de-55-61-7f
Mon Oct  3 11:55:51 2011 : Info: [authorized_macs] users: Matched entry 
00-18-de-55-61-7f at line 2
Mon Oct  3 11:55:51 2011 : Info: ++[authorized_macs] returns ok
Mon Oct  3 11:55:51 2011 : Info: ++? if (!ok)
Mon Oct  3 11:55:51 2011 : Info: ? Evaluating !(ok) -> FALSE
Mon Oct  3 11:55:51 2011 : Info: ++? if (!ok) -> FALSE
Mon Oct  3 11:55:51 2011 : Info: ++? if (!EAP-Message)
Mon Oct  3 11:55:51 2011 : Info: ? Evaluating !(EAP-Message) -> FALSE


Here is the FreeRADIUS log file for the second connection, after disabling the MAC 
address and restarting FreeRADIUS (it connects directly without checking the MAC 
address):

rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, 
length=152
        Acct-Session-Id = "4E8592C9-00000140"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "salons"
        NAS-IP-Address = 192.168.2.15
        NAS-Identifier = "hello"
        NAS-Port = 0
        Called-Station-Id = "20-4E-7F-3C-EF-00:mdwifi"
        Calling-Station-Id = "00-18-DE-55-61-7F"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
Mon Oct  3 11:50:16 2011 : Info: # Executing section preacct from file 
/usr/local/etc/raddb/sites-enabled/default
Mon Oct  3 11:50:16 2011 : Info: +- entering group preacct {...}
Mon Oct  3 11:50:16 2011 : Info: ++[preprocess] returns ok
Mon Oct  3 11:50:16 2011 : Info: [acct_unique] Hashing 'NAS-Port = 
0,Client-IP-Address = 192.168.2.15,NAS-IP-Address = 
192.168.2.15,Acct-Session-Id = "4E8592C9-00000140",User-Name = "salons"'
Mon Oct  3 11:50:16 2011 : Info: [acct_unique] Acct-Unique-Session-ID = 
"94477ec3eb897dd7".
Mon Oct  3 11:50:16 2011 : Info: ++[acct_unique] returns ok
Mon Oct  3 11:50:16 2011 : Info: [suffix] No '@' in User-Name = "salons", 
looking up realm NULL
Mon Oct  3 11:50:16 2011 : Info: [suffix] No such realm "NULL"
Mon Oct  3 11:50:16 2011 : Info: ++[suffix] returns noop
Mon Oct  3 11:50:16 2011 : Info: ++[files] returns noop
Mon Oct  3 11:50:16 2011 : Info: # Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
Mon Oct  3 11:50:16 2011 : Info: +- entering group accounting {...}
Mon Oct  3 11:50:16 2011 : Info: [detail]       expand: 
%{Packet-Src-IP-Address} -> 192.168.2.15
Mon Oct  3 11:50:16 2011 : Info: [detail]       expand: 
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 -> /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct  3 11:50:16 2011 : Info: [detail] 
/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 expands to /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct  3 11:50:16 2011 : Info: [detail]       expand: %t -> Mon Oct  3 
11:50:16 2011
Mon Oct  3 11:50:16 2011 : Info: ++[detail] returns ok
Mon Oct  3 11:50:16 2011 : Info: ++[unix] returns ok
Mon Oct  3 11:50:16 2011 : Info: [radutmp]      expand: 
/usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
Mon Oct  3 11:50:16 2011 : Info: [radutmp]      expand: %{User-Name} -> salons
Mon Oct  3 11:50:16 2011 : Info: ++[radutmp] returns ok
Mon Oct  3 11:50:16 2011 : Info: ++[exec] returns noop
Mon Oct  3 11:50:16 2011 : Info: [attr_filter.accounting_response]      expand: 
%{User-Name} -> salons
Mon Oct  3 11:50:16 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 12
Mon Oct  3 11:50:16 2011 : Info: ++[attr_filter.accounting_response] returns 
updated
Sending Accounting-Response of id 2 to 192.168.2.15 port 32847
Mon Oct  3 11:50:16 2011 : Info: Finished request 1.
Mon Oct  3 11:50:16 2011 : Info: Cleaning up request 1 ID 2 with timestamp +17
Mon Oct  3 11:50:16 2011 : Debug: Going to the next request
Mon Oct  3 11:50:16 2011 : Info: Ready to process requests.

Do you have any idea how to correct this?

Thank you very much,

Regards,

Fred


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
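The first log extract shows the two pieces of the mac-auth check: the rewrite.calling_station_id policy matches Calling-Station-Id against the policy.mac-addr regex (six hex pairs, each optionally followed by one non-hex separator), rewrites it as lowercase aa-bb-cc-dd-ee-ff, and the authorized_macs instance of the files module then looks that string up as an entry name (the files module compares the key string exactly, which is why the policy lowercases it first). The second extract contains only an Accounting-Request Start, so the authorize section with this check never runs there. The script below is an added example, not code from the original post or from FreeRADIUS: it reproduces the normalization with the regex copied from the log and looks the result up in a constructed authorized_macs file in users-file syntax, so a supplicant's Calling-Station-Id can be tested offline in all the separator styles the regex accepts. The sample file contents and the "invalid"/"reject"/"ok" decision names are assumptions made for the example.

```python
import re

# Regex copied verbatim from the "expand: ^%{config:policy.mac-addr}$" line of the log:
# six hex pairs, each optionally followed by one non-hex separator character.
MAC_ADDR_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def normalize_calling_station_id(value):
    """Same transformation as the rewrite.calling_station_id policy in the log:
    %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}. Returns None when the value is not a MAC."""
    m = MAC_ADDR_RE.match(value)
    if m is None:
        return None
    return "-".join(group.lower() for group in m.groups())


# Constructed sample in FreeRADIUS "users" file syntax (not the poster's real file).
# Entry names start in column 0; indented lines are reply items for the entry above.
AUTHORIZED_MACS_FILE = """\
# line 1 is a comment, so the first entry sits at line 2 as in the log extract
00-18-de-55-61-7f
        Reply-Message = "Device %{Calling-Station-Id} authorized"
00-aa-bb-cc-dd-ee
        Reply-Message = "Device %{Calling-Station-Id} authorized"
"""


def parse_authorized_macs(text):
    """Return {entry_name: line_number} for every entry that starts in column 0."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line[0].isspace() or line.lstrip().startswith("#"):
            continue  # blank line, continuation (reply items) or comment
        name = line.split()[0]
        entries.setdefault(name, lineno)  # first matching entry wins
    return entries


def authorize_mac(calling_station_id, authorized_text):
    """Mirror the authorize flow from the log: normalize, look up, then `if (!ok) reject`.
    Returns (decision, line_number); decision is 'ok', 'reject' or 'invalid' (assumed names)."""
    mac = normalize_calling_station_id(calling_station_id)
    if mac is None:
        return ("invalid", None)  # not a MAC at all: the policy's else branch
    lineno = parse_authorized_macs(authorized_text).get(mac)
    if lineno is None:
        return ("reject", None)  # [authorized_macs] returns notfound -> if (!ok) reject
    return ("ok", lineno)  # "Matched entry <mac> at line N" in the log


if __name__ == "__main__":
    for csid in ("00-18-DE-55-61-7F", "00:18:de:55:61:7f", "0018.DE55.617F",
                 "11-22-33-44-55-66", "not-a-mac"):
        print(csid, "->", authorize_mac(csid, AUTHORIZED_MACS_FILE))
```

Running it with the Calling-Station-Id from the log reproduces "Matched entry 00-18-de-55-61-7f at line 2"; the colon- and dot-separated forms normalize to the same entry, which is the point of doing the rewrite before the lookup rather than listing every spelling in the file.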