Not authenticating only bad guys
For a very open wireless network, we'd like to allow everyone to connect unless we know the MAC is a bad guy. That is, if the MAC address is *in* the postgres db, don't authenticate. If it's not in the db, authenticate.

Can anyone think of a way to do this, or will I need to tweak the code?

Thanks!
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Not authenticating only bad guys
On Mon 13-Sep-04 at 859 EDT, Kaczmarek, Thaddeus wrote:
> On Mon, 2004-09-13 at 08:55, Mike Markowski wrote:
> > For a very open wireless network, we'd like to allow everyone
> > to connect unless we know the MAC is a bad guy. That is, if
> > the MAC address is *in* the postgres db, don't authenticate. If
> > it's not in the db, authenticate.
> >
> > Can anyone think of a way to do this, or will I need to
> > tweak the code?
> >
> > Thanks!
> > Mike
>
> Not for nothing, but would it not be much easier to only authenticate
> trusted macs? I suspect the table would be much smaller as well.

Thanks, Ted, for your thoughts, but it so happens that just the opposite is the case in this instance. I won't bore the list with the details, but there will be many users over time, and a few will inevitably be discovered to be hacked machines spamming the world, sharing copyrighted material, etc., and must be disabled till the machines are cleaned. Those are the only guys we care about. Anyone else in range gets to connect.

I'm sure a code tweak is simple for this, but I hate to have to do that on each and every new freeradius release if there's a better way.

Mike
Beginner's problem - how to authenticate everyone
From another thread I started, you may have read that my ultimate goal is to make a wireless network that uses freeradius to let everyone associate with a WAP except for MACs in the db (the known bad guys). I decided to trim back my attempts to the bare minimum and incrementally add to a working setup, especially since I'm brand new to freeradius.

So first, I've commented out all interaction with my postgres db. Second, I simply want a trivial, or pointless, setup that authenticates everyone and uses no encryption. The mini setup is:

- One Cisco 1100 WAP, set up for Open MAC Authentication
- One wireless client
- Freeradius-1.0.0

My complete simple users file:

#
# Defaults for all framed connections.
#
DEFAULT	Service-Type == Framed-User
	Framed-IP-Address = 255.255.255.254,
	Framed-MTU = 576,
	Service-Type = Framed-User,
	Fall-Through = Yes

DEFAULT	Calling-Station-Id == "00:00:00:00:00:00", Auth-Type := Reject

DEFAULT	Auth-Type := Accept

Yet I still get a "No authenticate method". From radiusd -X output:

rad_recv: Access-Request packet from host 10.2.2.101:21645, id=36, length=120
	User-Name = "004096471704"
	User-Password = "004096471704"
	Called-Station-Id = "000f.34c9.03b0"
	Calling-Station-Id = "0040.9647.1704"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 293
	Service-Type = Framed-User
	NAS-IP-Address = 10.2.2.101
	NAS-Identifier = "net10-2-52"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "004096471704", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

Any hints as to what newbie mistake I'm making?

Thanks very much!
Mike
Re: Beginner's problem - how to authenticate everyone
On Wed 15-Sep-04 at 1046 EDT, Alan DeKok wrote:
> Mike Markowski <[EMAIL PROTECTED]> wrote:
> > My complete simple users file:
> ...
> > Yet I still get a "No authenticate method". From radiusd -X output:
> ...
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 0
> > modcall: group authorize returns ok for request 0
>
> Normally, the "files" module comes after "eap" in the "authorize"
> section.
>
> Why did you delete it?

Because I stupidly did not uncomment it in radiusd.conf. :-P After doing so, the output is still not much better:

[...]
Ready to process requests.
rad_recv: Access-Request packet from host 10.2.2.101:21645, id=38, length=120
	User-Name = "004096471704"
	User-Password = "004096471704"
	Called-Station-Id = "000f.34c9.03b0"
	Calling-Station-Id = "0040.9647.1704"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 295
	Service-Type = Framed-User
	NAS-IP-Address = 10.2.2.101
	NAS-Identifier = "net10-2-52"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "004096471704", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

And I'm using the same users file as in my previous note.

Thanks again for any ideas,
Mike
Re: Beginner's problem - how to authenticate everyone
On Wed 15-Sep-04 at 1130 EDT, Alan DeKok wrote:
>
> > After doing so, the output is still not much better:
> ...
> > users: Matched DEFAULT at 4
> > modcall[authorize]: module "files" returns ok for request 0
>
> So... it only matches one entry in the "users" file. Did you expect
> it to match more? If so, read "man users", and update the "users" file.

Sorry for my unclear writing... My confusion is that my users file has now performed

DEFAULT	Auth-Type := Accept

based on this output from radiusd -X:

users: Matched DEFAULT at 4
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1

According to the FAQ:

5.5 How do I permit access to any user regardless of password?

DEFAULT	Auth-Type := Accept

and yet radiusd still rejects the user in the authenticate section (output immediately follows lines shown above):

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

From the FAQ and the 'authenticate' section comments in radiusd, I thought "Accept" in the authorize section would give an immediate authenticate without trying to use any authentication modules. I've been reading the 2003 O'Reilly book, freeradius docs, and online searches but haven't connected all the pieces yet. I hope my questions aren't trying patience, and feel free to point me to other sources of freeradius know-how.

Thanks,
Mike
Re: Beginner's problem - how to authenticate everyone
On Wed 15-Sep-04 at 1820 EDT, Alan DeKok wrote:
> > based on this output from radiusd -X:
> >
> > users: Matched DEFAULT at 4
>
> So... go check line 4.

Now. Debug output should say "at line 4". Without units or descriptions, numbers are only marginally useful to new users. (E.g., token 4?, comparison 4?, block 4?) In any case I figured out the problem. A tab in my 'users' file was preceded by a space. After deleting, it started working as expected.

Mike
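The thread turns on three things: the deny-list design from the first post (reject only known-bad MACs, accept everyone else), how the users file's DEFAULT entries, Auth-Type and Fall-Through combine to get there, and how stray leading whitespace turns an entry line into reply items so that no Auth-Type is ever set and radiusd logs "No authenticate method". The script below is an added example, not FreeRADIUS code or anything posted to the list: it is a simplified model of the users-file rules documented in "man users" (entry name in column 1 followed by check items; indented lines are reply items; matching stops at the first match unless Fall-Through = Yes), it normalises the Cisco "0040.9647.1704" Calling-Station-Id form seen in the radiusd -X output so it can be compared with colon-separated MACs, and it flags indented lines that look like mis-indented entries. The users file and requests inside it are constructed for the example (the test client's MAC from the debug output is used as the denied one); real rlm_files supports many more operators and attributes than this model.

```python
"""Model of the FreeRADIUS 'users' file logic exercised in this thread.

Added example, not FreeRADIUS code. It follows the layout documented in
'man users': entry name in column 1 with check items, reply items on the
following lines that begin with whitespace, Fall-Through deciding whether
later entries are tried. Only '==', ':=' and '=' are modelled.
"""
import re
from dataclasses import dataclass, field

# Constructed users file modelled on the one posted in the thread. For the
# example the test client's own MAC from the radiusd -X output is put on the
# deny list, in colon form, so the Cisco dotted form the NAS sends has to be
# normalised before it can match.
USERS_FILE = """\
#
# Defaults for all framed connections.
#
DEFAULT\tService-Type == Framed-User
\tFramed-IP-Address = 255.255.255.254,
\tFramed-MTU = 576,
\tService-Type = Framed-User,
\tFall-Through = Yes

DEFAULT\tCalling-Station-Id == "00:40:96:47:17:04", Auth-Type := Reject

DEFAULT\tAuth-Type := Accept
"""

# Same file with the last entry accidentally indented (space + tab in column
# 1): the users-file format reads it as more reply items for the entry above,
# not as a new DEFAULT entry, so nothing ever sets Auth-Type := Accept.
BROKEN_USERS_FILE = USERS_FILE.replace("\nDEFAULT\tAuth-Type", "\n \tDEFAULT\tAuth-Type")

ITEM_RE = re.compile(r'([A-Za-z][\w-]*)\s*(==|:=|=)\s*(?:"([^"]*)"|([^\s,]+))')


@dataclass
class Entry:
    line: int
    name: str
    check: list = field(default_factory=list)   # (attr, op, value) tuples
    reply: list = field(default_factory=list)


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, q or bare) for a, op, q, bare in ITEM_RE.findall(text)]


def parse_users(text):
    """Return (entries, warnings). Indented lines are reply items of the
    current entry; a DEFAULT or Auth-Type on such a line is almost certainly
    an entry line that picked up leading whitespace, so it is flagged."""
    entries, warnings, cur = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if cur is None:
                warnings.append(f"line {lineno}: reply items before any entry")
                continue
            items = parse_items(line)
            if line.split()[0] == "DEFAULT" or any(a == "Auth-Type" for a, _, _ in items):
                warnings.append(f"line {lineno}: indented line looks like a mis-indented entry")
            cur.reply.extend(items)
            continue
        parts = line.split(None, 1)
        cur = Entry(lineno, parts[0], parse_items(parts[1] if len(parts) > 1 else ""))
        entries.append(cur)
    return entries, warnings


def normalize_mac(value):
    """Map 'aabb.ccdd.eeff' (Cisco), 'aa-bb-..' or 'AA:BB:..' to 'aa:bb:cc:dd:ee:ff'.
    Anything that is not 12 hex digits plus separators is returned unchanged."""
    digits = re.sub(r"[.:-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return value
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(entries, request):
    """Walk entries in file order. An entry matches when every '==' check item
    equals the request attribute; ':=' check items set control attributes.
    Stop at the first match unless its reply carries Fall-Through = Yes.
    Returns (Auth-Type or None, reply items, line numbers of matched entries)."""
    control, reply, matched = {}, {}, []
    for e in entries:
        sets, ok = {}, True
        for attr, op, val in e.check:
            if op == "==":
                got = request.get(attr)
                if attr == "Calling-Station-Id" and got is not None:
                    got, val = normalize_mac(got), normalize_mac(val)
                if got != val:
                    ok = False
                    break
            elif op == ":=":
                sets[attr] = val
            else:                      # '=' only sets a control value if not already set
                sets.setdefault(attr, val)
        if not ok:
            continue
        matched.append(e.line)
        control.update(sets)
        fall_through = False
        for attr, op, val in e.reply:
            if attr == "Fall-Through":
                fall_through = val.lower() in ("yes", "1")
            else:
                reply[attr] = val
        if not fall_through:
            break
    return control.get("Auth-Type"), reply, matched


def decide(users_text, request):
    """'Accept', 'Reject', or 'NoAuthType' (the case radiusd reports as
    'No authenticate method (Auth-Type) configuration found')."""
    entries, _ = parse_users(users_text)
    auth_type, _, _ = authorize(entries, request)
    return auth_type if auth_type in ("Accept", "Reject") else "NoAuthType"


# Constructed requests built from the attributes the Cisco 1100 sent in the thread.
DENIED_CLIENT = {"User-Name": "004096471704", "Calling-Station-Id": "0040.9647.1704",
                 "Service-Type": "Framed-User"}
OTHER_CLIENT = dict(DENIED_CLIENT, **{"User-Name": "0011223344ff",
                                     "Calling-Station-Id": "0011.2233.44ff"})

if __name__ == "__main__":
    for label, req in (("denied MAC", DENIED_CLIENT), ("other MAC", OTHER_CLIENT)):
        print(f"{label}: {decide(USERS_FILE, req)}")
    _, warns = parse_users(BROKEN_USERS_FILE)
    print("mis-indented file:", decide(BROKEN_USERS_FILE, OTHER_CLIENT), warns)
```

Run stand-alone it reports Reject for the denied MAC, Accept for any other client, and NoAuthType plus a warning for the mis-indented file, which is the symptom the thread chased: the first DEFAULT matches at line 4 and falls through, but the entry that should set Auth-Type := Accept has silently become reply items of the entry above it. The MAC normalisation matters in the same way for a database-backed deny list: the NAS sends "0040.9647.1704" while an operator is likely to store "00:40:96:47:17:04", and the two will never compare equal unless one side is canonicalised.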
Re: Free-Radius install on Solaris
On Fri 24-Sep-04 at 1032 EDT, Alan DeKok wrote:
> Stephen Donovan <[EMAIL PROTECTED]> wrote:
> > Check the installation lib directory for rlm_eap*. I found that using
> > the Sun Workshop C compiler, several modules do not build as they rely
> > on gcc features (in particular zero length arrays).
>
> Can you say which files?
>
> I can't see any examples of that.

I think this was the only one of those we ran into on Solaris:

src/modules/rlm_passwd/rlm_passwd.c, line 33 (in v1.0.1), var 'field':

struct mypasswd {
	struct mypasswd *next;
	char *listflag;
	char *field[0];
};