Re: WiFi & Mac address authentication
Solved the problem a couple of weeks ago... the error was actually in
eap.conf, the following two attributes were required when the MAC
check was active:
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
I set them both to yes and it worked !
Thanks for your support.
>
> Hmm. I still say you need to read and understand the docs, but try this:
>
> passwd MAC-IP {
> filename = ${raddbdir}/MAC-IP
> format = "*Calling-Station-Id:"
> delimiter = ":"
> }
>
> (...)
>
> authorize {
> preprocess
> MAC-IP {
> # If the MAC isn't in the file, the modules returns notfound
> # in that case, exit "authorize" with reject immediately
> notfound = reject
> }
> files
> eap
> }
>
> That is, have no authtype on the "passwd" module. If that doesn't work,
> you may try something like:
>
> passwd MAC-IP {
> filename = ${raddbdir}/MAC-IP
> format = "*Calling-Station-Id:~Group"
> delimiter = ":"
> }
>
> (...)
>
> authorize {
> preprocess
> MAC-IP
> files
> eap
> }
>
> /etc/raddb/MAC-IP:
>
> 00-11-22-33-44-55:FAKEGROUP
> aa-bb-cc-dd-ee-ff:FAKEGROUP
>
> /etc/raddb/users:
The DEFAULT Group is no longer necessary to make it work.
> DEFAULT Group !* ANY, Auth-Type := Reject
>
> user1 NT-Password := abcdefg...
>
> user2 NT-Password := abcdefg...
> -
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiFi & Mac address authentication
I've tried your recommendations but it does not work as expected:
using "Reject" as rlm_passwd's "authtype" (as you suggested), the user
is always rejected, even when the MAC is in the file and is actually
found:
modcall[authorize]: module "MAC-IP" returns ok for request 0
Furthermore, if I change rlm_passwrd's authtype to "Accept", the
supplicant auth fails and the following warning is shown:
rad_check_password: Found Auth-Type Accept
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'bob'
However, if I comment rlm_passwd sections (MAC-IP in modules and
authorize), all works flawlessly.
The users file has entries like these:
bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04
joe NT-Password == 0xa3d411301d637a38f4d22d484f256a04
(...)
Which are matched correctly in all scenarios I've tested:
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry bob at line 1
According to radius documentation (aaa.txt), it is not correct to
place Auth-Type on check nor reply lists on the users file:
"A quite common mistake is to place the attributes in the wrong lists,
for example placing Auth-Type, Password, NT-Password etc in the check
list, or in the reply list. When run in debugging mode, the server
will normally issue 'WARNING' messages saying that the attributes are
in the wrong list"
So I conclude that users file is correct as it is now. What I'm doing
wrong and what should I do to avoid those warning messages ? If you
want the radiusd -X logs, I can attach them if you wish.
Thanks in advance.
---
passwd MAC-IP {
filename = ${raddbdir}/MAC-IP
format = "*Calling-Station-Id:"
delimiter = ":"
authtype = Reject< Also tried with "Accept"
}
(...)
authorize {
preprocess
MAC-IP {
notfound = reject
}
files
eap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
On 3/13/06, Phil Mayers <[EMAIL PROTECTED]> wrote:
> brainstorm wrote:
> > I'm trying to implement a similar scenario: I am using PEAP, and I
> > want to check if a given mac is in my database. In my case, the MACs
> > file looks like this:
> >
> > 0030.0996.CF52:192.168.12.1
> >
> > I would like to match the first field (MAC) with the NAS
> > "Calling-Station-Id" attribute, if this check fails, I would like to
> > reject that user. Is it doable with rlm_password ? I've tried, but I
> > cannot figure out which is the right "format" for my case:
> >
> > I've tried the following in radiusd.conf:
> >
> > modules {
> > (...)
> > passwd mac-ip {
> > filename = /etc/raddb/MAC-IP
> > format = "mac-address:Calling-Station-Id"
> > delimiter = ":"
> > }
> > }
>
> Please read the docs. This comments right above the "passwd" module in
> the default config are VERY SPECIFIC. The format is:
>
> format = "*Key-Value:~Request-Value:=Reply-Value:Configure-Value"
>
> That is, the radius attribute "Key-Value" is the first field.
> Request-Value (prefix ~) will be added to the request, Reply-Value
> (prefix =) to the reply, and Configure-Value (no prefix) to the
> configure items.
>
> So you're wrong several ways:
>
> 1. "mac-address" is not a radius attribute
> 2. None of your attributes have * for key
> 3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
> 3. By itself you can't negate the sense and reject-if-no-match
>
> Try something like this:
>
> passwd mac-ip {
> filename = /etc/raddb/MAC-IP
> format = "*Calling-Station-Id:Class"
> delimiter = ":"
> authtype = Reject
> }
> always fail {
>rcode = fail
> }
>
> authorize {
>mac-ip {
> notfound = reject
>}
># others
> }
>
> ...and note that many/most APs send the MAC as "00-11-22-33-44-55" so
> the file should look like this:
>
> 00-11-22-33-44-55:KnownUser
>
> This is all in the docs.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Howto reload raddb/users file?
It's documented on freeradius.org FAQ: Quick answer: SIGHUP Longer answer: http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_get_radius_to_pick_up_changes_in_the_raddb.2Fusers_file.3F Cheers, Roman On 3/14/06, Chris Leavoy <[EMAIL PROTECTED]> wrote: > How do I reload raddb/users file? Please embarrass me thoroughly by > pointing out where this is documented. > > -- Chris > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiFi & Mac address authentication
>
> Please read the docs. This comments right above the "passwd" module in
> the default config are VERY SPECIFIC. The format is:
>
> format = "*Key-Value:~Request-Value:=Reply-Value:Configure-Value"
>
> That is, the radius attribute "Key-Value" is the first field.
> Request-Value (prefix ~) will be added to the request, Reply-Value
> (prefix =) to the reply, and Configure-Value (no prefix) to the
> configure items.
Sure, I have missed that valuable info (I was too focused on man page
and /usr/share/doc).
> So you're wrong several ways:
>
> 3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
That's exactly the field I wish to use (Calling-Station-Id), the IP is
just for other internal purposes, so you can ignore it.
> Try something like this:
>
> passwd mac-ip {
> filename = /etc/raddb/MAC-IP
> format = "*Calling-Station-Id:Class"
> delimiter = ":"
> authtype = Reject
> }
> always fail {
>rcode = fail
> }
>
> authorize {
>mac-ip {
> notfound = reject
>}
># others
> }
That was useful, thank you ! I guess that in my case it's safe to drop
the Class attribute, leaving format just as: "*Calling-Station-Id:".
> ...and note that many/most APs send the MAC as "00-11-22-33-44-55" so
> the file should look like this:
>
> 00-11-22-33-44-55:KnownUser
FYI, the Cisco Aironet 1200 can send the Calling-Station-Id on these
configurable formats:
..
xx-xx-xx-xx-xx-xx
xx:xx:xx:xx:xx:xx
So it's ok right now.
>
> This is all in the docs.
Perhaps this example could be used in the manpage as an EXAMPLE
section, isn't it ?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiFi & Mac address authentication
I'm trying to implement a similar scenario: I am using PEAP, and I
want to check if a given mac is in my database. In my case, the MACs
file looks like this:
0030.0996.CF52:192.168.12.1
I would like to match the first field (MAC) with the NAS
"Calling-Station-Id" attribute, if this check fails, I would like to
reject that user. Is it doable with rlm_password ? I've tried, but I
cannot figure out which is the right "format" for my case:
I've tried the following in radiusd.conf:
modules {
(...)
passwd mac-ip {
filename = /etc/raddb/MAC-IP
format = "mac-address:Calling-Station-Id"
delimiter = ":"
}
}
(...)
authorize {
preprocess
mac-ip <--- I want to Reject the client if that module fails
eap
files
}
But when I run radiusd -X:
rlm_passwd: no field market as key in format: mac-address:Calling-Station-Id
How do I specify that mac-address is a "key" and Calling-Station-Id a "value" ?
Thank you,
Roman
On 3/7/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Guillaume <[EMAIL PROTECTED]> wrote:
> > ok, if i understand the manpage of dictionary & rlm_passwd, i have to
> > add this line in:
> > ##Dictionary file##
> > ATTRIBUTEmac-address 3001 string
>
> Why? That attribute won't ever appear in a packet.
>
> You have to use an attribute that will appear in a packet.
>
> Other than that, it looks like it should work.
>
> Alan DEKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
