Re: FR Using MAC Authentication
Steve Wu wrote: > Thanks Tim, that worked, although is that up to each AP manf as to what > it sends? Pretty much. > I have HP420s. I changed the password field to match the MAC > and it authenticated (I think), but I didn't get an IP. So... did you run the server in debugging mode? The log you showed below is for *accounting* packets, not *authentication* packets. Go run it in debugging mode, and read the output. It will tell you WHY the request was rejected, or WHY the request was authenticated. If it's authenticated, and you don't get an IP, blame the DHCP server for not handing out an IP, or maybe the NAS for not forwarding traffic after the Access-Accept. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR Using MAC Authentication
> Thanks Tim, that worked, although is that up to each AP manf as to what it > sends? Yes. > I changed the password field to match the MAC and it > authenticated (I think), but I didn't get an IP. The 420 I'm using hands > out an IP fine when I turn off the MAC auth and have it wide open, so it's > talking to my DHCP server fine. > > Waking up in 6 seconds... > rad_recv: Accounting-Request packet from host 10.10.18.241:9000, id=4, > length=138 > Acct-Delay-Time = 0 > NAS-Identifier = "Enterprise AP" > User-Name = "000e35-84610a" > Acct-Status-Type = Start > Acct-Session-Id = "000e35-84a0414e5" > Acct-Authentic = RADIUS > NAS-IP-Address = 10.10.18.241 > NAS-Port = 1 > NAS-Port-Type = Wireless-802.11 > Calling-Station-Id = "000e3584610a" > Called-Station-Id = "001321ad8e4e" > Service-Type = Framed-User The fact that IP is not in the Start record is not that unusual. Have a look at the Stop record. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR Using MAC Authentication
Hi Tim -
Thanks Tim, that worked, although is that up to each AP manf as to what it
sends? I have HP420s. I changed the password field to match the MAC and it
authenticated (I think), but I didn't get an IP. The 420 I'm using hands out an
IP fine when I turn off the MAC auth and have it wide open, so it's talking to
my DHCP server fine.
Any more ideas would be greatly appreciated!
Thx - Steve
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.10.18.241:9000, id=4,
length=138
Acct-Delay-Time = 0
NAS-Identifier = "Enterprise AP"
User-Name = "000e35-84610a"
Acct-Status-Type = Start
Acct-Session-Id = "000e35-84a0414e5"
Acct-Authentic = RADIUS
NAS-IP-Address = 10.10.18.241
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000e3584610a"
Called-Station-Id = "001321ad8e4e"
Service-Type = Framed-User
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
modcall[preacct]: module "preprocess" returns noop for request 1
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address =
10.10.18.241,NAS-IP-Address = 10.10.18.241,Acct-Session-Id =
"000e35-84a0414e5",User-Name = "000e35-84610a"'
rlm_acct_unique: Acct-Unique-Session-ID = "3107f7faaae62984".
modcall[preacct]: module "acct_unique" returns ok for request 1
rlm_realm: No '@' in User-Name = "000e35-84610a", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 1
modcall[preacct]: module "files" returns noop for request 1
modcall: leaving group preacct (returns ok) for request 1
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
radius_xlat: '/var/log/freeradius/radacct/10.10.18.241/detail-20090508'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.10.18.241/detail-20090508
modcall[accounting]: module "detail" returns ok for request 1
modcall[accounting]: module "unix" returns ok for request 1
radius_xlat: '/var/log/freeradius/radutmp'
radius_xlat: '000e35-84610a'
modcall[accounting]: module "radutmp" returns ok for request 1
modcall: leaving group accounting (returns ok) for request 1
Sending Accounting-Response of id 4 to 10.10.18.241 port 9000
Finished request 1
- Original Message -
From: "Tim Sylvester"
To: "FreeRadius users mailing list"
Sent: Friday, May 8, 2009 11:42:29 AM GMT -05:00 US/Canada Eastern
Subject: RE: FR Using MAC Authentication
Steve,
Your wireless access point is sending the MAC address as the username and
password. Change the username and password in the users file and the
authentication will work.
rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
User-Name = "00215c-08b25d" <--- This came from the wireless access point
User-Password = "00215c-08b25d" <--- This came from the wireless access point
Tim
From:
freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
On Behalf Of Steve Wu
Sent: Friday, May 08, 2009 8:35 AM
To: freeradius-users@lists.freeradius.org
Subject: FR Using MAC Authentication
Hi -
I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server
box and installed FR --> sudo apt-get install freeradius*. It installed in a
breeze and tested fine. I have setup a HP420 AP for testing, it's chattering
with the FR box fine (I think).
I want my wireless clients to do MAC authentication via the FR box. I have
setup my users file to auth two of my test laptops:
000E35-84610A Auth-Type := Local, User-Password == "esradius"
00215C-08B25D Auth-Type := Local, User-Password == "esradius"
When either tries to connect up, in the FR debug I see:
rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53
User-Name = "00215c-08b25d"
User-Password = "00215c-08b25d"
Processing the authorize section of radiusd.conf
The authentication eventually fails:
rlm_pap: WARNING! No "known good" password found for the user. Authentication
may fail because of this.
Why is the User-Password the MAC address and not what is specified in the users
file? I have only tweaked the users and clients.conf files.
Just simple MAC authentication, that's all I want at this point.
Thanks in advance!
- Steve
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR Using MAC Authentication
Steve Wu wrote: > I want my wireless clients to do MAC authentication via the FR box. I > have setup my users file to auth two of my test laptops: > > 000E35-84610A Auth-Type := Local, User-Password == "esradius" > 00215C-08B25D Auth-Type := Local, User-Password == "esradius" Those entries are wrong, even in 1.1.7. You should use: 000E35-84610A Cleartext-Password := "000E35-84610A" ... > When either tries to connect up, in the FR debug I see: > > rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 > User-Name = "00215c-08b25d" > User-Password = "00215c-08b25d" Which doesn't match the password you put into the "users" file. > Why is the User-Password the MAC address and not what is specified in > the users file? I have only tweaked the users and clients.conf files. Maybe you're not clear on what's happening. The *NAS* is sending the packet containing that User-Password attribute. The RADIUS server has no control over that. The RADIUS server is supposed to look at that password, and see if it's valid. The configuration I showed above will tell the server to do that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR Using MAC Authentication
Steve, Your wireless access point is sending the MAC address as the username and password. Change the username and password in the users file and the authentication will work. rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 User-Name = "00215c-08b25d" <--- This came from the wireless access point User-Password = "00215c-08b25d"<--- This came from the wireless access point Tim From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Steve Wu Sent: Friday, May 08, 2009 8:35 AM To: freeradius-users@lists.freeradius.org Subject: FR Using MAC Authentication Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR --> sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops: 000E35-84610A Auth-Type := Local, User-Password == "esradius" 00215C-08B25D Auth-Type := Local, User-Password == "esradius" When either tries to connect up, in the FR debug I see: rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 User-Name = "00215c-08b25d" User-Password = "00215c-08b25d" Processing the authorize section of radiusd.conf The authentication eventually fails: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point. Thanks in advance! - Steve - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR Using MAC Authentication
Am 08.05.2009 um 17:35 schrieb Steve Wu: Hi - I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server box and installed FR --> sudo apt-get install freeradius*. It installed in a breeze and tested fine. I have setup a HP420 AP for testing, it's chattering with the FR box fine (I think). I want my wireless clients to do MAC authentication via the FR box. I have setup my users file to auth two of my test laptops: 000E35-84610A Auth-Type := Local, User-Password == "esradius" 00215C-08B25D Auth-Type := Local, User-Password == "esradius" Try to assign ( := ) the password instead of comparing ( == ) it. When either tries to connect up, in the FR debug I see: rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 User-Name = "00215c-08b25d" User-Password = "00215c-08b25d" Processing the authorize section of radiusd.conf The authentication eventually fails: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Why is the User-Password the MAC address and not what is specified in the users file? I have only tweaked the users and clients.conf files. Just simple MAC authentication, that's all I want at this point. Thanks in advance! - Steve - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR Using MAC Authentication
On Fri, May 08, 2009 at 11:35:20AM -0400, Steve Wu wrote: > Hi - > > I have just started tinkering with Freeradius, I built an Ubuntu 8.10 server > box and installed FR --> sudo apt-get install freeradius*. It installed in a > breeze and tested fine. I have setup a HP420 AP for testing, it's chattering > with the FR box fine (I think). > > I want my wireless clients to do MAC authentication via the FR box. I have > setup my users file to auth two of my test laptops: > > 000E35-84610A Auth-Type := Local, User-Password == "esradius" > 00215C-08B25D Auth-Type := Local, User-Password == "esradius" > > When either tries to connect up, in the FR debug I see: > > rad_recv: Access-Request packet from host 10.10.18.241:2160, id=7, length=53 > User-Name = "00215c-08b25d" > User-Password = "00215c-08b25d" > Processing the authorize section of radiusd.conf > > The authentication eventually fails: > > rlm_pap: WARNING! No "known good" password found for the user. Authentication > may fail because of this. > > Why is the User-Password the MAC address and not what is specified in the > users file? I have only tweaked the users and clients.conf files. > That is what MAC authentication is, if the MAC is in the list it can connect. Cheers, Ken > Just simple MAC authentication, that's all I want at this point. > > Thanks in advance! > > - Steve > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
