RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
I apologize for the previous spam! I kind of figured out my problem.
Then I tried to fix it and now I have a new problem!!

 

So I want to authenticate devices when both User-Name and User-Password
are the same and are both the MAC of the device. My default file looks
like:

 

authorize {
    ...
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

...

authenticate {
    Auth-Type Auth-NHSTB {
        # This is the line radiusd refuses to parse (see the error below).
        if (%{request:User-Password} == %{request:User-Name}) {
            ok
        }
        else {
            noop
        }
    }
}

 

However, when I try to run Radius I keep getting this error:

 

Expected regular expression at: request:User-Password)

/etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.

Errors initializing modules

 

I also tried a lot of other syntax and different operators as well, but the
error is still there... What is the right syntax?? Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514



From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

 

Greetings,

 

I hope you all had wonderful Christmas holidays!

 

So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern); however, from the
Radius -X output (which I attached here) it doesn't seem to authenticate
them the way I want it to.

 

Let me repeat my logic here: if the MAC address matches the pattern, use
the User-Name (or Calling-Station-Id, since I "rewrite" it to be the
same as the User-Name) and the password (which is made to be the same as
the User-Name as well) to authenticate the device.

 

However, it looks like my "if" conditions all matched during the
process, but they all returned "noop" instead of updating the
information I wanted them to.

 

Here are the configurations I made in the policy.conf and
/sites-available/default files

 

Policy.conf:

 

policy {
    ...
    rewrite_calling_station_id {
        # Normalise 00-A0-08-xx-xx-xx (as sent by the switch) to 00a008xxxxxx
        # so that it can be compared with User-Name.
        # (The second and third groups originally read "([[0-9A-F]{2})"; the
        # stray "[" made the class also match a literal "[" and is dropped here.)
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

 

authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (Chap-Password) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
            chap
        }
        else {
            ok
        }
    }
}

 

It seems to me that the last "ok" authenticated the device, instead of
using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Arran Cudbard-Bell
Should be:

if(request:User-Password == "%{request:User-Name}") {




Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Alan DeKok
Difan Zhao wrote:
...
> if(%{request:User-Password} == %{request:User-Name}) {

  Please read "man unlang".  It documents the accepted syntax.  The
example above is not correct.

  Alan DeKok.


RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-30 Thread Difan Zhao
Hey guys,

 

Since I have asked so many questions regarding this topic I guess you
all know my situation very well, so I won't go through the whole thing
again, to save your time!

 

So I found that if I add a "DEFAULT" line at the bottom of the users
file, like:

...

DEFAULT	Auth-Type = ntlm_auth

 

The server will always use ntlm for authentication... even though I have
updated the Auth-Type to Auth-NHSTB, it doesn't use it. I have attached
both debug files. What should I do if I want a "DEFAULT" line in the
users file while still using the special authentication that I defined for
MAC authentication bypass? Thanks!

 

 

 

Policy.conf:

policy {
    ...
    rewrite_calling_station_id {
        # Normalise 00-A0-08-xx-xx-xx (as sent by the switch) to 00a008xxxxxx
        # so that it can be compared with User-Name.
        # (The second and third groups originally read "([[0-9A-F]{2})"; the
        # stray "[" made the class also match a literal "[" and is dropped here.)
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (request:User-Name == "%{request:User-Password}") {
            ok
        }
        else {
            reject
        }
    }
}

 

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
	User-Name = "00a0080806bd"
	User-Password = "00a0080806bd"
	Service-Type = Call-Check
	Framed-MTU = 1500
	Called-Station-Id = "00-1D-E5-9C-29-04"
	Calling-Station-Id = "00-A0-08-08-06-BD"
	Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
	NAS-Port-Type = Ethernet
	NAS-Port = 50102
	NAS-Port-Id = "FastEthernet1/0/2"
	NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
	expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding "if" was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
	expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=00a0080806bd
[ntlm_auth] expand: --password=%{User-Password} -> --password=00a0080806bd
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns u
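The following is an added example, written in Python rather than unlang, that models the logic of the policy and authorize sections posted in this thread together with the users-file DEFAULT problem in the last message; it is not code from the thread or from FreeRADIUS. The function names (`normalize_mac`, `rewrite_calling_station_id`, `update`, `authorize`, `authenticate_nhstb`), the OUI allow-list parameter and the three sample requests are constructed for the example, and the MAC normalisation goes beyond the posted regex by accepting dash, colon, dot and bare forms. The `update` function encodes the unlang operator rule that the debug output above illustrates: `=` sets an attribute only when it is not already present, while `:=` overwrites it, so once the files module has applied `DEFAULT Auth-Type = ntlm_auth` a later `update control { Auth-Type = 'Auth-NHSTB' }` has no effect and "Found Auth-Type = ntlm_auth" is what runs.

```python
"""Python model of the MAB (MAC authentication bypass) policy from the thread.

Not FreeRADIUS code: it imitates the unlang behaviour so it can be run offline.
All attribute dictionaries and sample requests are constructed for the example.
"""
import re

# Constructed sample requests (not captured traffic).
MAB_REQUEST = {                      # shaped after the request in the debug output
    "User-Name": "00a0080806bd",
    "User-Password": "00a0080806bd",
    "Service-Type": "Call-Check",
    "Calling-Station-Id": "00-A0-08-08-06-BD",
}
USER_REQUEST = {                     # ordinary login whose password equals its name
    "User-Name": "bob",
    "User-Password": "bob",
    "Service-Type": "Framed-User",
    "Calling-Station-Id": "00-A0-08-08-06-BD",
}
OTHER_OUI_REQUEST = {                # MAB request from an OUI that is not allow-listed
    "User-Name": "001122334455",
    "User-Password": "001122334455",
    "Service-Type": "Call-Check",
    "Calling-Station-Id": "00:11:22:33:44:55",
}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Generalises the posted regex: accepts 00-A0-08-08-06-BD, 00:a0:08:08:06:bd,
    00a0.0808.06bd and 00a0080806bd, the forms different NAS vendors send.
    """
    digits = re.sub(r"[-:.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def rewrite_calling_station_id(request, allowed_ouis=("00a008",)):
    """Model of the rewrite_calling_station_id policy.

    Rewrites request['Calling-Station-Id'] into the 12-hex-digit form, but only
    for devices whose OUI is allow-listed (the posted policy hard codes 00-A0-08).
    Returns True when a rewrite happened.
    """
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac[:6] not in allowed_ouis:
        return False
    request["Calling-Station-Id"] = mac
    return True


def update(attrs, name, value, op):
    """unlang 'update' semantics for the two operators used in the thread."""
    if op == ":=":                   # replace whatever is there
        attrs[name] = value
    elif op == "=":                  # add only if the attribute is absent
        attrs.setdefault(name, value)
    else:
        raise ValueError("unsupported operator: " + op)


def authorize(request, op="=", users_default_auth_type="ntlm_auth",
              allowed_ouis=("00a008",)):
    """Model of the authorize section; returns the resulting control:Auth-Type.

    The files module runs before the MAB policy, so a users-file line
    'DEFAULT Auth-Type = ntlm_auth' has already populated control:Auth-Type
    by the time 'update control { Auth-Type <op> Auth-NHSTB }' runs.
    """
    control = {}
    if users_default_auth_type is not None:          # users-file DEFAULT entry
        update(control, "Auth-Type", users_default_auth_type, "=")
    rewrite_calling_station_id(request, allowed_ouis)
    name = request.get("User-Name", "")
    csid = request.get("Calling-Station-Id", "")
    # Same test as the posted 'if': Call-Check and User-Name =~ /^csid$/i
    if request.get("Service-Type") == "Call-Check" and name and name.lower() == csid.lower():
        update(control, "Auth-Type", "Auth-NHSTB", op)
    return control.get("Auth-Type")


def authenticate_nhstb(request):
    """Auth-Type Auth-NHSTB: accept only when User-Password equals User-Name."""
    return request.get("User-Password") == request.get("User-Name")


if __name__ == "__main__":
    for label, req in (("MAB", MAB_REQUEST), ("user", USER_REQUEST),
                       ("other OUI", OTHER_OUI_REQUEST)):
        for op in ("=", ":="):
            print(label, op, "->", authorize(dict(req), op=op))
```

Running the file prints the Auth-Type chosen for each sample request under both operators. The USER_REQUEST case makes the security point explicit: Auth-NHSTB accepts any request whose password equals its user name, so the authorize condition (Service-Type Call-Check plus a User-Name equal to the switch-reported, rewritten Calling-Station-Id) is the only thing keeping an ordinary login that sends name==password away from that path.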