RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
I apologize for the previous spam! I kind of figured out my problem. Then I tried to fix it and now I have a new problem!!

So I want to authenticate devices when both User-Name and User-Password are the same and are both the MAC of the device. My default files look like:

    authorize {
        ...
        if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }
    ...
    authenticate {
        Auth-Type Auth-NHSTB {
            if(%{request:User-Password} == %{request:User-Name}) {
                ok
            }
            else{
                noop
            }
        }
    }

However when I try to run Radius I keep getting this error:

    Expected regular expression at: request:User-Password)
    /etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.
    Errors initializing modules

I also tried a lot of other syntax and different operators as well but the error is still there... What is the right syntax?? Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Greetings,

I hope you all had a wonderful Christmas holiday!

So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern), however from the Radius -X output (which I attached here) it doesn't seem to authenticate it the way I want it.

Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-station-ID, since I "rewrite" it to be the same as the User-name) and the password (which is made to be the same as the User-name as well) to authenticate the device.

However, it looks like my "if" conditions are all matched during the process, but they all returned "noop" instead of updating the information I wanted them to.

Here are the configurations I made in the policy.conf and /sites-available/default files.

Policy.conf:

    policy {
        ...
        rewrite_calling_station_id {
            if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                update request {
                    Calling-Station-Id := "00a008%{1}%{2}%{3}"
                }
            }
            else {
                noop
            }
        }
    }

Default:

    authorize {
        ...
        rewrite_calling_station_id
        if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }

    authenticate {
        ...
        Auth-Type Auth-NHSTB {
            if(Chap-Password){
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
                chap
            }
            else{
                ok
            }
        }
    }

It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas? Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Should be:

    if(request:User-Password == "%{request:User-Name}") {

> However when I try to run Radius I keep getting this error:
>
> Expected regular expression at: request:User-Password)
> /etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.
> Errors initializing modules
>
> I also tried a lot of other syntax and different operators as well but the error is still there... What is the right syntax?? Thank you!
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao wrote:
...
> if(%{request:User-Password} == %{request:User-Name}) {

Please read "man unlang". It documents the accepted syntax. The example above is not correct.

Alan DeKok.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

Since I have asked so many questions regarding this topic I guess you all know my situation very well, so I won't go through the whole thing again and save your time!

So I found that if I add a "Default" line at the bottom of the users file, like:

    ...
    DEFAULT	Auth-Type = ntlm_auth

the server will always use ntlm for authentication... even though I have updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a "Default" line in the users file while still using the special authentication that I defined for MAC authentication bypass? Thanks!

Policy.conf:

    policy {
        ...
        rewrite_calling_station_id {
            if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                update request {
                    Calling-Station-Id := "00a008%{1}%{2}%{3}"
                }
            }
            else {
                noop
            }
        }
    }

Default:

    authorize {
        ...
        rewrite_calling_station_id
        if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){
            update control {
                Auth-Type = 'Auth-NHSTB'
            }
        }
    }

    authenticate {
        ...
        Auth-Type Auth-NHSTB {
            if(request:User-Name == "%{request:User-Password}") {
                ok
            }
            else{
                reject
            }
        }
    }

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

    rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
        User-Name = "00a0080806bd"
        User-Password = "00a0080806bd"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-04"
        Calling-Station-Id = "00-A0-08-08-06-BD"
        Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        NAS-IP-Address = 172.17.254.100
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry DEFAULT at line 38
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    ++- entering policy rewrite_calling_station_id {...}
    +++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
    ? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
    +++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
    +++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
    [request] returns noop
    +++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
    +++ ... skipping else for request 1: Preceding "if" was taken
    ++- policy rewrite_calling_station_id returns noop
    ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
    ?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
    ?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
    ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
    ++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
    +++[control] returns noop
    ++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
    Found Auth-Type = ntlm_auth
    +- entering group authenticate {...}
    [ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=00a0080806bd
    [ntlm_auth]     expand: --password=%{User-Password} -> --password=00a0080806bd
    Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
    Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
    Exec-Program: returned: 1
    ++[ntlm_auth] returns reject
    Failed to authenticate the user.
    Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> 00a0080806bd
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns u
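An added illustration, not from the thread and not FreeRADIUS code: a small Python model of the authorize flow in the posted configuration, with the unlang update operators ("=" adds only when the attribute is absent, ":=" always sets, as documented in "man unlang") modelled so the interaction with the users-file DEFAULT line visible in the debug log ("[control] returns noop", then "Found Auth-Type = ntlm_auth") can be reproduced and compared against the ":=" behaviour. The request values are copied from the posted Access-Request; the `users_default` and `op` parameters are assumptions of this model, not FreeRADIUS options.

```python
import re

# Pattern from the posted rewrite_calling_station_id policy. The doubled "[[" in
# the original is a harmless typo ("[" inside a class is literal); the clean form
# used here matches the same Calling-Station-Id values.
MAC_PATTERN = re.compile(r"^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$", re.I)

def update(attrs, op, name, value):
    """unlang 'update' operators per 'man unlang': '=' adds only if the
    attribute is absent, ':=' always sets (overriding an earlier value)."""
    if op == "=":
        if name in attrs:
            return "noop"  # the '[control] returns noop' seen in the posted debug log
        attrs[name] = value
        return "ok"
    if op == ":=":
        attrs[name] = value
        return "ok"
    raise ValueError("operator not modelled: " + op)

def rewrite_calling_station_id(request):
    """Posted policy: canonicalise a matching Calling-Station-Id to 00a008XXXXXX."""
    m = MAC_PATTERN.match(request.get("Calling-Station-Id", ""))
    if not m:
        return False
    request["Calling-Station-Id"] = "00a008" + "".join(m.groups())
    return True

def authorize(request, control, users_default=None, op="="):
    """Same order as the posted 'default' site: files (users DEFAULT line) runs
    before the policy and the Call-Check check. Returns the resulting Auth-Type;
    'op' is the operator used for the Auth-NHSTB update (the post uses '=')."""
    if users_default is not None:
        update(control, "=", "Auth-Type", users_default)  # 'DEFAULT Auth-Type = ...'
    rewrite_calling_station_id(request)
    if (request.get("Service-Type") == "Call-Check"
            and request.get("User-Name", "").lower()
            == request.get("Calling-Station-Id", "").lower()):
        update(control, op, "Auth-Type", "Auth-NHSTB")
    return control.get("Auth-Type")

def authenticate_nhstb(request):
    """Auth-NHSTB as in the last post: accept only if User-Password == User-Name.
    The earlier 'else { ok }' variant accepted any request reaching the else."""
    return "ok" if request.get("User-Password") == request.get("User-Name") else "reject"

# Constructed from the Access-Request printed in the posted debug output.
SAMPLE_REQUEST = {"User-Name": "00a0080806bd", "User-Password": "00a0080806bd",
                  "Service-Type": "Call-Check", "Calling-Station-Id": "00-A0-08-08-06-BD"}
```

Running `authorize(dict(SAMPLE_REQUEST), {}, users_default="ntlm_auth")` reproduces the ntlm_auth outcome from the log, while the same call with `op=":="` yields Auth-NHSTB.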