Re: WiFi Mac address authentication

2006-04-13 Thread Guillaume
Thanks for your help, I'll try this ASAP and provide feedback.

2006/4/12, brainstorm [EMAIL PROTECTED]:
 Solved the problem a couple of weeks ago... the error was actually in
 eap.conf, the following two attributes were required when the MAC
 check was active:

 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no

 I set them both to yes and it worked !

 Thanks for your support.

 
  Hmm. I still say you need to read and understand the docs, but try this:
 
  passwd MAC-IP {
      filename = ${raddbdir}/MAC-IP
      format = *Calling-Station-Id:
      delimiter = :
  }

  (...)

  authorize {
      preprocess
      MAC-IP {
          # If the MAC isn't in the file, the module returns notfound;
          # in that case, exit authorize with reject immediately
          notfound = reject
      }
      files
      eap
  }
 
  That is, have no authtype on the passwd module. If that doesn't work,
  you may try something like:
 
  passwd MAC-IP {
      filename = ${raddbdir}/MAC-IP
      format = *Calling-Station-Id:~Group
      delimiter = :
  }

  (...)

  authorize {
      preprocess
      MAC-IP
      files
      eap
  }
 
  /etc/raddb/MAC-IP:
 
  00-11-22-33-44-55:FAKEGROUP
  aa-bb-cc-dd-ee-ff:FAKEGROUP
 
  /etc/raddb/users:

 The DEFAULT Group is no longer necessary to make it work.

  DEFAULT Group !* ANY, Auth-Type := Reject
 
  user1 NT-Password := abcdefg...
 
  user2 NT-Password := abcdefg...
  -

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: WiFi Mac address authentication

2006-04-12 Thread brainstorm
Solved the problem a couple of weeks ago... the error was actually in
eap.conf, the following two attributes were required when the MAC
check was active:

peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no

I set them both to yes and it worked!

Thanks for your support.


 Hmm. I still say you need to read and understand the docs, but try this:

 passwd MAC-IP {
     filename = ${raddbdir}/MAC-IP
     format = *Calling-Station-Id:
     delimiter = :
 }

 (...)

 authorize {
     preprocess
     MAC-IP {
         # If the MAC isn't in the file, the module returns notfound;
         # in that case, exit authorize with reject immediately
         notfound = reject
     }
     files
     eap
 }

 That is, have no authtype on the passwd module. If that doesn't work,
 you may try something like:

 passwd MAC-IP {
     filename = ${raddbdir}/MAC-IP
     format = *Calling-Station-Id:~Group
     delimiter = :
 }

 (...)

 authorize {
     preprocess
     MAC-IP
     files
     eap
 }

 /etc/raddb/MAC-IP:

 00-11-22-33-44-55:FAKEGROUP
 aa-bb-cc-dd-ee-ff:FAKEGROUP

 /etc/raddb/users:

The DEFAULT Group is no longer necessary to make it work.

 DEFAULT Group !* ANY, Auth-Type := Reject

 user1 NT-Password := abcdefg...

 user2 NT-Password := abcdefg...
 -



Re: WiFi Mac address authentication

2006-03-23 Thread brainstorm
I've tried your recommendations but it does not work as expected:
using Reject as rlm_passwd's authtype (as you suggested), the user
is always rejected, even when the MAC is in the file and is actually
found:

modcall[authorize]: module MAC-IP returns ok for request 0

Furthermore, if I change rlm_passwd's authtype to Accept, the
supplicant auth fails and the following warning is shown:

rad_check_password:  Found Auth-Type Accept
rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'bob'

However, if I comment out the rlm_passwd sections (MAC-IP in modules and
authorize), all works flawlessly.

The users file has entries like these:

bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04
joe  NT-Password == 0xa3d411301d637a38f4d22d484f256a04
(...)

Which are matched correctly in all scenarios I've tested:

modcall[authorize]: module eap returns updated for request 0
users: Matched entry bob at line 1

According to the radius documentation (aaa.txt), it is not correct to
place Auth-Type in the check or reply lists of the users file:

A quite common mistake is to place the attributes in the wrong lists,
for example placing Auth-Type, Password, NT-Password etc in the check
list, or in the reply list.  When run in debugging mode, the server
will normally issue 'WARNING' messages saying that the attributes are
in the wrong list

So I conclude that the users file is correct as it is now. What am I doing
wrong, and what should I do to avoid those warning messages? If you
want the radiusd -X logs, I can attach them if you wish.

Thanks in advance.
---

passwd MAC-IP {
    filename = ${raddbdir}/MAC-IP
    format = *Calling-Station-Id:
    delimiter = :
    authtype = Reject   # Also tried with Accept
}

(...)

authorize {
    preprocess
    MAC-IP {
        notfound = reject
    }
    files
    eap
}


authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}



On 3/13/06, Phil Mayers [EMAIL PROTECTED] wrote:
 brainstorm wrote:
  I'm trying to implement a similar scenario: I am using PEAP, and I
  want to check if a given mac is in my database. In my case, the MACs
  file looks like this:
 
  0030.0996.CF52:192.168.12.1
 
  I would like to match the first field (MAC) with the NAS
  Calling-Station-Id attribute, if this check fails, I would like to
  reject that user. Is it doable with rlm_password ? I've tried, but I
  cannot figure out which is the right format for my case:
 
  I've tried the following in radiusd.conf:
 
  modules {
  (...)
  passwd mac-ip {
  filename = /etc/raddb/MAC-IP
  format = mac-address:Calling-Station-Id
  delimiter = :
  }
  }

 Please read the docs. The comments right above the passwd module in
 the default config are VERY SPECIFIC. The format is:

 format = *Key-Value:~Request-Value:=Reply-Value:Configure-Value

 That is, the radius attribute Key-Value is the first field.
 Request-Value (prefix ~) will be added to the request, Reply-Value
 (prefix =) to the reply, and Configure-Value (no prefix) to the
 configure items.

 So you're wrong several ways:

   1. mac-address is not a radius attribute
   2. None of your attributes have * for key
   3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
   4. By itself you can't negate the sense and reject-if-no-match

 Try something like this:

 passwd mac-ip {
     filename = /etc/raddb/MAC-IP
     format = *Calling-Station-Id:Class
     delimiter = :
     authtype = Reject
 }
 always fail {
     rcode = fail
 }

 authorize {
     mac-ip {
         notfound = reject
     }
     # others
 }

 ...and note that many/most APs send the MAC as 00-11-22-33-44-55 so
 the file should look like this:

 00-11-22-33-44-55:KnownUser

 This is all in the docs.


Re: WiFi Mac address authentication

2006-03-23 Thread Phil Mayers

brainstorm wrote:

 I've tried your recommendations but it does not work as expected:
 using Reject as rlm_passwd's authtype (as you suggested), the user
 is always rejected, even when the MAC is in the file and is actually
 found:


Yes sorry, that was wrong. Clearly authtype = Reject will fail the 
request if the module matches. Don't know why I said that...




 modcall[authorize]: module MAC-IP returns ok for request 0

 Furthermore, if I change rlm_passwd's authtype to Accept, the
 supplicant auth fails and the following warning is shown:


That definitely won't work. Don't do it.



 rad_check_password:  Found Auth-Type Accept
 rad_check_password:  Found Auth-Type EAP
 Warning:  Found 2 auth-types on request for user 'bob'

 However, if I comment out the rlm_passwd sections (MAC-IP in modules and
 authorize), all works flawlessly.


Well, yes. But if it works flawlessly, why are you wanting help?



 The users file has entries like these:

 bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04
 joe  NT-Password == 0xa3d411301d637a38f4d22d484f256a04
 (...)

 Which are matched correctly in all scenarios I've tested:

 modcall[authorize]: module eap returns updated for request 0
 users: Matched entry bob at line 1

 According to the radius documentation (aaa.txt), it is not correct to
 place Auth-Type in the check or reply lists of the users file:

 A quite common mistake is to place the attributes in the wrong lists,
 for example placing Auth-Type, Password, NT-Password etc in the check
 list, or in the reply list.  When run in debugging mode, the server
 will normally issue 'WARNING' messages saying that the attributes are
 in the wrong list

 So I conclude that the users file is correct as it is now. What am I doing
 wrong, and what should I do to avoid those warning messages? If you
 want the radiusd -X logs, I can attach them if you wish.



Hmm. I still say you need to read and understand the docs, but try this:

passwd MAC-IP {
   filename = ${raddbdir}/MAC-IP
   format = *Calling-Station-Id:
   delimiter = :
}

(...)

authorize {
    preprocess
    MAC-IP {
        # If the MAC isn't in the file, the module returns notfound;
        # in that case, exit authorize with reject immediately
        notfound = reject
    }
    files
    eap
}

That is, have no authtype on the passwd module. If that doesn't work, 
you may try something like:


passwd MAC-IP {
   filename = ${raddbdir}/MAC-IP
   format = *Calling-Station-Id:~Group
   delimiter = :
}

(...)

authorize {
    preprocess
    MAC-IP
    files
    eap
}

/etc/raddb/MAC-IP:

00-11-22-33-44-55:FAKEGROUP
aa-bb-cc-dd-ee-ff:FAKEGROUP

/etc/raddb/users:

DEFAULT Group !* ANY, Auth-Type := Reject

user1 NT-Password := abcdefg...

user2 NT-Password := abcdefg...


Re: WiFi Mac address authentication

2006-03-13 Thread Phil Mayers

brainstorm wrote:

 I'm trying to implement a similar scenario: I am using PEAP, and I
 want to check if a given mac is in my database. In my case, the MACs
 file looks like this:

 0030.0996.CF52:192.168.12.1

 I would like to match the first field (MAC) with the NAS
 Calling-Station-Id attribute, if this check fails, I would like to
 reject that user. Is it doable with rlm_password ? I've tried, but I
 cannot figure out which is the right format for my case:

 I've tried the following in radiusd.conf:

 modules {
 (...)
     passwd mac-ip {
         filename = /etc/raddb/MAC-IP
         format = mac-address:Calling-Station-Id
         delimiter = :
     }
 }


Please read the docs. The comments right above the passwd module in 
the default config are VERY SPECIFIC. The format is:


format = *Key-Value:~Request-Value:=Reply-Value:Configure-Value

That is, the radius attribute Key-Value is the first field. 
Request-Value (prefix ~) will be added to the request, Reply-Value 
(prefix =) to the reply, and Configure-Value (no prefix) to the 
configure items.


So you're wrong several ways:

 1. mac-address is not a radius attribute
 2. None of your attributes have * for key
 3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
 4. By itself you can't negate the sense and reject-if-no-match

Try something like this:

passwd mac-ip {
    filename = /etc/raddb/MAC-IP
    format = *Calling-Station-Id:Class
    delimiter = :
    authtype = Reject
}
always fail {
    rcode = fail
}

authorize {
    mac-ip {
        notfound = reject
    }
    # others
}

...and note that many/most APs send the MAC as 00-11-22-33-44-55 so 
the file should look like this:


00-11-22-33-44-55:KnownUser

This is all in the docs.


Re: WiFi Mac address authentication

2006-03-13 Thread brainstorm

 Please read the docs. This comments right above the passwd module in
 the default config are VERY SPECIFIC. The format is:

 format = *Key-Value:~Request-Value:=Reply-Value:Configure-Value

 That is, the radius attribute Key-Value is the first field.
 Request-Value (prefix ~) will be added to the request, Reply-Value
 (prefix =) to the reply, and Configure-Value (no prefix) to the
 configure items.

Sure, I had missed that valuable info (I was too focused on the man page
and /usr/share/doc).

 So you're wrong several ways:

   3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP

That's exactly the field I wish to use (Calling-Station-Id), the IP is
just for other internal purposes, so you can ignore it.

 Try something like this:

 passwd mac-ip {
  filename = /etc/raddb/MAC-IP
  format = *Calling-Station-Id:Class
  delimiter = :
  authtype = Reject
  }
 always fail {
rcode = fail
 }

 authorize {
mac-ip {
  notfound = reject
}
# others
 }

That was useful, thank you! I guess that in my case it's safe to drop
the Class attribute, leaving format just as: *Calling-Station-Id:.

 ...and note that many/most APs send the MAC as 00-11-22-33-44-55 so
 the file should look like this:

 00-11-22-33-44-55:KnownUser

FYI, the Cisco Aironet 1200 can send the Calling-Station-Id in these
configurable formats:

xxxx.xxxx.xxxx
xx-xx-xx-xx-xx-xx
xx:xx:xx:xx:xx:xx

So it's ok right now.


 This is all in the docs.

Perhaps this example could be used in the manpage as an EXAMPLE
section, couldn't it?

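As an added illustration (not from this thread, nor FreeRADIUS code), the Python below models the rlm_passwd field semantics Phil quotes above (*key, ~request, =reply, unprefixed configure item) together with the `MAC-IP { notfound = reject }` behaviour, and checks one MAC-IP entry against the three Calling-Station-Id spellings brainstorm lists for the Aironet 1200. The MAC-IP contents and request attributes are constructed sample data; the MAC normalisation step is this example's own addition so that one file entry matches all three spellings.

```python
import re

# Constructed sample of /etc/raddb/MAC-IP in the layout used in the thread.
MAC_IP_FILE = """\
00-11-22-33-44-55:FAKEGROUP
aa-bb-cc-dd-ee-ff:FAKEGROUP
"""

# rlm_passwd field prefixes: '*' key, '~' add to request, '=' add to reply.
PREFIXES = {"*": "key", "~": "request", "=": "reply"}

def parse_format(fmt, delimiter=":"):
    """Split an rlm_passwd format into (destination, attribute) per field;
    an unprefixed name is a configure item, an empty field is ignored."""
    fields = []
    for f in fmt.split(delimiter):
        if not f:
            fields.append((None, None))
        elif f[0] in PREFIXES:
            fields.append((PREFIXES[f[0]], f[1:]))
        else:
            fields.append(("config", f))
    keys = [i for i, (dest, _) in enumerate(fields) if dest == "key"]
    if len(keys) != 1:  # mirrors the "no field marked as key" startup error
        raise ValueError("no single field marked as key in format: " + fmt)
    return keys[0], fields

def normalize_mac(value):
    """Fold the ., : and - MAC spellings into one form (this example's own step)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        return value  # not a MAC: compare the raw string
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def authorize(request, fmt, text=MAC_IP_FILE, delimiter=":"):
    """Model of 'MAC-IP { notfound = reject }' in authorize: ('ok', attrs) when the
    key attribute matches a line (attrs = that line's ~request/=reply/configure
    values), ('reject', {}) when the attribute is absent or the MAC is unlisted."""
    key_index, fields = parse_format(fmt, delimiter)
    key_attr = fields[key_index][1]
    if key_attr not in request:
        return "reject", {}  # rlm_passwd: notfound -> reject
    wanted = normalize_mac(request[key_attr])
    for line in text.splitlines():
        cols = line.split(delimiter)
        if not line.strip() or line.startswith("#") or len(cols) <= key_index:
            continue
        if normalize_mac(cols[key_index]) != wanted:
            continue
        attrs = {}
        for (dest, attr), val in zip(fields, cols):
            if dest in ("request", "reply", "config"):
                attrs.setdefault(dest, {})[attr] = val
        return "ok", attrs
    return "reject", {}  # rlm_passwd: notfound -> reject
```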


Re: WiFi Mac address authentication

2006-03-12 Thread brainstorm
I'm trying to implement a similar scenario: I am using PEAP, and I
want to check if a given mac is in my database. In my case, the MACs
file looks like this:

0030.0996.CF52:192.168.12.1

I would like to match the first field (MAC) with the NAS
Calling-Station-Id attribute, if this check fails, I would like to
reject that user. Is it doable with rlm_password ? I've tried, but I
cannot figure out which is the right format for my case:

I've tried the following in radiusd.conf:

modules {
(...)
    passwd mac-ip {
        filename = /etc/raddb/MAC-IP
        format = mac-address:Calling-Station-Id
        delimiter = :
    }
}

(...)

authorize {
    preprocess
    mac-ip   # I want to reject the client if that module fails
    eap
    files
}

But when I run radiusd -X:

rlm_passwd: no field market as key in format: mac-address:Calling-Station-Id

How do I specify that mac-address is a key and Calling-Station-Id a value ?

Thank you,
Roman

On 3/7/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Guillaume [EMAIL PROTECTED] wrote:
  OK, if I understand the manpage of dictionary and rlm_passwd, I have to
  add this line in:
  ##Dictionary file##
  ATTRIBUTE   mac-address   3001   string

   Why?  That attribute won't ever appear in a packet.

   You have to use an attribute that will appear in a packet.

   Other than that, it looks like it should work.

   Alan DeKok.


Re: WiFi Mac address authentication

2006-03-07 Thread Guillaume
2006/3/3, Alan DeKok [EMAIL PROTECTED]:
 Guillaume [EMAIL PROTECTED] wrote:
  I am trying to set up MAC authentication and certificate-based
  authentication, but in the freeradius.cnf I don't find any entry for
  loading a list of authorised MAC addresses.

   That's because the server doesn't come pre-configured to run on your
 local system.  Instead, it comes with examples and documentation
 describing how to solve general problems.  The idea is that you read
 those, and use them to create local solutions.

   My suggestion is to read the rlm_passwd man page.  The grouping it
 does there for User-Name can also be applied to MAC addresses.

   Alan DeKok.
OK, if I understand the manpage of dictionary and rlm_passwd, I have to
add this line in:
##Dictionary file##
ATTRIBUTE   mac-address   3001   string
##

##radiusd.conf file##
passwd MAC_list {
    filename = /etc/radd/MAC_list
    format = mac-address:::*,User-Name
    hashsize = 50
#   ignorenislike = yes
#   allowmultiplekeys = yes
    delimiter = :
}
and then I have to create a file in /etc/radd named mac_list and add
my mapping with user and mac address?

Am I wrong, or is this the right solution?

 guillaume.





WiFi Mac address authentication

2006-03-03 Thread Guillaume
Hi guys!
I recently installed a FreeRADIUS server for test purposes in a WiFi
environment. But I still have a problem, and I hope that you will be
able to help me. The radius server version is 1.0.4.
I am trying to set up MAC authentication and certificate-based
authentication, but in the freeradius.cnf I don't find any entry for
loading a list of authorised MAC addresses. Is there any option to
create it, or do I have to configure this MAC address list on each AP?

thanks for your replies.
Guillaume



Re: WiFi Mac address authentication

2006-03-03 Thread Alan DeKok
Guillaume [EMAIL PROTECTED] wrote:
 I am trying to set up MAC authentication and certificate-based
 authentication, but in the freeradius.cnf I don't find any entry for
 loading a list of authorised MAC addresses.

  That's because the server doesn't come pre-configured to run on your
local system.  Instead, it comes with examples and documentation
describing how to solve general problems.  The idea is that you read
those, and use them to create local solutions.

  My suggestion is to read the rlm_passwd man page.  The grouping it
does there for User-Name can also be applied to MAC addresses.

  Alan DeKok.
