> > > Do something like:
> > >
> > > modules {
> > >   passwd mac2ok {
> > >     filename = /etc/raddb/mac2ok
> > >     format = "*Calling-Station-Id:~My-Local-String"
> > >     hashsize = 100
> > >   }
> > >
> > >   # other modules
> > > }
> > >
> > > authorize {
> > >   preprocess
> > >   mac2ok
> > >   files
> > >   # other modules
> > > }
> > >
> > > Make "/etc/raddb/mac2ok" read:
> > >
> > > 008012323244:ok
> > > 002938475473:ok
> > >
> > > ...then in "users" put:
> > >
> > > DEFAULT My-Local-String != "ok", Auth-Type := Reject
> > >   Reply-Message = "calling station id not allowed", Fall-Through = No
> > >
> > > # Other config items
> > >
> > > Depending on the version of the server, you might need the following in
> > > /etc/raddb/dictionary:
> > >
> > > ATTRIBUTE My-Local-String 3000 string
> >
> > OK, it almost works fine, but if there is no mac in my mac2ok
> > file then users file doesn't put REJECT into Auth-Type.
> > I have added that line at the beginning of users file:
> >
> > DEFAULT Auth-Type := REJECT, My-Local-String !* "a"

OK. I have noticed that one request is 'processed' twice. The first time
there is the calling station id etc. and mac2ok puts 'good' into the request.
Then the login is extracted from the EAP-Message and freeradius processes
the request again, but there is no My-Local-String etc. So the reject from
the users file causes the EAP-PEAP failure.

I have added at the end of the users file:

# for first process of request
DEFAULT My-Local-String == "good"
        Fall-Through = No

# for second process of request (login is known from eap-message...)
DEFAULT NAS-IP-Address == "127.0.0.1"
        Fall-Through = No

DEFAULT Auth-Type := Reject

Thanks!!!
Norbert

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
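
Added example, not part of the thread and not FreeRADIUS code: a small generator for the mac2ok file discussed above, which turns an inventory of MAC addresses in mixed notations into the bare `mac:ok` lines shown in the thread and reports malformed or duplicate entries instead of writing them. The function names, the sample inventory, and the choice of lowercase bare hex (which must match how your NAS sends Calling-Station-Id) are assumptions.

```python
import re

# The passwd-style file on this page is colon-delimited, so keys must be bare
# hex. Assumption: the NAS presents Calling-Station-Id in that same bare form.
_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    mac = _SEPARATORS.sub("", raw).lower()
    return mac if _HEX12.fullmatch(mac) else None


def build_mac2ok(entries, marker="ok"):
    """Turn inventory lines into 'mac:marker' lines for the mac2ok file.

    Returns (lines, rejected, duplicates). Malformed input is reported, never
    written, so a typo cannot silently add or drop an allowlist entry.
    """
    lines, rejected, duplicates, seen = [], [], [], set()
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # blank line or comment in the inventory
        mac = normalize_mac(text)
        if mac is None:
            rejected.append(text)
        elif mac in seen:
            duplicates.append(text)
        else:
            seen.add(mac)
            lines.append(f"{mac}:{marker}")
    return lines, rejected, duplicates


# Constructed sample inventory (MACs reuse the two values shown in the thread).
SAMPLE = [
    "00:80:12:32:32:44",
    "00-29-38-47-54-73",
    "0080.1232.3244",      # same device as the first line, dotted notation
    "00:80:12:32:32",      # truncated
    "# lab printer",
    "zz8012323244",        # not hex
]

if __name__ == "__main__":
    ok, bad, dup = build_mac2ok(SAMPLE)
    print("\n".join(ok))
    print("rejected:", bad, "duplicates:", dup)
```

Pass `marker="good"` if your users file tests for that value, as in the last message of the thread.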