Two networks: WEP+MAC Filtering and WPA(PEAP)
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 28 13:37:42 CET 2008
> Could you please correct me about mac authorization.
>
> In my debug log I see mac authorization request :
>
> rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7,
> length=115
>         User-Name = "00-18-de-4e-8f-1d"
>         User-Password = "secret"
>         NAS-IP-Address = x.x.x.139
>         Called-Station-Id = "00-20-a6-64-66-a3:A"
>         Calling-Station-Id = "00-18-de-4e-8f-1d"
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-802.11
>
> I have this entry in my users file :
>
> 00-18-de-4e-8f-1d Auth-Type:=Local, User-Password == "secret"
That's incorrect. On a recent (1.1.7 or 2.x) version of the server,
assuming you haven't fiddled with the default config too much, do this:
00-18-de-4e-8f-1d Cleartext-Password := "secret"
However, this system has some disadvantages; specifically if you use
another NAS (AP, switch) that doesn't send "secret" or formats the
username differently.
>
> Is this the correct (right) way to control MAC addresses through radius?
There's no one "correct" way. It depends on your environment.
We (for example) lookup the Calling-Station-Id in SQL and allow or deny
based on that.
>
> Another question is : what is the correct way to separate two
> types (MAC & PEAP) of requests to radius server?
Yes. You didn't say what version of the server you're using, but in
1.1.x you can do this:
modules {
    files {
        ..
    }
    # a second instance of rlm_files that holds only the MAC list;
    # the instance name ("macauth") is what the authorize section
    # refers to below
    files macauth {
        ...
    }
}
authorize {
    preprocess
    files
    Autz-Type MACAUTH {
        macauth
    }
    Autz-Type OTHER {
        ldap
        eap
        mschap
    }
}
...then in "users":
# match mac addresses, set autz-type
# (the regex is unanchored: tighten it if real usernames could ever
# contain a 17-character xx-xx-xx-xx-xx-xx run)
DEFAULT User-Name =~ "..-..-..-..-..-..", Autz-Type := MACAUTH
        Fall-Through = no
# everything else is eap, ldap
DEFAULT Autz-Type := OTHER
...see doc/Autz-Type for more info.
In 2.x you can make use of the virtual server capabilities.
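Putting both answers above together (a separate "files" instance holding only the MAC list, and splitting MAC-authorization requests from PEAP requests), here is an added example of the 2.x form written for this page; it is not Phil's configuration or anything shipped with FreeRADIUS. It assumes FreeRADIUS 2.1.x or later (unlang if/elsif in the authorize section and the %{tolower:...} xlat from rlm_expr), that the MAC list lives in a file called users.macauth (a made-up name), that the same AP sends both kinds of request, and that "secret" is whatever fixed User-Password the NAS sends for MAC authorization, as in the request quoted above. It also goes a step past the thread: it normalises the MAC whatever format the NAS uses, and it cross-checks User-Name against Calling-Station-Id, which addresses the "formats the username differently" problem Phil mentions.

```conf
# --- modules section (radiusd.conf or modules/files): a second rlm_files
# instance holding only the MAC list. The instance NAME ("macauth") is what
# the authorize section refers to. The usersfile name is an assumption.
files macauth {
    usersfile = ${confdir}/users.macauth
}

# --- ${confdir}/users.macauth: one line per allowed station, written in
# the canonical form produced below (lower case, hyphen separated):
#
#   00-18-de-4e-8f-1d   Cleartext-Password := "secret"

# --- authorize section of sites-enabled/default
authorize {
    preprocess

    # PEAP (indeed any EAP) request carries EAP-Message: send it down the
    # EAP/LDAP path and never near the MAC list, even if the outer identity
    # happens to look like a MAC address.
    if (EAP-Message) {
        eap
        ldap
    }

    # MAC authorization: User-Name is a MAC in any of the common NAS formats
    # (00-18-de-4e-8f-1d, 00:18:de:4e:8f:1d, 0018de4e8f1d, either case).
    elsif (User-Name =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$/i) {
        # Normalise to one canonical form, so a single users.macauth entry
        # matches whichever NAS (AP or switch) sent the request.
        update request {
            User-Name := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }

        # Normalise Calling-Station-Id the same way, then require it to
        # equal User-Name. Without this check, anyone who learns the NAS's
        # fixed "secret" could do an ordinary PAP login with an allowed MAC
        # as the username from any station. A NAS that sends no
        # Calling-Station-Id at all is rejected here; relax that only
        # deliberately.
        if (Calling-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$/i) {
            update request {
                Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
            }
        }
        if (User-Name != "%{Calling-Station-Id}") {
            reject
        }

        # Look the station up in users.macauth; pap then sets
        # Auth-Type := PAP when a Cleartext-Password was found.
        macauth
        pap
    }

    # Everything else: ordinary (non-EAP) users.
    else {
        files
        ldap
        mschap
        pap
    }
}
```

The cross-check only narrows the attack to stations that actually spoof their MAC, which a WEP + MAC-filter network cannot prevent anyway; it just stops the NAS's shared "secret" from becoming a password that works for every MAC on the list. If the NAS formats Calling-Station-Id in a way the regex does not cover, the comparison fails closed (reject), which is the safe direction to find out in debug output.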