MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Alexander Clouter alex at digriz.org.uk
Sun Dec 20 12:16:33 CET 2009


Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
>> If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case?
> 
> for using AD - not without difficulty because it will want both bits. you could
> use FreeRADIUS itself and a bit of unlang...for example.
> 
> if you really don't care about the actual MAC address? in which case you could
> use unlang to check if it's a MAC address ..and that it's come from a particular group of
> switches eg something like
> 
> authorise {
> 
>        if("%{User-Name}" =~ /[0-9a-z]{12}/i
>
....some would say that is a controversial MAC address regexp, but I 
guess you just do things differently 'up north' eh? :)

'cheese112233xxyyzzTASTY' would even match that :)

For detecting if MAC auth is being requested, I recommend something like 
what I described for Cisco kit in:

http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00423.html

I think it was Aaron who wrote the following:

http://wiki.freeradius.org/Mac-Auth

Between the two you should be able to do something for your kit; I 
recommend you have a play with tcpdump/wireshark to work out what your 
NAS is actually sending.

Other than Alan's interesting regexp, I would suggest a number of NAS 
'sanitisers' to put in policy.conf:
----
rewrite.called_station_id {
        if( "%{request:Called-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})(:(.+))?$/i ){
                # does it have an SSID component?
                if ( "%{7}" ) {
                        update request {
                                Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}%{7}"
                        }
                }
                else {
                        update request {
                                Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
                        }
                }
        }
        else {
                noop
        }
}
rewrite.calling_station_id {
        if( "%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ){
                update request {
                        Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
                }
        }
        else {
                noop
        }
}
----

Then in your authorize section, after you have called 'preprocess', you 
call 'rewrite.called_station_id' and 'rewrite.calling_station_id' to 
RFC-ise those attributes.  It means you do not have to add kludges for 
NASes that use ':' separated MACs, or Cisco IOS style MACs. It is all 
translated to the '00-11-22-33-44-55' RFC 'approved' format.

Another hint is just before you make your SQL/LDAP query, use something 
like this (MAC-Address-Trimmed is something I have put in my 
/etc/freeradius/dictionary file for local use only):
----
if (Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) {
        update control {
                MAC-Address-Trimmed := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
}
----

Then all MAC addresses in your database are just in the format 
'001122334455'.  Just a recommendation.

Another hint is when it comes to SQL logging (*strongly* recommended) 
you use some SQL syntax to force the RFC format MAC address lowercase 
before it gets INSERTed.  This means later on when you are looking 
through your logs you are not running into case-sensitive issues (LDAP 
lookups are not case sensitive so for authorisation, it does not 
matter).

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't get even -- get odd!
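As an added illustration (not part of the post above, and not FreeRADIUS code), the following Python mirrors the unlang in Alexander's message so the regexps can be exercised against the kinds of Called-Station-Id / Calling-Station-Id values different NASes send, and so the difference between the anchored checks and Alan's unanchored one can be seen. The function names and sample inputs are constructed for this example.

```python
import re

# Same expressions as the rewrite.called_station_id / rewrite.calling_station_id
# policies in the post: six hex pairs with any single optional separator,
# Called-Station-Id additionally allowing a ':SSID' suffix (capture 7 keeps the ':').
_OCTETS = r'([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})'
_CALLED_RE = re.compile(r'^' + _OCTETS + r'(:(.+))?$', re.IGNORECASE)
_CALLING_RE = re.compile(r'^' + _OCTETS + r'$', re.IGNORECASE)
# The MAC-Address-Trimmed step expects the already RFC-ised hyphen form.
_RFC_RE = re.compile(r'^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$',
                     re.IGNORECASE)
# Alan's unanchored test from the quoted reply, for comparison only.
_LOOSE_RE = re.compile(r'[0-9a-z]{12}', re.IGNORECASE)


def rewrite_called_station_id(value):
    """Return '00-11-22-33-44-55' or '00-11-22-33-44-55:SSID'; unchanged (noop) if no match."""
    m = _CALLED_RE.match(value)
    if not m:
        return value
    return '-'.join(m.group(i) for i in range(1, 7)) + (m.group(7) or '')


def rewrite_calling_station_id(value):
    """Return the client MAC as '00-11-22-33-44-55'; unchanged (noop) if no match."""
    m = _CALLING_RE.match(value)
    if not m:
        return value
    return '-'.join(m.group(i) for i in range(1, 7))


def mac_address_trimmed(calling_station_id):
    """'001122334455' form used as the database key; None if not in RFC hyphen form."""
    m = _RFC_RE.match(calling_station_id)
    return ''.join(m.groups()) if m else None


def sql_log_form(calling_station_id):
    """Case is preserved by the rewrites, so force lowercase before INSERT."""
    return calling_station_id.lower()


def loose_mac_check(user_name):
    """Alan's check: any 12-character run of [0-9a-z] anywhere in User-Name."""
    return bool(_LOOSE_RE.search(user_name))
```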
