http://wiki.freeradius.org/Mac-Auth is wrong

Arran Cudbard-Bell a.cudbardb at googlemail.com
Sun Nov 21 08:07:07 CET 2010


The return code issue is debatable, probably should be notfound but
noop is acceptable.

I've fixed the wiki page.

Thanks for bringing this to the list's attention.

-Arran

On 20/11/2010, Tóth István <stoty at stoty.hu> wrote:
> Hello!
>
> I tried to set up MAC authorization for testing purposes according to
> the instructions at
> http://wiki.freeradius.org/Mac-Auth.
>
> The solution there almost worked, except for the
>
> raddb/sites-available/default post-auth{} section.
>
> The wiki contains the code:
>
> if(control:Auth-Type == 'CSID'){
>      # Authorization happens here
>      authorized_macs.authorize
>      if(notfound){
>          reject
>      }
> }
>
> However, when the rlm_files module can't find the user, it returns noop,
> not notfound.
>
> As a result, EVERY mac authentication attempt is successful.
>
> When I changed the section to
>
>          if(control:Auth-Type == 'CSID'){
>                  # Authorization happens here
>                  authorized_macs.authorize
>                  if(!ok){
>                          reject
>                  }
>          }
>
> I got correct rejects in reply to the MACs not listed in the file.
>
> The funny thing is that I actually think that the snippet on the wiki page
> should work, and the rlm_files module is returning the wrong result code.
>
> As far as I understand the result codes, noop should be returned when
> the module ignores the request, because it thinks it should not handle
> it, and notfound should be returned when the module accepted and tried
> to handle the requests, but cannot find the user in its "database".
>
> Either way, the documentation and the code do not match, and one of them
> should be fixed.
> Currently if someone just blindly copies the sample config, and does not
> test for correct rejects, he'll have a wide-open network.
>
> I have tested on fedora 13, with the latest
> freeradius-2.1.10-1.fc13.x86_64 rpm.
>
> best regards
>
> István Tóth
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
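The fail-open behaviour István describes can be reproduced without a RADIUS server. The script below is an added illustration, not FreeRADIUS code or anything from the wiki: it models rlm_files as the mail describes it (returning `ok` when the Calling-Station-Id is listed and `noop` when it is not), then applies both unlang checks from the thread to every module return code. The `authorized_macs` contents, the MAC addresses and the helper names are constructed for the example; the users-file layout (one MAC per line, optional trailing attributes) is an assumption.

```python
"""Model of the notfound-vs-noop check discussed on the list.

Added example (not FreeRADIUS's code): mimics rlm_files returning 'ok' on a
match and 'noop' when the MAC is absent, then shows which of the two unlang
conditions from the thread fails closed.
"""

# All module return codes that an unlang condition can test (FreeRADIUS rcodes).
RCODES = ("reject", "fail", "ok", "handled", "invalid",
          "userlock", "notfound", "noop", "updated")

# Constructed stand-in for raddb/authorized_macs (layout is an assumption).
AUTHORIZED_MACS = """\
# allowed devices (constructed sample data)
00-11-22-33-44-55
aa:bb:cc:dd:ee:ff    Reply-Message := "printer"
"""


def normalize_mac(mac):
    """Canonical lower-case colon form so 00-11-22-33-44-55 and 001122334455 compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_authorized_macs(text):
    """Parse the users-style file: first token of each non-comment line is the MAC."""
    macs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        macs.add(normalize_mac(line.split()[0]))
    return macs


def files_authorize(calling_station_id, macs):
    """rlm_files as observed in the mail: 'ok' on a match, 'noop' (not 'notfound') otherwise."""
    return "ok" if normalize_mac(calling_station_id) in macs else "noop"


def wiki_policy(rcode):
    """The wiki snippet: if(notfound){ reject } -- only one rcode is rejected."""
    return "reject" if rcode == "notfound" else "accept"


def fixed_policy(rcode):
    """The working change: if(!ok){ reject } -- anything but a positive match is rejected."""
    return "reject" if rcode != "ok" else "accept"


def decide(calling_station_id, policy, macs=None):
    """Run the modelled post-auth section for one client MAC."""
    if macs is None:
        macs = load_authorized_macs(AUTHORIZED_MACS)
    return policy(files_authorize(calling_station_id, macs))


def accepted_rcodes(policy):
    """Every module return code the condition lets through; a fail-closed check accepts only 'ok'."""
    return frozenset(rc for rc in RCODES if policy(rc) == "accept")


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "de:ad:be:ef:00:01"):
        print(mac, "wiki:", decide(mac, wiki_policy), "fixed:", decide(mac, fixed_policy))
    print("wiki check accepts:", sorted(accepted_rcodes(wiki_policy)))
    print("fixed check accepts:", sorted(accepted_rcodes(fixed_policy)))
```

Running it shows the unlisted MAC accepted under the wiki condition and rejected under `if(!ok)`, and the last two lines make the general point: the wiki check passes eight of the nine return codes, so any module that signals "no match" with anything other than `notfound` leaves the network open. Checking for the one success code you expect, rather than for one failure code, is the fail-closed form.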