Mac-auth. authorized_macs file syntax

Roberto Ortega Ramiro roberto.ortega at esj.es
Fri Jun 21 14:29:49 CEST 2013


Hi again.

Matthew, you are right, I have no Access-Accept.

I have this response:

Fri Jun 21 14:18:02 2013 : Info: [authorized_macs]     expand: Device with
MAC Address %{Calling-Station-Id} authorized for network access -> Device
with MAC Address 98-0c-82-b5-00-f2 authorized for network access
Fri Jun 21 14:18:02 2013 : Info: +++[authorized_macs] returns ok
Fri Jun 21 14:18:02 2013 : Info: +++? if (!ok)
Fri Jun 21 14:18:02 2013 : Info: ? Evaluating !(ok) -> FALSE
Fri Jun 21 14:18:02 2013 : Info: +++? if (!ok) -> FALSE
Fri Jun 21 14:18:02 2013 : Info: +++- entering else else {...}
Fri Jun 21 14:18:02 2013 : Info: ++++[control] returns ok
Fri Jun 21 14:18:02 2013 : Info: +++- else else returns ok
Fri Jun 21 14:18:02 2013 : Info: ++- if (EAP-Message) returns ok
Fri Jun 21 14:18:02 2013 : Info: ++ ... skipping else for request 1:
Preceding "if" was taken
Fri Jun 21 14:18:02 2013 : Info: Found Auth-Type = Accept
Fri Jun 21 14:18:02 2013 : Info: Auth-Type = Accept, accepting the user
Fri Jun 21 14:18:02 2013 : Info: # Executing section post-auth from file
/etc/raddb/sites-enabled/default
Fri Jun 21 14:18:02 2013 : Info: +- entering group post-auth {...}
Fri Jun 21 14:18:02 2013 : Info: [reply_log]     expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.202.252/reply-detail-20130621
Fri Jun 21 14:18:02 2013 : Info: [reply_log]
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.202.252/reply-detail-20130621
Fri Jun 21 14:18:02 2013 : Info: [reply_log]     expand: %t -> Fri Jun 21
14:18:02 2013
Fri Jun 21 14:18:02 2013 : Info: ++[reply_log] returns ok
Fri Jun 21 14:18:02 2013 : Info: [auth_log]     expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.202.252/auth-detail-20130621
Fri Jun 21 14:18:02 2013 : Info: [auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.202.252/auth-detail-20130621
Fri Jun 21 14:18:02 2013 : Info: [auth_log]     expand: %t -> Fri Jun 21
14:18:02 2013
Fri Jun 21 14:18:02 2013 : Info: ++[auth_log] returns ok
Fri Jun 21 14:18:02 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 129 to 192.168.202.252 port 35856
    Reply-Message = "Device with MAC Address 98-0c-82-b5-00-f2 authorized
for network access"
Fri Jun 21 14:18:02 2013 : Info: Finished request 1.

I have followed this configuration:
http://wiki.freeradius.org/guide/Mac%20Auth#raddb/sites-available/default

    authorized_macs
    if (!ok) {
      reject
    }
    else {
      # accept
      update control {
        Auth-Type := Accept
      }
    }
  }

But I have no connection.

Thank you.


2013/6/21 Matthew Newton <mcn4 at leicester.ac.uk>

> On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
> > Hello, I have configured freeradius to accept one host connection over host
> > mac address
>
> On the assumption this is an instantiation of 'files', then the
> format for the file would be
>
> 98-0c-82-b5-00-f2    Auth-Type := Accept
>
> >     NAS-Port-Type = Wireless-802.11
> >     Connect-Info = "CONNECT 802.11g"
> >     EAP-Message = 0x02010010016c756e612e20626f726a61
>
> However, you can't do MAC address authentication with a plain
> 'Access-Accept' when you're doing EAP, so this isn't going to
> work anyway. The client won't see the Accept (this goes to the
> NAS) and will disconnect without an EAP Success.
>
> You probably want EAP-TLS if you want host (rather than user)
> based authentication on wireless.
>
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>



-- 
Regards.
____________________

Roberto Ortega
Computer Science Teacher.
http://www.proyectoret.es

Escuelas San José Valencia
Avd.Cortes Valencianas nº1
46015 Valencia
R4600489A
Tel: 963499011 ext. 262
Fax:963488835
http://www.escuelassj.com

Do not print this email unless necessary. Let's protect the environment.
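
The failure mode described in the quoted reply (a plain Access-Accept answering a request that carried EAP-Message, so the client never sees an EAP Success) can be spotted mechanically in debug output. This is an added example, not part of the original thread or of FreeRADIUS; the function names, the `rad_recv` request header line and the sample log are constructed for illustration.

```python
import re

# "Sending ..." header form is from the log above; the "rad_recv" form is assumed.
HEADER = re.compile(
    r"^(?:rad_recv: (?P<req>Access-Request) packet from host (?P<rhost>\S+) port \d+, id=(?P<rid>\d+)"
    r"|Sending (?P<rep>Access-\w+) of id (?P<sid>\d+) to (?P<shost>\S+) port \d+)")
ATTR = re.compile(r"^\s+(?P<name>[\w-]+)\s*[:+]?=\s*(?P<value>.*)$")

# Constructed sample: id 129 mirrors the EAP exchange in this thread, id 130 is non-EAP.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.202.252 port 35856, id=129, length=180
\tCalling-Station-Id = "98-0c-82-b5-00-f2"
\tEAP-Message = 0x02010010016c756e612e20626f726a61
Fri Jun 21 14:18:02 2013 : Info: Found Auth-Type = Accept
Sending Access-Accept of id 129 to 192.168.202.252 port 35856
\tReply-Message = "Device with MAC Address 98-0c-82-b5-00-f2 authorized for network access"
rad_recv: Access-Request packet from host 192.168.202.252 port 35857, id=130, length=90
\tCalling-Station-Id = "98-0c-82-b5-00-f2"
Sending Access-Accept of id 130 to 192.168.202.252 port 35857
"""

def parse_packets(text):
    """Return packets as dicts; indented attribute lines attach to the last header."""
    packets, current = [], None
    for line in text.splitlines():
        h, a = HEADER.match(line), ATTR.match(line)
        if h:
            current = {"code": h["req"] or h["rep"], "nas": h["rhost"] or h["shost"],
                       "id": int(h["rid"] or h["sid"]), "attrs": {}}
            packets.append(current)
        elif a and current is not None:
            current["attrs"][a["name"]] = a["value"].strip('"')
        else:
            current = None  # any other log line ends the attribute list
    return packets

def accepts_without_eap(text):
    """Flag Access-Accepts that answer an EAP request but carry no EAP-Message."""
    pending, findings = {}, []
    for p in parse_packets(text):
        key = (p["nas"], p["id"])  # replies are matched to requests by NAS and id
        if p["code"] == "Access-Request":
            pending[key] = p
            continue
        req = pending.pop(key, None)
        if (p["code"] == "Access-Accept" and req is not None
                and "EAP-Message" in req["attrs"] and "EAP-Message" not in p["attrs"]):
            findings.append((p["nas"], p["id"], req["attrs"].get("Calling-Station-Id")))
    return findings
```

Calling `accepts_without_eap(SAMPLE)` flags only the id 129 exchange; the non-EAP request with id 130 is accepted without a finding.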