MAC authentication with freeradius

Daniel Lopez danilogo1991 at gmail.com
Tue Nov 3 16:54:14 CET 2015


Excellent, it was that,
you were a great help, thanks a lot.

2015-11-03 9:17 GMT-05:00 Alan DeKok <aland at deployingradius.com>:

> On Nov 3, 2015, at 9:04 AM, Daniel Lopez <danilogo1991 at gmail.com> wrote:
> >
> > Hi, I'm using free radius 2.1.12
>
>   Ugh.  Upgrade.
>
> > with mysql module (freeradius-mysql) I want
> > to authenticate users by MAC address, so in radcheck table I set the
> > attribute Calling-Station-Id == XX-XX-XX-XX-XX-XX, but it didn't work,
> > user can't authenticate, when I delete this row, user can authenticate
> > perfectly, so it seems this is not the way I should configure server to
> > perform MAC authentication. Could somebody help me with this?
>
>   Reading the debug output usually helps.
>
> > [this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX]:
> >
> > rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158
> >        User-Name = "dprueba"
> >        NAS-IP-Address = 192.168.0.1
> >        NAS-Port = 0
> >        Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
> >        Calling-Station-Id = "10-68-3F-82-42-16"
> >        Framed-MTU = 1400
> >        NAS-Port-Type = Wireless-802.11
> >        Connect-Info = "CONNECT 0Mbps 802.11"
> >        EAP-Message = 0x0200000c0164707275656261
> >        Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a
>
>   That is the OUTER authentication session.
>
> ...
> > [sql]   expand: SELECT id, username, attribute, value, op           FROM
> > radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
> > id -> SELECT id, username, attribute, value, op           FROM
> > radcheck           WHERE username = 'dprueba'           ORDER BY id
> > [sql] User found in radcheck table
>
>   Which is clear.  The server prints out these SQL queries so you can
> check them for yourself.
>
>   ... and lots of debug output later, we have the INNER session
>
> > [peap] Setting default EAP type for tunneled EAP session.
> > [peap] Got tunneled request
> >        EAP-Message = 0x0206000c0164707275656261
> > server  {
> > [peap] Setting User-Name to dprueba
> > Sending tunneled request
> >        EAP-Message = 0x0206000c0164707275656261
> >        FreeRADIUS-Proxied-To = 127.0.0.1
> >        User-Name = "dprueba"
>
>   Note: No Calling-Station-Id.
>
>   Please *read* raddb/eap.conf.  Look for "copy_request_to_tunnel".
>
>   This is documented.
>
> > server inner-tunnel {
> > # Executing section authorize from file
> > /etc/freeradius/sites-enabled/inner-tunnel
> > ...
> > [sql]   expand: SELECT id, username, attribute, value, op           FROM
> > radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
> > id -> SELECT id, username, attribute, value, op           FROM
> > radcheck           WHERE username = 'dprueba'           ORDER BY id
>
>   And note there's no "user found in radcheck" message.
>
>   Because there's no Calling-Station-Id attribute in the inner tunnel.
>
>   Alan DeKok.
>
>
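
The diagnosis in the quoted reply (Calling-Station-Id present in the outer request, absent from the tunneled one) can be checked mechanically against `radiusd -X` output. The Python script below is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical, and the sample input is an excerpt assembled from the debug lines quoted above.

```python
import re

# Excerpt assembled from the debug output quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158
        User-Name = "dprueba"
        NAS-IP-Address = 192.168.0.1
        Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
        Calling-Station-Id = "10-68-3F-82-42-16"
        EAP-Message = 0x0200000c0164707275656261
[peap] Got tunneled request
        EAP-Message = 0x0206000c0164707275656261
server  {
[peap] Setting User-Name to dprueba
Sending tunneled request
        EAP-Message = 0x0206000c0164707275656261
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "dprueba"
server inner-tunnel {
"""

# An attribute line is indented and has the form "Name = value".
ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")


def attribute_blocks(debug_text):
    """Collect the attributes listed after 'rad_recv:' (outer request) and
    after 'Sending tunneled request' (inner request) in debug output."""
    blocks = {"outer": {}, "inner": {}}
    current = None
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:"):
            current = "outer"
        elif line.startswith("Sending tunneled request"):
            current = "inner"
        else:
            m = ATTR_LINE.match(line)
            if m and current:
                blocks[current][m.group(1)] = m.group(2).strip('"')
            elif not m:
                current = None  # any other line ends the attribute list
    return blocks


def missing_in_tunnel(debug_text, check_attributes):
    """Return the check-item attributes that the outer request carries
    but the tunneled request does not."""
    blocks = attribute_blocks(debug_text)
    return [a for a in check_attributes
            if a in blocks["outer"] and a not in blocks["inner"]]
```

Any attribute this reports is one that a radcheck check item cannot match inside the inner-tunnel virtual server, which is the condition `copy_request_to_tunnel` in raddb/eap.conf addresses.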

