Getting Reject response from Server for MAC Auth

Victor Credidio victorbreda1 at gmail.com
Wed Aug 15 13:59:05 CEST 2018


Hello masters!

I'm trying to use a FreeRADIUS 3 server (running on CentOS 7) with my Ruckus
AP (model R610).
I followed this wiki article, specifically the two topics below, to
configure it properly:

https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth

https://wiki.freeradius.org/guide/mac-auth#additional-modifications_mac-auth-authorisation-by-ssid

I'm trying to log in to my WLAN with my phone. Its MAC is already in the
"authorized_macs" file (/etc/raddb/authorized_macs), and the server is
receiving its requests. I can see my phone's MAC address, my AP's MAC
address, the AP SSID, and some other attributes.
Problem is, I still get rejected.
I've been trying for more than three days to make it work this way, but
with no progress, so I thought it was better to consult the experts.

Here's the output of the "radiusd -X" command. I added line numbers so it
would be easier to locate or reference something. The first "reject" I get
is on line 72, from the "if (!ok)" check that starts on line 69:

     1 (0) Received Access-Request Id 47 from 10.85.0.222:40680 to
10.85.2.46:1812 length 197
     2 (0)   User-Name = "70-4d-7b-53-cb-38"
     3 (0)   User-Password = "70-4d-7b-53-cb-38"
     4 (0)   Calling-Station-Id = "70-4D-7B-53-CB-38"
     5 (0)   NAS-IP-Address = 10.85.0.222
     6 (0)   Called-Station-Id = "90-3A-72-65-47-AC:PMJG-AD-ACC"
     7 (0)   Service-Type = Framed-User
     8 (0)   NAS-Port-Type = Wireless-802.11
     9 (0)   NAS-Identifier = "90-3A-72-65-47-AC"
    10 (0)   Ruckus-SSID = "PMJG-AD-ACC"
    11 (0)   Message-Authenticator = 0x5d564ee23f2090acd3bc2002e4b8a23b
    12 (0) # Executing section authorize from file
/etc/raddb/sites-enabled/default
    13 (0)   authorize {
    14 (0)     policy filter_username {
    15 (0)       if (&User-Name) {
    16 (0)       if (&User-Name)  -> TRUE
    17 (0)       if (&User-Name)  {
    18 (0)         if (&User-Name =~ / /) {
    19 (0)         if (&User-Name =~ / /)  -> FALSE
    20 (0)         if (&User-Name =~ /@[^@]*@/ ) {
    21 (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    22 (0)         if (&User-Name =~ /\.\./ ) {
    23 (0)         if (&User-Name =~ /\.\./ )  -> FALSE
    24 (0)         if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))  {
    25 (0)         if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE
    26 (0)         if (&User-Name =~ /\.$/)  {
    27 (0)         if (&User-Name =~ /\.$/)   -> FALSE
    28 (0)         if (&User-Name =~ /@\./)  {
    29 (0)         if (&User-Name =~ /@\./)   -> FALSE
    30 (0)       } # if (&User-Name)  = notfound
    31 (0)     } # policy filter_username = notfound
    32 (0)     policy rewrite_called_station_id {
    33 (0)       if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
    34 (0)       if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
    35 (0)       if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
    36 (0)         update request {
    37 (0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
    38 (0)              --> 90-3A-72-65-47-AC
    39 (0)           &Called-Station-Id := 90-3A-72-65-47-AC
    40 (0)         } # update request = noop
    41 (0)         if ("%{8}") {
    42 (0)         EXPAND %{8}
    43 (0)            --> PMJG-AD-ACC
    44 (0)         if ("%{8}")  -> TRUE
    45 (0)         if ("%{8}")  {
    46 (0)           update request {
    47 (0)             EXPAND %{8}
    48 (0)                --> PMJG-AD-ACC
    49 (0)             &Called-Station-SSID := PMJG-AD-ACC
    50 (0)           } # update request = noop
    51 (0)         } # if ("%{8}")  = noop
    52 (0)         [updated] = updated
    53 (0)       } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
    54 (0)       ... skipping else: Preceding "if" was taken
    55 (0)     } # policy rewrite_called_station_id = updated
    56 (0)     policy rewrite_calling_station_id {
    57 (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
    58 (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
    59 (0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
    60 (0)         update request {
    61 (0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
    62 (0)              --> 70-4D-7B-53-CB-38
    63 (0)           &Calling-Station-Id := 70-4D-7B-53-CB-38
    64 (0)         } # update request = noop
    65 (0)         [updated] = updated
    66 (0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
    67 (0)       ... skipping else: Preceding "if" was taken
    68 (0)     } # policy rewrite_calling_station_id = updated
    69 (0)     if (!ok) {
    70 (0)     if (!ok)  -> TRUE
    71 (0)     if (!ok)  {
    72 (0)       [reject] = reject
    73 (0)     } # if (!ok)  = reject
    74 (0)   } # authorize = reject
    75 (0) Using Post-Auth-Type Reject
    76 (0) # Executing group from file /etc/raddb/sites-enabled/default
    77 (0)   Post-Auth-Type REJECT {
    78 (0) attr_filter.access_reject: EXPAND %{User-Name}
    79 (0) attr_filter.access_reject:    --> 70-4d-7b-53-cb-38
    80 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
    81 (0)     [attr_filter.access_reject] = updated
    82 (0)     [eap] = noop
    83 (0)     policy remove_reply_message_if_eap {
    84 (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
    85 (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    86 (0)       else {
    87 (0)         [noop] = noop
    88 (0)       } # else = noop
    89 (0)     } # policy remove_reply_message_if_eap = noop
    90 (0)   } # Post-Auth-Type REJECT = updated
    91 (0) Delaying response for 1.000000 seconds
    92 Waking up in 0.3 seconds.
    93 Waking up in 0.6 seconds.
    94 (0) Sending delayed response
    95 (0) Sent Access-Reject Id 47 from 10.85.2.46:1812 to
10.85.0.222:40680 length 20
    96 Waking up in 3.9 seconds.
    97 (0) Cleaning up request packet ID 47 with timestamp +11


Greetings,
-- 
Victor B. C.

