Hi, I installed freeradius2-2.1.7-7.el5.x86_64 and set it up for MAC_auth as explained in this freeradius wiki page <http://wiki.freeradius.org/Mac-Auth> But its not working. I am attaching the output of radiusd -X, and the policy.conf files I went through the output myself, I notice these: a) it has not executed "rewrite_calling_station", going by the mac format in the debug output. b) The wifi client has a window which prompts for username/password (not expected in simple mac_auth) Can someone point out what mistake I am doing? Thanks a lot. Nagaraj -- +----------------------------------+--------------------------------------+ Nagaraj Panyam | Office tel: +91-22-22782126 Dept of High Energy Physics | Office fax: +91-22-22804610 Tata Instt. of Fundamental Research| Home tel : +91-22-22804936 Mumbai - 400 005, INDIA | **Email** : pn@tifr.res.in +----------------------------------+--------------------------------------+ ad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=57, length=185 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001301544553545c746573742d31383034 Message-Authenticator = 0x8012a54d51c5aa3c6a6a96aa75aa18cd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 57 to xx.xx.xx.xx port 3072 EAP-Message = 0x010100160410bcac0552383c8987ceeedb8259d7512e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f1c20b7f17369eba55349056 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=58, length=184 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xf1c30f25f1c20b7f17369eba55349056 Message-Authenticator = 0x9a186d278c1f81fb746473363ed32079 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 58 to xx.xx.xx.xx port 3072 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f0c1167f17369eba55349056 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=59, length=308 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202008219800000007816030100730100006f03014d2465745b05fc2eeed27aa497d088ce5d8db0996b6a4a9486280ddf78927653000018002f00350005000ac009c00ac013c01400320038001300040100002e00000013001100000e746573745c746573742d31383034000a00080006001700180019000b00020100ff01000100 State = 0xf1c30f25f0c1167f17369eba55349056 Message-Authenticator = 0xc79d3a7230dc27da64618790895b12f4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 130 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 120 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0073], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 59 to xx.xx.xx.xx port 3072 EAP-Message = 0x0103040019c0000008a216030100310200002d03014d24658e440cdb90c5cf5817264cd7a51def1ffe8a170d51d4916929ded259cf00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 EAP-Message = 0x74686f72697479301e170d3131303130333131343735385a170d3132303130333131343735385a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e9ce0d20797f9d5a1d956453494dc3093fd6e4a816c41e0f287b56ac6000101537f12d02201a3a31a9e50dd8ed5f99a0d914e3389fca43 EAP-Message = 0x4ab5fa7821da3d5bc3492570e61024827d03917ab768326078804225ab57136d89997c5746ac5441671265cfe93ad9d36b72351d39f88b879b164502b5f20fd66efd76dec45e7d77597c25266ffc1d10ff38aa4c8e2de86e0d114183c4833e02f39e003d001b9a1921c7e61b3d6f6063237aca41a18e6a9bbdcd268685df6d66c1d644474a3be69e3a771554e6caceb9f9a930b9375a970ace830edf4b21baaccf669a462b18f2cb108dbeb6849ec0d6582cdded75442a6532f18a8ccf5066fa1c90394aeded6d1e590203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009985 EAP-Message = 0x10e2b6a56e12676ab2c5cd1621418113f71ab254589459d5f509782e85c692446a86a0fac92cc5b60613e165251fc20bbe76c2cb969f934c4be73577fc59b9a3a639b2ba7f05712c1c07c4fd5b89358b2475002bb87fc880dd7239aa3bd46984338818ec7290c30ed5046b986c56f412602492b508550a5eaa12a437988f609701a051d12ba2ec9507cfe6f58f44f0167054d21f7971af197bf3145dded0906a85c58db37364565caf20d110893a26a9908a1008aff0fba755e5812d73731e7de519949d80f37e02024b1eeb2b557d91e2443462f1d716122a82089a282de906089eacaece3013ee68ed21175b263a80a2febe033d2e86fa626a819a45 EAP-Message = 0xf60004ab308204a73082038f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f3c0167f17369eba55349056 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=60, length=184 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xf1c30f25f3c0167f17369eba55349056 Message-Authenticator = 0x261da0e043b9bfb64e89e09348b83a45 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 60 to xx.xx.xx.xx port 3072 EAP-Message = 0x010403fc1940a003020102020900b703e3654b392aed300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303130333131343735385a170d3132303130333131343735385a308193310b3009060355040613024652310f300d0603550408130652616469757331 EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5f36f8fe6bc13068e2daaadac4acac248ce11a0d13c5cab7b8b7dbd8084681e4cb9a9d3145b4e43b6462d71d4426a0aeaa641a0f9a5662cd522d345d87e3ab405c91692c2b5d4613c828191acc54b3e6e2421603eef58c716b2801eef3b79ad38943efab044f9ef EAP-Message = 0x6952c7b635961ed24273e357186d1070ff869f5747993caa0e7bf944f3c4e88e64c411fe3f60bb35b835a931d851cecea15e05d06b46b9f581aaed78e88392fb4cf9fec4f75e03384bc4af1e345dc82339a0fc7cd2f6047def8e61a0cd4e2d8206aa708cb5f6ab123f5e41735cd97fe41b8a49960c7597ed51066249e4e88bd910fc9385f828568573edada97b2fff45a57671f476c7992b0203010001a381fb3081f8301d0603551d0e041604145209f0d910b833d8c2bf21013979a67fbcc16c093081c80603551d230481c03081bd80145209f0d910b833d8c2bf21013979a67fbcc16c09a18199a48196308193310b300906035504061302465231 EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b703e3654b392aed300c0603551d13040530030101ff300d06092a864886f70d010105050003820101001837a0d066840811146ee1438a22673ee350f09c19e284ff5da1e1725b8019bb089f4eac597f0381be89dfccfb98375c86128b2833bfe61122d3c8530da1d3fe8efe2cf6164c2560eda60d EAP-Message = 0x93a5a16694df2a56 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f2c7167f17369eba55349056 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=61, length=184 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xf1c30f25f2c7167f17369eba55349056 Message-Authenticator = 0x47f450d8911252a7359fb4aca48d6de0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 61 to xx.xx.xx.xx port 3072 EAP-Message = 0x010500bc1900adf270039788633910428185442e7440ff8ee7c3c78d36f887e5137eeb0e7c3656e0c266b7fdbf30222d944164df65826d7ff08636f9272aa22ffe9123ead878173bb5b40938fc6600ea8c4a907a469a9542ae8aaedcf93a6a69edac75135e899d231022c6656be3091333a11e31943a7e306170683a98a2f3fd51f109e31d9b7706eca3748f7707d09d0e9b52d254ca8d86d1aacacd188fd789a6a5dba4f1fbde15f7d0063786469fce43fae316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f5c6167f17369eba55349056 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=62, length=184 User-Name = "TEST\\test-1804" NAS-IP-Address = xx.xx.xx.xx NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0xf1c30f25f5c6167f17369eba55349056 Message-Authenticator = 0xd8967a29a74719843bd5e7b6a8640645 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 62 to xx.xx.xx.xx port 3072 EAP-Message = 0x010600061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf1c30f25f4c5167f17369eba55349056 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 57 with timestamp +39 Cleaning up request 1 ID 58 with timestamp +39 Cleaning up request 2 ID 59 with timestamp +39 Cleaning up request 3 ID 60 with timestamp +39 Cleaning up request 4 ID 61 with timestamp +39 Cleaning up request 5 ID 62 with timestamp +39 Ready to process requests. # -*- text -*- ## ## policy.conf -- FreeRADIUS server configuration file. ## ## http://www.freeradius.org/ ## $Id$ ## # # Policies are virtual modules, similar to those defined in the # "instantate" section of radiusd.conf. # # Defining a policy here means that it can be referenced in multiple # places as a *name*, rather than as a series of conditions to match, # and actions to take. # # Policies are something like subroutines in a normal language, but # they cannot be called recursively. They MUST be defined in order. # If policy A calls policy B, then B MUST be defined before A. # policy { # # Forbid all EAP types. # forbid_eap { if (EAP-Message) { reject } } # # Forbid all non-EAP types outside of an EAP tunnel. # permit_only_eap { if (!EAP-Message) { # We MAY be inside of a TTLS tunnel. # PEAP and EAP-FAST require EAP inside of # the tunnel, so this check is OK. # If so, then there MUST be an outer EAP message. if (!"%{outer.request:EAP-Message}") { reject } } } # # Forbid all attempts to login via realms. # deny_realms { if (User-Name =~ /@|\\/) { reject } } # # If you want the server to pretend that it is dead, # then use the "do_not_respond" policy. # do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } # # The following policies are for the Chargeable-User-Identity # (CUI) configuration. # # # The client indicates it can do CUI by sending a CUI attribute # containing one zero byte # cui_authorize { update request { Chargeable-User-Identity:='\\000' } } # # Add a CUI attribute based on the User-Name, and a secret key # known only to this server. # cui_postauth { if (FreeRadius-Proxied-To == 127.0.0.1) { if (outer.request:Chargeable-User-Identity) { update outer.reply { Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } else { if (Chargeable-User-Identity) { update reply { Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } } # # If there is a CUI attribute in the reply, add it to the DB. # cui_updatedb { if (reply:Chargeable-User-Identity) { cui } } # # Rewrite called station id attribute into a standard format. # rewrite_calling_station_id { if(request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}" } } else { noop } } # # If we had stored a CUI for the User, add it to the request. # cui_accounting { # # If the CUI isn't in the packet, see if we can find it # in the DB. # if (!Chargeable-User-Identity) { update control { Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" } } # # If it exists now, then write out when we last saw # this CUI. # if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { cui } } }