Sorry if the file's format isn't correct but unless that I didn't understand documentation correctly I follow what's on the following url https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_raddb-authorized_m... . Here's the authorized mac module section [root@radius-corp-01_{{PROD}} raddb]# cat mods-enabled/stingray-authorize-mac files authorized_macs { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. #compat = no } And this is the the content of "user/mac" address that should be authorized [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" And here the debug output starting from rewrite_calling_station_id section (9) policy rewrite_calling_station_id { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (9) update request { (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (9) --> 18-65-90-CB-4C-69 (9) &Calling-Station-Id := 18-65-90-CB-4C-69 (9) } # update request = noop (9) [updated] = updated (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (9) ... skipping else: Preceding "if" was taken (9) } # policy rewrite_calling_station_id = updated (9) authorized_macs: EXPAND %{Calling-Station-ID} (9) authorized_macs: --> 18-65-90-CB-4C-69 (9) [authorized_macs] = noop (9) if (!ok) { (9) if (!ok) -> TRUE (9) if (!ok) { (9) update reply { (9) Tunnel-Type := VLAN (9) Tunnel-Medium-Type := IEEE-802 (9) Tunnel-Private-Group-Id := 155 (9) } # update reply = noop (9) } # if (!ok) = noop (9) ... skipping else: Preceding "if" was taken (9) [exec] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = updated (9) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69) (9) Sent Access-Accept Id 113 from 10.250.33.157:1812 to 10.1.0.81:1507 length 0 (9) MS-MPPE-Recv-Key = 0x6348f6c554161e58e38f723fb920ebdc99ddc48c18fcb74796f63d1eeb881f82 (9) MS-MPPE-Send-Key = 0x2f4ad046e69da27b4afe756aedd922a65e0ec1095ed728e70f315a77f7c3c788 (9) EAP-Message = 0x03790004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "lpaulin" (9) Tunnel-Type := VLAN (9) Tunnel-Private-Group-Id := "155" (9) Tunnel-Medium-Type := IEEE-802 (9) Idle-Timeout := 60 (9) Session-Timeout := 60 (9) Termination-Action := RADIUS-Request (9) Juniper-Local-User-Name := "SU" (9) Juniper-Junosspace-Profile := "devops_users" (9) Finished request -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2018-01-31 15:22 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Jan 31, 2018, at 3:16 PM, Luc Paulin <paulinster@gmail.com> wrote:
Great thanx Alan, I agree that mac can be easilly spoofed, but the goal here is mainly to move the user's device to another vlan than corp and
not
doing authentication. We may eventually move to EAP-TLS, but this is at least a first step.
Yes I check the format and it's exacly the same ... Here's the output of the debug section for authorized_mac.
======= <------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED --->
Including deleting the "authorized_mac" config...
And here's the authorized_macs file content [root@radius-corp-01_{{PROD}} raddb]# cat authorized_macs 18-65-90-CB-4C-69 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
What the heck is that?
You can't just invent a configuration file format and use it. You MUST read the docs.
So.. what is the "authorized_macs" module? How did you configure it? Why do you think that putting random things into it will make it do what you want?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html