Hi, In my previous mail while asking for help, I did not fully explain what I wanted to configure. So here goes: I want to configure freeradius to setup MAC based authentication for laptops and hand held devices in my organization. My first preference is to make it purely MAC based and paswordless. I have installed freeradius2 (debug output and conf files pasted below). For testing, I configured the NAS to use "WPA Radius", and gave it my radius servers IP and secret. When I select the SSID, the laptop pops up a window asking for usename, password and logon domain. (is there a way to avoid this?) I see that authorized_macs.authorize returns noop. But why, I don't understand. Because I want just CSID auth, I commented out the eap in default authorize{}. Is that my mistake? Here is the debug output. ------ Debug output: rad_recv: Access-Request packet from host 192.168.55.107 port 3072, id=35, length=175 User-Name = "TEST\\test" NAS-IP-Address = 192.168.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x0fc7203c788350352965da25a7a1049e +- entering group authorize {...} ++[control] returns notfound Found Auth-Type = CSID +- entering group CSID {...} ++? if (Chap-Password) ? Evaluating (Chap-Password) -> FALSE ++? if (Chap-Password) -> FALSE ++- entering else else {...} +++[ok] returns ok ++- else else returns ok +- entering group post-auth {...} ++? if (control:Auth-Type == 'CSID') ? Evaluating (control:Auth-Type == 'CSID') -> TRUE ++? if (control:Auth-Type == 'CSID') -> TRUE ++- entering if (control:Auth-Type == 'CSID') {...} [authorized_macs] expand: %{Calling-Station-ID} -> 001a734337c9 +++[authorized_macs.authorize] returns noop +++? if (!ok) ? Evaluating !(ok) -> TRUE +++? if (!ok) -> TRUE +++- entering if (!ok) {...} ++++[reject] returns reject +++- if (!ok) returns reject ++- if (control:Auth-Type == 'CSID') returns reject Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Ready to process requests. ---- cat raddb/sites-available/default authorize { #eap update control { Auth-Type = 'CSID' } } authenticate { Auth-Type CSID { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } } post-auth { if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject } } } ---- cat raddb/modules/file ------ files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs compat = no } ---- cat raddb/authorized_macs --- 001a734337c9 Reply-Message = "OK.." What is the mistake I am doing? Thanks a lot! Nagaraj Phil Mayers wrote:
On 06/01/11 12:48, Nagaraj Panyam wrote:
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered? if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below.
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an 802.11 wireless point using WPA-Enterprise.
You can't mac-auth EAP.
Start by describing what you want to do please. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- +----------------------------------+--------------------------------------+ Nagaraj Panyam | Office tel: +91-22-22782126 Dept of High Energy Physics | Office fax: +91-22-22804610 Tata Instt. of Fundamental Research| Home tel : +91-22-22804936 Mumbai - 400 005, INDIA | **Email** : pn@tifr.res.in +----------------------------------+--------------------------------------+