Hello again I have this (LDAP string has been modified because of security considerations) server macauth { authorize { preprocess # clean the Calling-Station-ID rewrite_calling_station_id # now authenticate against LDAP if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") { reject } else { # accept update control { Auth-Type := Accept } } } authenticate { Auth-Type LDAP { ldap } } } When i try with echo "Calling-Station-Id=f0:1f:af:35:c8:02" | radclient -s localhost:1812 auth radiusTest2015 I get an access-accept reply. If i setup my AP and try to connect with a client where the MAC address is in LDAP i get: Ready to process requests (2) Received Access-Request Id 9 from xxxxxxxxxx:44620 to xxxxxxxxxx:1812 length 167 (2) User-Name = 'user' (2) NAS-IP-Address = xxxxxxxxxxxx (2) NAS-Identifier = '0418d66a5934' (2) NAS-Port = 0 (2) Called-Station-Id = '0A-18-D6-6B-59-34:test' (2) Calling-Station-Id = '30-75-12-EE-63-AA' (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = 'CONNECT 0Mbps 802.11b' (2) EAP-Message = 0x0276000d017473746174686572 (2) Message-Authenticator = 0x708c606acafcf02e4706c7729288354f (2) # Executing section authorize from file /etc/raddb/sites-enabled/macauth (2) authorize { (2) [preprocess] = ok (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (2) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (2) update request { (2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}} (2) --> 30:75:12:ee:63:aa (2) &Calling-Station-Id := "30:75:12:ee:63:aa" (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (2) ... skipping else for request 2: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (!"%{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}"){ rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 103 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 103 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 155 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You probably need to increase "spare" rlm_ldap (ldap): Opening additional connection (8) rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (8) (2) Performing search in 'ou=hosts,dc=.......' with filter '(&(objectClass=ieee802Device)(macAddress=30:75:12:ee:63:aa))', scope 'sub' (2) Waiting for search result... rlm_ldap (ldap): Released connection (8) rlm_ldap (ldap): 0 of 1 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (9) rlm_ldap (ldap): Connecting to ldap://ldap1.xxxxxxxxxxxxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (2) EXPAND %{ldap:ldaps:///ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))} (2) --> test01.mydomain.local (2) if (!"%{ldap:ldaps:///ou=hosts,dc=ou=hosts,dc=.....?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") -> FALSE (2) else { (2) update control { (2) Auth-Type := Accept (2) } # update control = noop (2) } # else = noop (2) } # authorize = updated (2) Found Auth-Type = Accept (2) Auth-Type = Accept, accepting the user (2) Sent Access-Accept Id 9 from xxxxxxxxxx:1812 to xxxxxxxxxx:44620 length 20 (2) Finished request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (2) <done>: Cleaning up request packet ID 9 with timestamp +247 Ready to process requests Is this ok from the RADIUS side? Because i still cannot get any connection using wifi (no DHCP request) and when using Windows 7 i even get prompted for my credentials. What am i doing wrong? Best,, Thomas Am 16.04.15 06:16 nachm. schrieb Alan DeKok <aland@deployingradius.com>:
On Apr 16, 2015, at 6:22 AM, Thomas Stather <Thomas.Stather@mpimf-heidelberg.mpg.de> wrote:
I tried to set it up but i failed
Following directions helps. Reading the debug output helps.
if (!"%{ldap:(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
Is that a valid LDAP query? Probably not.
radtest f0-1f-af-35-c8-10 f0-1f-af-35-c8-10 127.0.0.1 10 test123 (the mac address exists in LDAP as f0:1f:af:35:c8:10)
Which doesn't send a Calling-Station-Id attribute.
Ready to process requests (0) Received Access-Request Id 126 from 127.0.0.1:36895 to 127.0.0.1:1812 length 103 (0) User-Name = 'f0-1f-af-35-c8-10' (0) User-Password = 'f0-1f-af-35-c8-10' (0) NAS-IP-Address = 192.168.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0x2e1129946169764255df311101b1f418 (0) # Executing section authorize from file /etc/raddb/sites-enabled/mpimf-macauth
And there's no Calling-Station-Id in the packet. How do you expect to use policies based on Calling-Station-Id when it's not in the packet?
See "man radclient". Or even read the "radtest" script. It's a shell script. You need to *explicitly* add a Calling-Station-Id attribute to the packet.
... Calling-Station-Id = f0-1f-af-35-c8-10 ...
Read the debug output for packets sent by the NAS. Use them as a template, and create files which radclient will read. You will then be sure that your tests match the packets sent by the NAS.
What have i done wrong?
I had given detailed instructions in my previous message. Following them would be a good idea.
And additionally, how can i define that the LDAP query should only look in the "ou=hosts" on the LDAP server?
You should write an LDAP query that uses "ou=hosts".
I told you to write an LDAP query, and test it via "ldapsearch". You seem to have skipped that step. Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html