Bode Benjamin wrote:
we got freeradius working and are using only eap-tls. Now we are trying to check if the users MAC-Address is the right one. Each user gets one public IP-Address (via dhcp); to assure that they don't do mac-spoofing we need this feature.
That's pretty standard.
Right now our problem is, when using eap-tls, the sql module don't seem to check the calling-station-id in the radcheck-table against the calling-station-id in the request.
Please read doc/rlm_sql, or the same file on the Wiki. Simply *checking* for a Calling-Station-Id does nothing. You have to tell the server what to *do*, also. The SQL module doesn't return reject if the entry doesn't match. Another module may authenticate the user, and therefore accept them.
When trying the same thing with the user blub (and using a incorrect MAC) sql returns user notfound (that is what we want) and the request gets rejected. So it don't seems to be a problem with our NAS.
The server is the one sending Access-Accept or Access-Reject. So to change the return packet type, change the server. The NAS has nothing to do with it.
Any idea why this is not working with eap-tls? What have we done wrong?
You're not telling the server to *reject* the user when the Calling-Station-Id fails to match.
Our tables are: radcheck id | username | attribute | op | value ----+---------------+--------------------+----+------------------- 1 | laptop | Auth-Type | := | EAP 2 | RAT | Auth-Type | := | EAP
There's no need to set Auth-Type. And in 99% of situations, it's wrong
3 | laptop | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff
Read the rlm_sql docs. The "laptop" entries say: if Calling-Station-Id == aa-bb-cc-dd-ee-ff then set Auth-Type := EAP That doesn't match, but the user isn't rejected. (For good reasons). The EAP module *also* sets Auth-Type := EAP, so EAP-TLS ends up working. You have to update the tables to do what you want. The problem here is you're thinking "check Calling-Station-Id in the table against the one in the request". Yes, it's doing that. Exactly that. But you want it to do *more*. What you want is the following: if the calling station Id DOESN'T match, reject. Which should be simple enough to do: id | username | attribute | op | value ----+---------------+--------------------+----+------------------- 1 | laptop | Auth-Type | := | Reject 3 | laptop | Calling-Station-Id | != | aa-bb-cc-dd-ee-ff Forcing a Reject is about the only time you need to set Auth-Type. Alan DeKok.