I'm referencing the Mac-Auth wiki page at: http://wiki.freeradius.org/Mac-Auth Alan DeKok wrote:
Jason Antman wrote:
I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC Auth Bypass. I got everything functioning correctly using the Mac-Auth Wiki page as a guide, including placement of the actual CSID authentication code in the post-auth section. However, I just enabled SQL in the post-auth section, and everything is getting logged to SQL with reply Access-Accept, even if it matched the "reject" statement.
I don't see how that is possible. Are you sure you know what it's doing? Have you run the server in debugging mode?
Yes, I have, and am. As per the wiki page... I have in authenticate {}: ### snip ### Auth-Type CSID { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } ### end snip### which ALWAYS returns OK. Period. And in post-auth{}: ### snip ### if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject } } ### end snip ### If I put a "sql" line before this, it always logs with Access-Accept, since that's what authenticate{} ALWAYS returns, and the sql module is being called before . If I put a "sql" line after this, it never gets executed for "reject" statements...
It seems to me that it's pretty logical that post-auth would be entered with Auth-Type == Access-Accept, the SQL log would happen, and *then* the "reject" statement would get executed
That makes no sense. "If it's accept, it runs reject" ?
See above.
. What I don't understand is why I shouldn't move the actual authentication (authorized_macs.authorize) to the auth { } section, or else how I go about logging rejected requests.
I have no idea what that means.
Why is the authorize statement in the post-auth { } section? That seems to be the cause of these problems...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html