Thanks Alan, I moved the "authorized_macs" checksĀ inside the site configuration file (tlcamb-tag) and now it works as expected. Dario Barbon Il 20/03/2024 22:49, Alan DeKok ha scritto:
On Mar 20, 2024, at 8:50 PM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi all, I need to configure my client's FreeRadius to allow connection to the WiFi network only to specific smartphones. I can establish EAP-PWD connection but the MAC address list of authorized devices isn't checked so connection works for every device. (a) test EAP-PWD all by itself. You'll need to do this with the user device
(b) test MAC address authorization with PAP. You can use "radclient" to send packets
(c) put the two together.
Here the debug log; could someone point me to what is wrong?
(2) Received Access-Request Id 124 from 172.31.190.2:32771 to 172.31.189.84:1812 length 300 (2) User-Name = "sistemi" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "7c-6c-f0-49-67-4b" That's the MAC, which is good.
(2) eap_pwd: Sending tunneled request (2) eap_pwd: User-Name = "sistemi" (2) eap_pwd: server inner-tunnel { Note: No Calling-Station-ID.
The "inner-tunnel" virtual server is used to get passwords for the user. But by default, it doesn't get a copy of all of the attributes.
(2) authorized_macs: EXPAND %{Calling-Station-ID} (2) authorized_macs: --> (2) [authorized_macs] = noop Because the inner-tunnel virtual server doesn't have a copy of the Calling-Station-Id.
Move the "authorized_macs" checks to the sites-enabled/tlcamb-tag file, and the module will have access to the Calling-Station-Id.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html