On Sep 27, 2024, at 12:10 PM, FreeRAD <yetifreerad@gmail.com> wrote:
I'm asking questions about the MAC auth documentation because this is what I am trying to achieve. I have also looked at other documentation and understand the different sections but I am trying to work out how the MAC auth fits into it.
MAC auth isn't magic. You keep treating it as if it's magic. Stop. MAC works like _everything_ else in the server. A packet comes in, the data in the packet is used to look up information in DBs. The server replies. It's that easy.
I have followed your advice on the Autz-Type and it works but I want to know why specifically the Autz-Type is not to be in there but all my other authorize modules should be. I'm not trying to be argumentative so apologies, there are just some things that I clearly don't fully understand from the documentation alone.
Autz-Type is documented. I'm not going to copy & paste that documentation here.
From my understanding of the documentation and the debug logs, FreeRADIUS checks the MAC address against the authorized MACs file, if it is correct and it's not an EAP message it Accepts it. Further information is then sent in the form of a username and password (with EAP information in the Access-Request) from the supplicant and FreeRADIUS sees the EAP attributes and sets the Auth-Type to EAP meaning that the authentication section can take it from there performing EAP auth. I would also hope that my understanding of why the Autz-Type is there is correct. If not then please let me know.
You configured FreeRADIUS to take specific actions based on specific rules. Either you understand those rules, or you treat them a magic spells which are not understandable. Only one approach will get you to where you want. Alan DeKok.