Exelent, It was that, you were a great help, thanks a lot. 2015-11-03 9:17 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Nov 3, 2015, at 9:04 AM, Daniel Lopez <danilogo1991@gmail.com> wrote:
Hi, I'm using free radius 2.1.12
Ugh. Upgrade.
with mysql module (freeradius-mysql) I want to authenticate users by MAC address, so in radcheck table I set the attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user can't authenticate, when I delete this row, user can authenticate perfectly, so it seems this is not the way I should configure server to perform MAC authentication. Could somebody help me with this?
Reading the debug output usually helps.
[this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}:
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158, length=158 User-Name = "dprueba" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti" Calling-Station-Id = "10-68-3F-82-42-16" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200000c0164707275656261 Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a
That is the OUTER authentication session.
...
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id [sql] User found in radcheck table
Which is clear. The server prints out these SQL queries so you can check them for yourself.
... and lots of debug output later, we have the INNER session
[peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000c0164707275656261 server { [peap] Setting User-Name to dprueba Sending tunneled request EAP-Message = 0x0206000c0164707275656261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "dprueba"
Note: No Calling-Station-Id.
Please *read* raddb/eap.conf. Look for "copy_request_to_tunnel".
This is documented.
server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel ... [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dprueba' ORDER BY id
And note there's no "user found in radcheck" message.
Because there's no Calling-Station-Id attribute in the inner tunnel.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html