Hi Alan, Thank you so much for this, this works, here is what I did in the configuration - perhaps others will get benefit as well. 1) created rejectmac.conf addded content : passwd rejectmac { filename = /etc/raddb/rejectmacaddress.txt delimiter = , format = "*Calling-Station-Id" } 2) created file rejectmacaddress.txt included macaddress as seen in Calling-Station-Id 3) added line in radiusd.conf $INCLUDE rejectmac.conf 4) in /etc/raddb/site-enabled/default authorize section I added : rejectmac if (ok) { reject } This seem to work. Here is the output : # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[rejectmac] returns ok ++? if (ok) ? Evaluating (ok) -> TRUE ++? if (ok) -> TRUE ++- entering if (ok) {...} +++[reject] returns reject ++- if (ok) returns reject Invalid user: [test@test.com] (from client mytesthost port 487 cli 0021.5c5b.8ef3) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test@test.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 28 to 192.168.1.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 28 with timestamp +165 Ready to process requests Maybe good idea would be log the reject message (the reason of reject i.e Hacked mac address ) in the radius.log Have a good weekend. Regards, K On Wed, Mar 12, 2014 at 2:38 PM, Alan DeKok <aland@deployingradius.com>wrote:
Khapare Joshi wrote:
I have list of MAC address which I want to reject. So the question is how do I tell freeradius server to the file rejectmacaddres.txt file which has banned mac addresses ?
See "man rlm_passwd". It can be configured to read data from a text file.
You probably want something like:
passwd rejectmac { filename = ${confdir}/rejectmacaddress.txt delimiter = , format = "*Calling-Station-Id" }
Which looks up the Calling-Station-Id in the file. The contents of the file MUST be MAC addresses in the SAME format as you see in the Calling-Station-ID attribute when you read "radiusd -X".
Then in the "authorize" section, do:
authorize { ...
rejectmac if (ok) { reject } ...
}
That says "look up the Calling-Station-Id in the file. If it's found, reject the user".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html