Hi Alan,

Thank you so much for this, this works, here is what I did in the configuration - perhaps others will get benefit as well.

1) created rejectmac.conf
     addded content :
     passwd rejectmac {
        filename = /etc/raddb/rejectmacaddress.txt
        delimiter = ,
        format = "*Calling-Station-Id"
     }
2) created file rejectmacaddress.txt 
     included macaddress as seen in Calling-Station-Id
3) added line in radiusd.conf
      $INCLUDE rejectmac.conf
4) in /etc/raddb/site-enabled/default authorize section I added :  
          rejectmac
                if (ok) {
                        reject
                }

This seem to work.

Here is the output :

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[rejectmac] returns ok
++? if (ok)
? Evaluating (ok) -> TRUE
++? if (ok) -> TRUE
++- entering if (ok) {...}
+++[reject] returns reject
++- if (ok) returns reject
Invalid user: [test@test.com] (from client mytesthost port 487 cli 0021.5c5b.8ef3)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test@test.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 28 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 28 with timestamp +165
Ready to process requests



Maybe good idea would be log the reject message (the reason of reject i.e Hacked mac address ) in the radius.log

Have a good weekend.

Regards,
K





On Wed, Mar 12, 2014 at 2:38 PM, Alan DeKok <aland@deployingradius.com> wrote:
Khapare Joshi wrote:
> I have list of MAC address which I want to reject. So the question is
> how do I tell freeradius server  to the file rejectmacaddres.txt file
> which has banned mac addresses ?

  See "man rlm_passwd".  It can be configured to read data from a text file.

  You probably want something like:

passwd rejectmac {
        filename = ${confdir}/rejectmacaddress.txt
        delimiter = ,
        format = "*Calling-Station-Id"
}

  Which looks up the Calling-Station-Id in the file.  The contents of
the file MUST be MAC addresses in the SAME format as you see in the
Calling-Station-ID attribute when you read "radiusd -X".

  Then in the "authorize" section, do:

authorize {
        ...

        rejectmac
        if (ok) {
                reject
        }
        ...

}

  That says "look up the Calling-Station-Id in the file.  If it's found,
reject the user".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html