I'm asking questions about the MAC auth documentation because this is what I am trying to achieve. I have also looked at other documentation and understand the different sections but I am trying to work out how the MAC auth fits into it. I have followed your advice on the Autz-Type and it works but I want to know why specifically the Autz-Type is not to be in there but all my other authorize modules should be. I'm not trying to be argumentative so apologies, there are just some things that I clearly don't fully understand from the documentation alone.
From my understanding of the documentation and the debug logs, FreeRADIUS checks the MAC address against the authorized MACs file, if it is correct and it's not an EAP message it Accepts it. Further information is then sent in the form of a username and password (with EAP information in the Access-Request) from the supplicant and FreeRADIUS sees the EAP attributes and sets the Auth-Type to EAP meaning that the authentication section can take it from there performing EAP auth. I would also hope that my understanding of why the Autz-Type is there is correct. If not then please let me know.
Is there anything wrong with what I have said above. On Fri, Sep 27, 2024 at 10:52 AM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 27, 2024, at 11:18 AM, FreeRAD <yetifreerad@gmail.com> wrote:
The problem is that the only documentation for this specific implementation states "Normal virtual server configuration goes here" and that's it. If I was taking it literally I would have assumed it meant the rest of the virtual server configuration since that's what it says.
You're treating the MAC auth documentation as magic. i.e. it's perfect, you have to follow it exactly, and you are forbidden from reading any other documentation, or learning from any other documentation.
This is the wrong approach.
The way I understand the authorize section to work is that it receives an Access-Request first, validates the information within the Access-Request, and ensures, based on the enabled modules, that the correct attributes are in the Access-Request for the Authentication section to be able to process. If they are, it then sets the Auth-Type for the Authentication section accordingly. Autz-Type is only going to be used if no other module takes responsibility for Authorization similar to how Auth-Type works in Authentication.
I've told you that you can't put the Auto-Type into an "else" statement. Did you read that? Are you going to update your configuration to fix that?
It seems like your approach here is to argue about just about everything, and not follow any advice other than the MAC auth guide. I have no idea why. It's not productive.
Either follow instructions, or stop asking questions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html