On Mar 20, 2024, at 8:50 PM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi all, I need to configure my client's FreeRadius to allow connection to the WiFi network only to specific smartphones. I can establish EAP-PWD connection but the MAC address list of authorized devices isn't checked so connection works for every device.
(a) test EAP-PWD all by itself. You'll need to do this with the user device (b) test MAC address authorization with PAP. You can use "radclient" to send packets (c) put the two together.
Here the debug log; could someone point me to what is wrong?
(2) Received Access-Request Id 124 from 172.31.190.2:32771 to 172.31.189.84:1812 length 300 (2) User-Name = "sistemi" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "7c-6c-f0-49-67-4b"
That's the MAC, which is good.
(2) eap_pwd: Sending tunneled request (2) eap_pwd: User-Name = "sistemi" (2) eap_pwd: server inner-tunnel {
Note: No Calling-Station-ID. The "inner-tunnel" virtual server is used to get passwords for the user. But by default, it doesn't get a copy of all of the attributes.
(2) authorized_macs: EXPAND %{Calling-Station-ID} (2) authorized_macs: --> (2) [authorized_macs] = noop
Because the inner-tunnel virtual server doesn't have a copy of the Calling-Station-Id. Move the "authorized_macs" checks to the sites-enabled/tlcamb-tag file, and the module will have access to the Calling-Station-Id. Alan DeKok.