Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered?
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage. That *is* needed unless you are quite-quite-mad and enjoy twenty different representations for your MAC addresses in your databases :) I have cranked things up a notch further by putting into my policy file (it also fixes a regex bug that produced truncated MAC addresses): ---- mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID componment? if ("%{7}") { update request { Called-Station-Id := "%{request:Called-Station-Id}%{7}" } } updated } else { noop } } rewrite.calling_station_id { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } ----
if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
The page looks fine to me, is it the enforcing and checking for RFCness that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem? Cheers
requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below.
'noop' means it did not match and is *not* a MAC auth request...
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an 802.11 wireless point using WPA-Enterprise.
You can't mac-auth EAP.
...as Phil says, this is EAP over a wireless connection. Mac-Auth *only* works on the wire and with switches that support it (Cisco and HP are two vendors I know of). Cheers -- Alexander Clouter .sigmonster says: QUESTION AUTHORITY. (Sez who?)