On 08/09/2022 11:08, Vieri Di Paola wrote:
On Wed, Sep 7, 2022 at 3:42 PM Alan DeKok <aland@deployingradius.com> wrote:
Then, write "unlang" rules to match the MAB packets (but not the 802.1X packets!). Something like:
The only thing I found that could identify the packet as being MAB (well, Cisco's MAB implementation) is:
Cisco-AVPair = "method=mab"
It seems to always be in 3rd position, but I don't know if this is reliable.
You can enable "with_cisco_vsa_hack" in the preprocess module and add a new local attribute "method" in /etc/raddb/dictionary. Then the preprocess module will convert the fake Cisco AVpair attribute into a real one. Makes things easier. Other usual checks for MAB are that there is no EAP-Message attribute, User-Name and User-Password are identical, and both are a MAC address format.
This seems to work fine for me:
if ("%{request:Cisco-AVPair[2]}" == "method=mab" && !EAP-Message) -> TRUE
Use the preprocess hack and you should then be able to do if (&method == "mab" && !EAP-Message) {
I don't know if I should also check for the presence of "service-type=Call Check".
Doubt it, if you can work out what's going on from other attributes.
So anyway, I can set the following condition in authorize and "accept" without filtering:
if ("%{request:Cisco-AVPair[*]}" =~ /method=mab/ && !EAP-Message) { accept }
You could look up the MAC address here and reject if it is not found, assuming you don't want to allow all MAB auths.
In post-auth I will then add a condition to lookup the MAC addr. in local DB, eg:
Seems OK to me. -- Matthew