brainstorm wrote:
I've tried your recommendations but it does not work as expected: using "Reject" as rlm_passwd's "authtype" (as you suggested), the user is always rejected, even when the MAC is in the file and is actually found:
Yes sorry, that was wrong. Clearly "authtype = Reject" will fail the request if the module matches. Don't know why I said that...
modcall[authorize]: module "MAC-IP" returns ok for request 0
Furthermore, if I change rlm_passwrd's authtype to "Accept", the supplicant auth fails and the following warning is shown:
That definitely won't work. Don't do it.
rad_check_password: Found Auth-Type Accept rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'bob'
However, if I comment rlm_passwd sections (MAC-IP in modules and authorize), all works flawlessly.
Well, yes. But if it works flawlessly, why are you wanting help?
The users file has entries like these:
bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04 joe NT-Password == 0xa3d411301d637a38f4d22d484f256a04 (...)
Which are matched correctly in all scenarios I've tested:
modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry bob at line 1
According to radius documentation (aaa.txt), it is not correct to place Auth-Type on check nor reply lists on the users file:
"A quite common mistake is to place the attributes in the wrong lists, for example placing Auth-Type, Password, NT-Password etc in the check list, or in the reply list. When run in debugging mode, the server will normally issue 'WARNING' messages saying that the attributes are in the wrong list"
So I conclude that users file is correct as it is now. What I'm doing wrong and what should I do to avoid those warning messages ? If you want the radiusd -X logs, I can attach them if you wish.
Hmm. I still say you need to read and understand the docs, but try this: passwd MAC-IP { filename = ${raddbdir}/MAC-IP format = "*Calling-Station-Id:" delimiter = ":" } (...) authorize { preprocess MAC-IP { # If the MAC isn't in the file, the modules returns notfound # in that case, exit "authorize" with reject immediately notfound = reject } files eap } That is, have no authtype on the "passwd" module. If that doesn't work, you may try something like: passwd MAC-IP { filename = ${raddbdir}/MAC-IP format = "*Calling-Station-Id:~Group" delimiter = ":" } (...) authorize { preprocess MAC-IP files eap } /etc/raddb/MAC-IP: 00-11-22-33-44-55:FAKEGROUP aa-bb-cc-dd-ee-ff:FAKEGROUP /etc/raddb/users: DEFAULT Group !* ANY, Auth-Type := Reject user1 NT-Password := abcdefg... user2 NT-Password := abcdefg...