brainstorm wrote:
I'm trying to implement a similar scenario: I am using PEAP, and I want to check if a given mac is in my database. In my case, the MACs file looks like this:
0030.0996.CF52:192.168.12.1
I would like to match the first field (MAC) with the NAS "Calling-Station-Id" attribute, if this check fails, I would like to reject that user. Is it doable with rlm_password ? I've tried, but I cannot figure out which is the right "format" for my case:
I've tried the following in radiusd.conf:
modules { (...) passwd mac-ip { filename = /etc/raddb/MAC-IP format = "mac-address:Calling-Station-Id" delimiter = ":" } }
Please read the docs. This comments right above the "passwd" module in the default config are VERY SPECIFIC. The format is: format = "*Key-Value:~Request-Value:=Reply-Value:Configure-Value" That is, the radius attribute "Key-Value" is the first field. Request-Value (prefix ~) will be added to the request, Reply-Value (prefix =) to the reply, and Configure-Value (no prefix) to the configure items. So you're wrong several ways: 1. "mac-address" is not a radius attribute 2. None of your attributes have * for key 3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP 3. By itself you can't negate the sense and reject-if-no-match Try something like this: passwd mac-ip { filename = /etc/raddb/MAC-IP format = "*Calling-Station-Id:Class" delimiter = ":" authtype = Reject } always fail { rcode = fail } authorize { mac-ip { notfound = reject } # others } ...and note that many/most APs send the MAC as "00-11-22-33-44-55" so the file should look like this: 00-11-22-33-44-55:KnownUser This is all in the docs.