Rejecting User By their Calling-Station-Id (Mac Address)
Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here. Here is what I tried: *radusergroup* (username, groupename, priority) <all user-names registered> Ban 9999 Test_User Home 1 *radgroupcheck* (groupname, attribute, op, value) Ban Calling-Station-Id == 00:0b:6a:xx:xx:xx Ban Reply-Message == You have been banned Ban Auth-Type := Reject *radcheck* (username, attribute, op, value) Test_User password == letmein So far that dint work at all... I tried changing priority but no matter what I do the user still authorized to enter the network. I'm sure I did something wrong but im not sure what? So maybe some one can help me out? Thanks a lot!
Alex M wrote:
Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x
So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here.
Create a table called "blocked MACs", and put the MAC addresses in there. Then, in the "authorize" section, do: if (Calling-Station-Id == "%{sql: SELECT ....}") { reject } Fix the SQL statement to SELECT the row containing the Calling-Station-Id. Alan DeKok.
wow... i managed to make it work w/ groups but i like your way better =) Thank you! On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok <aland@deployingradius.com>wrote:
Alex M wrote:
Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x
So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here.
Create a table called "blocked MACs", and put the MAC addresses in there. Then, in the "authorize" section, do:
if (Calling-Station-Id == "%{sql: SELECT ....}") { reject }
Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :( Can some one tell me how the logic works for groupcheck? If I have Calling-Station-Id and reply reject spesified for the same user what should happen? what if i have 100 MAC addressed entered how do we check for that? I had 1 MAC address entered and geting rejected well. If 1 MAC is entered but not my MAC then im not getting rejected, yet when 2 Mac addresses entered im geting rejected regardless of my mac address. (My ban group has priority of 1) I would love to solve my problem w/ groups so I don't have to edit radius xinfig files,,, but if im geting this trange results or if its not possible i'm more or less ok w. adding more settings to configs... Thanks for helping me out! On Tue, Dec 15, 2009 at 2:41 PM, Alex M <freeradius@lrcommunications.net>wrote:
wow... i managed to make it work w/ groups but i like your way better =) Thank you!
On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok <aland@deployingradius.com>wrote:
Alex M wrote:
Hey all, i'm coming back here w/ my old question of how to reject users based on their MAC address... but now im running FR 2.x.x
So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well thats not fun for us so we trying to figure out what we can do to reject reqyest from their machines no matter what name they put in. So maybe some one can help me out here.
Create a table called "blocked MACs", and put the MAC addresses in there. Then, in the "authorize" section, do:
if (Calling-Station-Id == "%{sql: SELECT ....}") { reject }
Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alex M wrote:
Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :(
Can some one tell me how the logic works for groupcheck?
Why? You were given a simple solution. I suggest trying that. Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution. Alan DeKok.
ok fair enough =) will go dig config file... How can I send the reason for rejection? Just add reply command somewhere along the lines? Can I link reply message to the reply message associated with reply in groups? Tnx again! On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok <aland@deployingradius.com>wrote:
Alex M wrote:
Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :(
Can some one tell me how the logic works for groupcheck?
Why? You were given a simple solution. I suggest trying that. Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I need to ask again for help. So I added this code to Autorize section of Default config file.... it blocks banned users well! But I need to tell them why they got banned so I tried diferent ways to add Reply-Message in the logic Nothing helped me so far... So maybe some one can tell me how to add reply-message to this logic? Thank you a lot and Marry Xmas if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") { reject #reply := "Your account has been disabled." } On Wed, Dec 16, 2009 at 4:07 PM, Alex M <freeradius@lrcommunications.net>wrote:
ok fair enough =) will go dig config file... How can I send the reason for rejection? Just add reply command somewhere along the lines? Can I link reply message to the reply message associated with reply in groups? Tnx again!
On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok <aland@deployingradius.com>wrote:
Alex M wrote:
Well i guess i'm back to my problem :( I tried group thing and i'm getting som strange un-constant results :(
Can some one tell me how the logic works for groupcheck?
Why? You were given a simple solution. I suggest trying that. Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I need to ask again for help. So I added this code to Autorize section of Default config file.... it blocks banned users well! But I need to tell them why they got banned so I tried diferent ways to add Reply-Message in the logic Nothing helped me so far...
So maybe some one can tell me how to add reply-message to this logic?
Thank you a lot and Marry Xmas
if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") { reject
update reply { Reply-Message = "Your account has been disabled." }
#reply := "Your account has been disabled."
}
Ivan Kalik
o no wonder all my trys didnt work =) Thanks a lot! On Fri, Dec 25, 2009 at 7:10 PM, <tnt@kalik.net> wrote:
I need to ask again for help. So I added this code to Autorize section of Default config file.... it blocks banned users well! But I need to tell them why they got banned so I tried diferent ways to add Reply-Message in the logic Nothing helped me so far...
So maybe some one can tell me how to add reply-message to this logic?
Thank you a lot and Marry Xmas
if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") { reject
update reply { Reply-Message = "Your account has been disabled." }
#reply := "Your account has been disabled."
}
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok I still having trouble with this. Here is my code: ======================================================================================== if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") { reject update reply { Reply-Message = "Hello Hello Hello" } } ======================================================================================== The problem is that I don't see the Reply Message... I see other one that i got from the Usergroup. My userr is the member of default user group that sends reply message to every one saying that "Username is incorrect" that is my way to output the message where Usename >< Password (Probably there should be a better way to do that and maybe that is a problem) but that what i have now. So that message is getting outputed even though the mac address is banned.... Here is copy of my output.. Hope you can help me out? TNX =========================== rad_recv: Access-Request packet from host x4.xxx.74.xxx port 62760, id=111, length=139 NAS-IP-Address = 192.168.0.104 NAS-Identifier = "xxxxxxx.com" User-Name = "alexus7" User-Password = "open" Service-Type = Login-User NAS-Port-Type = Ethernet NAS-Port = 5 Framed-IP-Address = 192.168.1.199 Called-Station-Id = "00:0d:b9:06:xx:xx" Calling-Station-Id = "00:0b:6a:29:xx:xx" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "alexus7", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> alexus7 [sql] sql_set_user escaped user --> 'alexus7' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id [sql] User found in group All [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++? if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") sql_xlat expand: %{User-Name} -> alexus7 sql_set_user escaped user --> 'alexus7' expand: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}' -> SELECT mac FROM `lrc_banlist` WHERE mac='00:0b:6a:xx:xx:xx' expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT mac FROM `lrc_banlist` WHERE mac='00:0b:6a:29:d6:bb' sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'} -> 00:0b:6a:xx:xx:xx ? Evaluating (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") -> TRUE ++? if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") -> TRUE ++- entering if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {...} +++[reject] returns reject ++- if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") returns reject Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alexus7 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.5 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 111 to xxx.186.xxx.xxx port 6260 Reply-Message = "Your username/password is incorrect. Please try again." Waking up in 4.9 seconds. Cleaning up request 0 ID 111 with timestamp +20 =========================== On Fri, Dec 25, 2009 at 7:10 PM, <tnt@kalik.net> wrote:
I need to ask again for help. So I added this code to Autorize section of Default config file.... it blocks banned users well! But I need to tell them why they got banned so I tried diferent ways to add Reply-Message in the logic Nothing helped me so far...
So maybe some one can tell me how to add reply-message to this logic?
Thank you a lot and Marry Xmas
if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") { reject
update reply { Reply-Message = "Your account has been disabled." }
#reply := "Your account has been disabled."
}
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 26/12/2009 08:05, Alex M wrote:
Ok I still having trouble with this. Here is my code:
======================================================================================== if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") { reject
update reply { Reply-Message = "Hello Hello Hello" }
}
Wrong operator. You want := to overwrite the attribute value that already exists... update reply { Reply-Message := "Hello Hello Hello" }
participants (4)
-
Alan DeKok -
Alex M -
Arran Cudbard-Bell -
tnt@kalik.net