[authorized_macs.authorize] returns noop
Dear experts, I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further. requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below. ## Debug output of radiusd: rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac +- entering group authorize {...} ++[control] returns notfound Found Auth-Type = CSID +- entering group CSID {...} ++? if (Chap-Password) ? Evaluating (Chap-Password) -> FALSE ++? if (Chap-Password) -> FALSE ++- entering else else {...} +++[ok] returns ok ++- else else returns ok +- entering group post-auth {...} ++? if (control:Auth-Type == 'CSID') ? Evaluating (control:Auth-Type == 'CSID') -> TRUE ++? if (control:Auth-Type == 'CSID') -> TRUE ++- entering if (control:Auth-Type == 'CSID') {...} [authorized_macs] expand: %{Calling-Station-ID} -> 001a734337c9 +++[authorized_macs.authorize] returns noop +++? if (!ok) ? Evaluating !(ok) -> TRUE +++? if (!ok) -> TRUE +++- entering if (!ok) {...} ++++[reject] returns reject +++- if (!ok) returns reject ++- if (control:Auth-Type == 'CSID') returns reject Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. ###### cat sites-available/default authorize { #eap update control { Auth-Type = 'CSID' } } authenticate { Auth-Type CSID { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } } post-auth { if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject } } } ##### cat modules/file files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs compat = no } #### cat {confdir}/authorized_macs 001a734337c9 Reply-Message = "OK" Thank you for helping! -- +----------------------------------+--------------------------------------+ Nagaraj Panyam | Office tel: +91-22-22782126 Dept of High Energy Physics | Office fax: +91-22-22804610 Tata Instt. of Fundamental Research| Home tel : +91-22-22804936 Mumbai - 400 005, INDIA | **Email** : pn@tifr.res.in +----------------------------------+--------------------------------------+
On 06/01/11 12:48, Nagaraj Panyam wrote:
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This: http://wiki.freeradius.org/index.php?title=Mac-Auth ...seems like it's a bit... over-engineered? if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary? Anyone who wrote the page, and why it uses that method?
requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below.
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an 802.11 wireless point using WPA-Enterprise. You can't mac-auth EAP. Start by describing what you want to do please.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered?
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage. That *is* needed unless you are quite-quite-mad and enjoy twenty different representations for your MAC addresses in your databases :) I have cranked things up a notch further by putting into my policy file (it also fixes a regex bug that produced truncated MAC addresses): ---- mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) rewrite.called_station_id { if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID componment? if ("%{7}") { update request { Called-Station-Id := "%{request:Called-Station-Id}%{7}" } } updated } else { noop } } rewrite.calling_station_id { if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } ----
if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
The page looks fine to me, is it the enforcing and checking for RFCness that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem? Cheers
requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below.
'noop' means it did not match and is *not* a MAC auth request...
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an 802.11 wireless point using WPA-Enterprise.
You can't mac-auth EAP.
...as Phil says, this is EAP over a wireless connection. Mac-Auth *only* works on the wire and with switches that support it (Cisco and HP are two vendors I know of). Cheers -- Alexander Clouter .sigmonster says: QUESTION AUTHORITY. (Sez who?)
On 06/01/11 15:58, Alexander Clouter wrote:
Phil Mayers<p.mayers@imperial.ac.uk> wrote:
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered?
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage. That *is* needed unless you are quite-quite-mad and enjoy twenty different representations for your MAC addresses in your databases :)
Sure; we have something similar We *actually* abuse Postgres' macaddr datatype by doing this: update request { Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}" } ...which handles all the various cases quite nicely, but returns Postgres' :-separated version, which is fine (and what we prefer). It might be nice if FreeRadius had a "tomac" xlat.
Anyone who wrote the page, and why it uses that method?
The page looks fine to me, is it the enforcing and checking for RFCness
*What* RFCness?
that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem?
I've never seen a mac-auth implementation sending CHAP requests, which seems like lunacy, so have never considered there might be a need to execute the "authenticate" section, or synthesise a Cleartext-Password. But even so, I don't see the value in executing a modules .authorize handler in the post-auth section, or having a whole separate Auth-Type value. Why not just do all that you need after the comparison to check it's a mac-auth request i.e.: authorize { clean_mac if ((Service-Type == Call-Check) || ...) { authorized_macs if (!ok) { reject } if (CHAP-Password) { update control { Cleartext-Password := "%{User-Name}" } } else { update control { Auth-Type = Accept } } } chap mschap eap # etc. } What am I missing? Shrug. Not a big deal really. To each his own.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage. That *is* needed unless you are quite-quite-mad and enjoy twenty different representations for your MAC addresses in your databases :)
Sure; we have something similar
We *actually* abuse Postgres' macaddr datatype by doing this:
Goddamnit, first I discover all the CIDR bits and think how great that is, but I never thought to look if there was a MAC address one.
update request { Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}" }
Not quite there, but it could be IC's entry for the DWTF? ;P On a serious note, that is going to be a ballache if your SQL server goes walkies...
...which handles all the various cases quite nicely, but returns Postgres' :-separated version, which is fine (and what we prefer).
My brain prefers ':', however '-' was in an RFC I read some time back when reading about Called-Station-Id's and SSID's: http://tools.ietf.org/html/rfc3580#section-3.20
Anyone who wrote the page, and why it uses that method?
The page looks fine to me, is it the enforcing and checking for RFCness
*What* RFCness?
Apparently, guessing this is Aaran spending too much absorbing the IETF website, RFC2865 says "though shalt use 'Call-Check' for mac-auth", I have not read it myself.
that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem?
I've never seen a mac-auth implementation sending CHAP requests, which seems like lunacy, so have never considered there might be a need to execute the "authenticate" section, or synthesise a Cleartext-Password.
...but this is what makes HP special :) http://wiki.freeradius.org/index.php?title=HP#Mac-Based I agree, is is rather daft, I'm surprised User-Password even appears for a PAP approach.
But even so, I don't see the value in executing a modules .authorize handler in the post-auth section, or having a whole separate Auth-Type value.
Right, this I agree with, I nuke the request in authorize too.
Shrug. Not a big deal really. To each his own.
Many ways to skin this cat... Cheers -- Alexander Clouter .sigmonster says: Really?? What a coincidence, I'm shallow too!!
*What* RFCness?
Apparently, guessing this is Aaran spending too much absorbing the IETF website, RFC2865 says "though shalt use 'Call-Check' for mac-auth", I have not read it myself.
that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem?
I've never seen a mac-auth implementation sending CHAP requests,
HP Networking equipment does.
which seems like lunacy, so have never considered there might be a need to execute the "authenticate" section, or synthesise a Cleartext-Password.
...but this is what makes HP special :)
The problem is you can't always distinguish between CHAP authentication (e.g. web-auth) and mac-authentication. Both provide a CHAP-Password attribute, and HP Networking gear doesn't provide additional attributes, so someone could enter their mac-address as the user-name and password in a web-auth form and trick the server into performing mac-auth. In newer firmware releases all HP Networking (ProCurve) equipment will send call-check as the Service-Type to indicate Mac-Based authentication, we (ESSW security team) decided that amongst the different options, this was closest to the original intent of the RFC.
http://wiki.freeradius.org/index.php?title=HP#Mac-Based
I agree, is is rather daft, I'm surprised User-Password even appears for a PAP approach.
Its either CHAP or PAP in every Mac-Auth implementation that i've seen either sends the MAC-Address or a predefined passphrase in the CHAP or PAP attribute. I guess the advantage is that it will work with less advanced RADIUS servers that require a password attribute of some kind, and that the shared secret is required to create valid values for User-Password and CHAP-Password.
But even so, I don't see the value in executing a modules .authorize handler in the post-auth section, or having a whole separate Auth-Type value.
Right, this I agree with, I nuke the request in authorize too.
See previous mail.
Shrug. Not a big deal really. To each his own.
Many ways to skin this cat...
Mmm skinned cat. -Arran
On 01/06/2011 05:48 PM, Alexander Clouter wrote:
We *actually* abuse Postgres' macaddr datatype by doing this:
Goddamnit, first I discover all the CIDR bits and think how great that is, but I never thought to look if there was a MAC address one.
Be sure to checkout: trunc('00:11:22:33:44:55')='00:11:22:00:00:00' Useful for OUI lookups if you combine it with an import of the "manuf" file from wireshark.
update request { Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}" }
Not quite there, but it could be IC's entry for the DWTF? ;P
On a serious note, that is going to be a ballache if your SQL server goes walkies...
The SQL server runs locally on each radius server, holding a read-only replica of the main DB. If the SQL server goes away, the radius server can't do anything useful anyway (all mac->vlan lookups require the SQL to be working) We used to use an rlm_passwd map, but the SQL is just too useful. I concentrate on making sure that anything which kills the SQL server would have rendered the whole radius server useless anyway.
On Jan 6, 2011, at 7:58 AM, Alexander Clouter wrote:
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered?
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage.
Was not! If anything you palmed it off me! I moved 2.* long before you'd given up those ugly rewrite module calls :P Are those awesome string rewrite functions in a stable release yet? -Arran
Arran Cudbard-Bell <a.cudbardb@googlemail.com> wrote:
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage.
Was not! If anything you palmed it off me! I moved 2.* long before you'd given up those ugly rewrite module calls :P
Are those awesome string rewrite functions in a stable release yet?
They got slipped into 2.1.10 at the last moment. Cheers -- Alexander Clouter .sigmonster says: fortune: cpu time/usefulness ratio too high -- core dumped.
On Jan 6, 2011, at 6:17 AM, Phil Mayers wrote:
On 06/01/11 12:48, Nagaraj Panyam wrote:
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered? if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
Because the server does things in the wrong order. The default configuration is very inefficient when processing complex policies for authorisation and multi-round authentication. Although this isn't multi-round authentication it does give an example of how a request *should* pass through the server. That said it probably is over engineered for novice users- feel free to create an alternate config. -Arran
Hi, In my previous mail while asking for help, I did not fully explain what I wanted to configure. So here goes: I want to configure freeradius to setup MAC based authentication for laptops and hand held devices in my organization. My first preference is to make it purely MAC based and paswordless. I have installed freeradius2 (debug output and conf files pasted below). For testing, I configured the NAS to use "WPA Radius", and gave it my radius servers IP and secret. When I select the SSID, the laptop pops up a window asking for usename, password and logon domain. (is there a way to avoid this?) I see that authorized_macs.authorize returns noop. But why, I don't understand. Because I want just CSID auth, I commented out the eap in default authorize{}. Is that my mistake? Here is the debug output. ------ Debug output: rad_recv: Access-Request packet from host 192.168.55.107 port 3072, id=35, length=175 User-Name = "TEST\\test" NAS-IP-Address = 192.168.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x0fc7203c788350352965da25a7a1049e +- entering group authorize {...} ++[control] returns notfound Found Auth-Type = CSID +- entering group CSID {...} ++? if (Chap-Password) ? Evaluating (Chap-Password) -> FALSE ++? if (Chap-Password) -> FALSE ++- entering else else {...} +++[ok] returns ok ++- else else returns ok +- entering group post-auth {...} ++? if (control:Auth-Type == 'CSID') ? Evaluating (control:Auth-Type == 'CSID') -> TRUE ++? if (control:Auth-Type == 'CSID') -> TRUE ++- entering if (control:Auth-Type == 'CSID') {...} [authorized_macs] expand: %{Calling-Station-ID} -> 001a734337c9 +++[authorized_macs.authorize] returns noop +++? if (!ok) ? Evaluating !(ok) -> TRUE +++? if (!ok) -> TRUE +++- entering if (!ok) {...} ++++[reject] returns reject +++- if (!ok) returns reject ++- if (control:Auth-Type == 'CSID') returns reject Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Ready to process requests. ---- cat raddb/sites-available/default authorize { #eap update control { Auth-Type = 'CSID' } } authenticate { Auth-Type CSID { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } } post-auth { if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject } } } ---- cat raddb/modules/file ------ files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs compat = no } ---- cat raddb/authorized_macs --- 001a734337c9 Reply-Message = "OK.." What is the mistake I am doing? Thanks a lot! Nagaraj Phil Mayers wrote:
On 06/01/11 12:48, Nagaraj Panyam wrote:
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered? if () unlang statements in the "authenticate" section and calling a module .authorize method in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
requesting for help! It correctly sets Auth-Type to CSID. but authorized_macs.authorize] returns noop I have pasted debug output and the relevant files below.
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072, id=62, length=175 User-Name = "TEST\\test" NAS-IP-Address = 158.144.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an 802.11 wireless point using WPA-Enterprise.
You can't mac-auth EAP.
Start by describing what you want to do please. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- +----------------------------------+--------------------------------------+ Nagaraj Panyam | Office tel: +91-22-22782126 Dept of High Energy Physics | Office fax: +91-22-22804610 Tata Instt. of Fundamental Research| Home tel : +91-22-22804936 Mumbai - 400 005, INDIA | **Email** : pn@tifr.res.in +----------------------------------+--------------------------------------+
Nagaraj Panyam <pn@tifr.res.in> wrote:
In my previous mail while asking for help, I did not fully explain what I wanted to configure. So here goes: I want to configure freeradius to setup MAC based authentication for laptops and hand held devices in my organization. My first preference is to make it purely MAC based and paswordless.
You are not reading what we have been telling you, please re-read the replies in this thread. You *cannot* do mac-auth on 802.1X networks, period, end of story, game-over, FIN. WPA Enterprise enabled wireless networks *are* 802.1X networks, so you cannot do mac-auth. The request your RADIUS server is receiving (that you have given below) is a 802.1X request because it has an EAP-Message attribute. What you want to do cannot be done. Cheers
------ Debug output: rad_recv: Access-Request packet from host 192.168.55.107 port 3072, id=35, length=175 User-Name = "TEST\\test" NAS-IP-Address = 192.168.55.107 NAS-Port = 0 Called-Station-Id = "001f1fd74ce9" Calling-Station-Id = "001a734337c9" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01544553545c74657374 Message-Authenticator = 0x0fc7203c788350352965da25a7a1049e
-- Alexander Clouter .sigmonster says: Illegally parked cars will be towed at owner's expense.
On 01/07/2011 06:49 AM, Nagaraj Panyam wrote:
Hi,
In my previous mail while asking for help, I did not fully explain what I wanted to configure.
No need to CC me; I read the lsit.
So here goes: I want to configure freeradius to setup MAC based authentication for laptops and hand held devices in my organization. My first preference is to make it purely MAC based and paswordless.
First: I do not advise this. This is wildly insecure in modern wireless networks. Second: If you want this, configure your wireless point for it. WPA is NOT passwordless - WPA means username/password auth using EAP.
participants (4)
-
Alexander Clouter -
Arran Cudbard-Bell -
Nagaraj Panyam -
Phil Mayers