Re: Problems regarding MAC address authentication
yeah upgrading is high on my list :) rlm_passwd says it provides authorization via files but i need it via LDAP. I didnt get much from your reply, here's what am doing presently plz suggest how should i proceed. ********************************************************************************************************* LDAP user: dn: uid=ashimece,cn=Ece08,cn=Students,dc=itweb uid: ashimece userPassword: jindal objectClass: account objectClass: simpleSecurityObject objectClass: top objectClass: radiusprofile cn: Ashim Dutta radiusCallingStationId: 00-90-4B-ED-AB-52 Logs of authentication : ********************************************************************************************************* when MAC ID is correct Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.9.1.2:1088, id=8, length=249 Message-Authenticator = 0x1aefde709d0282b89e74ef5d2df3e4ac Service-Type = Framed-User User-Name = "ashimece" Framed-MTU = 1488 State = 0xefc4f78cf9a0a3f62c93cd748bf36547 Called-Station-Id = "00-15-E9-C9-5F-C0: Dr.CVR24" Calling-Station-Id = "00-90-4B-ED-AB-52" NAS-Identifier = "D-link Corp. Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020800261900170301001bb0362047836069aff6d4a653b9d47e05dcaa105bfa0926b49c0ab2 NAS-IP-Address = 10.9.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "chap" returns noop for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "ashimece", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: EAP packet type response id 8 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 modcall[authorize]: module "files" returns ok for request 18 rlm_ldap: - authorize rlm_ldap: performing user authorization for ashimece radius_xlat: '(uid=ashimece)' radius_xlat: 'dc=itweb' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=itweb, with filter (uid=ashimece) rlm_ldap: checking if remote access for ashimece is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-90-4B-ED-AB-52 & op=21 rlm_ldap: Adding userPassword as User-Password, value jindal & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user ashimece authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 18 modcall: group authorize returns updated for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 18 modcall: group authenticate returns ok for request 18 Sending Access-Accept of id 8 to 10.9.1.2:1088 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User MS-MPPE-Recv-Key = 0xfdd87b133b79449727654aa3a681ee48d891ee6ff1685344159acbc3ff02d820 MS-MPPE-Send-Key = 0xdcbb432b81d40d6e1d189527a911932a7b161f8b68ba2ee06e862c455967699e EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ashimece" Finished request 18 Going to the next request Waking up in 6 seconds... ********************************************************************************************************* when MAC ID is *NOT* correct but is authenticated successfully Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.9.1.2:1088, id=17, length=249 Message-Authenticator = 0xaab5be28b7a3198b4432458ae62e1905 Service-Type = Framed-User User-Name = "ashimece" Framed-MTU = 1488 State = 0xdfdb9e22d8d2452e0a4c3daf52e757f6 Called-Station-Id = "00-15-E9-C9-5F-C0:Dr.CVR24" Calling-Station-Id = " 00-90-4B-ED-AB-52" NAS-Identifier = "D-link Corp. Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021100261900170301001ba1bc4bf393dc67e00b5d456b4eda44e73fdef7b14ba0558ecbe493 NAS-IP-Address = 10.9.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 27 modcall[authorize]: module "preprocess" returns ok for request 27 modcall[authorize]: module "chap" returns noop for request 27 modcall[authorize]: module "mschap" returns noop for request 27 rlm_realm: No '@' in User-Name = "ashimece", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 27 rlm_eap: EAP packet type response id 17 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 27 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 modcall[authorize]: module "files" returns ok for request 27 rlm_ldap: - authorize rlm_ldap: performing user authorization for ashimece radius_xlat: '(uid=ashimece)' radius_xlat: 'dc=itweb' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=itweb, with filter (uid=ashimece) rlm_ldap: checking if remote access for ashimece is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-90-4B-ED-AB-00 & op=21 rlm_ldap: Adding userPassword as User-Password, value jindal & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user ashimece authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 27 modcall: group authorize returns updated for request 27 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 27 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 27 modcall: group authenticate returns ok for request 27 Sending Access-Accept of id 17 to 10.9.1.2:1088 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User MS-MPPE-Recv-Key = 0x777bb3e1d089ab4d06e5d17cc4e75e1ce71c8a31f7ac06cf193ac2aca893eca9 MS-MPPE-Send-Key = 0x485bd639e4f35fb4fe39fe954d6a1959f3d25f149b53d22c180716bac82abac9 EAP-Message = 0x03110004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ashimece" Finished request 27 Going to the next request Waking up in 5 seconds... ********************************************************************************************************* when MAC ID is correct BUT ldap *filter* is changed from uid to radiusCallingStationId but is *NOT* authenticated Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.9.1.2:1089, id=7, length=249 Message-Authenticator = 0xef805c6611b81ccd4e57f0a01b5a56b2 Service-Type = Framed-User User-Name = "ashimece" Framed-MTU = 1488 State = 0xaf77bba9c6823b2507d129594c59a524 Called-Station-Id = "00-15-E9-C9-5F-C0: Dr.CVR24" Calling-Station-Id = "00-90-4B-ED-AB-52" NAS-Identifier = "D-link Corp. Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700261900170301001bd7bb65c7f80981315f61ec2779f602c81f4ec09c0c92babb82aacb NAS-IP-Address = 10.9.1.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 modcall[authorize]: module "chap" returns noop for request 15 modcall[authorize]: module "mschap" returns noop for request 15 rlm_realm: No '@' in User-Name = "ashimece", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 15 rlm_eap: EAP packet type response id 7 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 modcall[authorize]: module "files" returns ok for request 15 rlm_ldap: - authorize rlm_ldap: performing user authorization for ashimece radius_xlat: '(radiusCallingStationId=00-90-4B-ED-AB-52)' radius_xlat: 'dc=itweb' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=itweb, with filter (radiusCallingStationId=00-90-4B-ED-AB-52) rlm_ldap: checking if remote access for ashimece is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-90-4B-ED-AB-52 & op=21 rlm_ldap: Adding userPassword as User-Password, value jindal & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user ashimece authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 15 modcall: group authorize returns updated for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure, rejecting. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 15 modcall: group authenticate returns invalid for request 15 auth: Failed to validate the user. Delaying request 15 for 1 seconds Finished request 15 Going to the next request Waking up in 6 seconds... -- Registerd Linux User #426561 - Shobhit Jindal B.Tech. Part-III, Department Of Electronics Engineering, ITBHU INDIA
Shobhit Jindal wrote:
yeah upgrading is high on my list :)
rlm_passwd says it provides authorization via files but i need it via LDAP. I didnt get much from your reply, here's what am doing presently plz suggest how should i proceed.
...
radiusCallingStationId: 00-90-4B-ED-AB-52
Please read the documentation and the debug output. This entry in LDAP says "send the Calling-Station-Id attribute in the Access-Accept". It is documented as doing that, and the debug log shows it's doing that. You can't just list things in configurations, and magically expect it to do what you want. If you put the MAC into another field in LDAP, you can query the LDAP server for that field, and see if it matches the field in the packet. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 2/13/07, Alan DeKok <aland@deployingradius.com> wrote:
radiusCallingStationId: 00-90-4B-ED-AB-52
Please read the documentation and the debug output. This entry in LDAP says "send the Calling-Station-Id attribute in the Access-Accept". It is documented as doing that, and the debug log shows it's doing that.
how can a field alone say that it is a reply item or a check item? my ldap.attrmap says checkItem Calling-Station-Id radiusCallingStationId You can't just list things in configurations, and magically expect it
to do what you want.
yeah, am a newbie for freeradius server but am trying my best :) If you put the MAC into another field in LDAP, you can query the LDAP
server for that field, and see if it matches the field in the packet.
how to implement the above?(this is the question that eludes me) PS: i would really like to know why filtering the ldap database using uid works and fails while using radiusCallingStationId cheers for helping out :) -- Registerd Linux User #426561 - Shobhit Jindal B.Tech. Part-III, Department Of Electronics Engineering, ITBHU INDIA
Shobhit Jindal wrote:
how to implement the above?(this is the question that eludes me)
PS: i would really like to know why filtering the ldap database using uid works and fails while using radiusCallingStationId
See your LDAP documentation. Run LDAP queries by hand until you get the result you want, and then configure the server to use those queries. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
ldap queries are working fine, below is the log.. Plz just explain the overview of how to enable mac address based authentication where all the three parameters (uid, userPassword and radiusCallingStationId are matched from the ldap database).. PS: A paper presentation contest is to begin from tomorrow (www.*prastuti*.org) in our college.. I will be highly grateful if i could provide wifi access during the event... (at present am doing auth based on uid+password and need to extend it to mac address).. plz help 12:38:37@jindal # ldapsearch -x -h 10.9.1.250 -D "uid=Manager,dc=itweb" -w secret123 -LLL -vv -b "dc=itweb" "uid=ashimece" ldap_initialize( ldap://10.9.1.250 ) filter: uid=ashimece requesting: All userApplication attributes dn: uid=ashimece,cn=Ece08,cn=Students,dc=itweb uid: ashimece userPassword:: amluZGFs objectClass: account objectClass: simpleSecurityObject objectClass: top objectClass: radiusprofile cn: Ashim Dutta radiusCallingStationId: 00-90-4B-ED-AB-52 12:38:58@jindal # ldapsearch -x -h 10.9.1.250 -D "uid=Manager,dc=itweb" -w secret123 -LLL -vv -b "dc=itweb" "radiusCallingStationId=00-90-4B-ED-AB-52" ldap_initialize( ldap://10.9.1.250 ) filter: radiusCallingStationId=00-90-4B-ED-AB-52 requesting: All userApplication attributes dn: uid=ashimece,cn=Ece08,cn=Students,dc=itweb uid: ashimece userPassword:: amluZGFs objectClass: account objectClass: simpleSecurityObject objectClass: top objectClass: radiusprofile cn: Ashim Dutta radiusCallingStationId: 00-90-4B-ED-AB-52 On 2/13/07, Alan DeKok <aland@deployingradius.com> wrote:
Shobhit Jindal wrote:
how to implement the above?(this is the question that eludes me)
PS: i would really like to know why filtering the ldap database using uid works and fails while using radiusCallingStationId
See your LDAP documentation.
Run LDAP queries by hand until you get the result you want, and then configure the server to use those queries.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Registerd Linux User #426561 - Shobhit Jindal B.Tech. Part-III, Department Of Electronics Engineering, ITBHU INDIA
participants (2)
-
Alan DeKok -
Shobhit Jindal