Getting Reject response from Server for MAC Auth
Hello masters! I'm trying to use a freeradius server 3 (running on CentOS7) with my ruckus AP (model R610). I followed this wiki article, specifically this two topics below to configure it properly: https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth https://wiki.freeradius.org/guide/mac-auth#additional-modifications_mac-auth... I'm trying to log to my WLAN with my phone. It's MAC is already in the "authorized_macs" file (/etc/raddb/authorized_macs), and the server is receiving it's requests. I can see my phone's MAC Address, my AP MAC Address, the AP SSID, and some other stuff. Problem is, I still get rejected. For more than three days I've been trying to make it work like that, but still no progress, so I thought it was better to consult the experts. Here's the output of the radiusd -X command. I put the line numbers so it would be easier to locate or reference something. The first "reject" I get is on line 72: 1 (0) Received Access-Request Id 47 from 10.85.0.222:40680 to 10.85.2.46:1812 length 197 2 (0) User-Name = "70-4d-7b-53-cb-38" 3 (0) User-Password = "70-4d-7b-53-cb-38" 4 (0) Calling-Station-Id = "70-4D-7B-53-CB-38" 5 (0) NAS-IP-Address = 10.85.0.222 6 (0) Called-Station-Id = "90-3A-72-65-47-AC:PMJG-AD-ACC" 7 (0) Service-Type = Framed-User 8 (0) NAS-Port-Type = Wireless-802.11 9 (0) NAS-Identifier = "90-3A-72-65-47-AC" 10 (0) Ruckus-SSID = "PMJG-AD-ACC" 11 (0) Message-Authenticator = 0x5d564ee23f2090acd3bc2002e4b8a23b 12 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default 13 (0) authorize { 14 (0) policy filter_username { 15 (0) if (&User-Name) { 16 (0) if (&User-Name) -> TRUE 17 (0) if (&User-Name) { 18 (0) if (&User-Name =~ / /) { 19 (0) if (&User-Name =~ / /) -> FALSE 20 (0) if (&User-Name =~ /@[^@]*@/ ) { 21 (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE 22 (0) if (&User-Name =~ /\.\./ ) { 23 (0) if (&User-Name =~ /\.\./ ) -> FALSE 24 (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { 25 (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE 26 (0) if (&User-Name =~ /\.$/) { 27 (0) if (&User-Name =~ /\.$/) -> FALSE 28 (0) if (&User-Name =~ /@\./) { 29 (0) if (&User-Name =~ /@\./) -> FALSE 30 (0) } # if (&User-Name) = notfound 31 (0) } # policy filter_username = notfound 32 (0) policy rewrite_called_station_id { 33 (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { 34 (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE 35 (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { 36 (0) update request { 37 (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} 38 (0) --> 90-3A-72-65-47-AC 39 (0) &Called-Station-Id := 90-3A-72-65-47-AC 40 (0) } # update request = noop 41 (0) if ("%{8}") { 42 (0) EXPAND %{8} 43 (0) --> PMJG-AD-ACC 44 (0) if ("%{8}") -> TRUE 45 (0) if ("%{8}") { 46 (0) update request { 47 (0) EXPAND %{8} 48 (0) --> PMJG-AD-ACC 49 (0) &Called-Station-SSID := PMJG-AD-ACC 50 (0) } # update request = noop 51 (0) } # if ("%{8}") = noop 52 (0) [updated] = updated 53 (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated 54 (0) ... skipping else: Preceding "if" was taken 55 (0) } # policy rewrite_called_station_id = updated 56 (0) policy rewrite_calling_station_id { 57 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { 58 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE 59 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { 60 (0) update request { 61 (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} 62 (0) --> 70-4D-7B-53-CB-38 63 (0) &Calling-Station-Id := 70-4D-7B-53-CB-38 64 (0) } # update request = noop 65 (0) [updated] = updated 66 (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated 67 (0) ... skipping else: Preceding "if" was taken 68 (0) } # policy rewrite_calling_station_id = updated 69 (0) if (!ok) { 70 (0) if (!ok) -> TRUE 71 (0) if (!ok) { 72 (0) [reject] = reject 73 (0) } # if (!ok) = reject 74 (0) } # authorize = reject 75 (0) Using Post-Auth-Type Reject 76 (0) # Executing group from file /etc/raddb/sites-enabled/default 77 (0) Post-Auth-Type REJECT { 78 (0) attr_filter.access_reject: EXPAND %{User-Name} 79 (0) attr_filter.access_reject: --> 70-4d-7b-53-cb-38 80 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 81 (0) [attr_filter.access_reject] = updated 82 (0) [eap] = noop 83 (0) policy remove_reply_message_if_eap { 84 (0) if (&reply:EAP-Message && &reply:Reply-Message) { 85 (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE 86 (0) else { 87 (0) [noop] = noop 88 (0) } # else = noop 89 (0) } # policy remove_reply_message_if_eap = noop 90 (0) } # Post-Auth-Type REJECT = updated 91 (0) Delaying response for 1.000000 seconds 92 Waking up in 0.3 seconds. 93 Waking up in 0.6 seconds. 94 (0) Sending delayed response 95 (0) Sent Access-Reject Id 47 from 10.85.2.46:1812 to 10.85.0.222:40680 length 20 96 Waking up in 3.9 seconds. 97 (0) Cleaning up request packet ID 47 with timestamp +11 Greetings, -- Victor B. C.
On Aug 15, 2018, at 7:59 AM, Victor Credidio <victorbreda1@gmail.com> wrote:
I'm trying to use a freeradius server 3 (running on CentOS7) with my ruckus AP (model R610). I followed this wiki article, specifically this two topics below to configure it properly:
https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
https://wiki.freeradius.org/guide/mac-auth#additional-modifications_mac-auth...
Please read the debug log. It does NOT show you have configured the "authorized_macs" module as per the documentation. In addition, you're running the "rewrite_calling_station_id" policy twice. i.e. you've done this: rewrite_calling_station_id rewrite_calling_station_id if (!ok) { reject } instead of this: rewrite_calling_station_id authorized_macs if (!ok) { reject } The debug log contains everything necessary to reach the above conclusion. Alan DeKok.
Hey Alan, instead of this:
rewrite_calling_station_id authorized_macs if (!ok) { reject }
Thank you, that really helped. About reading the debug, well I did it a lot, but since it's the first time I'm interacting with Freeradius I wasn't sure what to look for. As I said before, I was following the Wiki and I really missed this part!! *My bad.* I really appreciate your help. Greetings, -- Victor B. C. Em qua, 15 de ago de 2018 às 09:56, Alan DeKok <aland@deployingradius.com> escreveu:
On Aug 15, 2018, at 7:59 AM, Victor Credidio <victorbreda1@gmail.com> wrote:
I'm trying to use a freeradius server 3 (running on CentOS7) with my
ruckus
AP (model R610). I followed this wiki article, specifically this two topics below to configure it properly:
https://wiki.freeradius.org/guide/mac-auth#additional-modifications_mac-auth...
Please read the debug log. It does NOT show you have configured the "authorized_macs" module as per the documentation.
In addition, you're running the "rewrite_calling_station_id" policy twice.
i.e. you've done this:
rewrite_calling_station_id rewrite_calling_station_id if (!ok) { reject }
instead of this:
rewrite_calling_station_id authorized_macs if (!ok) { reject }
The debug log contains everything necessary to reach the above conclusion.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Victor Credidio