MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey experts!! I am having another dilemma here. I am trying to configure MAC authentication bypass feature on my Cisco 3750 switch to authenticate some devices which don't support 802.1x. The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends a access request to the freeradius server (172.17.1.1) with username and password both are the MAC address of the device! That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC address as the UN/PW. Is there an easy way to write a script like thing to include all of them? The mac addresses are all start with "00:a0:08". I want a logic like: If a request is for a user with first 3 octets like the above one, use its MAC address (in this case will be also its username) as the password and grant the access. Is it possible to do it in FreeRadius 2.1.6?? I have attached the output of a success authentication for a device with MAC: 00a0080806bd. Of course I manually added this user in my users file. My users file looks like: 00a0080806bd Cleartext-Password := "00a0080806bd" I appreciate any advice!! Thank you guys!! Difan Zhao, CCNP Network Engineer difan.zhao@guest-tek.com www.guest-tek.com <http://www.guest-tek.com/> Office: 403-509-1010 ext 3048 Cell: 403-689-7514
Hi,
The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn’t support 802.1x, the switch (172.17.254.100) sends a access request to the freeradius server (172.17.1.1) with username and password both are the MAC address of the device!
correct - with the MAC in very plain format... ie all symbols stripped so its just, as you wrote "00a0080806bd" (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd) by the way, depending on what IOS you've got, this will change - the new IOS and this can be configured too on some previous versions - will send the password int he form of the MD5 of the MAC address!
That brings my dilemma! I have like 200 devices like this. I don’t want to edit my users file with each of the MAC address as the UN/PW. Is there an easy way to write a script like thing to include all of them? The mac addresses are all start with “00:a0:08”. I want a logic like:
many ways to do this - you certainly dont need to play with the users file - you might want to eg, put them into AD/LDAP or put them into SQL. in SQL you can set User-Name Attribute Op Value 00a0080806bd Cleartext-Password := 00a0080806bd if you KNOW that the addresses are valid, then you could scrape them...alternatively, set the fail/quest VLAN to be behind a captive portal box and then the users get to see a 'login page' and when they click login, you can grab their IP address and therefore their MAC address and then insert that into SQL. just a quick idea...monday morning project. alan
Hi Alan, Thank you very much for quick response! Actually you are right. The password is in MD5 hash, not in clear text! I may not be able to use the guest VLAN (the vlan the device will be put in after failed or timeout 802.1x request) because I need to use this vlan for some other devices! For these 00a008 device, my real purpose actually is NOT to "Authenticate" them but rather assign them to a specific VLAN by using dynamic vlan assignment feature of the switch. I have figured it out and tested it. I just have to put in special attributes under each user (in this case the MAC of the device) in the users file. If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manully input each of them in the database. Can you please give me details about how to implement it in this case? BTW I'd rather not to use the SQL because I know pretty much nothing about it lol I appreciate your advice! Thank you! Difan ________________________________ From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org on behalf of Alan Buxey Sent: Sat 12/19/2009 2:34 AM To: FreeRadius users mailing list Subject: Re: MAC authentication bypass --- How am I supposed to edit theusers file to include multiple MAC addresses?? Hi,
The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends a access request to the freeradius server (172.17.1.1) with username and password both are the MAC address of the device!
correct - with the MAC in very plain format... ie all symbols stripped so its just, as you wrote "00a0080806bd" (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd) by the way, depending on what IOS you've got, this will change - the new IOS and this can be configured too on some previous versions - will send the password int he form of the MD5 of the MAC address!
That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC address as the UN/PW. Is there an easy way to write a script like thing to include all of them? The mac addresses are all start with "00:a0:08". I want a logic like:
many ways to do this - you certainly dont need to play with the users file - you might want to eg, put them into AD/LDAP or put them into SQL. in SQL you can set User-Name Attribute Op Value 00a0080806bd Cleartext-Password := 00a0080806bd if you KNOW that the addresses are valid, then you could scrape them...alternatively, set the fail/quest VLAN to be behind a captive portal box and then the users get to see a 'login page' and when they click login, you can grab their IP address and therefore their MAC address and then insert that into SQL. just a quick idea...monday morning project. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manully input each of them in the database. Can you please give me details about how to implement it in this case?
for using AD - not without difficulty because it will want both bits. you could use FreeRADIUS itself and a bit of unlang...for example. if you really dont care about the actual MAC address? in which case you could use unlang to check if its a MAC address ..and that its come from a particular group of switches eg something like authorise { if("%{User-Name}" =~ /[0-9a-z]{12}/i && "%{Huntgroup-Name}" == "MAB-switches"){ update control { Auth-Type := MAB } ok = return } } authenticate { Auth-Type MAB { ok } } you can then add the bits into unlang for post-auth for returning the correct VLAN. with older MAB you could do simple User-Name == Cleartext-Password - but with MD5 now in play I think you then enter the world of PERL or python on the FR box to deal with that. PS my example was just roughly typed up - there may well be errors and it'll only work if you've got eg MAB-switches NAS-IP-Address == 172.16.1.4 MAB-switches NAS-IP-Address == 172.16.1.5 MAB-switches NAS-IP-Address == 172.16.1.6 in the raddb/huntgroups file (and ensure preprocess module is called before the unlang in authorise section! alan
Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manully input each of them in the database. Can you please give me details about how to implement it in this case?
for using AD - not without difficulty because it will want both bits. you could use FreeRADIUS itself and a bit of unlang...for example.
if you really dont care about the actual MAC address? in which case you could use unlang to check if its a MAC address ..and that its come from a particular group of switches eg something like
authorise {
if("%{User-Name}" =~ /[0-9a-z]{12}/i
....some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :) 'cheese112233xxyyzzTASTY' would even match that :) For detecting if MAC auth is being requested, I recommend something like what I described for Cisco kit in: http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00423.html I think it was Aaron who wrote the following: http://wiki.freeradius.org/Mac-Auth Between the two you should be able to do something for your kit; I recommend you have a play with tcpdump/wireshark so work out what your NAS is actually sending. Other than Alan's interesting regexp, I would suggest a number of NAS 'sanitisers' to put in policy.conf: ---- rewrite.called_station_id { if( "%{request:Called-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})(:(.+))?$/i ){ # does it have an SSID componment? if ( "%{7}" ) { update request { Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}%{7}" } } else { update request { Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}" } } } else { noop } } rewrite.calling_station_id { if( "%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ){ update request { Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}" } } else { noop } } ---- Then in your authorize section, after you have called 'preprocess', you call 'rewrite.called_station_id' and 'rewrite.calling_station_id' to RFC-ise those attributes. It means you do not have to add kludges for NAS's that use ':' seperated MAC's, or Cisco IOS style MACS. It is all translated to the '00-11-22-33-44-55' RFC 'approved' format. Another hint is just before you make your SQL/LDAP query, use something like this (MAC-Address-Trimmed is something I have put in my /etc/freeradius/dictionary file for local use only): ---- if (Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) { update control { MAC-Address-Trimmed := "%{1}%{2}%{3}%{4}%{5}%{6}" } } ---- Then all MAC addresses in your database are just in the format '001122334455'. Just a recommendation. Another hint is when it comes to SQL logging (*strongly* recommended) you use some SQL syntax to force the RFC format MAC address lowercase before it gets INSERTed. This means later on why you are looking through your logs you are not running into case-sensitive issues (LDAP lookups are not case sensitive so for authorisation, it does not matter). Cheers -- Alexander Clouter .sigmonster says: Don't get even -- get odd!
Hi,
....some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :)
hey, it was a quick hackup example to deal with the question.
'cheese112233xxyyzzTASTY' would even match that :)
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-) thats why some decent stuff needs to be done elsewhere....I dont like Mac auth bypass. not a fan of it at all - its a horrible kludge to deal with devices that cant do 802.1X the real answer is to get the vendors to sort their cheap shoddy kit out ;-) alan
On 20/12/2009 22:44, Alan Buxey wrote:
Hi,
....some would say that is a controversial MAC address regexp, but I guess you just do things differently 'up north' eh? :)
hey, it was a quick hackup example to deal with the question.
'cheese112233xxyyzzTASTY' would even match that :)
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
Hmm yes, maybe add a !EAP-Message condition somewhere in there...
thats why some decent stuff needs to be done elsewhere....I dont like Mac auth bypass. not a fan of it at all - its a horrible kludge to deal with devices that cant do 802.1X
the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
Ahem *Vendor :P - - Sorry I have to do it or they beat me :( -Arran
Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote:
the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
Ahem *Vendor :P - - Sorry I have to do it or they beat me :(
....dare I ask why you do not use you new 'formal' email address? ;) Cheers -- Alexander Clouter .sigmonster says: Oh no, not again. -- Manoj Srivastava
On 21/12/2009 09:05, Alexander Clouter wrote:
Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote:
the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
Ahem *Vendor :P - - Sorry I have to do it or they beat me :(
....dare I ask why you do not use you new 'formal' email address? ;)
Because i'm not on site, they've not worked out how to do webmail outside of the intranet, and they've disabled the entourage connector in exchange. arran.cudbard-bell@popular british manufacturer of tomatoe and brown sauce.com Should be back for January *sigh*.
Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
'cheese112233xxyyzzTASTY' would even match that :)
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
Not when you say !EAP-Message too :)
thats why some decent stuff needs to be done elsewhere....I dont like Mac auth bypass. not a fan of it at all - its a horrible kludge to deal with devices that cant do 802.1X
the real answer is to get the vendors to sort their cheap shoddy kit out ;-)
Bah, I wrote a "you have to jump this high to connect to the Intertubes" document for work. The venduhs cannot even get past the tendering phase now :) Although it does nothing about the legacy guff, it stops new guff connecting. Cheers -- Alexander Clouter .sigmonster says: A sinking ship gathers no moss. -- Donald Kaul
Hi,
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
Not when you say !EAP-Message too :)
...and how does that stop, lets just say for example, some user coming along with 802.1X configured on their wired interface and logging it with 00:11:22:33:44:55 as their user-name with EAP-MD5 ? ;-)
Bah, I wrote a "you have to jump this high to connect to the Intertubes" document for work. The venduhs cannot even get past the tendering phase now :)
Although it does nothing about the legacy guff, it stops new guff connecting.
thats true in so much that it controls those things...but lets more evil people on due to it being a nice new hole. oh well. alan
On 21/12/2009 09:15, Alan Buxey wrote:
Hi,
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
Not when you say !EAP-Message too :)
...and how does that stop, lets just say for example, some user coming along with 802.1X configured on their wired interface and logging it with 00:11:22:33:44:55 as their user-name with EAP-MD5 ? ;-)
Last time I checked EAP-MD5-Response was still carried in the EAP-Message attribute, and the documentation in the wiki suggests that the username and Calling-Station-ID are canonicalized and compared before attempting Mac-Auth, so you need to fake the mac-address in your EAPOL frames too.
Although it does nothing about the legacy guff, it stops new guff connecting.
thats true in so much that it controls those things...but lets more evil people on due to it being a nice new hole. oh well.
Well no. You need to know the Mac-Address of a target machine before you can connect to the network/VLAN. In order to find out the Mac-Address you need to physically locate yourself at a terminal, if you can physically locate yourself at a terminal, you generally have access to the network connection of the terminal anyway. The only thing it lets you do which you could do before, is to do your cracking in a cafe instead of in a cluster room :). The real danger is someone gaining access to the uplink from one your switches... which is why 802.1X-REV/Mac-Sec is so frickin awesome! -Arran
Hey guys, So I finally started configuring this MAC auth bypass thing... I am editing the raddb/policy.conf to include the "rewrite_calling_station_id" function/module however when I am trying to run the radiusd -X I got this error: "/etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)" error Here is what I added in the policy.conf. I appended to the back of the file. I never changed anything else in this file. rewrite_calling_station_id { if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) { update request { Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}" } } else { noop } } My Calling-Station-Id is MAC addresses which are made of numbers and capital letters and - between octets. However my User-Name is all lower case letters and numbers and there is no - or :. I want to rewrite the calling station id to be the same as the User-Name. Am I doing it right? How can I convert it to lower cases or do I need to do it at all?? PS the MAC addresses will all start with 00-A0-08. Thank you and merry Christmas!! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514
Difan Zhao wrote:
Hey guys,
So I finally started configuring this *MAC auth bypass* thing... I am editing the *raddb/policy.conf* to include the "*rewrite_calling_station_id*" function/module however when I am trying to run the *radiusd –X* I got this error:
"/etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)" error
Here is what I added in the policy.conf. I appended to the back of the file. I never changed anything else in this file.
Curly braces need to be inline... don't assume the parser is clever.
Lol Thank you Arran... You found the problem! Now it's good. Thanks again! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -----Original Message----- From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradi us.org] On Behalf Of Arran Cudbard-Bell Sent: Thursday, December 24, 2009 1:13 PM To: FreeRadius users mailing list Subject: Re: MAC authentication bypass --- How am I supposedto?edit?theusersfile to include multiple MAC addresses?? Difan Zhao wrote:
Hey guys,
So I finally started configuring this *MAC auth bypass* thing... I am editing the *raddb/policy.conf* to include the "*rewrite_calling_station_id*" function/module however when I am trying to run the *radiusd -X* I got this error:
"/etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)" error
Here is what I added in the policy.conf. I appended to the back of the
file. I never changed anything else in this file.
Curly braces need to be inline... don't assume the parser is clever. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Greetings, I hope you all had a wonderful Christmas holidays! So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern) however from the Radius -X output (which I attached here) it doesn't seem to authenticate it the way I want it. Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-station-ID, since I "rewrite" it to be the same as the User-name) and the password (which is made to be the same as the User-name as well) to authenticate the device. However it looks like my "if" conditions are all matched during the process however they all returned "noop" instead of updating the information I wanted it to. Here are the configurations I made in the policy.conf and /sites-avaliable/default files Policy.conf: policy { ... rewrite_calling_station_id { if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) { update request { Calling-Station-Id := "00a008%{1}%{2}%{3}" } } else { noop } } } Default: authorize { ... rewrite_calling_station_id if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type = 'Auth-NHSTB' } } } authenticate { ... Auth-Type Auth-NHSTB { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } } It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas? Thank you! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514
I apologize for the previous spam! I kind of figured out my problem. Then I tried to fix it and now I have a new problem!! So I want to authenticate devices when both User-Name and User-Password are the same and are both the MAC of the device. My default files look like: authorize { ... if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type = 'Auth-NHSTB' } } } ... authenticate { Auth-Type Auth-NHSTB { if(%{request:User-Password} == %{request:User-Name}) { ok } else{ noop } } } However when I try to run Radius I keep getting this error: Expected regular expression at: request:User-Password) /etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection. Errors initializing modules I also tried I lot other syntax and different operators as well but the error is still there... What is the right syntax?? Thank you! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 ________________________________ From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradi us.org] On Behalf Of Difan Zhao Sent: Tuesday, December 29, 2009 11:09 AM To: FreeRadius users mailing list Subject: RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfile to include multiple MAC addresses?? Greetings, I hope you all had a wonderful Christmas holidays! So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern) however from the Radius -X output (which I attached here) it doesn't seem to authenticate it the way I want it. Let me repeat my logic here: if the MAC addresses match the pattern, use the User-Name (or Calling-station-ID, since I "rewrite" it to be the same as the User-name) and the password (which is made to be the same as the User-name as well) to authenticate the device. However it looks like my "if" conditions are all matched during the process however they all returned "noop" instead of updating the information I wanted it to. Here are the configurations I made in the policy.conf and /sites-avaliable/default files Policy.conf: policy { ... rewrite_calling_station_id { if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) { update request { Calling-Station-Id := "00a008%{1}%{2}%{3}" } } else { noop } } } Default: authorize { ... rewrite_calling_station_id if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type = 'Auth-NHSTB' } } } authenticate { ... Auth-Type Auth-NHSTB { if(Chap-Password){ update control { Cleartext-Password := "%{User-Name}" } chap } else{ ok } } } It seems to me that the last "ok" authenticated the device, instead of using "chap" and the "Cleartext-Password" that I assigned. Any ideas? Thank you! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514
Should be: if(request:User-Password == "%{request:User-Name}") {
However when I try to run Radius I keep getting this error:
Expected regular expression at: request:User-Password)
/etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.
Errors initializing modules
I also tried I lot other syntax and different operators as well but the error is still there… What is the right syntax?? Thank you!
Guest-tek, Difan Zhao
difan.zhao@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
------------------------------------------------------------------------
*From:* freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org] *On Behalf Of *Difan Zhao *Sent:* Tuesday, December 29, 2009 11:09 AM *To:* FreeRadius users mailing list *Subject:* RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfile to include multiple MAC addresses??
Greetings,
I hope you all had a wonderful Christmas holidays!
So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern) however from the Radius –X output (which I attached here) it doesn’t seem to authenticate it the way I want it.
Let me repeat my logic here: if the MAC addresses match the pattern, use the *User-Name* (or *Calling-station-ID*, since I *“rewrite”* it to be the same as the User-name) and the password (which is made to be the same as the User-name as well) to authenticate the device.
However it looks like my *“if”* conditions are all matched during the process however they all returned *“noop”* instead of *updating* the information I wanted it to.
Here are the *configurations* I made in the *policy.conf* and */sites-avaliable/default* files
*Policy.conf:*
* *
policy {
…
rewrite_calling_station_id {
if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
update request {
Calling-Station-Id := "00a008%{1}%{2}%{3}"
}
}
else {
noop
}
}
}
*Default:*
authorize {
…
rewrite_calling_station_id
if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){
update control {
Auth-Type = 'Auth-NHSTB'
}
}
}
authenticate {
…
Auth-Type Auth-NHSTB {
if(Chap-Password){
update control {
Cleartext-Password := "%{User-Name}"
}
chap
}
else{
*ok*
}
}
}
It seems to me that the last *“ok”* authenticated the device, instead of using *“chap”* and the *“Cleartext-Password”* that I assigned. Any ideas? Thank you!
Guest-tek, Difan Zhao
difan.zhao@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Difan Zhao wrote: ...
if(%{request:User-Password} == %{request:User-Name}) {
Please read "man unlang". It documents the accepted syntax. The example above is not correct. Alan DeKok.
Hey guys, Since I have asked so many questions regarding to this topic I guess you all know my situation very well so I won't go through the whole thing again and save your time! So I found that if I add a "Default" line at the bottom of the users file, like: ... DEFAULT Auth-Type = ntlm_auth The server will always use ntlm for authentication... even I have updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a "Default" line in the user file while still use the special authentication that I defined for MAC authentication bypass? Thanks! Policy.conf: policy { ... rewrite_calling_station_id { if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) { update request { Calling-Station-Id := "00a008%{1}%{2}%{3}" } } else { noop } } } Default: authorize { ... rewrite_calling_station_id if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type = 'Auth-NHSTB' } } } authenticate { ... Auth-Type Auth-NHSTB { if(request:User-Name == "%{request:User-Password}") { ok } else{ reject } } } Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514
Hey guys, I am still waiting for a possible solution for this problem that I have... Please let me know even there is no easy fix. To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the "users" file takes precedence than "sites-available/default". Whenever there is a default entry in the "users" file, freeradius server doesn't try to run the module/function in the "authentication" section... I have attached the debug for the both cases. Please take a look whenever you can. Thank you! Difan ________________________________ From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradi us.org] On Behalf Of Difan Zhao Sent: Wednesday, December 30, 2009 12:19 PM To: FreeRadius users mailing list Subject: RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfileto include multiple MAC addresses?? Hey guys, Since I have asked so many questions regarding to this topic I guess you all know my situation very well so I won't go through the whole thing again and save your time! So I found that if I add a "Default" line at the bottom of the users file, like: ... DEFAULT Auth-Type = ntlm_auth The server will always use ntlm for authentication... even I have updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a "Default" line in the user file while still use the special authentication that I defined for MAC authentication bypass? Thanks! Policy.conf: policy { ... rewrite_calling_station_id { if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) { update request { Calling-Station-Id := "00a008%{1}%{2}%{3}" } } else { noop } } } Default: authorize { ... rewrite_calling_station_id if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){ update control { Auth-Type = 'Auth-NHSTB' } } } authenticate { ... Auth-Type Auth-NHSTB { if(request:User-Name == "%{request:User-Password}") { ok } else{ reject } } } Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514
Difan Zhao wrote:
To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the “users” file takes precedence than “sites-available/default”.
No. You are setting "Auth-Type = ..." in the "users" file, and then trying to se "Auth-Type = ..." *again* elsewhere. See "man unlang" for the meaning of the operators. If you want to over-ride a previous value, use ":=", not "=". Alan DeKok.
Lol Alan you found the problem again! I just read the manual of "users" and "unlang" again and now I know clearly what the problem was... Thank you very much for the help! So radiusd -X won't show whether a check attribute was updated or not? Here is my radiusd -X output. It's the same no matter I use : or := ... ... ++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE ++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...} +++[control] returns noop ... It's supposed to update the "auth-type" value but nothing is shown whether the value has been successfully updated or not... Is this about right or it's actually showing at somewhere else and I am looking at the wrong place?? Thank you! Guest-tek, Difan Zhao difan.zhao@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -----Original Message----- From: freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Monday, January 04, 2010 4:10 PM To: FreeRadius users mailing list Subject: Re: MAC authentication bypass ---How amIsupposedto?edit?theusersfileto include multiple MAC addresses?? Difan Zhao wrote:
To refresh your memory, I am doing MAC address authentication bypass. It
looks to me that the "users" file takes precedence than
"sites-available/default".
No. You are setting "Auth-Type = ..." in the "users" file, and then trying to se "Auth-Type = ..." *again* elsewhere. See "man unlang" for the meaning of the operators. If you want to over-ride a previous value, use ":=", not "=". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Difan Zhao wrote:
So radiusd -X won't show whether a check attribute was updated or not?
No. There are a LOT of things that can happen when the server runs. It doesn't print out all of them.
It’s supposed to update the “auth-type” value but nothing is shown whether the value has been successfully updated or not…
Yes. Alan DeKok.
participants (5)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter -
Arran Cudbard-Bell -
Difan Zhao