Re: Two networks: WEP+MAC Filtering and WPA(PEAP)
Could you please correct me about mac authorization.
In my debug log I see mac authorization request :
rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
User-Name = "00-18-de-4e-8f-1d"
User-Password = "secret"
NAS-IP-Address = x.x.x.139
Called-Station-Id = "00-20-a6-64-66-a3:A"
Calling-Station-Id = "00-18-de-4e-8f-1d"
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
I have this entry in my users file :
00-18-de-4e-8f-1d Auth-Type:=Local, User-Password == "secret"
That's incorrect. On a recent (1.1.7 or 2.x) version of the server, assuming you haven't fiddled with the default config too much, do this: 00-18-de-4e-8f-1d Cleartext-Password := "secret" However, this system has some disadvantages; specifically if you use another NAS (AP, switch) that doesn't send "secret" or formats the username differently.
Is this correct(right) way to control MAC addresses thought radius?
There's no one "correct" way. It depends on your environment. We (for example) lookup the Calling-Station-Id in SQL and allow or deny based on that.
Another question is : what is correct way to separate two types(MAC&PEAP) of requests to radius server?
Yes. You didn't say what version of the server you're using, but in 1.1.x you can do this: modules { files { .. } files macauth { ... } } authorize { preprocess files Autz-Type MACAUTH { files_macauth } Autz-Type OTHER { ldap eap mschap } } ...then in "users": # match mac addresses, set autz-type DEFAULT User-Name =~ "..-..-..-..-..-..", Autz-Type := MACAUTH Fall-Through = no # everything else is eap, ldap DEFAULT Autz-Type := OTHER ...see doc/Autz-Type for more info. In 2.x you can make use of the virtual server capabilities.
participants (1)
-
Phil Mayers