Ubuntu client always connect to wlan even if it is not allowed by Freeradius
Hello, I set up Freeradius 2.1.11 to authenticate against ActiveDirectory (with ntlm) after having validated the mac Address (with mac-auth), for a wireless Lan (Netgear WPAN320). Everything is working fine on Windows but I have a problem with workstation on Ubuntu 11.04 : on the first connection, everything is working fine : it checks if the MAC address and login/password are correct and allow connection or not. But if the connection is correct at the first time and if I then change one of those parameters (ie, disable MAC address on the radius server or change login on my Ubuntu workstation), I can still connect to my WLAN. The only way to correct this problem is to physically switch off and on the wlan card on Ubuntu workstation. It seems that it has a kind of cache but I can't determine where and how to disable it (on my Radius server). Here is a freeradius log extract of the first connection where we can see that it checks the MAC address Mon Oct 3 11:55:51 2011 : Info: ++- entering policy rewrite.calling_station_id {...} Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) Mon Oct 3 11:55:51 2011 : Info: ?? Evaluating (Calling-Station-Id) -> TRUE Mon Oct 3 11:55:51 2011 : Info: expand: %{Calling-Station-Id} -> 00-18-DE-55-61-7F Mon Oct 3 11:55:51 2011 : Info: expand: policy.mac-addr -> policy.mac-addr Mon Oct 3 11:55:51 2011 : Info: expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ Mon Oct 3 11:55:51 2011 : Info: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Mon Oct 3 11:55:51 2011 : Info: +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} Mon Oct 3 11:55:51 2011 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-18-DE-55-61-7F Mon Oct 3 11:55:51 2011 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 00-18-de-55-61-7f Mon Oct 3 11:55:51 2011 : Info: ++++[request] returns ok Mon Oct 3 11:55:51 2011 : Info: ++++[updated] returns updated Mon Oct 3 11:55:51 2011 : Info: +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated Mon Oct 3 11:55:51 2011 : Info: +++ ... skipping else for request 11: Preceding "if" was taken Mon Oct 3 11:55:51 2011 : Info: ++- policy rewrite.calling_station_id returns updated Mon Oct 3 11:55:51 2011 : Info: [authorized_macs] expand: %{Calling-Station-ID} -> 00-18-de-55-61-7f Mon Oct 3 11:55:51 2011 : Info: [authorized_macs] users: Matched entry 00-18-de-55-61-7f at line 2 Mon Oct 3 11:55:51 2011 : Info: ++[authorized_macs] returns ok Mon Oct 3 11:55:51 2011 : Info: ++? if (!ok) Mon Oct 3 11:55:51 2011 : Info: ? Evaluating !(ok) -> FALSE Mon Oct 3 11:55:51 2011 : Info: ++? if (!ok) -> FALSE Mon Oct 3 11:55:51 2011 : Info: ++? if (!EAP-Message) Mon Oct 3 11:55:51 2011 : Info: ? Evaluating !(EAP-Message) -> FALSE Here is the Freeradius log file for the second connection, after disable MAC Address and restarted FreeRadius (it connects directly without checking MAC address) : rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152 Acct-Session-Id = "4E8592C9-00000140" Acct-Status-Type = Start Acct-Authentic = RADIUS User-Name = "salons" NAS-IP-Address = 192.168.2.15 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "20-4E-7F-3C-EF-00:mdwifi" Calling-Station-Id = "00-18-DE-55-61-7F" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" Mon Oct 3 11:50:16 2011 : Info: # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default Mon Oct 3 11:50:16 2011 : Info: +- entering group preacct {...} Mon Oct 3 11:50:16 2011 : Info: ++[preprocess] returns ok Mon Oct 3 11:50:16 2011 : Info: [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.2.15,NAS-IP-Address = 192.168.2.15,Acct-Session-Id = "4E8592C9-00000140",User-Name = "salons"' Mon Oct 3 11:50:16 2011 : Info: [acct_unique] Acct-Unique-Session-ID = "94477ec3eb897dd7". Mon Oct 3 11:50:16 2011 : Info: ++[acct_unique] returns ok Mon Oct 3 11:50:16 2011 : Info: [suffix] No '@' in User-Name = "salons", looking up realm NULL Mon Oct 3 11:50:16 2011 : Info: [suffix] No such realm "NULL" Mon Oct 3 11:50:16 2011 : Info: ++[suffix] returns noop Mon Oct 3 11:50:16 2011 : Info: ++[files] returns noop Mon Oct 3 11:50:16 2011 : Info: # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default Mon Oct 3 11:50:16 2011 : Info: +- entering group accounting {...} Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 192.168.2.15 Mon Oct 3 11:50:16 2011 : Info: [detail] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003 Mon Oct 3 11:50:16 2011 : Info: [detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003 Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %t -> Mon Oct 3 11:50:16 2011 Mon Oct 3 11:50:16 2011 : Info: ++[detail] returns ok Mon Oct 3 11:50:16 2011 : Info: ++[unix] returns ok Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: %{User-Name} -> salons Mon Oct 3 11:50:16 2011 : Info: ++[radutmp] returns ok Mon Oct 3 11:50:16 2011 : Info: ++[exec] returns noop Mon Oct 3 11:50:16 2011 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> salons Mon Oct 3 11:50:16 2011 : Debug: attr_filter: Matched entry DEFAULT at line 12 Mon Oct 3 11:50:16 2011 : Info: ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 2 to 192.168.2.15 port 32847 Mon Oct 3 11:50:16 2011 : Info: Finished request 1. Mon Oct 3 11:50:16 2011 : Info: Cleaning up request 1 ID 2 with timestamp +17 Mon Oct 3 11:50:16 2011 : Debug: Going to the next request Mon Oct 3 11:50:16 2011 : Info: Ready to process requests. Do you have any idea of how to correct this ? Thank you very much, Regards, Fred
2011/10/3 PROST Frédéric <f.prost@mb-line.com>:
But if the connection is correct at the first time and if I then change one of those parameters (ie, disable MAC address on the radius server or change login on my Ubuntu workstation), I can still connect to my WLAN. The only way to correct this problem is to physically switch off and on the wlan card on Ubuntu workstation.
Have you tried restarting radius?
Mon Oct 3 11:55:51 2011 : Info: ++- entering policy rewrite.calling_station_id {...} Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
AFAIK changes to config file (e.g. policy.conf) is re-read only when FR is restarted or HUP-ed.
Here is the Freeradius log file for the second connection, after disable MAC Address and restarted FreeRadius (it connects directly without checking MAC address) :
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152
That's accounting request, not access request. -- Fajar
On 3 Oct 2011, at 12:04, Fajar A. Nugraha wrote:
2011/10/3 PROST Frédéric <f.prost@mb-line.com>:
But if the connection is correct at the first time and if I then change one of those parameters (ie, disable MAC address on the radius server or change login on my Ubuntu workstation), I can still connect to my WLAN. The only way to correct this problem is to physically switch off and on the wlan card on Ubuntu workstation.
Have you tried restarting radius?
Mon Oct 3 11:55:51 2011 : Info: ++- entering policy rewrite.calling_station_id {...} Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
AFAIK changes to config file (e.g. policy.conf) is re-read only when FR is restarted or HUP-ed.
Or in this case the users file :) -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
PROST Frédéric wrote:
It seems that it has a kind of cache but I can't determine where and how to disable it (on my Radius server).
FreeRADIUS doesn't cache authentications. The issue is likely that your switch is caching the status of the MAC address.
Here is a freeradius log extract of the first connection where we can see that it checks the MAC address
I'm *presuming* that this is for an Access-Request. I don't know, because you've deleted most of the debug output.
Here is the Freeradius log file for the second connection, after disable MAC Address and restarted FreeRadius (it connects directly without checking MAC address) :
Read it:
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152
That's not an Access-Request. The NAS (or switch) is starting an accounting session without first authenticating the user.
Do you have any idea of how to correct this ?
Fix the switch so that it sends Access-Requests when a user connects to it. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
PROST Frédéric