MAC authorization with rlm_sql not working
Hi, our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap). We'd like to add MAC authorization using Mysql: only people with MAC contained in radcheck should have access (provided they also type in the right password!). Radcheck has only one entry: +----+----------------------------+--------------------+----+-------------------+ | id | username | attribute | op | value | +----+----------------------------+--------------------+----+-------------------+ | 1 | uto.ughi@studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 | +----+----------------------------+--------------------+----+-------------------+ The problem is that uto.ughi@studenti.unipd.it gets an AccessAccept packet, regardless of his Calling-Station-Id. Don't know if it's related but strangely (to me) when uto.ughi@studenti.unipd.it has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck) radiusd performs this sql query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'uto.ughi@studenti.unipd.it' ORDER BY id and the radiusd -X output shows "[sql] User found in radcheck table" Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the one in radcheck), shows "[sql] User uto.ughi@studenti.unipd.it not found." Still, in both cases the user gets an AccessAccept packet. I can't see what I'm doing wrong, any help would be greaty appreciated! I enclose these files: - sites-enabled/eduroam-inner-tunnel - sites-enabled/eduroam - eap.conf Attached is the output of radiusd -X when uto.ughi@studenti.unipd.it is accessing with Calling-Station-Id 73-1C-5C-B4-E0-55, not present in radcheck. [eduroam-inner-tunnel file]: server eduroam-inner-tunnel { authorize { auth_log eap sql openldap mschap } authenticate { ntlm_auth Auth-Type MS-CHAP { mschap } eap } post-auth { reply_log Post-Auth-Type REJECT { reply_log } } } [sites-enabled/eduroam file]: server eduroam { authorize { auth_log suffix eap { ok = return } } authenticate { ntlm_auth eap } preacct { suffix } accounting { } post-auth { reply_log Post-Auth-Type REJECT { reply_log } } pre-proxy { pre_proxy_log if (Packet-Type != Accounting-Request) { attr_filter.pre-proxy } } post-proxy { post_proxy_log attr_filter.post-proxy } } [/etc/raddb/eap.conf]: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = klabssrlviasalgari17 private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } ttls { default_eap_type = gtc copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } mschapv2 { } }
And here's the output of radiusd -X for uto.ughi@studenti.unipd.it accessing with Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radtest). Thanks again for your help, Stefano
Stefano Zanmarchi wrote:
Hi, our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap). We'd like to add MAC authorization using Mysql: only people with MAC contained in radcheck should have access (provided they also type in the right password!).
So you need to check passwords, and allow only known MACs.
Radcheck has only one entry: +----+----------------------------+--------------------+----+-------------------+ | id | username | attribute | op | value | +----+----------------------------+--------------------+----+-------------------+ | 1 | uto.ughi@studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 | +----+----------------------------+--------------------+----+-------------------+
See the rlm_sql documentation. This entry says: for user "uto.ughi@studenti.unipd.it", check that Calling-Station-Id is "98-4B-4A-F5-BF-40". It doesn't *do* anything with that information.
The problem is that uto.ughi@studenti.unipd.it gets an AccessAccept packet, regardless of his Calling-Station-Id.
Yes. Because you're probably also checking passwords, and allowing good passwords with bad MACs.
Don't know if it's related but strangely (to me) when uto.ughi@studenti.unipd.it has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck) radiusd performs this sql query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'uto.ughi@studenti.unipd.it' ORDER BY id and the radiusd -X output shows "[sql] User found in radcheck table" Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the one in radcheck), shows "[sql] User uto.ughi@studenti.unipd.it not found."
Exactly. The "user and MAC" entry is found when it matches. It's not found when it doesn't match.
I enclose these files:
Please don't. You can fix the issue by doing: authorize { ... sql if (notfound) { reject } ... } Alan DeKok.
Thank you very much Alan, for the thorough and concise explanation (it's working!), as well as for the great job you're doing.
participants (2)
-
Alan DeKok -
Stefano Zanmarchi