Trouble Getting Mac-Auth to Work
I'm new to FreeRadius, but have managed to get LDAP authentication working properly. Now I am trying to add in mac-auth as well for certain devices, but all devices are being rejected when they connect to the SSID regardless if the MAC is in the file. Based on what I am seeing, the calling-station-Id is being rewritten to the proper format, which matches what I have in the mac file, but RADIUS still rejects the connection. Can somebody help direct me as to what the issue may be? *NOTE: The end goal is actually to block certain MAC's from connecting to an SSID, which is why the file is called blocked_macs instead of authorized_mac like the documentation. I'm just trying to follow the guide for mac_auth atm before I try using it to restrict by MAC.* This is what I have under the Authorize section of default.conf. * preprocess* * # If cleaning up the Calling-Station-Id...* * rewrite_calling_station_id* * # Now check against the blocked_macs file* * blocked_macs* * if (!ok) {* * # No match was found, so reject* * reject* * }* * else {* * # The MAC address was found, so update Auth-Type* * # to accept this auth.* * update control {* * Auth-Type := Accept* * }* * }* This is what I get while running radiusd -X. Hopefully that is the proper logging needed for troubleshooting. *(0) [preprocess] = ok* *(0) policy rewrite_calling_station_id {* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {* *(0) update request {* *(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}* *(0) --> 60-D8-19-D4-F0-83* *(0) &Calling-Station-Id := 60-D8-19-D4-F0-83* *(0) } # update request = noop* *(0) [updated] = updated* *(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated* *(0) ... skipping else: Preceding "if" was taken* *(0) } # policy rewrite_calling_station_id = updated* *(0) blocked_macs: EXPAND %{Calling-Station-ID}* *(0) blocked_macs: --> 60-D8-19-D4-F0-83* *(0) [blocked_macs] = noop* *(0) if (!ok) {* *(0) if (!ok) -> TRUE* *(0) if (!ok) {* *(0) [reject] = reject* *(0) } # if (!ok) = reject* *(0) } # authorize = reject* *(0) Using Post-Auth-Type Reject* -- *Seth Turner*Gasconade County R-2 School District Network Manager OHS Hunting and Fishing Club Sponsor Phone (573)-437-2172
I'm wondering if setting the MAC address to all uppercase characters (toupper) will be fruitful when later you're matching against a regex only containing lowercase characters. On February 6, 2019 10:58:40 PM GMT+01:00, Seth Turner <sturner@dutchmen.us> wrote:
I'm new to FreeRadius, but have managed to get LDAP authentication working properly. Now I am trying to add in mac-auth as well for certain devices, but all devices are being rejected when they connect to the SSID regardless if the MAC is in the file. Based on what I am seeing, the calling-station-Id is being rewritten to the proper format, which matches what I have in the mac file, but RADIUS still rejects the connection. Can somebody help direct me as to what the issue may be?
*NOTE: The end goal is actually to block certain MAC's from connecting to an SSID, which is why the file is called blocked_macs instead of authorized_mac like the documentation. I'm just trying to follow the guide for mac_auth atm before I try using it to restrict by MAC.*
This is what I have under the Authorize section of default.conf.
* preprocess*
* # If cleaning up the Calling-Station-Id...* * rewrite_calling_station_id*
* # Now check against the blocked_macs file* * blocked_macs*
* if (!ok) {* * # No match was found, so reject* * reject* * }*
* else {* * # The MAC address was found, so update Auth-Type* * # to accept this auth.* * update control {* * Auth-Type := Accept* * }* * }*
This is what I get while running radiusd -X. Hopefully that is the proper logging needed for troubleshooting.
*(0) [preprocess] = ok* *(0) policy rewrite_calling_station_id {* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE* *(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {* *(0) update request {* *(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}* *(0) --> 60-D8-19-D4-F0-83* *(0) &Calling-Station-Id := 60-D8-19-D4-F0-83* *(0) } # update request = noop* *(0) [updated] = updated* *(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated* *(0) ... skipping else: Preceding "if" was taken* *(0) } # policy rewrite_calling_station_id = updated* *(0) blocked_macs: EXPAND %{Calling-Station-ID}* *(0) blocked_macs: --> 60-D8-19-D4-F0-83* *(0) [blocked_macs] = noop* *(0) if (!ok) {* *(0) if (!ok) -> TRUE* *(0) if (!ok) {* *(0) [reject] = reject* *(0) } # if (!ok) = reject* *(0) } # authorize = reject* *(0) Using Post-Auth-Type Reject*
--
*Seth Turner*Gasconade County R-2 School District Network Manager OHS Hunting and Fishing Club Sponsor Phone (573)-437-2172 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well you pointed me in the right direction. The issue was I had the MAC
entries in the blocked_macs file listed with lower case letters instead of
upper case. I'm now able to reject by MAC address. Now I just need to dig
deeper and tie in an SSID check.
On Thu, Feb 7, 2019 at 1:20 AM <jm+freeradiususer@roth.lu> wrote:
> I'm wondering if setting the MAC address to all uppercase characters
> (toupper) will be fruitful when later you're matching against a regex only
> containing lowercase characters.
>
> On February 6, 2019 10:58:40 PM GMT+01:00, Seth Turner <
> sturner@dutchmen.us> wrote:
> >I'm new to FreeRadius, but have managed to get LDAP authentication
> >working
> >properly. Now I am trying to add in mac-auth as well for certain
> >devices,
> >but all devices are being rejected when they connect to the SSID
> >regardless
> >if the MAC is in the file. Based on what I am seeing, the
> >calling-station-Id is being rewritten to the proper format, which
> >matches
> >what I have in the mac file, but RADIUS still rejects the connection.
> >Can
> >somebody help direct me as to what the issue may be?
> >
> >*NOTE: The end goal is actually to block certain MAC's from connecting
> >to
> >an SSID, which is why the file is called blocked_macs instead of
> >authorized_mac like the documentation. I'm just trying to follow the
> >guide
> >for mac_auth atm before I try using it to restrict by MAC.*
> >
> >This is what I have under the Authorize section of default.conf.
> >
> >* preprocess*
> >
> >* # If cleaning up the Calling-Station-Id...*
> >* rewrite_calling_station_id*
> >
> >* # Now check against the blocked_macs file*
> >* blocked_macs*
> >
> >* if (!ok) {*
> >* # No match was found, so reject*
> >* reject*
> >* }*
> >
> >* else {*
> >* # The MAC address was found, so update Auth-Type*
> >* # to accept this auth.*
> >* update control {*
> >* Auth-Type := Accept*
> >* }*
> >* }*
> >
> >
> >This is what I get while running radiusd -X. Hopefully that is the
> >proper
> >logging needed for troubleshooting.
> >
> >*(0) [preprocess] = ok*
> >*(0) policy rewrite_calling_station_id {*
> >*(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> >/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> >{*
> >*(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> >/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> >-> TRUE*
> >*(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> >/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> >{*
> >*(0) update request {*
> >*(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}*
> >*(0) --> 60-D8-19-D4-F0-83*
> >*(0) &Calling-Station-Id := 60-D8-19-D4-F0-83*
> >*(0) } # update request = noop*
> >*(0) [updated] = updated*
> >*(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
>
> >/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
> >= updated*
> >*(0) ... skipping else: Preceding "if" was taken*
> >*(0) } # policy rewrite_calling_station_id = updated*
> >*(0) blocked_macs: EXPAND %{Calling-Station-ID}*
> >*(0) blocked_macs: --> 60-D8-19-D4-F0-83*
> >*(0) [blocked_macs] = noop*
> >*(0) if (!ok) {*
> >*(0) if (!ok) -> TRUE*
> >*(0) if (!ok) {*
> >*(0) [reject] = reject*
> >*(0) } # if (!ok) = reject*
> >*(0) } # authorize = reject*
> >*(0) Using Post-Auth-Type Reject*
> >
> >
> >
> >
> >
> >
> >--
> >
> >*Seth Turner*Gasconade County R-2 School District
> >Network Manager
> >OHS Hunting and Fishing Club Sponsor
> >Phone (573)-437-2172
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
*Seth Turner*Gasconade County R-2 School District
Network Manager
OHS Hunting and Fishing Club Sponsor
Phone (573)-437-2172
participants (2)
-
jm+freeradiususer@roth.lu -
Seth Turner