Freeradius w/ mikrotik - blank password issue
Hello everyone, I have a problem I have worked on for a couple of days now and just can't get it to work. Searched the forum really good and actually found a fix for one issue I was having. I have also searched the Mikrotik forum as well as the web from one end to the other. Nothing seems to be able to answer this one question, though. Here is the deal. I have a working FreeRadius server (latest version). It works with Mikrotik to authenticate with user name / password using PAP. Mikrotik can authenticate by MAC address, but it's docs says it sends a blank password. What they also don't tell you in their weak documentation, is that the colons in the MAC address will foobar freeradius authentication. I fixed that problem by adding this to radiusd.conf: attr_rewrite mac_colons { attribute = User-Name searchin = packet searchfor = ":" replacewith = "" ignore_case = yes new_attribute = no max_matches = 10 append = no } This appears to work fine. If someone would help me with this one last issue, I would be a happy camper. The Mikrotik documentation (weak) says that it sends a "blank password" when authenticating by MAC. I have looked up one side and down the other, but I can't get FreeRadius to accept no password. I tried this, but it fails: attr_rewrite blank_password { attribute = User-Password searchin = packet searchfor = "" replacewith = "password" ignore_case = yes new_attribute = no max_matches = 10 append = no } And then I added something like this to the "users" file: 00095B23389F User-Password := "password" If there is a password, the above works. For instance, I can change "password" to "password1" using the above script, and it will authenticate. But if there is no password, it gets this error: rlm_attr_rewrite: Could not find value pair for attribute User-Password Well guys, I'm an extreme newbie with freeradius, but there has to be something I'm missing somewhere in order to authenticate by mac address through mikrotik. Other people are doing it. I'm just missing some little something somewhere, I know. I have also seen other wireless equipment that sends a blank password when authenticating by MAC...and people use freeradius with it. Any help would be greatly appreciated. Thanks, Jay Banks
And then I added something like this to the "users" file: 00095B23389F User-Password := "password"
00095B23389F Auth-Type := Accept --- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
And then I added something like this to the "users" file: 00095B23389F User-Password := "password"
00095B23389F Auth-Type := Accept
Thank you very much. I actually think I tried that, but at the time the colons in the MAC address was probably doing me in. Then again...maybe not. I do remember trying some different auth-types, though. After getting that colon issue fixed, I was just to the point of asking someone more experienced than myself. Again, really appreciate the fast response. Jay
Jay Banks wrote:
And then I added something like this to the "users" file: 00095B23389F User-Password := "password" 00095B23389F Auth-Type := Accept
Thank you very much. I actually think I tried that, but at the time the colons in the MAC address was probably doing me in.
Oh does the users file parser choke on them ? But yeah, I find it annoying , all our equipment sticks '-' in as a separator. Breaks DB lookups and stuff... Then again...maybe not.
I do remember trying some different auth-types, though. After getting that colon issue fixed, I was just to the point of asking someone more experienced than myself.
Again, really appreciate the fast response.
NP , MikroTik stuff is evil :) -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Newbie Warning!!! I'm new to this community, however I am a quick study. I found some resources online about this very issue but wasn't able to get a resolution. Please clarify for me: The step below: Does this go in radiusd.conf as well? attr_rewrite blank_password { attribute = User-Password searchin = packet searchfor = "" replacewith = "password" ignore_case = yes new_attribute = no max_matches = 10 append = no } The solution given to this issue was as follows:
And then I added something like this to the "users" file: 00095B23389F User-Password := "password"
00095B23389F Auth-Type := Accept Ok I'm using sql for my user database, is there a sql equivalent to this string?? What would be a work around as I've hit the same wall, but haven't jumped it yet. Thanks in advance. P.S. Take it easy on the noob, please.
Randy Evans wrote:
Newbie Warning!!! I'm new to this community, however I am a quick study. I found some resources online about this very issue but wasn't able to get a resolution. Please clarify for me:
The step below: Does this go in radiusd.conf as well? no
The solution given to this issue was as follows:
And then I added something like this to the "users" file: 00095B23389F User-Password := "password"
00095B23389F Auth-Type := Accept Ok I'm using sql for my user database, is there a sql equivalent to this string?? What would be a work around as I've hit the same wall, but haven't jumped it yet. Thanks in advance.
P.S. Take it easy on the noob, please. Yes, add it to radcheck table, mac address UserName , Attribute Auth-Type , Operator := , Value Accept.
participants (3)
-
Arran Cudbard-Bell -
Jay Banks -
Randy Evans