Two different sources, one with a single value
Hi all, I'm just about getting the hang of FreeRadius now, thanks to the various emails and stuff that people have been asking, but I've not been able to find the answer to one particular question. I have a radius server that will process two types of request: 1. A user name and password login. Currently it's a flat file but I will change that the use the rlm_unix module in the near future. 2. A MAC address, which is passed in as two attributes, "User-Name=MAC Address" and "User-Password=MAC Address" For the MAC address I want a flat file with just the MAC addresses in it. I have tried using the passwd module and just ignoring the User-Password attribute like so: passwd mac_address { filename = /var/mac_addresses format = "*User-Name" } but this fails to authenticate even though it gets through the Authorize section OK: rad_recv: Access-Request packet from host 172.29.252.228:1026, id=98, length=160 NAS-IP-Address = 172.29.252.228 NAS-Port-Id = "10:2" Extreme-Attr-208 = 0x556e6b6e6f776e204c6f636174696f6e NAS-Port-Type = Wireless-802.11 User-Name = "000e359ec2ce" User-Password = "000e359ec2ce" Calling-Station-Id = "000e359ec2ce" Called-Station-Id = "0004960e2e00" NAS-Identifier = "Altitude 300" Proxy-State = 0x31303a32040436c236c236c236c236c236c236c236c2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 42 modcall[authorize]: module "preprocess" returns ok for request 42 radius_xlat: '/var/log/freeradius/radacct/172.29.252.228 /auth-detail-20050913' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.29.252.228/auth-detail-20050913 modcall[authorize]: module "auth_log" returns ok for request 42 modcall[authorize]: module "mac_address" returns ok for request 42 modcall: group authorize returns ok for request 42 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [000e359ec2ce/000e359ec2ce] (from client wlan-switch port 0 cli 000e359ec2ce) Am I simply doing the impossible, or am I missing something obvious (again)? |\/|artin -- Senior Network Administrator, NEC (Europe) Ltd. Acton extension: 3379 NEC*Net: 800-44-21-3379 Direct: +44 20 8752 3379 Fax: +44 20 8752 3389 Mobile: +44 7721 869 356
Martin.Ward@uk.neceur.com wrote:
For the MAC address I want a flat file with just the MAC addresses in it. I have tried using the passwd module and just ignoring the User-Password attribute like so:
passwd mac_address { filename = /var/mac_addresses format = "*User-Name" }
You're also ignoring the authentication method. I suggest adding a User-Password to that table.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Add a "known good" User-Password to that table, and it will work. Alan DeKok.
Alan DeKok wrote:
Martin.Ward@uk.neceur.com wrote:
For the MAC address I want a flat file with just the MAC addresses in it. I have tried using the passwd module and just ignoring the User-Password attribute like so:
passwd mac_address { filename = /var/mac_addresses format = "*User-Name" }
You're also ignoring the authentication method. I suggest adding a User-Password to that table.
I think I'm missing something here between the use of the authenticate and authorize sections. Using the above example, the system that passes the MAC address in to find out if it's valid passes the MAC address in both the User-Name and User-Password fields. I was hoping to be able to get away with just authenticating against the User-Name and having just one field in the table, however if I can't then I can't. As for authorizing, surely for the MAC address checking I don't need to have an authorize section, the authenticate section verifies if the MAC address is in the table or not and if it is, it passes it in? Then again, if I am authenticating against the MAC address and then authorizing against the unix login ID and password, does this mean a given user has to be in BOTH tables to gain access? |\/|artin -- Senior Network Administrator, NEC (Europe) Ltd. Acton extension: 3379 NEC*Net: 800-44-21-3379 Direct: +44 20 8752 3379 Fax: +44 20 8752 3389 Mobile: +44 7721 869 356
Martin.Ward@uk.neceur.com wrote:
Using the above example, the system that passes the MAC address in to find out if it's valid passes the MAC address in both the User-Name and User-Password fields.
Uh, no.
passwd mac_address { filename = /var/mac_addresses format = "*User-Name"
There's no "User-Password" field there, so it can't check that. And the passwd module doesn't do enforcement checking, it's just a lookup table.
I was hoping to be able to get away with just authenticating against the User-Name and having just one field in the table,
Sure, but then you've got to set Auth-Type := Accept.
As for authorizing, surely for the MAC address checking I don't need to have an authorize section, the authenticate section verifies if the MAC address is in the table or not and if it is, it passes it in?
No. The "passwd" module runs in the authorization section.
Then again, if I am authenticating against the MAC address and then authorizing against the unix login ID and password, does this mean a given user has to be in BOTH tables to gain access?
You have "authorization" and "authentiction" inverted in the above example. Alan DeKok.
participants (2)
-
Alan DeKok -
Martin.Ward@uk.neceur.com