Hello, I have configured freeradius for accept one host conection over host mac address This is the log, at the end appear the error: Called-Station-Id = "00-90-0B-23-2E-BF:EquiposPortatiles" Calling-Station-Id = "98-0C-82-B5-00-F2" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02010010016c756e612e20626f726a61 Message-Authenticator = 0xa4425334968358101505d6ea0a22f5d8 Fri Jun 21 12:25:22 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Fri Jun 21 12:25:22 2013 : Info: +- entering group authorize {...} Fri Jun 21 12:25:22 2013 : Info: ++[preprocess] returns ok Fri Jun 21 12:25:22 2013 : Info: ++- entering policy rewrite.calling_station_id {...} Fri Jun 21 12:25:22 2013 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) Fri Jun 21 12:25:22 2013 : Info: ?? Evaluating (Calling-Station-Id) -> TRUE Fri Jun 21 12:25:22 2013 : Info: expand: %{Calling-Station-Id} -> 98-0C-82-B5-00-F2 Fri Jun 21 12:25:22 2013 : Info: expand: policy.mac-addr -> policy.mac-addr Fri Jun 21 12:25:22 2013 : Info: expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ Fri Jun 21 12:25:22 2013 : Info: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Fri Jun 21 12:25:22 2013 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Fri Jun 21 12:25:22 2013 : Info: +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} Fri Jun 21 12:25:22 2013 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 98-0C-82-B5-00-F2 Fri Jun 21 12:25:22 2013 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 98-0c-82-b5-00-f2 Fri Jun 21 12:25:22 2013 : Info: ++++[request] returns ok Fri Jun 21 12:25:22 2013 : Info: ++++[updated] returns updated Fri Jun 21 12:25:22 2013 : Info: +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated Fri Jun 21 12:25:22 2013 : Info: +++ ... skipping else for request 3: Preceding "if" was taken Fri Jun 21 12:25:22 2013 : Info: ++- policy rewrite.calling_station_id returns updated Fri Jun 21 12:25:22 2013 : Info: [authorized_macs] expand: %{Calling-Station-ID} -> 98-0c-82-b5-00-f2 Fri Jun 21 12:25:22 2013 : Info: ++[authorized_macs] returns noop I have this authorized_macs file: 98-0c-82-b5-00-f2 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" What's wrong? I have try with: 98-0c-82-b5-00-f2 Expiration := "10 Jul 2013" 98-0c-82-b5-00-f2 Auth-Type := Accept But nothing runs. Thank you. -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
Hello, I have configured freeradius for accept one host conection over host mac address
On the assumtion this is an instantation of 'files', then the format for the file would be 98-0c-82-b5-00-f2 Auth-Type := Accept
NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02010010016c756e612e20626f726a61
However, you can't do MAC address authentication with a plain 'Access-Accept' when you're doing EAP, so this isn't going to work anyway. The client won't see the Accept (this goes to the NAS) and will disconnect without an EAP Success. You probably want EAP-TLS if you want host (rather than user) based authentication on wireless. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 21 Jun 2013, at 12:55, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
Hello, I have configured freeradius for accept one host conection over host mac address
On the assumtion this is an instantation of 'files', then the format for the file would be
98-0c-82-b5-00-f2 Auth-Type := Accept
NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02010010016c756e612e20626f726a61
However, you can't do MAC address authentication with a plain 'Access-Accept' when you're doing EAP, so this isn't going to work anyway. The client won't see the Accept (this goes to the NAS) and will disconnect without an EAP Success.
You probably want EAP-TLS if you want host (rather than user) based authentication on wireless.
Yes.. but the files module still should be returning noop if there's valid entry for that key value. and you can do: authorize_macs if (!noop) { update control { Auth-type := Accept } } Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi again. Matthew, you are rigth, i have no Access-Accept. I have this response: Fri Jun 21 14:18:02 2013 : Info: [authorized_macs] expand: Device with MAC Address %{Calling-Station-Id} authorized for network access -> Device with MAC Address 98-0c-82-b5-00-f2 authorized for network access Fri Jun 21 14:18:02 2013 : Info: +++[authorized_macs] returns ok Fri Jun 21 14:18:02 2013 : Info: +++? if (!ok) Fri Jun 21 14:18:02 2013 : Info: ? Evaluating !(ok) -> FALSE Fri Jun 21 14:18:02 2013 : Info: +++? if (!ok) -> FALSE Fri Jun 21 14:18:02 2013 : Info: +++- entering else else {...} Fri Jun 21 14:18:02 2013 : Info: ++++[control] returns ok Fri Jun 21 14:18:02 2013 : Info: +++- else else returns ok Fri Jun 21 14:18:02 2013 : Info: ++- if (EAP-Message) returns ok Fri Jun 21 14:18:02 2013 : Info: ++ ... skipping else for request 1: Preceding "if" was taken Fri Jun 21 14:18:02 2013 : Info: Found Auth-Type = Accept Fri Jun 21 14:18:02 2013 : Info: Auth-Type = Accept, accepting the user Fri Jun 21 14:18:02 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default Fri Jun 21 14:18:02 2013 : Info: +- entering group post-auth {...} Fri Jun 21 14:18:02 2013 : Info: [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.202.252/reply-detail-20130621 Fri Jun 21 14:18:02 2013 : Info: [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.202.252/reply-detail-20130621 Fri Jun 21 14:18:02 2013 : Info: [reply_log] expand: %t -> Fri Jun 21 14:18:02 2013 Fri Jun 21 14:18:02 2013 : Info: ++[reply_log] returns ok Fri Jun 21 14:18:02 2013 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.202.252/auth-detail-20130621 Fri Jun 21 14:18:02 2013 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.202.252/auth-detail-20130621 Fri Jun 21 14:18:02 2013 : Info: [auth_log] expand: %t -> Fri Jun 21 14:18:02 2013 Fri Jun 21 14:18:02 2013 : Info: ++[auth_log] returns ok Fri Jun 21 14:18:02 2013 : Info: ++[exec] returns noop Sending Access-Accept of id 129 to 192.168.202.252 port 35856 Reply-Message = "Device with MAC Address 98-0c-82-b5-00-f2 authorized for network access" Fri Jun 21 14:18:02 2013 : Info: Finished request 1. I have follow this configuration: http://wiki.freeradius.org/guide/Mac%20Auth#raddb/sites-available/default authorized_macs if (!ok) { reject } else { # accept update control { Auth-Type := Accept } } } But i have no conection. Thank you. 2013/6/21 Matthew Newton <mcn4@leicester.ac.uk>
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
Hello, I have configured freeradius for accept one host conection over host mac address
On the assumtion this is an instantation of 'files', then the format for the file would be
98-0c-82-b5-00-f2 Auth-Type := Accept
NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02010010016c756e612e20626f726a61
However, you can't do MAC address authentication with a plain 'Access-Accept' when you're doing EAP, so this isn't going to work anyway. The client won't see the Accept (this goes to the NAS) and will disconnect without an EAP Success.
You probably want EAP-TLS if you want host (rather than user) based authentication on wireless.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
On 21 Jun 2013, at 13:29, Roberto Ortega Ramiro <roberto.ortega@esj.es> wrote:
Hi again.
Matthew, you are rigth, i have no Access-Accept.
Your NAS is configured wrong for Mac-Auth. It's attempting to start 802.1X authentication, that EAP-Message is an Identity response for 'luna. borja'. Do you actually understand what you're trying to do? -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi, you are right, Arran, I didn't undestand what i was doing. I'm trying to conect using AEP-TLS one host, and i was using one wrong user and password for connect the host with his mac. I have undertand that this is no posible. Right? Thank you. 2013/6/21 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
On 21 Jun 2013, at 13:29, Roberto Ortega Ramiro <roberto.ortega@esj.es> wrote:
Hi again.
Matthew, you are rigth, i have no Access-Accept.
Your NAS is configured wrong for Mac-Auth. It's attempting to start 802.1X authentication, that EAP-Message is an Identity response for 'luna. borja'.
Do you actually understand what you're trying to do?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
I'm trying to conect using AEP-TLS one host, and i was using one wrong user and password for connect the host with his mac. I have undertand that this is no posible. Right?
You can do EAP-TLS *and* validate the MAC address. You just can't authenticate based on the MAC address only if you're doing EAP. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
¿Is it posible to do a "if sentense" for validate the MAC address in authorized_macs with one user in users file (or other site) and others users can conect with hers user and password? Thank you. 2013/6/21 Matthew Newton <mcn4@leicester.ac.uk>
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
I'm trying to conect using AEP-TLS one host, and i was using one wrong user and password for connect the host with his mac. I have undertand that this is no posible. Right?
You can do EAP-TLS *and* validate the MAC address. You just can't authenticate based on the MAC address only if you're doing EAP.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
I'm not at work now, but. This wil do that i want: authorize_macs if (ok) { update control { Auth-Type := files } } else { eap ldap } Thank you. 2013/6/21 Roberto Ortega Ramiro <roberto.ortega@esj.es>
¿Is it posible to do a "if sentense" for validate the MAC address in authorized_macs with one user in users file (or other site) and others users can conect with hers user and password?
Thank you.
2013/6/21 Matthew Newton <mcn4@leicester.ac.uk>
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
I'm trying to conect using AEP-TLS one host, and i was using one wrong user and password for connect the host with his mac. I have undertand that this is no posible. Right?
You can do EAP-TLS *and* validate the MAC address. You just can't authenticate based on the MAC address only if you're doing EAP.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________
Roberto Ortega Profesor de Informática. http://www.proyectoret.es
Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com
No imprimas este correo si no es necesario. Protejamos el medio ambiente.
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
Hi, I have resolv my problem, i have create one user in users file validate hosts whose mac address are in authorized_macs and i have the users and passwords in ldap and this is my site-avaible/default file configuration in the authorize section: authorized_macs if (ok) { update control { Auth-type := Accept } files } else { ldap if (notfound){ reject } } eap { ok = return } I suppose that is not the most elegance way of make the configuration but it runs. Thank you for your help. 2013/6/21 Roberto Ortega Ramiro <roberto.ortega@esj.es>
I'm not at work now, but.
This wil do that i want:
authorize_macs if (ok) {
update control { Auth-Type := files }
} else {
eap
ldap
}
Thank you.
2013/6/21 Roberto Ortega Ramiro <roberto.ortega@esj.es>
¿Is it posible to do a "if sentense" for validate the MAC address in authorized_macs with one user in users file (or other site) and others users can conect with hers user and password?
Thank you.
2013/6/21 Matthew Newton <mcn4@leicester.ac.uk>
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
I'm trying to conect using AEP-TLS one host, and i was using one wrong user and password for connect the host with his mac. I have undertand that this is no posible. Right?
You can do EAP-TLS *and* validate the MAC address. You just can't authenticate based on the MAC address only if you're doing EAP.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________
Roberto Ortega Profesor de Informática. http://www.proyectoret.es
Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com
No imprimas este correo si no es necesario. Protejamos el medio ambiente.
-- -- Un saludo. ____________________
Roberto Ortega Profesor de Informática. http://www.proyectoret.es
Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com
No imprimas este correo si no es necesario. Protejamos el medio ambiente.
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
Thank you for your fast response. I have found the problem, i have insert a space before the mac address. Sorry and thank you for you time. 2013/6/21 Roberto Ortega Ramiro <roberto.ortega@escuelassj.com>
Hello, I have configured freeradius for accept one host conection over host mac address
This is the log, at the end appear the error:
Called-Station-Id = "00-90-0B-23-2E-BF:EquiposPortatiles" Calling-Station-Id = "98-0C-82-B5-00-F2" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11g" EAP-Message = 0x02010010016c756e612e20626f726a61 Message-Authenticator = 0xa4425334968358101505d6ea0a22f5d8 Fri Jun 21 12:25:22 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Fri Jun 21 12:25:22 2013 : Info: +- entering group authorize {...} Fri Jun 21 12:25:22 2013 : Info: ++[preprocess] returns ok Fri Jun 21 12:25:22 2013 : Info: ++- entering policy rewrite.calling_station_id {...} Fri Jun 21 12:25:22 2013 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) Fri Jun 21 12:25:22 2013 : Info: ?? Evaluating (Calling-Station-Id) -> TRUE Fri Jun 21 12:25:22 2013 : Info: expand: %{Calling-Station-Id} -> 98-0C-82-B5-00-F2 Fri Jun 21 12:25:22 2013 : Info: expand: policy.mac-addr -> policy.mac-addr Fri Jun 21 12:25:22 2013 : Info: expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ Fri Jun 21 12:25:22 2013 : Info: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Fri Jun 21 12:25:22 2013 : Info: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Fri Jun 21 12:25:22 2013 : Info: +++- entering if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {...} Fri Jun 21 12:25:22 2013 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 98-0C-82-B5-00-F2 Fri Jun 21 12:25:22 2013 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 98-0c-82-b5-00-f2 Fri Jun 21 12:25:22 2013 : Info: ++++[request] returns ok Fri Jun 21 12:25:22 2013 : Info: ++++[updated] returns updated Fri Jun 21 12:25:22 2013 : Info: +++- if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) returns updated Fri Jun 21 12:25:22 2013 : Info: +++ ... skipping else for request 3: Preceding "if" was taken Fri Jun 21 12:25:22 2013 : Info: ++- policy rewrite.calling_station_id returns updated Fri Jun 21 12:25:22 2013 : Info: [authorized_macs] expand: %{Calling-Station-ID} -> 98-0c-82-b5-00-f2 Fri Jun 21 12:25:22 2013 : Info: ++[authorized_macs] returns noop
I have this authorized_macs file:
98-0c-82-b5-00-f2 Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
What's wrong?
I have try with:
98-0c-82-b5-00-f2 Expiration := "10 Jul 2013"
98-0c-82-b5-00-f2 Auth-Type := Accept
But nothing runs.
Thank you.
-- Un saludo. ____________________
Roberto Ortega Profesor de Informática. http://www.proyectoret.es
Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com
No imprimas este correo si no es necesario. Protejamos el medio ambiente.
-- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
participants (4)
-
Arran Cudbard-Bell -
Matthew Newton -
Roberto Ortega Ramiro -
Roberto Ortega Ramiro