WiFi & Mac address authentication

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 13 14:33:44 CET 2006


brainstorm wrote:
> I'm trying to implement a similar scenario: I am using PEAP, and I
> want to check if a given mac is in my database. In my case, the MACs
> file looks like this:
> 
> 0030.0996.CF52:192.168.12.1
> 
> I would like to match the first field (MAC) with the NAS
> "Calling-Station-Id" attribute, if this check fails, I would like to
> reject that user. Is it doable with rlm_password ? I've tried, but I
> cannot figure out which is the right "format" for my case:
> 
> I've tried the following in radiusd.conf:
> 
> modules {
> (...)
> passwd mac-ip {
>                 filename = /etc/raddb/MAC-IP
>                 format = "mac-address:Calling-Station-Id"
>                 delimiter = ":"
>         }
> }

Please read the docs. The comments right above the "passwd" module in 
the default config are VERY SPECIFIC. The format is:

format = "*Key-Value:~Request-Value:=Reply-Value:Configure-Value"

That is, the radius attribute "Key-Value" is the first field. 
Request-Value (prefix ~) will be added to the request, Reply-Value 
(prefix =) to the reply, and Configure-Value (no prefix) to the 
configure items.

So you're wrong several ways:

  1. "mac-address" is not a radius attribute
  2. None of your attributes have * for key
  3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
  4. By itself you can't negate the sense and reject-if-no-match

Try something like this:

passwd mac-ip {
        filename = /etc/raddb/MAC-IP
        format = "*Calling-Station-Id:Class"
        delimiter = ":"
        authtype = Reject
}
always fail {
        rcode = fail
}

authorize {
   mac-ip {
     notfound = reject
   }
   # others
}

...and note that many/most APs send the MAC as "00-11-22-33-44-55" so 
the file should look like this:

00-11-22-33-44-55:KnownUser

This is all in the docs.
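As an added illustration of the rlm_passwd format semantics described in the reply above (this is example code, not part of the original thread and not FreeRADIUS code), the script below parses a format string into key/request/reply/config roles, loads a constructed MAC-IP style file keyed on Calling-Station-Id, and mimics the `notfound = reject` decision in `authorize`. It also normalises the different MAC spellings mentioned in the thread (Cisco `0030.0996.CF52`, colon-separated, dash-separated) so a practitioner can see why the file must use the dash form when the delimiter is `:`. The file contents, attribute names beyond those on the page, and the `authorize()` helper are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the file layout the reply recommends:
# key field (*Calling-Station-Id) first, then Class as a config item.
# Dashes are used because ":" is the field delimiter; a colon-separated
# MAC would be split into seven fields and fail to load.
SAMPLE_MAC_FILE = """\
# known devices (constructed sample data)
00-11-22-33-44-55:KnownUser
00-aa-bb-cc-dd-ee:LabPrinter
"""

FORMAT = "*Calling-Station-Id:Class"
DELIMITER = ":"

ROLE_PREFIXES = {"*": "key", "~": "request", "=": "reply"}


def parse_format(fmt: str, delimiter: str) -> List[Tuple[str, str]]:
    """Split an rlm_passwd format string into (attribute, role) pairs.

    '*' marks the lookup key, '~' a request item, '=' a reply item and
    no prefix a config item, as the reply explains."""
    fields = []
    for field in fmt.split(delimiter):
        if field and field[0] in ROLE_PREFIXES:
            fields.append((field[1:], ROLE_PREFIXES[field[0]]))
        else:
            fields.append((field, "config"))
    if sum(1 for _, role in fields if role == "key") != 1:
        raise ValueError("format needs exactly one *Key field")
    return fields


def normalize_mac(mac: str) -> str:
    """Canonicalise MAC spellings to lower-case 00-11-22-33-44-55."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def load_table(text: str, fields: List[Tuple[str, str]], delimiter: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Load the passwd-style file into {normalised_key: {role: {attr: value}}}."""
    key_index = next(i for i, (_, role) in enumerate(fields) if role == "key")
    table: Dict[str, Dict[str, Dict[str, str]]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(delimiter)
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(parts)}")
        key = normalize_mac(parts[key_index])
        row = {"request": {}, "reply": {}, "config": {}}
        for (attr, role), value in zip(fields, parts):
            if role != "key":
                row[role][attr] = value
        table[key] = row
    return table


def authorize(request: Dict[str, str], table, fields) -> Tuple[str, dict]:
    """Hypothetical stand-in for the authorize {} section: look the key
    attribute up, reject when it is missing or unknown (notfound = reject),
    otherwise return the row's request/reply/config items."""
    key_attr = next(attr for attr, role in fields if role == "key")
    calling = request.get(key_attr)
    if calling is None:
        return "reject", {}
    try:
        key = normalize_mac(calling)
    except ValueError:
        return "reject", {}
    row = table.get(key)
    if row is None:
        return "reject", {}
    return "ok", row


if __name__ == "__main__":
    fields = parse_format(FORMAT, DELIMITER)
    table = load_table(SAMPLE_MAC_FILE, fields, DELIMITER)
    for req in ({"Calling-Station-Id": "00:11:22:33:44:55"},
                {"Calling-Station-Id": "00-de-ad-be-ef-00"},
                {"User-Name": "bob"}):
        print(req, "->", authorize(req, table, fields))
```

The normalisation step is what a real deployment most often gets wrong: an AP sending `00:11:22:33:44:55` against a file written as `0011.2233.4455` never matches, and with `notfound = reject` every client is then refused.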



More information about the Freeradius-Users mailing list