WiFi & Mac address authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri Mar 24 01:53:23 CET 2006
brainstorm wrote:
> I've tried your recommendations but it does not work as expected:
> using "Reject" as rlm_passwd's "authtype" (as you suggested), the user
> is always rejected, even when the MAC is in the file and is actually
> found:
Yes sorry, that was wrong. Clearly "authtype = Reject" will fail the
request if the module matches. Don't know why I said that...
>
> modcall[authorize]: module "MAC-IP" returns ok for request 0
>
> Furthermore, if I change rlm_passwrd's authtype to "Accept", the
> supplicant auth fails and the following warning is shown:
That definitely won't work. Don't do it.
>
> rad_check_password: Found Auth-Type Accept
> rad_check_password: Found Auth-Type EAP
> Warning: Found 2 auth-types on request for user 'bob'
>
> However, if I comment rlm_passwd sections (MAC-IP in modules and
> authorize), all works flawlessly.
Well, yes. But if it works flawlessly, why are you wanting help?
>
> The users file has entries like these:
>
> bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04
> joe NT-Password == 0xa3d411301d637a38f4d22d484f256a04
> (...)
>
> Which are matched correctly in all scenarios I've tested:
>
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry bob at line 1
>
> According to radius documentation (aaa.txt), it is not correct to
> place Auth-Type on check nor reply lists on the users file:
>
> "A quite common mistake is to place the attributes in the wrong lists,
> for example placing Auth-Type, Password, NT-Password etc in the check
> list, or in the reply list. When run in debugging mode, the server
> will normally issue 'WARNING' messages saying that the attributes are
> in the wrong list"
>
> So I conclude that users file is correct as it is now. What am I doing
> wrong, and what should I do to avoid those warning messages? If you
> want the radiusd -X logs, I can attach them if you wish.
Hmm. I still say you need to read and understand the docs, but try this:
passwd MAC-IP {
        filename = ${raddbdir}/MAC-IP
        format = "*Calling-Station-Id:"
        delimiter = ":"
}
(...)
authorize {
        preprocess
        MAC-IP {
                # If the MAC isn't in the file, the module returns notfound;
                # in that case, exit "authorize" with reject immediately
                notfound = reject
        }
        files
        eap
}
That is, have no authtype on the "passwd" module. If that doesn't work,
you may try something like:
passwd MAC-IP {
        filename = ${raddbdir}/MAC-IP
        format = "*Calling-Station-Id:~Group"
        delimiter = ":"
}
(...)
authorize {
        preprocess
        MAC-IP
        files
        eap
}
/etc/raddb/MAC-IP:
00-11-22-33-44-55:FAKEGROUP
aa-bb-cc-dd-ee-ff:FAKEGROUP
/etc/raddb/users:
DEFAULT Group !* ANY, Auth-Type := Reject
user1 NT-Password := abcdefg...
user2 NT-Password := abcdefg...
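The two authorize flows sketched above, as an added model in Python (not FreeRADIUS code and not part of the original post): it reads the MAC-IP file with the rlm_passwd "format"/"delimiter" conventions ("*" key column, "~" check item), then applies either "notfound = reject" or the users-file "DEFAULT Group !* ANY, Auth-Type := Reject" rule. The MAC-IP contents are a constructed copy of the listing above; the exact string comparison on Calling-Station-Id is an assumption of the model.

```python
"""Constructed model (not FreeRADIUS code) of the two authorize flows from
the reply: rlm_passwd keyed on Calling-Station-Id, either with
'notfound = reject' or with a '~Group' check item consumed by the users-file
entry 'DEFAULT Group !* ANY, Auth-Type := Reject'."""

# Constructed copy of /etc/raddb/MAC-IP from the reply.
MAC_IP_FILE = """\
00-11-22-33-44-55:FAKEGROUP
aa-bb-cc-dd-ee-ff:FAKEGROUP
"""

def parse_format(fmt, delimiter):
    """Split an rlm_passwd 'format' string into (name, role) pairs:
    '*' marks the key column, '~' a column added to the check items,
    '=' a column added to the reply items, anything else is ignored."""
    roles = {"*": "key", "~": "check", "=": "reply"}
    return [(c[1:], roles[c[0]]) if c[:1] in roles else (c, None)
            for c in fmt.split(delimiter)]

def passwd_lookup(text, fmt, key_value, delimiter=":"):
    """Emulate the module: return ('ok', check_items) for the first line whose
    key column equals key_value (exact string compare, an assumption of this
    model), else ('notfound', {})."""
    fields = parse_format(fmt, delimiter)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        row = list(zip(fields, line.split(delimiter)))
        if any(role == "key" and val == key_value for (_, role), val in row):
            check = {name: val for (name, role), val in row if role == "check"}
            return "ok", check
    return "notfound", {}

def authorize_notfound_reject(mac):
    """First variant: format '*Calling-Station-Id:' and 'notfound = reject'
    inside authorize, so an unknown MAC never reaches files/eap."""
    rcode, _ = passwd_lookup(MAC_IP_FILE, "*Calling-Station-Id:", mac)
    return "reject" if rcode == "notfound" else "continue"

def authorize_group_default(mac):
    """Second variant: format '*Calling-Station-Id:~Group' tags known MACs with
    a Group check item; the users-file line 'DEFAULT Group !* ANY,
    Auth-Type := Reject' fires only when Group is absent ('!*' = not present)."""
    _, check = passwd_lookup(MAC_IP_FILE, "*Calling-Station-Id:~Group", mac)
    if "Group" not in check:
        return "reject"
    return "continue"  # falls through to the user's own entry and eap
```

Neither variant sets an Auth-Type for a known MAC, which is the point of the advice: EAP stays the only auth-type found, so the "Found 2 auth-types" warning does not occur.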