FreeRadius MAC address authorization (no authentication)

Alan DeKok aland at deployingradius.com
Fri Aug 8 07:44:03 CEST 2008


Ramot Lubis wrote:
> Hi, I'm trying to implement FreeRadius to authenticate Wireless
> Clients based on MAC address only, unfortunately all my wireless clients
> are using EAP/TLS (Windows XP SP2). I found that tutorials and doc are
> not leading me in the right direction.

  Could you explain?

> Besides, I will not burden my
> Windows XP SP2 client to search for a hotfix for EAP/TLS compatibility with
> FreeRadius.

  Does that mean you won't be installing the hotfix?  If so, it's likely
that XP may not work.  And it's not "compatibility with FreeRADIUS",
it's "following the standards".  FreeRADIUS works with every other
supplicant that exists.  Microsoft keeps breaking their supplicants with
new releases of their OS, and *every* RADIUS server has to change in
order to "be compatible".

> After digging more, I realize that Authorization using checkval module
> is enough to verify a valid MAC address from the Wireless Client.

  I would not use the checkval module.  Try using another module.

> But my
> question is how can I use only Authorization where Authentication will
> always return Access-Accept?

  You can do MAC address checking in the "authorization" stage.

> Here is my radiusd -X output:
...
>         EAP-Message =
> 0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72
>         Message-Authenticator = 0x891b437263cd48909255484bb081c823
...
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.

  You edited the default configuration and broke it.  Don't do that.

  Alan DeKok.
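
Added example, not part of the original message and not FreeRADIUS code: a Python model of checking the MAC address in the authorization step while leaving authentication to EAP, plus a decoder for the EAP-Message shown in the quoted debug output. The allowlist, the sample MAC addresses and the function names are assumptions made for illustration; the EAP-Message value is the one from the debug output.

```python
import re

# Constructed allowlist: sample MAC addresses, stored as 12 upper-case hex digits.
ALLOWED_MACS = {"001122334455", "0A1B2C3D4E5F"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def normalize_mac(value):
    """Reduce a Calling-Station-Id to 12 upper-case hex digits, or None."""
    # NAS devices send 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455.
    digits = re.sub(r"[-:.\s]", "", value or "").upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def parse_eap(hex_value):
    """Decode an EAP packet (RFC 3748 layout: code, id, length, type, data)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field does not match the packet size")
    # Only Request and Response packets carry a type byte and type data.
    has_type = raw[0] in (1, 2) and length > 4
    return {
        "code": EAP_CODES.get(raw[0], "Unknown"),
        "id": raw[1],
        "type": raw[4] if has_type else None,
        "data": raw[5:] if has_type else b"",
    }

def authorize(request):
    """Authorization step: reject unknown MACs, otherwise hand over to authentication."""
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None or mac not in ALLOWED_MACS:
        return "reject"
    return "continue"

if __name__ == "__main__":
    # EAP-Message copied from the debug output above; the MAC is a constructed sample.
    request = {
        "Calling-Station-Id": "00-11-22-33-44-55",
        "EAP-Message": "0x0201002201504944454c2d3343354233304539435c41646d696e6973747261746f72",
    }
    print(authorize(request), parse_eap(request["EAP-Message"]))
```

The decoded packet is an EAP Response of type 1 (Identity), so a request that passes the MAC check still has to go through EAP before an Access-Accept is returned.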


