FreeRadius MAC address authorization (no authentication)

Ramot Lubis ramot.lubis at gmail.com
Fri Aug 8 09:49:58 CEST 2008


Thanks for all the advice. So, I decided to change my course.

Now, I am using the default radiusd.conf. I have installed the hotfix for
the Windows XP SP2 supplicant. I have also installed a certificate on
the supplicant. Btw, I am using a Linksys WAP4400N as my NAS access
point.


Now I still get these clueless log messages. Please help me.

rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-21-00-0B-68-E3
++[checkval] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: NAK asked for unsupported type 25
 rlm_eap: No common EAP types found.
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> PIDEL-3C5B30E9C\Administrator
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 3 to 10.0.0.2 port 1027
       EAP-Message = 0x04020004
       Message-Authenticator = 0x00000000000000000000000000000000



Thanks in advance.









On Fri, Aug 8, 2008 at 2:09 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Ramot Lubis wrote:
>> Yes, I aim not to install the hotfix on the Windows XP client.
>
>  Good luck.
>
>> My main purpose is to check for a valid MAC address on every wireless device
>> (with Windows XP SP2).
>> Based on the "radiusd -X" log in my previous email, I tried to conclude
>> that even in the Authorization phase, calling-station-id has been
>> validated to match the MAC address data in the SQL db. In this case, I
>> don't need a further Authentication phase.
>
>  That's not how EAP-TLS works.
>
>> However, I don't know how to configure the radius server to ignore
>> the authentication phase. Is there any idea for me to follow?
>
>  If you only need to do MAC authentication, see MAC authentication
> bypass, which is in Cisco switches.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



On Fri, Aug 8, 2008 at 2:13 PM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> Hi, I'm trying to implement FreeRadius to authenticate wireless
>> clients based on MAC address only; unfortunately all my wireless clients
>> are using EAP/TLS (Windows XP SP2). I found that the tutorials and docs are
>> not leading me in the right direction. Besides, I will not burden my
>> Windows XP SP2 clients with searching for a hotfix for EAP/TLS compatibility with
>> FreeRadius.
>
> there is no hotfix for EAP/TLS compatibility.  there ARE 2 important
> windows hotfixes for wireless supplicant behaviour etc.
>
>> is enough to verify a valid MAC address from the wireless client. But my
>> question is how can I use only Authorization where Authentication will
>> always return Access-Accept.
>
> you can't. if you're trying to use PEAP then you must follow all
> the specifications and return the correct stuff when and as needed.
> you can't just throw back an accept. if you want a noddy poor wireless
> infrastructure then just go for WPA-PSK or even a MAC-based captive
> portal
>
> alan
>


