Radius MAC filtering with EAP-PEAP

Era alexey.eronko at gmail.com
Wed Feb 27 11:00:27 CET 2008


Hi!

Could you please help me find my fault? I have a test user with a laptop. I
want to restrict access for this laptop. In the users file I added the wrong MAC
address (00-18-de-4e-8f-11), but the laptop can still connect with the
testuser/12345 credentials.

:(

Here is my AP request:

rad_recv: Access-Request packet from host 10.10.10.139:6001, id=65, length=195
        User-Name = "testuser"
        NAS-IP-Address = 89.10.10.139
        Called-Station-Id = "00-20-a6-64-66-a3:A"
        Calling-Station-Id = "00-18-de-4e-8f-1d"
        NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
        State = 0x47e0330ad155ef064a62de62873e8690
        Framed-MTU = 1400
        NAS-Port = 2
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900261900170301001b139845f4c8e9bcb46

Debug log:

rlm_checkval: Item Name: Calling-Station-Id, Value: 00-18-de-4e-8f-1d
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
  modcall[authorize]: module "checkval" returns notfound for request 8



Here is my users file: 

testuser User-Password == "12345"
         Calling-Station-Id = "00-18-de-4e-8f-11"

Here is my checkval config:

checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id
        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id
        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string
        # If set to yes and we don't find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        notfound-reject = yes
}

Era

-----Original Message-----
From: freeradius-users-bounces+alexey.eronko=gmail.com at lists.freeradius.org
[mailto:freeradius-users-bounces+alexey.eronko=gmail.com at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Wednesday, February 27, 2008 12:33 PM
To: FreeRadius users mailing list
Subject: Re: Radius MAC filtering with EAP-PEAP

>Could you please suggest me how can I check MAC filter(via Radius) and after
>that do EAP-PEAP authorization?
>

Read your NAS documentation.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
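
An added example, not part of the original message and not FreeRADIUS code: it parses the posted users-file entry the way the users-file layout is read (first line holds the check items, indented continuation lines hold the reply items) and runs a simplified model of the checkval decision, which reproduces the "notfound" result in the debug log. The names parse_entry, checkval and evaluate are hypothetical, the MOVED entry and its operator are a constructed variant, and the model does not reproduce how the server itself applies operators.

```python
import re

# Constructed from the entry on this page: first line = user name + check
# items, indented continuation lines = reply items (users-file layout).
POSTED = '''testuser User-Password == "12345"
         Calling-Station-Id = "00-18-de-4e-8f-11"
'''
# Constructed variant (assumption): same attribute moved onto the first line.
MOVED = '''testuser User-Password == "12345", Calling-Station-Id == "00-18-de-4e-8f-11"
'''
# Constructed request holding the two attributes from the AP request above.
REQUEST = {"User-Name": "testuser", "Calling-Station-Id": "00-18-de-4e-8f-1d"}

PAIR = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*"([^"]*)"')

def parse_entry(text):
    """Split one users-file entry into (name, check_items, reply_items)."""
    lines = [l for l in text.splitlines() if l.strip()]
    name, _, rest = lines[0].partition(" ")
    check = [(a, v) for a, _, v in PAIR.findall(rest)]
    reply = [(a, v) for l in lines[1:] for a, _, v in PAIR.findall(l)]
    return name, check, reply

def checkval(request, check, item_name="Calling-Station-Id",
             check_name="Calling-Station-Id", notfound_reject=True):
    """Simplified model of the checkval decision seen in the debug log."""
    if item_name not in request:
        # notfound-reject = yes: a request without the attribute is rejected
        return "reject" if notfound_reject else "notfound"
    wanted = [v for a, v in check if a == check_name]
    if not wanted:
        # "Could not find attribute named ... in check pairs"
        return "notfound"
    return "ok" if request[item_name] in wanted else "reject"

def evaluate(entry, request):
    """Parse the entry and apply the model to its check items only."""
    _, check, _ = parse_entry(entry)
    return checkval(request, check)

if __name__ == "__main__":
    for label, entry in (("posted", POSTED), ("moved", MOVED)):
        _, check, reply = parse_entry(entry)
        print(label, "check:", check, "reply:", reply,
              "->", evaluate(entry, REQUEST))
```
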



