MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Difan Zhao difan.zhao at guest-tek.com
Tue Dec 29 19:08:31 CET 2009


Greetings,

 

I hope you all had a wonderful Christmas holiday!

 

So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern); however, from the
radiusd -X output (which I attached here) it doesn't seem to authenticate
them the way I want it to.

 

Let me repeat my logic here: if the MAC address matches the pattern, use
the User-Name (or Calling-Station-Id, since I "rewrite" it to be the
same as the User-Name) and the password (which is made to be the same as
the User-Name as well) to authenticate the device.

 

However, it looks like my "if" conditions are all matched during the
process, but they all returned "noop" instead of updating the
information I wanted them to.

 

Here are the configurations I made in the policy.conf and
sites-available/default files.

 

Policy.conf:

 

policy {
        ...
        # Normalise a Calling-Station-Id of the form 00-A0-08-xx-yy-zz
        # to 00a008xxyyzz so it can be compared with the User-Name
        rewrite_calling_station_id {
                if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
                        update request {
                                Calling-Station-Id := "00a008%{1}%{2}%{3}"
                        }
                }
                else {
                        noop
                }
        }
}

 

 

Default:

 

authorize {
        ...
        rewrite_calling_station_id

        # MAC auth requests: Service-Type Call-Check and User-Name equal to
        # the (rewritten) Calling-Station-Id
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-Id}$/i)) {
                update control {
                        Auth-Type = 'Auth-NHSTB'
                }
        }
}

authenticate {
        ...
        Auth-Type Auth-NHSTB {
                # chap needs a known-good Cleartext-Password in the control list
                if (Chap-Password) {
                        update control {
                                Cleartext-Password := "%{User-Name}"
                        }
                        chap
                }
                else {
                        ok
                }
        }
}

 

It seems to me that the last "ok" authenticated the device, instead of
using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
Thank you!

 

Guest-tek, Difan Zhao

difan.zhao at guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514
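The decision path the post describes, modelled as an added example in Python so one Access-Request can be traced by hand. This is not the poster's configuration and not FreeRADIUS code; the function names (rewrite_calling_station_id, authorize, authenticate, process, make_request) are hypothetical. It assumes the NAS sends CHAP as in RFC 2865 section 5.3 (CHAP-Password = 1-octet Ident + 16-octet RFC 1994 MD5 response, challenge = CHAP-Challenge or the Request Authenticator) with User-Name set to the MAC, and the sample requests are constructed inline. The accept_without_chap flag models the "else { ok }" branch of the Auth-NHSTB section so its effect on a request that carries no CHAP-Password can be seen next to the chap path.

```python
import hashlib
import hmac
import os
import re

# Added example, not the poster's configuration and not FreeRADIUS code:
# a model of the post's authorize/authenticate logic for one request.

# Same OUI pattern as the rewrite_calling_station_id policy, with the
# stray '[' removed; groups 1..3 are the last three octets.
MAC_PATTERN = re.compile(
    r"00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})", re.IGNORECASE)


def rewrite_calling_station_id(calling_station_id):
    """Return '00a008' + captured octets on a match, else the input unchanged."""
    m = MAC_PATTERN.search(calling_station_id)
    if m is None:
        return calling_station_id          # the policy's 'else { noop }'
    return "00a008" + "".join(m.groups())  # "00a008%{1}%{2}%{3}"


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def authorize(request):
    """Mirror of the authorize section; returns the control Auth-Type or None."""
    request["Calling-Station-Id"] = rewrite_calling_station_id(
        request["Calling-Station-Id"])
    if (request.get("Service-Type") == "Call-Check"
            and request.get("User-Name", "").lower()
            == request["Calling-Station-Id"].lower()):
        return "Auth-NHSTB"
    return None


def authenticate(request, auth_type, accept_without_chap):
    """Mirror of 'Auth-Type Auth-NHSTB'. accept_without_chap=True models the
    post's 'else { ok }' branch; False models leaving that branch out."""
    if auth_type != "Auth-NHSTB":
        return "reject"
    chap_password = request.get("CHAP-Password")
    if chap_password is not None:
        cleartext_password = request["User-Name"]  # Cleartext-Password := "%{User-Name}"
        # RFC 2865 5.3: CHAP-Password = 1 octet CHAP Ident + 16 octet response;
        # the challenge is CHAP-Challenge, or the Request Authenticator if absent.
        ident, response = chap_password[0], chap_password[1:]
        challenge = request.get("CHAP-Challenge", request["Authenticator"])
        expected = chap_response(ident, cleartext_password, challenge)
        return "ok" if hmac.compare_digest(expected, response) else "reject"
    # No CHAP-Password at all: nothing is checked on this branch.
    return "ok" if accept_without_chap else "reject"


def process(request, accept_without_chap=True):
    """Run one Access-Request through authorize then authenticate."""
    request = dict(request)
    auth_type = authorize(request)
    if auth_type is None:
        return "Access-Reject"
    result = authenticate(request, auth_type, accept_without_chap)
    return "Access-Accept" if result == "ok" else "Access-Reject"


def make_request(mac, user_name, chap_secret=None, chap_id=1):
    """Constructed Access-Request; chap_secret=None sends no CHAP-Password."""
    authenticator = os.urandom(16)
    request = {
        "Service-Type": "Call-Check",
        "Calling-Station-Id": mac,
        "User-Name": user_name,
        "Authenticator": authenticator,
    }
    if chap_secret is not None:
        request["CHAP-Password"] = bytes([chap_id]) + chap_response(
            chap_id, chap_secret, authenticator)
    return request


if __name__ == "__main__":
    good = make_request("00-A0-08-12-34-AB", "00a0081234ab", "00a0081234ab")
    print(process(good))                              # Access-Accept via chap
    bad = make_request("00-A0-08-12-34-AB", "00a0081234ab", "wrong")
    print(process(bad))                               # Access-Reject
    no_pw = make_request("00-A0-08-12-34-AB", "00a0081234ab")
    print(process(no_pw))                             # Access-Accept: the 'else { ok }' path
    print(process(no_pw, accept_without_chap=False))  # Access-Reject
```

Running it shows the two outcomes side by side: a request with a correct CHAP response for a password equal to the User-Name is accepted through the chap path, a wrong response is rejected, and a request with no CHAP-Password is accepted only because of the "else { ok }" branch; with that branch removed it is rejected.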

 

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Radiusd -X.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20091229/fbfded35/attachment.txt>

