MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao
difan.zhao at guest-tek.com
Wed Dec 30 01:07:56 CET 2009
I apologize for the previous spam! I kind of figured out my problem.
Then I tried to fix it and now I have a new problem!!
So I want to authenticate devices when both User-Name and User-Password
are the same and are both the MAC of the device. My default files look
like:
authorize {
    ...
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}
...
authenticate {
    Auth-Type Auth-NHSTB {
        if (%{request:User-Password} == %{request:User-Name}) {
            ok
        }
        else {
            noop
        }
    }
}
However when I try to run Radius I keep getting this error:
Expected regular expression at: request:User-Password)
/etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.
Errors initializing modules
I also tried a lot of other syntax and different operators as well, but the
error is still there... What is the right syntax?? Thank you!
Guest-tek, Difan Zhao
difan.zhao at guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
________________________________
From: freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Greetings,
I hope you all had a wonderful Christmas holiday!
So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern) however from the
Radius -X output (which I attached here) it doesn't seem to authenticate
it the way I want it.
Let me repeat my logic here: if the MAC address matches the pattern, use
the User-Name (or Calling-Station-Id, since I "rewrite" it to be the
same as the User-Name) and the password (which is made to be the same as
the User-Name as well) to authenticate the device.
However, it looks like all my "if" conditions matched during the
process, but they all returned "noop" instead of updating the
information I wanted them to.
Here are the configurations I made in the policy.conf and
sites-available/default files.
policy.conf:
policy {
    ...
    rewrite_calling_station_id {
        # fixed: the two later character classes were written "[[0-9A-F]" with a stray "["
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}
default:
authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}
authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (Chap-Password) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
            chap
        }
        else {
            ok
        }
    }
}
It seems to me that the last "ok" authenticated the device, instead of
using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
Thank you!
Guest-tek, Difan Zhao
difan.zhao at guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
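Putting the two postings together, here is one way to write this in FreeRADIUS 2.x unlang. This is an added example, not the poster's configuration and not code from the FreeRADIUS project; the policy name rewrite_calling_station_id and the Auth-Type name Auth-NHSTB are taken from the postings, while the anchored regex and the use of the stock pap/chap modules are my choices. The parse error in the newer message comes from putting %{request:User-Password} on the left of ==: in 2.x the left side of a condition is a bare attribute name (or a quoted string), and an expansion belongs inside a double-quoted string on the right. The stray "ok" in the older message runs whenever the request carries no CHAP-Password, which is exactly what a PAP client sending User-Password looks like; setting Cleartext-Password in authorize and letting pap/chap do the comparison covers both cases with one rule.

```unlang
# --- policy.conf ---------------------------------------------------------
policy {
    # Rewrite "00-A0-08-xx-xx-xx" (any case) to "00a008xxxxxx" so that it can
    # be compared against User-Name in the default site. The ^ and $ anchors
    # (my addition) make the policy fire only on a whole MAC address.
    rewrite_calling_station_id {
        if (request:Calling-Station-Id =~ /^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
    }
}

# --- sites-enabled/default -----------------------------------------------
authorize {
    preprocess
    rewrite_calling_station_id

    # MAC bypass: the NAS sends the MAC as both User-Name and password with
    # Service-Type = Call-Check. Hand the expected password to the pap/chap
    # modules instead of comparing by hand, so the same rule works for PAP
    # (User-Password) and CHAP (CHAP-Password) requests.
    if ((Service-Type == "Call-Check") && (User-Name =~ /^%{Calling-Station-Id}$/i)) {
        update control {
            Cleartext-Password := "%{User-Name}"
        }
    }

    # chap/pap in authorize set Auth-Type from what the request carries
    # (pap only when a known-good password such as Cleartext-Password is set).
    chap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }

    # Direct answer to the syntax question: a hand-written comparison. The
    # left side is a bare attribute name and the expansion sits in a
    # double-quoted string on the right. This form only works for PAP,
    # because a CHAP request has no User-Password, and "reject" replaces the
    # original "noop" so a mismatch cannot fall through as a success.
    Auth-Type Auth-NHSTB {
        if (User-Password == "%{User-Name}") {
            ok
        }
        else {
            reject
        }
    }
}
```

With the first form, nothing in the authenticate section needs a custom Auth-Type at all: a request whose User-Name is not the (rewritten) MAC never gets a Cleartext-Password, so pap leaves Auth-Type unset and the request is rejected by the server's default handling rather than by an explicit branch. Run the server with -X once more and check that the debug output shows rlm_pap or rlm_chap doing the comparison rather than the Auth-NHSTB block.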