MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Wed Dec 30 01:36:33 CET 2009


Should be:

if(request:User-Password == "%{request:User-Name}") {
>
> However when I try to run Radius I keep getting this error:
>
> Expected regular expression at: request:User-Password)
> /etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection.
> Errors initializing modules
>
> I also tried a lot of other syntax and different operators as well but
> the error is still there… What is the right syntax?? Thank you!
>
> Guest-tek, Difan Zhao
> difan.zhao at guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048
> Cell: 403-689-7514
>
> ------------------------------------------------------------------------
> *From:* freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org
> *On Behalf Of* Difan Zhao
> *Sent:* Tuesday, December 29, 2009 11:09 AM
> *To:* FreeRadius users mailing list
> *Subject:* RE: MAC authentication bypass --- How am I supposed to edit
> the users file to include multiple MAC addresses??
>
> Greetings,
>
> I hope you all had a wonderful Christmas holiday!
>
> So I continued my work this morning. It looks like it can authenticate
> the devices (with the certain MAC address pattern) however from the
> Radius –X output (which I attached here) it doesn’t seem to
> authenticate it the way I want it.
>
> Let me repeat my logic here: if the MAC addresses match the pattern,
> use the *User-Name* (or *Calling-station-ID*, since I *“rewrite”* it
> to be the same as the User-name) and the password (which is made to be
> the same as the User-name as well) to authenticate the device.
>
> However it looks like my *“if”* conditions are all matched during the
> process however they all returned *“noop”* instead of *updating* the
> information I wanted it to.
>
> Here are the *configurations* I made in the *policy.conf* and
> */sites-available/default* files
>
> *Policy.conf:*
>
> policy {
>         rewrite_calling_station_id {
>                 if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
>                         update request {
>                                 Calling-Station-Id := "00a008%{1}%{2}%{3}"
>                         }
>                 }
>                 else {
>                         noop
>                 }
>         }
> }
>
> *Default:*
>
> authorize {
>         rewrite_calling_station_id
>         if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)){
>                 update control {
>                         Auth-Type = 'Auth-NHSTB'
>                 }
>         }
> }
>
> authenticate {
>         Auth-Type Auth-NHSTB {
>                 if(Chap-Password){
>                         update control {
>                                 Cleartext-Password := "%{User-Name}"
>                         }
>                         chap
>                 }
>                 else{
>                         ok
>                 }
>         }
> }
>
> It seems to me that the last *“ok”* authenticated the device, instead
> of using *“chap”* and the *“Cleartext-Password”* that I assigned. Any
> ideas? Thank you!
>
> Guest-tek, Difan Zhao
> difan.zhao at guest-tek.com
> www.guest-tek.com
> Office: 403-509-1010 ext 3048
> Cell: 403-689-7514
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
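
The policy quoted in this thread, modelled in Python as an added illustration (not code from the thread or from FreeRADIUS): it traces which branch of the Auth-NHSTB section decides a request. The sample requests are constructed, the regex anchoring is added here, and treating a request that gets no Auth-Type as a reject is a simplifying assumption.

```python
import hashlib
import hmac
import re

# Pattern from the quoted policy.conf; the ^...$ anchoring is added in this model.
MAC_RE = re.compile(r"^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$", re.I)


def rewrite_calling_station_id(request):
    """Model of the rewrite policy: returns 'updated' or 'noop'."""
    m = MAC_RE.match(request.get("Calling-Station-Id", ""))
    if not m:
        return "noop"
    request["Calling-Station-Id"] = "00a008" + "".join(m.groups())
    return "updated"


def chap_response(ident, password, challenge):
    """RFC 2865 CHAP-Password: ident byte + MD5(ident + password + challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password.encode() + challenge).digest()


def process(request):
    """Return (branch, result) for one request, following the quoted sections."""
    rewrite_calling_station_id(request)
    user = request.get("User-Name", "")
    csid = request.get("Calling-Station-Id", "")
    if request.get("Service-Type") != "Call-Check" or user.lower() != csid.lower():
        return ("no Auth-Type", "reject")  # assumption: nothing else authenticates
    if "CHAP-Password" in request:
        # Cleartext-Password := "%{User-Name}", then the chap module verifies.
        sent = request["CHAP-Password"]
        want = chap_response(sent[0], user, request["CHAP-Challenge"])
        return ("chap", "accept" if hmac.compare_digest(sent, want) else "reject")
    return ("ok", "accept")  # else { ok }: no credential is verified


# Constructed sample requests (not from the thread's debug output).
CHALLENGE = bytes(range(16))
MAB = {"Service-Type": "Call-Check", "User-Name": "00a008aabbcc",
       "Calling-Station-Id": "00-A0-08-AA-BB-CC"}
CHAP_GOOD = {**MAB, "CHAP-Challenge": CHALLENGE,
             "CHAP-Password": chap_response(7, "00a008aabbcc", CHALLENGE)}
CHAP_BAD = {**MAB, "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": chap_response(7, "wrong", CHALLENGE)}

if __name__ == "__main__":
    for name, req in (("MAB", MAB), ("CHAP_GOOD", CHAP_GOOD), ("CHAP_BAD", CHAP_BAD)):
        print(name, process(dict(req)))
```

A request without CHAP-Password reaches the `ok` branch, so the Cleartext-Password assignment is only exercised when the NAS sends CHAP.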
