MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao
difan.zhao at guest-tek.com
Mon Jan 4 17:52:02 CET 2010
Hey guys,
I am still waiting for a possible solution for this problem that I
have... Please let me know even if there is no easy fix.
To refresh your memory, I am doing MAC address authentication bypass. It
looks to me that the "users" file takes precedence over
"sites-available/default". Whenever there is a default entry in the
"users" file, the freeradius server doesn't try to run the module/function
in the "authentication" section... I have attached the debug for
both cases. Please take a look whenever you can. Thank you!
Difan
________________________________
From: freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Wednesday, December 30, 2009 12:19 PM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,
Since I have asked so many questions regarding this topic I guess you
all know my situation very well so I won't go through the whole thing
again and save your time!
So I found that if I add a "Default" line at the bottom of the users
file, like:
    ...
    DEFAULT Auth-Type = ntlm_auth
The server will always use ntlm for authentication... even though I have
updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached
both debug files. What should I do if I want a "Default" line in the
user file while still using the special authentication that I defined for
MAC authentication bypass? Thanks!
Policy.conf:
policy {
    ...
    # Normalise 00-A0-08-xx-xx-xx to 00a008xxxxxx
    rewrite_calling_station_id {
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}
Default:
authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}
authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (request:User-Name == "%{request:User-Password}") {
            ok
        }
        else {
            reject
        }
    }
}
Guest-tek, Difan Zhao
difan.zhao at guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd -X with 'default' line in users.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100104/d0d78410/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd -X without 'default' line in users.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100104/d0d78410/attachment-0001.txt>
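
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the `=` and `:=` operators as unlang documents them for `update` sections, applied to the configuration quoted in the message. It assumes the `files` module (the users file) runs before the Call-Check test, which the elided `...` in `authorize` does not show; the sample request is constructed.

```python
import re

# Pattern from the post's policy.conf, with the stray "[" removed:
# OUI 00-A0-08 followed by three hex octets, case-insensitive.
MAC_RE = re.compile(r"00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})", re.I)

def rewrite_calling_station_id(request):
    """Model of the post's rewrite_calling_station_id policy (in place)."""
    m = MAC_RE.search(request.get("Calling-Station-Id", ""))
    if m:
        request["Calling-Station-Id"] = "00a008" + "".join(m.groups())

def update(control, attr, op, value):
    """Documented operator semantics for adding an attribute to a list."""
    if op == ":=":        # always set, replacing any existing value
        control[attr] = value
    elif op == "=":       # add only if no attribute of that name exists
        control.setdefault(attr, value)
    else:
        raise ValueError("unsupported operator: " + op)

def authorize(request, users_default, update_op):
    """Return the Auth-Type left in the control list after authorize.
    ASSUMPTION: the users file is processed before the Call-Check test."""
    control = {}
    rewrite_calling_station_id(request)
    if users_default is not None:
        # users file entry: DEFAULT Auth-Type = <users_default>
        update(control, "Auth-Type", "=", users_default)
    user = request.get("User-Name", "").lower()
    if request.get("Service-Type") == "Call-Check" and \
            user == request.get("Calling-Station-Id", "").lower():
        update(control, "Auth-Type", update_op, "Auth-NHSTB")
    return control.get("Auth-Type")

def sample_request():
    # Constructed attributes, not taken from the post's debug output.
    return {"User-Name": "00a0081a2b3c", "User-Password": "00a0081a2b3c",
            "Service-Type": "Call-Check",
            "Calling-Station-Id": "00-A0-08-1A-2B-3C"}

if __name__ == "__main__":
    for default, op in [(None, "="), ("ntlm_auth", "="), ("ntlm_auth", ":=")]:
        print(default, op, "->", authorize(sample_request(), default, op))
```

Under that assumption, the model reproduces the behaviour reported in the message for `Auth-Type = 'Auth-NHSTB'` and shows the result when the same update uses `:=`.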