http://wiki.freeradius.org/Mac-Auth is wrong

Tóth István stoty at stoty.hu
Sat Nov 20 17:46:20 CET 2010


Hello!

I tried to set up MAC authorization for testing purposes according to 
the instructions at
http://wiki.freeradius.org/Mac-Auth.

The solution there almost worked, except for the

raddb/sites-available/default post-auth{} section.

The wiki contains the code:

if(control:Auth-Type == 'CSID'){
     # Authorization happens here
     authorized_macs.authorize
     if(notfound){
         reject
     }
}

However, when the rlm_files module can't find the user, it returns noop, 
not notfound.

As a result, EVERY mac authentication attempt is successful.

When I changed the section to

if(control:Auth-Type == 'CSID'){
     # Authorization happens here
     authorized_macs.authorize
     if(!ok){
         reject
     }
}

I got correct rejects in reply to the MACs not listed in the file.

The funny thing is that I actually think that the snippet on wiki page 
should work,
and the rlm_files module is returning the wrong result code.

As far as I understand the result codes, noop should be returned when 
the module ignores the request, because it thinks it should not handle 
it, and notfound should be returned when the module accepted and tried 
to handle the requests, but cannot find the user in its "database".

Either way, the documentation and the code do not match, and one of them 
should be fixed.
Currently if someone just blindly copies the sample config, and does not 
test for correct rejects, he'll have a wide-open network.

I have tested on fedora 13, with the latest 
freeradius-2.1.10-1.fc13.x86_64 rpm.

best regards

István Tóth
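A constructed model of the two post-auth {} variants from the message above, added here as an example and not part of the original post or of FreeRADIUS itself. It assumes rlm_files behaves as the post describes (ok when the MAC is listed, noop when it is not) and models only the ok, noop and notfound return codes, showing that the wiki's `if(notfound)` check fails open on noop while `if(!ok)` fails closed.

```python
# Constructed model of the policy logic discussed in the post (not unlang
# and not FreeRADIUS code). Only the three return codes the post talks
# about are modelled; other codes (fail, reject, ...) are out of scope.
MODELLED_CODES = ("ok", "noop", "notfound")

# Constructed sample of what the authorized_macs file would list.
AUTHORIZED_MACS = {"00-11-22-33-44-55", "00-aa-bb-cc-dd-ee"}


def rlm_files_authorize(authorized_macs, calling_station_id):
    """rlm_files as the post observes it on 2.1.10: 'ok' for a listed MAC,
    'noop' (not 'notfound') for an unlisted one."""
    return "ok" if calling_station_id.lower() in authorized_macs else "noop"


def wiki_policy(rc):
    """Wiki snippet: if(notfound){ reject } -- only notfound rejects."""
    return "reject" if rc == "notfound" else "accept"


def fixed_policy(rc):
    """Post's fix: if(!ok){ reject } -- anything but ok rejects."""
    return "accept" if rc == "ok" else "reject"


def evaluate(policy, authorized_macs, calling_station_id):
    """Run the module lookup and then the chosen post-auth policy."""
    return policy(rlm_files_authorize(authorized_macs, calling_station_id))


def fail_open_codes(policy):
    """Return codes that the policy turns into an accept even though the
    module did not say ok; an empty list means the policy fails closed."""
    return [rc for rc in MODELLED_CODES if rc != "ok" and policy(rc) == "accept"]


if __name__ == "__main__":
    unknown = "de-ad-be-ef-00-01"  # constructed, not in the list
    print("wiki  policy, unknown MAC:", evaluate(wiki_policy, AUTHORIZED_MACS, unknown))
    print("fixed policy, unknown MAC:", evaluate(fixed_policy, AUTHORIZED_MACS, unknown))
    print("wiki  policy fails open on:", fail_open_codes(wiki_policy))
    print("fixed policy fails open on:", fail_open_codes(fixed_policy))
```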