[authorized_macs.authorize] returns noop

Alexander Clouter alex at digriz.org.uk
Thu Jan 6 16:58:38 CET 2011


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>
>> I set up mac_auth as in the freeradius wiki and it's not working, am
>> unable to debug further.
> 
> Hmm. This:
> 
> http://wiki.freeradius.org/index.php?title=Mac-Auth
> 
> ...seems like it's a bit... over-engineered?
>
I think it's Arran who maintains that page, however the 
rewrite_calling_station_id looks like it was palmed off me at some 
stage.  That *is* needed unless you are quite-quite-mad and enjoy twenty 
different representations for your MAC addresses in your databases :)

I have cranked things up a notch further by putting into my policy file 
(it also fixes a regex bug that produced truncated MAC addresses):
----
mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})

rewrite.called_station_id {
        if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
                update request {
                        Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                }

                # SSID component?
                if ("%{7}") {
                        update request {
                                Called-Station-Id := "%{request:Called-Station-Id}%{7}"
                        }
                }

                updated
        }
        else {
                noop
        }
}

rewrite.calling_station_id {
        if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
                update request {
                        Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                }

                updated
        }
        else {
                noop
        }
}
----

> if () unlang statements in the "authenticate" section and calling a 
> module .authorize method in post-auth don't seem necessary?
> 
> Anyone who wrote the page, and why it uses that method?
> 
The page looks fine to me, is it the enforcing and checking for RFCness 
that seems overkill to you? Cisco switches use PAP instead of CHAP, but 
other than that what's the problem?

Cheers

>> requesting for help! It correctly sets Auth-Type to CSID, but 
>> [authorized_macs.authorize] returns noop. I have pasted debug output 
>> and the relevant files below.
>>
'noop' means it did not match and is *not* a MAC auth request...

>> ## Debug output of radiusd:
>>
>> rad_recv: Access-Request packet from host 158.144.55.107 port 3072,
>> id=62, length=175
>>          User-Name = "TEST\\test"
>>          NAS-IP-Address = 158.144.55.107
>>          NAS-Port = 0
>>          Called-Station-Id = "001f1fd74ce9"
>>          Calling-Station-Id = "001a734337c9"
>>          NAS-Identifier = "Realtek Access Point. 8181"
>>          Framed-MTU = 1400
>>          NAS-Port-Type = Wireless-802.11
>>          Service-Type = Framed-User
>>          Connect-Info = "CONNECT 11Mbps 802.11b"
>>          EAP-Message = 0x0200000e01544553545c74657374
>>          Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
> 
> This is not a mac-auth request. It's an EAP request, likely from an 
> 802.11 wireless point using WPA-Enterprise.
> 
> You can't mac-auth EAP.
> 
...as Phil says, this is EAP over a wireless connection.  Mac-Auth 
*only* works on the wire and with switches that support it (Cisco and HP 
are two vendors I know of).

Cheers

-- 
Alexander Clouter
.sigmonster says: QUESTION AUTHORITY.
                  (Sez who?)
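
The normalisation performed by the rewrite.called_station_id and rewrite.calling_station_id policies in the message above, reproduced in Python as an added example (not part of the original post and not FreeRADIUS code). The function names and the SSID "CorpWifi" are constructed for illustration; the two bare MACs are the ones in the quoted debug output.

```python
import re

# Same shape as the policy's mac-addr: six hex pairs with at most one
# non-hex separator character between consecutive pairs.
MAC_ADDR = r"[^0-9a-f]?".join([r"([0-9a-f]{2})"] * 6)

# Calling-Station-Id is the MAC alone; Called-Station-Id may carry ":SSID".
# fullmatch() below plays the role of the ^...$ anchors in the policy.
CALLING_RE = re.compile(MAC_ADDR, re.IGNORECASE)
CALLED_RE = re.compile(MAC_ADDR + r"(:(.+))?", re.IGNORECASE)


def canonical_mac(match):
    """Join capture groups 1-6 as lower-case, dash-separated pairs."""
    return "-".join(match.group(1, 2, 3, 4, 5, 6)).lower()


def rewrite_calling_station_id(value):
    """Return ('updated', canonical) on a match, else ('noop', value)."""
    m = CALLING_RE.fullmatch(value)
    if not m:
        return "noop", value
    return "updated", canonical_mac(m)


def rewrite_called_station_id(value):
    """As above, but keep an optional ':SSID' suffix with its case intact."""
    m = CALLED_RE.fullmatch(value)
    if not m:
        return "noop", value
    # Group 7 is the whole suffix, colon included (group 8 is the bare SSID).
    return "updated", canonical_mac(m) + (m.group(7) or "")


if __name__ == "__main__":
    # Constructed inputs, apart from the two bare MACs from the debug output.
    for raw in ["001a734337c9", "00:1A:73:43:37:C9", "001a.7343.37c9",
                "TEST\\test", "001a734337"]:
        print("Calling-Station-Id", repr(raw), rewrite_calling_station_id(raw))
    for raw in ["001f1fd74ce9", "00-1F-1F-D7-4C-E9:CorpWifi"]:
        print("Called-Station-Id ", repr(raw), rewrite_called_station_id(raw))
```

Running it shows every accepted representation collapsing to one database key, while truncated or non-MAC values are passed through unchanged with 'noop'.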



