[authorized_macs.authorize] returns noop
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 6 17:37:33 CET 2011
On 06/01/11 15:58, Alexander Clouter wrote:
> Phil Mayers<p.mayers at imperial.ac.uk> wrote:
>>>
>>> I set up mac_auth as in the freeradius wiki and it's not working, am
>>> unable to debug further.
>>
>> Hmm. This:
>>
>> http://wiki.freeradius.org/index.php?title=Mac-Auth
>>
>> ...seems like it's a bit... over-engineered?
>>
> I think it's Arran who maintains that page, however the
> rewrite_calling_station_id looks like it was palmed off me at some
> stage. That *is* needed unless you are quite-quite-mad and enjoy twenty
> different representations for your MAC addresses in your databases :)
Sure; we have something similar.
We *actually* abuse Postgres' macaddr datatype by doing this:
    update request {
        # the macaddr cast accepts all the usual separators and group
        # widths and always gives back the colon-separated form
        Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}"
    }
...which handles all the various cases quite nicely, but returns
Postgres' :-separated version, which is fine (and what we prefer).
It might be nice if FreeRadius had a "tomac" xlat.
>>
>> Anyone who wrote the page, and why it uses that method?
>>
> The page looks fine to me, is it the enforcing and checking for RFCness
*What* RFCness?
> that seems overkill to you? Cisco switches use PAP instead of CHAP, but
> other than that what's the problem?
I've never seen a mac-auth implementation sending CHAP requests, which
seems like lunacy, so have never considered there might be a need to
execute the "authenticate" section, or synthesise a Cleartext-Password.
But even so, I don't see the value in executing a module's .authorize
handler in the post-auth section, or having a whole separate Auth-Type
value.
Why not just do all that you need after the comparison to check it's a
mac-auth request i.e.:
    authorize {
        # normalise Calling-Station-Id first, so the lookup below
        # sees one representation of the MAC
        clean_mac
        # is this a mac-auth request at all?
        if ((Service-Type == Call-Check) || ...) {
            authorized_macs
            if (!ok) {
                reject
            }
            # CHAP-style mac-auth: the MAC must be the password
            if (CHAP-Password) {
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
            } else {
                # PAP or no password at all: just accept
                update control {
                    Auth-Type = Accept
                }
            }
        }
        chap
        mschap
        eap
        # etc.
    }
What am I missing?
Shrug. Not a big deal really. To each his own.
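Added illustration (not from the post above and not FreeRADIUS code): what a "tomac"-style normaliser, or the macaddr cast, has to accept and reject before the authorized_macs lookup, followed by the "clean_mac, then authorized_macs, reject if !ok" flow in Python. The AUTHORIZED set and the sample addresses are constructed.

```python
import re

# Separators found in the wild for Calling-Station-Id: ':' '-' '.' and
# whitespace; groups of 2, 4 or 6 hex digits, or no separators at all.
_SEP = re.compile(r"[:.\-\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_mac(value):
    """Normalise a MAC address written in any common representation to
    the lowercase, colon-separated form Postgres' macaddr cast returns.

    Returns None when the input is not a MAC address, so the caller can
    reject instead of passing garbage into an SQL or file lookup."""
    if value is None:
        return None
    s = value.strip().lower()
    raw = _SEP.sub("", s)
    if not _HEX12.match(raw):
        return None
    # If separators were used, every group must have the same width
    # (2, 4 or 6 hex digits); "0011:22aabbcc" is not a MAC.
    groups = _SEP.split(s)
    if len(groups) > 1:
        widths = {len(g) for g in groups}
        if widths not in ({2}, {4}, {6}):
            return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


# Constructed stand-in for the authorized_macs file (hypothetical data).
AUTHORIZED = {"00:11:22:aa:bb:cc", "d4:be:d9:01:02:03"}


def check_mac(calling_station_id, authorized=AUTHORIZED):
    """Mirror of the unlang flow: clean_mac, then authorized_macs,
    reject unless the lookup returned ok."""
    mac = to_mac(calling_station_id)
    if mac is None or mac not in authorized:
        return "reject"
    return "ok"
```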