[authorized_macs.authorize] returns noop

Nagaraj Panyam pn at tifr.res.in
Fri Jan 7 07:49:00 CET 2011 

Hi,

In my previous mail while asking for help, I did not fully explain what 
I wanted to configure.
So here goes: I want to configure freeradius to setup MAC based 
authentication for laptops and hand held devices in my organization.
My first preference is to make it purely MAC based and paswordless.

I have installed freeradius2 (debug output and conf files pasted below).
For testing, I configured the NAS to use "WPA Radius", and gave it my 
radius servers IP and secret.
When I select the SSID, the laptop pops up a window asking for usename, 
password and logon domain. (is there a way to avoid this?)

I see that authorized_macs.authorize returns noop. But why, I don't 
understand.
Because I want just CSID auth, I commented out the eap in default 
authorize{}. Is that my mistake?

Here is the debug output.
------ Debug output:
rad_recv: Access-Request packet from host 192.168.55.107 port 3072, 
id=35, length=175
        User-Name = "TEST\\test"
        NAS-IP-Address = 192.168.55.107
        NAS-Port = 0
        Called-Station-Id = "001f1fd74ce9"
        Calling-Station-Id = "001a734337c9"
        NAS-Identifier = "Realtek Access Point. 8181"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200000e01544553545c74657374
        Message-Authenticator = 0x0fc7203c788350352965da25a7a1049e
+- entering group authorize {...}
++[control] returns notfound
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
+- entering group post-auth {...}
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') -> TRUE
++? if (control:Auth-Type == 'CSID') -> TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs]       expand: %{Calling-Station-ID} -> 001a734337c9
+++[authorized_macs.authorize] returns noop
+++? if (!ok)
? Evaluating !(ok) -> TRUE
+++? if (!ok) -> TRUE
+++- entering if (!ok) {...}
++++[reject] returns reject
+++- if (!ok) returns reject
++- if (control:Auth-Type == 'CSID') returns reject
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform 
requested action.
Ready to process requests.

---- cat raddb/sites-available/default
authorize {
#eap
        update control {
                Auth-Type = 'CSID'
        }
}

authenticate {
   Auth-Type CSID {
        if(Chap-Password){
                update control {
                        Cleartext-Password := "%{User-Name}"
                }
                chap
        }
        else{
                ok
        }
   }
}

post-auth {
   if(control:Auth-Type == 'CSID'){
        # Authorization happens here
        authorized_macs.authorize
        if(!ok){
                reject
        }
   }
}


----  cat raddb/modules/file ------
files authorized_macs {
        key = "%{Calling-Station-ID}"
        usersfile = ${confdir}/authorized_macs
        compat = no
}

---- cat raddb/authorized_macs ---
001a734337c9 Reply-Message = "OK.."

What is the mistake I am doing?
Thanks a lot!
Nagaraj

Phil Mayers wrote:
> On 06/01/11 12:48, Nagaraj Panyam wrote:
>> Dear experts,
>>
>> I setup mac_auth as in the freeradius wiki and its not working, am
>> unable to debug further.
>
> Hmm. This:
>
> http://wiki.freeradius.org/index.php?title=Mac-Auth
>
> ...seems like it's a bit... over-engineered? if () unlang statements 
> in the "authenticate" section and calling a module .authorize method 
> in post-auth don't seem necessary?
>
> Anyone who wrote the page, and why it uses that method?
>
>
>> requesting for help!
>> It correctly sets Auth-Type to CSID. but authorized_macs.authorize]
>> returns noop
>> I have pasted debug output and the relevant files below.
>>
>> ## Debug output of radiusd:
>>
>> rad_recv: Access-Request packet from host 158.144.55.107 port 3072,
>> id=62, length=175
>>          User-Name = "TEST\\test"
>>          NAS-IP-Address = 158.144.55.107
>>          NAS-Port = 0
>>          Called-Station-Id = "001f1fd74ce9"
>>          Calling-Station-Id = "001a734337c9"
>>          NAS-Identifier = "Realtek Access Point. 8181"
>>          Framed-MTU = 1400
>>          NAS-Port-Type = Wireless-802.11
>>          Service-Type = Framed-User
>>          Connect-Info = "CONNECT 11Mbps 802.11b"
>>          EAP-Message = 0x0200000e01544553545c74657374
>>          Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
>
> This is not a mac-auth request. It's an EAP request, likely from an 
> 802.11 wireless point using WPA-Enterprise.
>
> You can't mac-auth EAP.
>
> Start by describing what you want to do please.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html


-- 

+----------------------------------+--------------------------------------+
Nagaraj Panyam                     | Office tel: +91-22-22782126
Dept of High Energy Physics        | Office fax: +91-22-22804610 
Tata Instt. of Fundamental Research| Home  tel : +91-22-22804936        
Mumbai - 400 005, INDIA            | **Email** : pn at tifr.res.in          
+----------------------------------+--------------------------------------+

More information about the Freeradius-Users mailing list