Checking MAC address with rlm_sql
Glen Harris
astfgl at iamnota.org
Wed Apr 4 11:01:17 CEST 2012
Changed subject line to reflect new topic.
I've taken your advice and asked for the project requirements to be
modified. We'll just have to deal with incompatible devices (and their
users) on an ad-hoc basis - and maybe give some people a reason to
upgrade. ;-)
I'm now using a bog standard freeradius install with SQL enabled and
talking to a mysql database. It worked perfectly out of the box with the
MSM460 set to use WPA2 and AES.
I still need to provide MAC address restriction on a per-user basis.
Yes, I know it's fairly easy these days to spoof the MAC address, but
that will be a deliberate act by a user. It is not being used as a
technical security measure but as an indication of intent that will have
consequences.
mysql> select * from radcheck;
+----+----------+--------------------+----+-------------------+
| id | username | attribute          | op | value             |
+----+----------+--------------------+----+-------------------+
|  1 | user01   | Cleartext-Password | := | pass01            |
|  2 | user01   | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 |
+----+----------+--------------------+----+-------------------+
With just a username and password in the table, I can authenticate from
my device. I see the crypto handshaking, the sql module returns ok for
the user and the password is verified.
When I add the second row in the table, the auth fails. Tracing
backwards, peap reports "Peap state send tlv failure", caused by mschap
reporting "No Cleartext-Password configured", caused by rlm_sql
reporting "User user01 not found".
Replaying the SQL query from the debug manually:
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'user01' ORDER BY id;
+----+----------+--------------------+-------------------+----+
| id | username | attribute          | value             | op |
+----+----------+--------------------+-------------------+----+
|  1 | user01   | Cleartext-Password | pass01            | := |
|  2 | user01   | Calling-Station-Id | 98-4B-4A-F5-BF-40 | == |
+----+----------+--------------------+-------------------+----+
So, there's something wrong with how I'm doing my check items - they're
not matching and the Cleartext-Password attribute is not being set. I've
read the SQL_HOWTO and Operators docs on the website and come up with
this myself. I copied and pasted the attribute and value from the debug
output directly:
Calling-Station-Id = "98-4B-4A-F5-BF-40"
I can simply change the username of row 2 to another string (e.g. "foo")
and my device will authenticate again. Change it back and it won't.
Many thanks, glen.
On 26/03/12 19:10, Phil Mayers wrote:
> On 03/26/2012 10:01 AM, Glen Harris wrote:
>>
>> Server: Debian 6 (Squeeze) 2.6.32-5-amd64
>> FreeRadius: 2.1.10 (Debian package)
>> Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
>> Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
>> MD5 and PAP.
>>
>> I'm trying to set up a simple MAC-Auth based network using HP 2610
>> switches and MSM640 wireless APs as radius clients. I've added the AP to
>
> This is a matter of choice, but personally I would advise against
> using MAC-auth on wireless. It provides illusory security, and 802.1x
> is pretty easy on modern equipment. Your call however.
>
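The check-item behaviour discussed in the post, as an added example that is not part of the original message or of FreeRADIUS itself: a small Python model of how rlm_sql evaluates radcheck rows for a user. The `==` operator requires the request to carry the attribute with exactly the stored value, `:=` sets a configuration item such as Cleartext-Password, and a failed `==` item makes the module treat the user as not found (which is the "User user01 not found" message in the post's debug trace). Only the two radcheck rows are taken from the post; the sample Access-Request attribute sets, the simplified operator semantics and the `normalize_mac` helper are assumptions of this example. It goes beyond the post by also showing two general ways a MAC check item can fail without any spoofing: the request lacks Calling-Station-Id entirely, or the NAS sends the MAC in a different textual format from the one stored in the table.

```python
"""Model of rlm_sql check-item evaluation for radcheck rows.

Added example, not taken from the mailing-list post or from FreeRADIUS.
Simplified semantics (from the FreeRADIUS operator documentation):
  ==   the request must contain the attribute with exactly this value;
       any mismatch fails the whole check list and the user is
       reported as "not found"
  :=   set a configuration item (e.g. Cleartext-Password) for the
       authentication stage; never causes a mismatch
Other operators (!=, =~, =*, ...) are deliberately not modelled.
"""

# The two radcheck rows shown in the post (id, username, attribute, op, value)
RADCHECK = [
    (1, "user01", "Cleartext-Password", ":=", "pass01"),
    (2, "user01", "Calling-Station-Id", "==", "98-4B-4A-F5-BF-40"),
]


def radcheck_rows(username, table=RADCHECK):
    """Equivalent of: SELECT ... FROM radcheck WHERE username = ? ORDER BY id"""
    return sorted((r for r in table if r[1] == username), key=lambda r: r[0])


def evaluate_check_items(request, rows):
    """Return (matched, config). config holds the := items collected so far;
    matched is False as soon as one == item does not match the request."""
    config = {}
    for _id, _user, attr, op, value in rows:
        if op == "==":
            # A missing attribute (request.get -> None) fails just like a wrong value.
            if request.get(attr) != value:
                return False, {}
        elif op == ":=":
            config[attr] = value
        else:
            raise ValueError(f"operator {op!r} not modelled in this example")
    return True, config


def sql_authorize(request, table=RADCHECK):
    """Model of rlm_sql authorize: ('ok', config) or ('notfound', {}).

    Note the failure mode: a non-matching check item is reported as
    'notfound', not as a reject with a reason, so downstream modules
    (mschap here) then complain that no Cleartext-Password was configured."""
    rows = radcheck_rows(request["User-Name"], table)
    if not rows:
        return "notfound", {}
    matched, config = evaluate_check_items(request, rows)
    return ("ok", config) if matched else ("notfound", {})


def normalize_mac(mac):
    """Hypothetical helper: canonical upper-case, dash-separated MAC.

    NAS vendors send Calling-Station-Id as 98-4B-4A-F5-BF-40, 98:4b:4a:f5:bf:40
    or 984b4af5bf40. rlm_sql's == compares the raw string, so the stored
    value must match the NAS's format exactly unless the request attribute
    is rewritten to a canonical form before the SQL lookup."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    # Constructed sample requests (attribute -> value), not captured traffic.
    samples = {
        "matching MAC":   {"User-Name": "user01", "Calling-Station-Id": "98-4B-4A-F5-BF-40"},
        "other MAC":      {"User-Name": "user01", "Calling-Station-Id": "00-11-22-33-44-55"},
        "colon format":   {"User-Name": "user01", "Calling-Station-Id": "98:4b:4a:f5:bf:40"},
        "no MAC at all":  {"User-Name": "user01"},
    }
    for label, req in samples.items():
        print(f"{label:14s} -> {sql_authorize(req)}")
    fixed = dict(samples["colon format"])
    fixed["Calling-Station-Id"] = normalize_mac(fixed["Calling-Station-Id"])
    print(f"{'normalized':14s} -> {sql_authorize(fixed)}")
```

Run it as a script to see each constructed request's outcome. The practical takeaway the model illustrates is that rlm_sql's "not found" covers both a genuinely unknown user and a user whose `==` check items did not match, so the first thing to verify when a MAC check item breaks authentication is what Calling-Station-Id (if any) is present in the request that the sql module actually sees, and in which textual format.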