Problems with 802.1x
Alan DeKok
aland at deployingradius.com
Fri Nov 30 00:05:05 CET 2012
Andres Gomez Ruiz wrote:
> I've been using FreeRADIUS for 6 months, and it works great. I'm using
> freeradius + MySQL to store my user data in a database and authenticate
> users with a username and a password.
>
> Now I have to attach 3 MAC addresses to each user, so I'm editing my
> database (radcheck table):
>
> id  username  attribute          op  value
> 1   user1     User-Password      :=  password1
Use Cleartext-Password. Not User-Password. This has been the
recommended configuration for 6 years.
> 2   user1     Calling-Station-Id =   00:11:22:33:44:55
And see the rlm_sql documentation. The "=" operator is probably not
what you want.
> It works great. Only user1 with password1 can access from the device
> with MAC-Addr 00:11:22:33:44:55, but I need to attach 3 MACs to each
> user, so I edit my database:
>
>
> id  username  attribute          op  value
> 1   user1     User-Password      :=  password1
> 2   user1     Calling-Station-Id =   00:11:22:33:44:55
> 3   user1     Calling-Station-Id =   33:44:55:66:77:88
>
>
> And from that moment user1 can never log in. user1 can't log in
> from a device with MAC-Addr 00:11:22:33:44:55 or MAC-Addr
> 33:44:55:66:77:88, or any other.
Read the rlm_sql documentation. All of the check conditions are
logically ANDed together. The above configuration says
Calling-Station-Id X AND Y. Which is never true, so it always fails.
If you want to allow multiple values of an attribute, you're better off
putting them into a different SQL table. i.e. create a table of just
username && Calling-Station-Id value. Then, do something like:
    if ("%{sql: SELECT from... username %{Calling-Station-Id}}" == "") {
        reject
    }
i.e. search the table for User-Name AND Calling-Station-Id value. If
an entry isn't found, then reject the user.
Alan DeKok.
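The two approaches side by side, as an added example that is not part of the original thread or of FreeRADIUS itself. It uses an in-memory SQLite database to stand in for MySQL, and a small Python function to simulate the documented rlm_sql rule that every check row for a user is ANDed (only Calling-Station-Id comparison rows are modelled; password handling and the real rlm_sql evaluation code are not). The separate-table layout (table name user_mac and its columns are assumptions), the "==" operator on the check rows (following the advice above to read the rlm_sql docs on operators), and the MAC normalisation step are all choices made for this example. The normalisation matters in practice because NAS vendors format Calling-Station-Id differently (00-11-22-33-44-55, 0011.2233.4455, upper case), so a lookup on the raw string can miss a MAC that is in the table.

```python
import re
import sqlite3

# Constructed sample data mirroring the radcheck rows quoted in the post,
# with "==" as the comparison operator instead of the original "=".
RADCHECK_ROWS = [
    (1, "user1", "Cleartext-Password", ":=", "password1"),
    (2, "user1", "Calling-Station-Id", "==", "00:11:22:33:44:55"),
    (3, "user1", "Calling-Station-Id", "==", "33:44:55:66:77:88"),
]

# Hypothetical separate table (name and columns assumed): one row per allowed MAC.
USER_MAC_ROWS = [
    ("user1", "00:11:22:33:44:55"),
    ("user1", "33:44:55:66:77:88"),
]


def open_db():
    """Build an in-memory stand-in for the MySQL schema with both tables populated."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER, username TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", RADCHECK_ROWS)
    db.execute("CREATE TABLE user_mac (username TEXT, mac TEXT)")
    db.executemany("INSERT INTO user_mac VALUES (?, ?)", USER_MAC_ROWS)
    return db


def normalize_mac(raw):
    """Canonicalise a NAS-supplied MAC to lower-case colon form, or None if it is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def radcheck_accepts(db, username, calling_station_id):
    """Simulation of the documented rlm_sql rule: all check rows for the user are ANDed.

    With two Calling-Station-Id rows, one of them always mismatches, so the
    user is rejected from every device. Password rows are ignored here.
    """
    mac = normalize_mac(calling_station_id)
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?", (username,)
    ).fetchall()
    for attribute, op, value in rows:
        if attribute == "Calling-Station-Id" and op == "==":
            if mac != normalize_mac(value):
                return False  # one failing row fails the whole check list
    return True


def mac_table_accepts(db, username, calling_station_id):
    """The separate-table approach: accept if any (username, mac) row matches.

    This is the query a %{sql:...} xlat in unlang would run; an empty result
    is what the `if (... == "") { reject }` block above tests for.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False  # malformed or missing MAC: nothing to look up, reject
    row = db.execute(
        "SELECT mac FROM user_mac WHERE username = ? AND mac = ?", (username, mac)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    for mac in ("00:11:22:33:44:55", "33-44-55-66-77-88", "aa:bb:cc:dd:ee:ff"):
        print(mac, "radcheck:", radcheck_accepts(db, "user1", mac),
              "user_mac:", mac_table_accepts(db, "user1", mac))
```

Note that normalising the MAC before the lookup also means the value stored in the table must be in the same canonical form; store it lower-case with colons (or apply the same normalisation on insert) so that the comparison is exact.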