MAC authorization with rlm_sql not working
Stefano Zanmarchi
zanmarchi at gmail.com
Wed Oct 10 17:58:28 CEST 2012
Hi,
our Freeradius is working fine with PEAP (NT hash passwords stored in Openldap).
We'd like to add MAC authorization using MySQL: only people with a MAC contained in
radcheck should have access (provided they also type in the right password!).
Radcheck has only one entry:
+----+-------------------------------+--------------------+----+-------------------+
| id | username                      | attribute          | op | value             |
+----+-------------------------------+--------------------+----+-------------------+
|  1 | uto.ughi at studenti.unipd.it | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 |
+----+-------------------------------+--------------------+----+-------------------+
The problem is that uto.ughi at studenti.unipd.it gets an Access-Accept packet,
regardless of his Calling-Station-Id.
Don't know if it's related, but strangely (to me) when uto.ughi at studenti.unipd.it
has Calling-Station-Id 98-4B-4A-F5-BF-40 (the one in radcheck), radiusd performs
this SQL query:
SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'uto.ughi at studenti.unipd.it' ORDER BY id
and the radiusd -X output shows "[sql] User found in radcheck table"
Same user, different Calling-Station-Id (73-1C-5C-B4-E0-55, not the one in radcheck),
shows "[sql] User uto.ughi at studenti.unipd.it not found."
Still, in both cases the user gets an Access-Accept packet.
I can't see what I'm doing wrong; any help would be greatly appreciated!
I enclose these files:
- sites-enabled/eduroam-inner-tunnel
- sites-enabled/eduroam
- eap.conf
Attached is the output of radiusd -X when uto.ughi at studenti.unipd.it is accessing
with Calling-Station-Id 73-1C-5C-B4-E0-55, not present in radcheck.
[eduroam-inner-tunnel file]:

server eduroam-inner-tunnel {
    authorize {
        auth_log
        eap
        # sql looks the inner (tunnelled) User-Name up in radcheck
        sql
        openldap
        mschap
    }
    authenticate {
        ntlm_auth
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
}
[sites-enabled/eduroam file]:

server eduroam {
    authorize {
        auth_log
        suffix
        # outer server only handles the EAP envelope; inner identity is
        # processed in eduroam-inner-tunnel
        eap {
            ok = return
        }
    }
    authenticate {
        ntlm_auth
        eap
    }
    preacct {
        suffix
    }
    accounting {
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
    pre-proxy {
        pre_proxy_log
        if (Packet-Type != Accounting-Request) {
            attr_filter.pre-proxy
        }
    }
    post-proxy {
        post_proxy_log
        attr_filter.post-proxy
    }
}
[/etc/raddb/eap.conf]:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = klabssrlviasalgari17
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = gtc
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        # outer attributes (including Calling-Station-Id) are copied into the
        # inner request, so the inner-tunnel sql module can see the MAC
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    mschapv2 {
    }
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd-X_MAC_not_in_radcheck
Type: application/octet-stream
Size: 67835 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121010/fcbcd925/attachment-0001.obj>
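The debug lines quoted in the post ("User found in radcheck table" with the matching MAC, "User ... not found" otherwise) are the behaviour of rlm_sql when a radcheck check item fails to match: the module returns "notfound" and adds no reply items, but "notfound" is not a rejection, so processing continues and ntlm_auth/mschap still authenticate the user against the password. The inner-tunnel authorize section below is an added example, not from the poster or the FreeRADIUS project; it keeps the poster's module order and only adds an unlang check after sql that turns "notfound" into a reject. The Reply-Message text and the optional rewrite_calling_station_id line (a policy shipped in the stock 2.x policy.conf that normalises the MAC to the XX-XX-XX-XX-XX-XX form) are assumptions about the local configuration.

```unlang
# /etc/raddb/sites-enabled/eduroam-inner-tunnel  (added example, not the poster's file)
server eduroam-inner-tunnel {
    authorize {
        auth_log
        eap

        # Optional: different NASes send the MAC as 98-4B-4A-F5-BF-40, 98:4b:4a:f5:bf:40,
        # 984b.4af5.bf40 ...  rlm_sql compares the radcheck value as a plain string, so
        # normalise before the lookup. This policy exists in the stock 2.x policy.conf;
        # remove the line if your install does not have it.
        rewrite_calling_station_id

        # radcheck row for this user:
        #   Calling-Station-Id == 98-4B-4A-F5-BF-40
        # rlm_sql returns "notfound" when the user has no radcheck row OR when one of
        # the check items does not match the request. Either way the user must not
        # get in, so reject here. The password is still verified later (ntlm_auth/mschap)
        # for users who pass this check.
        sql
        if (notfound) {
            update reply {
                Reply-Message := "MAC address not authorized for this account"   # assumed text
            }
            reject
        }

        openldap
        mschap
    }
    authenticate {
        ntlm_auth
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        reply_log
        # reject above lands here, so the rejected inner request is still logged
        Post-Auth-Type REJECT {
            reply_log
        }
    }
}
```

Two things to verify in radiusd -X after the change: that the inner request actually carries Calling-Station-Id (copy_request_to_tunnel = yes in the peap block does that; without it the == check can never match), and that for the non-matching MAC the inner tunnel now shows "[sql] ... not found" followed by a Post-Auth-Type REJECT entry rather than continuing to ntlm_auth. Because "notfound" is also returned for users with no radcheck row at all, this is exactly the "only MACs listed in radcheck" policy the post asks for; a user who should be exempt needs a row of their own.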