MAC Address Auth

Matthias Nagel matthias.h.nagel at gmail.com
Fri Apr 5 10:59:30 CEST 2013


Hello Eric,

Two remarks. The first one replies to your question, the second is a comment on your user entry.

1) At the moment I believe that you either have a very old FreeRADIUS installation or that you broke your configuration with regard to the dictionary files. "Attr-2352-145" is a Redback attribute (Vendor ID 2352) and means "Mac-Addr" (Attribute ID 145). In my installation (Debian Squeeze, Freeradius 2.1.10) this attribute is already contained in the dictionary files out of the box. Hence, Freeradius should replace all occurrences of "Attr-2352-145" by the more friendly name "Mac-Addr" and one should use that in the user file, too. But if your debug output and your accounting logs show "Attr-2352-145" instead of "Mac-Addr", then Freeradius does not seem to know this attribute, which means something is broken.

2) For a moment ignore the problem about the unknown attribute "Attr-2352-145". Anyway, you must use this attribute (or "Mac-Addr") as a check item, not as a reply item, and the correct operator is "==", not "=". (See my last mail and http://freeradius.org/radiusd/man/users.html). So it must be on the first line. I also doubt that you want Password = "006060", but Cleartext-Password := "006060" instead. Read http://freeradius.org/radiusd/man/users.html.

Matthias

PS @ Alan DeKok: I believe I found the problem, why so many people use "=" instead of the correct operator. The doc (http://freeradius.org/radiusd/man/users.html) says: "Each item in the check or reply item list is an attribute of the form name = value" (2nd paragraph). Perhaps it would be better to write: "Each item in the check or reply item list is an attribute of the form 'name op value'". This would make clear that "op" is not always "=".


On Thursday, 04 April 2013, 23:07:02, Mulindwa wrote:
> Thanks Matthias,
> 
> I get an error saying; Unknown attribute "Attr-2352-145"
> 
> This is how I have it set up
> 
> 
> user20001 at ut3      Password = "006060", Simultaneous-Use = 1
>         Attr-2352-145 = "5c-7d-5e-3f-d0-f7",
>         Service-Type = Framed-User,
>         Qos_Policy_Policing = broadband_128_policing,
>         Qos_Policy_Metering = broadband_128_metering,
>         Framed-Protocol = PPP,
>         Ip_Address_Pool_Name = pool_128,
>         Framed-Address = 255.255.255.254,
>         Framed-Netmask = 255.255.255.255,
>         Fall-Through = 0
> 
> 
>  
> Eric M
> 
> 
> ________________________________
>  From: Matthias Nagel <matthias.h.nagel at gmail.com>
> To: freeradius-users at lists.freeradius.org 
> Sent: Thursday, April 4, 2013 5:41 PM
> Subject: Re: MAC Address Auth
>  
> Hello,
> add the correct check item to your user database. In the case below (User-Name = user2000 at ut3) you should have the check item
> Attr-2352-145 == "5c-7d-5e-3f-d0-f7"
> for this specific user in your user database. Then you repeat this for every user/mac-address pair you want.
> Best regards, Matthias
> 
> On Thursday, 04 April 2013, 07:25:55, Mulindwa wrote:
> > Great, I have run the debug and I did get the attribute required.
> > If I want to fulfill the two conditions i.e. username/passwd and Mac Address = Attr-2352-145
> > 
> > How would I need to tweak my radiusd.conf file to achieve this?
> > 
> > 
> > 
> > 
> > User-Name = "user2000 at ut3"
> >    CHAP-Password = "cccddd'"
> >     CHAP-Challenge = "mmmm"
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     NAS-Identifier = "UT-BRAS-EDGE"
> >     NAS-IP-Address = x.x.x.x
> >     NAS-Port = 855649483
> >     NAS_Real_Port = 855638816
> >     NAS-Port-Type = Virtual
> >     Attr-87 = "3/3 vlan-id 800 pppoe 11467"
> >     Medium_Type = 11
> >     Attr-2352-145 = "5c-7d-5e-3f-d0-f7" ==== MAC Address
> >     Attr-2352-98 = "3"
> >     Attr-2352-112 = "6.2.1.9"
> >     Acct-Session-Id = "0202FFFF68008FC9-515D8419"
> > 
> >  
> > Eric M
> > 
> > 
> > ________________________________
> >  From: Mulindwa <meric_l at yahoo.com>
> > To: Alan DeKok <aland at deployingradius.com>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
> > Sent: Thursday, April 4, 2013 4:58 PM
> > Subject: Re: MAC Address Auth
> >  
> > 
> > Thanks Alan,
> > 
> > Let me do so.
> > 
> >  
> > Eric M
> > 
> > 
> > ________________________________
> >  From: Alan DeKok <aland at deployingradius.com>
> > To: Mulindwa <meric_l at yahoo.com>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
> > Sent: Thursday, April 4, 2013 4:47 PM
> > Subject: Re: MAC Address Auth
> >  
> > Mulindwa wrote:
> > > Hi All,
> > > 
> > > Have been trying to authenticate my ADSL users using Mac Address Auth,
> > > however I have failed even after going through the documentation.
> > > 
> > > I want to authenticate with the highlighted, anyone done this and can help?
> > 
> >   It's been done.
> > 
> > > This is how the accounting file looks;
> > 
> >   If you're trying to debug authentication, it helps to look at
> > *authentication* traffic, and not *accounting* data.
> > 
> >   And run the server in debugging mode as suggested in the FAQ, "man"
> > page, web pages, and daily on this list.
> > 
> >   Honestly, there is NO excuse for refusing to do this.
> > 
> >   Alan DeKok.
> > 
> > 
> > 
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Phone: +49-721-8695-1506
Mobile: +49-151-15998774
e-Mail: matthias.h.nagel at gmail.com
ICQ: 499797758
Skype: nagmat84
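
The two corrections from the reply at the top of this thread, as a small added checker (an illustration, not part of the original mails and not FreeRADIUS code). The function names are hypothetical, the sample entries are shortened from the one quoted in the thread, and the username is written with "@" on the assumption that the archive rendered it as " at ".

```python
import re

# Names the thread gives for the Redback MAC attribute (vendor 2352, attribute 145).
MAC_ATTRS = {"Attr-2352-145", "Mac-Addr"}
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)')

def parse_entry(text):
    """Split one users-file entry into (user, check_items, reply_items)."""
    lines = [l for l in text.splitlines() if l.strip()]
    # First line: user name followed by check items; indented lines: reply items.
    user, _, rest = lines[0].strip().partition(" ")
    check = [m.groups() for m in ITEM.finditer(rest)]
    reply = [m.groups() for l in lines[1:] for m in ITEM.finditer(l)]
    return user, check, reply

def lint_entry(text):
    """Return findings for the mistakes pointed out in the reply."""
    _, check, reply = parse_entry(text)
    findings = []
    for name, _, _ in reply:
        if name in MAC_ATTRS:  # a reply item is sent back to the NAS, never compared
            findings.append(f"{name}: reply item; must be a check item on the first line")
    for name, op, _ in check:
        if name in MAC_ATTRS and op != "==":
            findings.append(f'{name}: check item uses "{op}"; use "=="')
        if name == "Password":
            findings.append('Password: use Cleartext-Password := "..." instead')
    return findings

# Constructed sample: the entry as quoted in the thread, shortened.
AS_POSTED = '''
user20001@ut3      Password = "006060", Simultaneous-Use = 1
        Attr-2352-145 = "5c-7d-5e-3f-d0-f7",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = 0
'''

# Constructed sample: both corrections applied (Mac-Addr assumes the dictionary is loaded).
CORRECTED = '''
user20001@ut3  Cleartext-Password := "006060", Simultaneous-Use = 1, Mac-Addr == "5c-7d-5e-3f-d0-f7"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = 0
'''

if __name__ == "__main__":
    for label, entry in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, lint_entry(entry) or "no findings")
```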


