Reject Mac Address

Khapare Joshi khapare77 at gmail.com
Fri Mar 14 16:37:02 CET 2014


Hi Alan,

Thank you so much for this, this works. Here is what I did in the
configuration; perhaps others will benefit as well.

1) created rejectmac.conf
     added content:
     passwd rejectmac {
        filename = /etc/raddb/rejectmacaddress.txt
        delimiter = ,
        format = "*Calling-Station-Id"
     }
2) created file rejectmacaddress.txt
     included macaddress as seen in Calling-Station-Id
3) added line in radiusd.conf
      $INCLUDE rejectmac.conf
4) in /etc/raddb/sites-enabled/default authorize section I added:
          rejectmac
                if (ok) {
                        reject
                }

This seems to work.

Here is the output :

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[rejectmac] returns ok
++? if (ok)
? Evaluating (ok) -> TRUE
++? if (ok) -> TRUE
++- entering if (ok) {...}
+++[reject] returns reject
++- if (ok) returns reject
Invalid user: [test at test.com] (from client mytesthost port 487 cli
0021.5c5b.8ef3)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test at test.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 28 to 192.168.1.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 28 with timestamp +165
Ready to process requests



Maybe a good idea would be to log the reject message (the reason for the
reject, i.e. hacked MAC address) in the radius.log

Have a good weekend.

Regards,
K





On Wed, Mar 12, 2014 at 2:38 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Khapare Joshi wrote:
> > I have list of MAC address which I want to reject. So the question is
> > how do I tell freeradius server  to the file rejectmacaddres.txt file
> > which has banned mac addresses ?
>
>   See "man rlm_passwd".  It can be configured to read data from a text
> file.
>
>   You probably want something like:
>
> passwd rejectmac {
>         filename = ${confdir}/rejectmacaddress.txt
>         delimiter = ,
>         format = "*Calling-Station-Id"
> }
>
>   Which looks up the Calling-Station-Id in the file.  The contents of
> the file MUST be MAC addresses in the SAME format as you see in the
> Calling-Station-ID attribute when you read "radiusd -X".
>
>   Then in the "authorize" section, do:
>
> authorize {
>         ...
>
>         rejectmac
>         if (ok) {
>                 reject
>         }
>         ...
>
> }
>
>   That says "look up the Calling-Station-Id in the file.  If it's found,
> reject the user".
>
>   Alan DeKok.
>
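Added example, not part of the original thread: the reply above stresses that entries in the file must be in the same format as the Calling-Station-Id shown by "radiusd -X". This Python sketch takes one observed Calling-Station-Id as a template and rewrites a ban list into that format. The function names, the one-entry-per-line layout, treating letter case as part of the format, and the sample addresses other than the one in the debug output are assumptions.

```python
import re

HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")

def parse_template(sample):
    """Derive (group_size, separator, uppercase) from an observed Calling-Station-Id."""
    seps = {c for c in sample if c in ".:-"}
    if len(seps) > 1:
        raise ValueError(f"mixed separators in {sample!r}")
    sep = seps.pop() if seps else ""
    groups = sample.split(sep) if sep else [sample]
    sizes = {len(g) for g in groups}
    if len(sizes) != 1 or not HEX12.match("".join(groups)):
        raise ValueError(f"not a recognisable MAC format: {sample!r}")
    letters = [c for c in sample if c.isalpha()]
    # A sample with no hex letters cannot reveal the case; default to lowercase.
    upper = bool(letters) and all(c.isupper() for c in letters)
    return sizes.pop(), sep, upper

def render(mac, template):
    """Rewrite one MAC address, in any common notation, into the template format."""
    size, sep, upper = template
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return sep.join(digits[i:i + size] for i in range(0, 12, size))

def build_ban_file(macs, observed):
    """Return file contents: one normalised MAC per line, duplicates dropped."""
    template = parse_template(observed)
    seen, lines = set(), []
    for mac in macs:
        entry = render(mac, template)
        if entry not in seen:
            seen.add(entry)
            lines.append(entry)
    return "\n".join(lines) + "\n"

# Format observed in the debug output above ("cli 0021.5c5b.8ef3").
OBSERVED = "0021.5c5b.8ef3"
# Constructed ban list in mixed notations, as it might arrive from an inventory.
SAMPLE_BANNED = ["00:21:5C:5B:8E:F3", "00-11-22-AA-BB-CC", "0021.5c5b.8ef3"]

if __name__ == "__main__":
    print(build_ban_file(SAMPLE_BANNED, OBSERVED), end="")
```

An address that cannot be parsed raises ValueError rather than being written out, so a malformed entry cannot silently fail to match.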