problem using eap-tls and calling-station-id with postgresql
Alan DeKok
aland at deployingradius.com
Thu Sep 25 14:54:03 CEST 2014
Bode Benjamin wrote:
> we got freeradius working and are using only eap-tls. Now we are trying
> to check if the user's MAC address is the right one.
> Each user gets one public IP address (via DHCP); to assure that they
> don't do MAC spoofing we need this feature.
That's pretty standard.
> Right now our problem is, when using eap-tls, the sql module doesn't seem
> to check the calling-station-id in the radcheck table against the
> calling-station-id in the request.
Please read doc/rlm_sql, or the same file on the Wiki. Simply
*checking* for a Calling-Station-Id does nothing. You have to tell the
server what to *do*, also.
The SQL module doesn't return reject if the entry doesn't match.
Another module may authenticate the user, and therefore accept them.
> When trying the same thing with the user blub (and using an incorrect
> MAC) sql returns user notfound (that is what we want) and the request
> gets rejected.
> So it doesn't seem to be a problem with our NAS.
The server is the one sending Access-Accept or Access-Reject. So to
change the return packet type, change the server. The NAS has nothing
to do with it.
> Any idea why this is not working with eap-tls?
> What have we done wrong?
You're not telling the server to *reject* the user when the
Calling-Station-Id fails to match.
> Our tables are:
> radcheck
>  id | username | attribute          | op | value
> ----+----------+--------------------+----+-------------------
>   1 | laptop   | Auth-Type          | := | EAP
>   2 | RAT      | Auth-Type          | := | EAP
There's no need to set Auth-Type. And in 99% of situations, it's wrong.
>   3 | laptop   | Calling-Station-Id | == | aa-bb-cc-dd-ee-ff
Read the rlm_sql docs. The "laptop" entries say:
if Calling-Station-Id == aa-bb-cc-dd-ee-ff
then set Auth-Type := EAP
That doesn't match, but the user isn't rejected. (For good reasons).
The EAP module *also* sets Auth-Type := EAP, so EAP-TLS ends up working.
You have to update the tables to do what you want. The problem here
is you're thinking "check Calling-Station-Id in the table against the
one in the request". Yes, it's doing that. Exactly that. But you want
it to do *more*.
What you want is the following:
if the calling station Id DOESN'T match, reject.
Which should be simple enough to do:
 id | username | attribute          | op | value
----+----------+--------------------+----+-------------------
  1 | laptop   | Auth-Type          | := | Reject
  3 | laptop   | Calling-Station-Id | != | aa-bb-cc-dd-ee-ff
Forcing a Reject is about the only time you need to set Auth-Type.
Alan DeKok.
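The following is an added example, not part of the thread above and not FreeRADIUS code. It is a small Python model of how the server evaluates the radcheck rows discussed in the reply, using the check-item rules from the rlm_sql and users-file documentation: every "==" / "!=" row for a user must match before that user's ":=" rows are applied, a ":=" row never fails the match, and an attribute that is absent from the request fails both "==" and "!=". The eap module is modelled as setting Auth-Type := EAP only when nothing has set it already. The function names (`sql_authorize`, `eap_authorize`, `authorize`) and the constructed requests are this example's own; the two tables are the ones quoted in the thread.

```python
# Added example (not from the original post or from FreeRADIUS): a model of
# check-item evaluation for the two radcheck tables in the thread.
# Assumed semantics (from the rlm_sql / users-file docs):
#   ":="  control item, never fails the match, applied only if all checks pass
#   "=="  matches if the attribute is present in the request AND equal
#   "!="  matches if the attribute is present in the request AND different
# Names such as authorize(), ACCEPT and REJECT are this example's own.

# radcheck rows as (username, attribute, op, value), copied from the thread.
ORIGINAL_RADCHECK = [
    ("laptop", "Auth-Type", ":=", "EAP"),
    ("laptop", "Calling-Station-Id", "==", "aa-bb-cc-dd-ee-ff"),
]
FIXED_RADCHECK = [
    ("laptop", "Auth-Type", ":=", "Reject"),
    ("laptop", "Calling-Station-Id", "!=", "aa-bb-cc-dd-ee-ff"),
]

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


def sql_authorize(radcheck, request):
    """Model of the sql module in authorize: returns (found, control), where
    control holds the ':=' items and is only applied if every check matched."""
    rows = [r for r in radcheck if r[0] == request["User-Name"]]
    if not rows:
        return False, {}                   # "user notfound"
    control = {}
    for _, attr, op, value in rows:
        if op == ":=":
            control[attr] = value          # control item, never fails the match
            continue
        sent = request.get(attr)
        if sent is None:                   # absent attribute: no match for == or !=
            return False, {}
        if op == "==" and sent != value:   # exact string compare, no normalisation
            return False, {}
        if op == "!=" and sent == value:
            return False, {}
    return True, control


def eap_authorize(control):
    """Model of the eap module in authorize: sets Auth-Type := EAP only when
    nothing earlier in the section (e.g. a Reject from sql) set it already."""
    control.setdefault("Auth-Type", "EAP")
    return control


def authorize(radcheck, request, tls_ok=True):
    """Run the modelled 'sql' then 'eap' modules and return the reply type.
    tls_ok stands in for the outcome of the EAP-TLS handshake itself."""
    found, control = sql_authorize(radcheck, request)
    control = eap_authorize(control if found else {})
    if control["Auth-Type"] == "Reject":
        return REJECT
    return ACCEPT if tls_ok else REJECT


if __name__ == "__main__":
    # Constructed requests: right MAC, wrong MAC, and a NAS sending no MAC.
    good = {"User-Name": "laptop", "Calling-Station-Id": "aa-bb-cc-dd-ee-ff"}
    bad = {"User-Name": "laptop", "Calling-Station-Id": "11-22-33-44-55-66"}
    none = {"User-Name": "laptop"}
    for name, table in (("original", ORIGINAL_RADCHECK), ("fixed", FIXED_RADCHECK)):
        for label, req in (("right MAC", good), ("wrong MAC", bad), ("no MAC", none)):
            print(f"{name:8} {label:9} -> {authorize(table, req)}")
```

Running it shows the point of the reply: with the original table a wrong MAC still gets Access-Accept, because sql simply returns notfound and eap sets Auth-Type := EAP on its own; with the "!=" table the same request hits Auth-Type := Reject. Two caveats fall out of the modelled rules as well: the comparison is an exact string match, so the stored value must use the same MAC format the NAS actually sends, and a request with no Calling-Station-Id at all matches neither "==" nor "!=", so the "!=" row does not reject it; if the NAS can omit the attribute, that case needs its own handling.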