MAC authentication with freeradius

Alan DeKok aland at deployingradius.com
Tue Nov 3 15:17:28 CET 2015


On Nov 3, 2015, at 9:04 AM, Daniel Lopez <danilogo1991 at gmail.com> wrote:
> 
> Hi, I'm using free radius 2.1.12

  Ugh.  Upgrade.

> with mysql module (freeradius-mysql) I want
> to authenticate users by MAC address, so in radcheck table I set the
> attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user
> can't authenticate, when I delete this row, user can authenticate
> perfectly, so it seems this is not the way I should configure server to
> perform MAC authentication. Could somebody help me with this?

  Reading the debug output usually helps.

> [this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX]:
> 
> rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158,
> length=158
>        User-Name = "dprueba"
>        NAS-IP-Address = 192.168.0.1
>        NAS-Port = 0
>        Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
>        Calling-Station-Id = "10-68-3F-82-42-16"
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        Connect-Info = "CONNECT 0Mbps 802.11"
>        EAP-Message = 0x0200000c0164707275656261
>        Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a

  That is the OUTER authentication session.

...
> [sql]   expand: SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
> id -> SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = 'dprueba'           ORDER BY id
> [sql] User found in radcheck table

  Which is clear.  The server prints out these SQL queries so you can check them for yourself.

  ... and lots of debug output later, we have the INNER session

> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
>        EAP-Message = 0x0206000c0164707275656261
> server  {
> [peap] Setting User-Name to dprueba
> Sending tunneled request
>        EAP-Message = 0x0206000c0164707275656261
>        FreeRADIUS-Proxied-To = 127.0.0.1
>        User-Name = "dprueba"

  Note: No Calling-Station-Id.

  Please *read* raddb/eap.conf.  Look for "copy_request_to_tunnel".

  This is documented.

> server inner-tunnel {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> ...
> [sql]   expand: SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
> id -> SELECT id, username, attribute, value, op           FROM
> radcheck           WHERE username = 'dprueba'           ORDER BY id

  And note there's no "user found in radcheck" message.

  Because there's no Calling-Station-Id attribute in the inner tunnel.

  Alan DeKok.
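An added illustration, not code from the post or from FreeRADIUS: a small Python model of how a check item such as the radcheck row `Calling-Station-Id == "10-68-3F-82-42-16"` fares against the outer request versus the PEAP inner-tunnel request, with and without `copy_request_to_tunnel`. The attribute values are taken from the debug output above; the matching rules (a `==` check item fails when the attribute is absent) and the MAC normalisation are simplified assumptions about the server's behaviour.

```python
import re

def normalize_mac(value):
    """NAS vendors format the MAC as '10-68-3F-..', '10:68:3f:..' or
    '10683f..'; compare on lower-case hex digits only (assumed normalisation)."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def check_items_pass(request, check_items):
    """Simplified model of check-item evaluation (not FreeRADIUS code).
    For the '==' operator an attribute that is ABSENT from the request
    fails the check, which is exactly what happens in the inner tunnel."""
    for attr, op, value in check_items:
        if op != "==":
            raise ValueError("only the '==' operator is modelled here")
        if attr not in request:
            return False
        left, right = request[attr], value
        if attr == "Calling-Station-Id":
            left, right = normalize_mac(left), normalize_mac(right)
        if left != right:
            return False
    return True

def build_inner_request(outer, copy_request_to_tunnel):
    """Model of what the inner-tunnel virtual server sees: by default only
    the tunnelled EAP identity arrives; with copy_request_to_tunnel = yes
    the outer request attributes are copied in as well (assumed model)."""
    inner = {"User-Name": outer["User-Name"],
             "FreeRADIUS-Proxied-To": "127.0.0.1"}
    if copy_request_to_tunnel:
        for attr, value in outer.items():
            inner.setdefault(attr, value)
    return inner

# Constructed from the Access-Request shown in the debug output.
OUTER_REQUEST = {
    "User-Name": "dprueba",
    "NAS-IP-Address": "192.168.0.1",
    "Called-Station-Id": "E8-DE-27-F7-83-A4:cdebiles.eti",
    "Calling-Station-Id": "10-68-3F-82-42-16",
    "NAS-Port-Type": "Wireless-802.11",
}
RADCHECK_ROWS = [("Calling-Station-Id", "==", "10-68-3F-82-42-16")]

def outcome(copy_request_to_tunnel):
    """Return (outer check passed, inner-tunnel check passed)."""
    inner = build_inner_request(OUTER_REQUEST, copy_request_to_tunnel)
    return (check_items_pass(OUTER_REQUEST, RADCHECK_ROWS),
            check_items_pass(inner, RADCHECK_ROWS))
```

`outcome(False)` reproduces the post's failure (outer passes, inner fails); `outcome(True)` shows both passing once the attribute is copied into the tunnel.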
