Getting Reject response from Server for MAC Auth
Victor Credidio
victorbreda1 at gmail.com
Wed Aug 15 13:59:05 CEST 2018
Hello masters!
I'm trying to use a freeradius server 3 (running on CentOS7) with my ruckus
AP (model R610).
I followed this wiki article, specifically these two topics below, to
configure it properly:
https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
https://wiki.freeradius.org/guide/mac-auth#additional-modifications_mac-auth-authorisation-by-ssid
I'm trying to log in to my WLAN with my phone. Its MAC is already in the
"authorized_macs" file (/etc/raddb/authorized_macs), and the server is
receiving its requests. I can see my phone's MAC Address, my AP MAC
Address, the AP SSID, and some other stuff.
Problem is, I still get rejected.
For more than three days I've been trying to make it work like that, but
still no progress, so I thought it was better to consult the experts.
Here's the output of the radiusd -X command. I put the line numbers so it
would be easier to locate or reference something. The first "reject" I get
is on line 72:
1 (0) Received Access-Request Id 47 from 10.85.0.222:40680 to
10.85.2.46:1812 length 197
2 (0) User-Name = "70-4d-7b-53-cb-38"
3 (0) User-Password = "70-4d-7b-53-cb-38"
4 (0) Calling-Station-Id = "70-4D-7B-53-CB-38"
5 (0) NAS-IP-Address = 10.85.0.222
6 (0) Called-Station-Id = "90-3A-72-65-47-AC:PMJG-AD-ACC"
7 (0) Service-Type = Framed-User
8 (0) NAS-Port-Type = Wireless-802.11
9 (0) NAS-Identifier = "90-3A-72-65-47-AC"
10 (0) Ruckus-SSID = "PMJG-AD-ACC"
11 (0) Message-Authenticator = 0x5d564ee23f2090acd3bc2002e4b8a23b
12 (0) # Executing section authorize from file
/etc/raddb/sites-enabled/default
13 (0) authorize {
14 (0) policy filter_username {
15 (0) if (&User-Name) {
16 (0) if (&User-Name) -> TRUE
17 (0) if (&User-Name) {
18 (0) if (&User-Name =~ / /) {
19 (0) if (&User-Name =~ / /) -> FALSE
20 (0) if (&User-Name =~ /@[^@]*@/ ) {
21 (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
22 (0) if (&User-Name =~ /\.\./ ) {
23 (0) if (&User-Name =~ /\.\./ ) -> FALSE
24 (0) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) {
25 (0) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
26 (0) if (&User-Name =~ /\.$/) {
27 (0) if (&User-Name =~ /\.$/) -> FALSE
28 (0) if (&User-Name =~ /@\./) {
29 (0) if (&User-Name =~ /@\./) -> FALSE
30 (0) } # if (&User-Name) = notfound
31 (0) } # policy filter_username = notfound
32 (0) policy rewrite_called_station_id {
33 (0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
34 (0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
35 (0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
36 (0) update request {
37 (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
38 (0) --> 90-3A-72-65-47-AC
39 (0) &Called-Station-Id := 90-3A-72-65-47-AC
40 (0) } # update request = noop
41 (0) if ("%{8}") {
42 (0) EXPAND %{8}
43 (0) --> PMJG-AD-ACC
44 (0) if ("%{8}") -> TRUE
45 (0) if ("%{8}") {
46 (0) update request {
47 (0) EXPAND %{8}
48 (0) --> PMJG-AD-ACC
49 (0) &Called-Station-SSID := PMJG-AD-ACC
50 (0) } # update request = noop
51 (0) } # if ("%{8}") = noop
52 (0) [updated] = updated
53 (0) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
54 (0) ... skipping else: Preceding "if" was taken
55 (0) } # policy rewrite_called_station_id = updated
56 (0) policy rewrite_calling_station_id {
57 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
58 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
59 (0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
60 (0) update request {
61 (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
62 (0) --> 70-4D-7B-53-CB-38
63 (0) &Calling-Station-Id := 70-4D-7B-53-CB-38
64 (0) } # update request = noop
65 (0) [updated] = updated
66 (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
67 (0) ... skipping else: Preceding "if" was taken
68 (0) } # policy rewrite_calling_station_id = updated
69 (0) if (!ok) {
70 (0) if (!ok) -> TRUE
71 (0) if (!ok) {
72 (0) [reject] = reject
73 (0) } # if (!ok) = reject
74 (0) } # authorize = reject
75 (0) Using Post-Auth-Type Reject
76 (0) # Executing group from file /etc/raddb/sites-enabled/default
77 (0) Post-Auth-Type REJECT {
78 (0) attr_filter.access_reject: EXPAND %{User-Name}
79 (0) attr_filter.access_reject: --> 70-4d-7b-53-cb-38
80 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
81 (0) [attr_filter.access_reject] = updated
82 (0) [eap] = noop
83 (0) policy remove_reply_message_if_eap {
84 (0) if (&reply:EAP-Message && &reply:Reply-Message) {
85 (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
86 (0) else {
87 (0) [noop] = noop
88 (0) } # else = noop
89 (0) } # policy remove_reply_message_if_eap = noop
90 (0) } # Post-Auth-Type REJECT = updated
91 (0) Delaying response for 1.000000 seconds
92 Waking up in 0.3 seconds.
93 Waking up in 0.6 seconds.
94 (0) Sending delayed response
95 (0) Sent Access-Reject Id 47 from 10.85.2.46:1812 to
10.85.0.222:40680 length 20
96 Waking up in 3.9 seconds.
97 (0) Cleaning up request packet ID 47 with timestamp +11
Greetings,
--
Victor B. C.
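As an added example (not from the post and not FreeRADIUS code), a small Python parser for the radiusd -X trace format shown above: it lists the top-level steps of the authorize section with the return code each produced, and reports which step's code was in effect when the `if (!ok)` check ran. The sample trace is constructed from the poster's output with the hand-added line numbers dropped; the function names are my own.

```python
# Added example (not from the post): summarise a radiusd -X authorize section.
import re

# Constructed sample: the authorize section of the poster's trace, abbreviated,
# in the form radiusd -X prints it (no hand-added line numbers).
SAMPLE_TRACE = """\
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       } # if (&User-Name) = notfound
(0)     } # policy filter_username = notfound
(0)     policy rewrite_called_station_id {
(0)     } # policy rewrite_called_station_id = updated
(0)     policy rewrite_calling_station_id {
(0)     } # policy rewrite_calling_station_id = updated
(0)     if (!ok) {
(0)       [reject] = reject
(0)     } # if (!ok) = reject
(0)   } # authorize = reject
"""

OPEN_RE = re.compile(r"^\(\d+\)\s+(.*?)\s*\{$")                    # "policy x {"
CLOSE_RE = re.compile(r"^\(\d+\)\s+\}\s+#\s+(.*?)\s+=\s+(\w+)$")   # "} # policy x = rc"
MODULE_RE = re.compile(r"^\(\d+\)\s+\[(\S+)\]\s+=\s+(\w+)$")       # "[module] = rc"

def authorize_steps(trace):
    """Return [(step, rc), ...] for the top-level steps of the authorize section."""
    steps, depth, inside = [], 0, False
    for line in map(str.rstrip, trace.splitlines()):
        if m := OPEN_RE.match(line):
            if not inside:
                inside = m.group(1) == "authorize"   # the section itself stays at depth 0
            else:
                depth += 1
        elif m := CLOSE_RE.match(line):
            if not inside: continue
            if depth == 0: break                      # "} # authorize = rc": section done
            depth -= 1
            if depth == 0: steps.append(m.groups())   # (step name, return code)
        elif (m := MODULE_RE.match(line)) and inside and depth == 0:
            steps.append(m.groups())                  # bare module call, e.g. "[files] = ok"
    return steps

def rc_seen_by_not_ok(steps):
    """(step, rc) right before the first 'if (!ok)', or None. Simplification: unlang
    merges codes by priority, so read the full trace if earlier steps returned ok."""
    for i, (name, _) in enumerate(steps):
        if name == "if (!ok)":
            return steps[i - 1] if i else None
    return None
```

On the sample this shows that no module call (such as a files instance looking up the MAC) appears between the rewrite policies and `if (!ok)`, so the check only ever saw `updated`.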