BYOD and base on MAC

Luc Paulin paulinster at gmail.com
Wed Jan 31 21:41:24 CET 2018


Sorry if the file's format isn't correct, but unless I misunderstood the
documentation, I followed what's on the following URL:
https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth_raddb-authorized_macs

Here's the authorized_macs module section (the rlm_files instance that does the MAC lookup):

[root at radius-corp-01_{{PROD}} raddb]# cat
mods-enabled/stingray-authorize-mac
# rlm_files instance that looks up the calling device's MAC address in a
# "users"-format file.  In the debug output in this thread it returns noop
# when no entry matches; the post-auth policy's "if (!ok)" test relies on it
# returning ok when an entry does match.
files authorized_macs {
        # The key attribute to use for matches.  Its expanded value is
        # compared against the "name" (first field) of each entry in the
        # usersfile.  Calling-Station-Id is supplied by the NAS from the
        # MAC the client presented, which the client controls -- a match
        # here proves only that the MAC was presented, not that the device
        # is the one expected (the thread already notes MACs are easily
        # spoofed; use the result for VLAN placement, not as authentication).
        key = "%{Calling-Station-ID}"

        # Entry names must be written in exactly the form the key expands
        # to.  The rewrite_calling_station_id policy runs first and
        # normalises the value to upper-case, dash-separated form
        # (e.g. 18-65-90-CB-4C-69), so entries must use that form.
        usersfile = ${confdir}/authorized_macs

        #  If you want to use the old Cistron 'users' file
        #  with FreeRADIUS, you should change the next line
        #  to 'compat = cistron'.  You can then copy your 'users'
        #  file from Cistron.
        #compat = no
}

And this is the content of the authorized_macs file, listing the MAC address that should be authorized:

[root at radius-corp-01_{{PROD}} raddb]# cat authorized_macs
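# authorized_macs: one entry per permitted device, in rlm_files "users"
# format.  The first line of an entry is the key (the MAC as
# rewrite_calling_station_id normalises it: upper-case, dash-separated)
# plus any check items; reply items go on the following line(s) and must be
# indented with a tab or spaces, because an unindented line starts a new
# entry.  The copy pasted into this thread shows Reply-Message unindented
# and wrapped across two lines -- if the on-disk file really looks like
# that it is not in the documented format, though mail clients commonly
# strip leading whitespace, so confirm against the actual file.
# Matching on MAC alone only proves the MAC was presented (it is easily
# spoofed); use it for VLAN placement, not as authentication.
18-65-90-CB-4C-69
	Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"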


And here is the debug output, starting from the rewrite_calling_station_id section (note: the MS-MPPE-Recv-Key / MS-MPPE-Send-Key values in the Access-Accept below are the keying material handed to the NAS for that EAP session -- redact them before posting debug output publicly):
(9)     policy rewrite_calling_station_id {
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(9)         update request {
(9)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9)              --> 18-65-90-CB-4C-69
(9)           &Calling-Station-Id := 18-65-90-CB-4C-69
(9)         } # update request = noop
(9)         [updated] = updated
(9)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(9)       ... skipping else: Preceding "if" was taken
(9)     } # policy rewrite_calling_station_id = updated
(9) authorized_macs: EXPAND %{Calling-Station-ID}
(9) authorized_macs:    --> 18-65-90-CB-4C-69
(9)     [authorized_macs] = noop
(9)     if (!ok) {
(9)     if (!ok)  -> TRUE
(9)     if (!ok)  {
(9)       update reply {
(9)         Tunnel-Type := VLAN
(9)         Tunnel-Medium-Type := IEEE-802
(9)         Tunnel-Private-Group-Id := 155
(9)       } # update reply = noop
(9)     } # if (!ok)  = noop
(9)     ... skipping else: Preceding "if" was taken
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = updated
(9) Login OK: [lpaulin] (from client clx3-fw-1 port 1 cli 18-65-90-CB-4C-69)
(9) Sent Access-Accept Id 113 from 10.250.33.157:1812 to 10.1.0.81:1507
length 0
(9)   MS-MPPE-Recv-Key =
0x6348f6c554161e58e38f723fb920ebdc99ddc48c18fcb74796f63d1eeb881f82
(9)   MS-MPPE-Send-Key =
0x2f4ad046e69da27b4afe756aedd922a65e0ec1095ed728e70f315a77f7c3c788
(9)   EAP-Message = 0x03790004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "lpaulin"
(9)   Tunnel-Type := VLAN
(9)   Tunnel-Private-Group-Id := "155"
(9)   Tunnel-Medium-Type := IEEE-802
(9)   Idle-Timeout := 60
(9)   Session-Timeout := 60
(9)   Termination-Action := RADIUS-Request
(9)   Juniper-Local-User-Name := "SU"
(9)   Juniper-Junosspace-Profile := "devops_users"
(9) Finished request


--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2018-01-31 15:22 GMT-05:00 Alan DeKok <aland at deployingradius.com>:

> On Jan 31, 2018, at 3:16 PM, Luc Paulin <paulinster at gmail.com> wrote:
> >
> > Great thanks Alan, I agree that a MAC can be easily spoofed, but the goal
> > here is mainly to move the user's device to another VLAN than corp, not
> > to do authentication. We may eventually move to EAP-TLS, but this is at
> > least a first step.
> >
> > Yes, I checked the format and it's exactly the same ... Here's the output of
> > the debug section for authorized_macs.
> >
> > =======
> > <------ LINES BEFORE REWRITE_CALLING_STATION_ID REMOVED --->
>
>   Including deleting the "authorized_mac" config...
> >
> > And here's the authorized_macs file content
> > [root at radius-corp-01_{{PROD}} raddb]# cat authorized_macs
> > 18-65-90-CB-4C-69
> > Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized
> > for network access"
>
>   What the heck is that?
>
>   You can't just invent a configuration file format and use it.  You MUST
> read the docs.
>
>   So.. what is the "authorized_macs" module?  How did you configure it?
> Why do you think that putting random things into it will make it do what
> you want?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

