Trouble Getting Mac-Auth to Work

Seth Turner sturner at dutchmen.us
Wed Feb 6 22:58:40 CET 2019


I'm new to FreeRADIUS, but have managed to get LDAP authentication working
properly. Now I am trying to add in mac-auth as well for certain devices,
but all devices are being rejected when they connect to the SSID, regardless
of whether the MAC is in the file. Based on what I am seeing, the
Calling-Station-Id is being rewritten to the proper format, which matches
what I have in the mac file, but RADIUS still rejects the connection. Can
somebody help direct me as to what the issue may be?

NOTE: The end goal is actually to block certain MACs from connecting to
an SSID, which is why the file is called blocked_macs instead of
authorized_mac like the documentation. I'm just trying to follow the guide
for mac_auth atm before I try using it to restrict by MAC.

This is what I have under the Authorize section of default.conf.

        preprocess

        # If cleaning up the Calling-Station-Id...
        rewrite_calling_station_id

        # Now check against the blocked_macs file
        blocked_macs

        if (!ok) {
                # No match was found, so reject
                reject
        }
        else {
                # The MAC address was found, so update Auth-Type
                # to accept this auth.
                update control {
                        Auth-Type := Accept
                }
        }


This is what I get while running radiusd -X. Hopefully that is the proper
logging needed for troubleshooting.

(0)     [preprocess] = ok
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 60-D8-19-D4-F0-83
(0)           &Calling-Station-Id := 60-D8-19-D4-F0-83
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_calling_station_id = updated
(0) blocked_macs: EXPAND %{Calling-Station-ID}
(0) blocked_macs:    --> 60-D8-19-D4-F0-83
(0)     [blocked_macs] = noop
(0)     if (!ok) {
(0)     if (!ok)  -> TRUE
(0)     if (!ok)  {
(0)       [reject] = reject
(0)     } # if (!ok)  = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject






-- 

Seth Turner
Gasconade County R-2 School District
Network Manager
OHS Hunting and Fishing Club Sponsor
Phone (573)-437-2172
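
Added example, not part of the original post: a small Python check that applies the regex from the rewrite_calling_station_id debug output above and compares the resulting key with the entry names of a users-style file, separating a missing entry from one stored in a different MAC format. The file layout (entry name as the first token of an unindented line), the sample entries and the function names are assumptions; it models exact key comparison only and ignores DEFAULT entries and check items.

```python
import re

# Same pattern as the rewrite_calling_station_id policy in the debug output above.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample file contents (assumed users-style layout), not the poster's file.
SAMPLE_FILE = """\
# entry name at column 0, indented lines belong to the entry above
60-D8-19-D4-F0-83
        Reply-Message = "Device found"

60:d8:19:d4:f0:84
        Reply-Message = "Device found"
"""

def rewrite_calling_station_id(value):
    """Mirror the policy: upper-case XX-XX-XX-XX-XX-XX, or None if not a MAC."""
    m = MAC_RE.match(value)
    return "-".join(m.groups()).upper() if m else None

def file_keys(text):
    """Entry names: first token of every unindented, non-comment line."""
    return [line.split()[0] for line in text.splitlines()
            if line and line[0] not in " \t#"]

def check(calling_station_id, file_text):
    """Return (lookup_key, verdict, near_misses) for one Calling-Station-Id."""
    key = rewrite_calling_station_id(calling_station_id)
    if key is None:
        return None, "not-a-mac", []
    keys = file_keys(file_text)
    if key in keys:
        return key, "match", []
    # Same address once normalised, but stored in a form the exact lookup misses.
    near = [k for k in keys if rewrite_calling_station_id(k) == key]
    return key, ("format-mismatch" if near else "absent"), near

if __name__ == "__main__":
    for raw in ("60:d8:19:d4:f0:83", "60d8.19d4.f084", "60-D8-19-D4-F0-85"):
        print(raw, "->", check(raw, SAMPLE_FILE))
```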

