Trouble Getting Mac-Auth to Work
jm+freeradiususer at roth.lu
Thu Feb 7 08:19:30 CET 2019
I'm wondering if setting the MAC address to all uppercase characters (toupper) will be fruitful when later you're matching against a regex only containing lowercase characters.
On February 6, 2019 10:58:40 PM GMT+01:00, Seth Turner <sturner at dutchmen.us> wrote:
>I'm new to FreeRadius, but have managed to get LDAP authentication working
>properly. Now I am trying to add in mac-auth as well for certain devices,
>but all devices are being rejected when they connect to the SSID regardless
>if the MAC is in the file. Based on what I am seeing, the calling-station-Id
>is being rewritten to the proper format, which matches what I have in the
>mac file, but RADIUS still rejects the connection. Can somebody help direct
>me as to what the issue may be?
>
>*NOTE: The end goal is actually to block certain MAC's from connecting to
>an SSID, which is why the file is called blocked_macs instead of
>authorized_mac like the documentation. I'm just trying to follow the guide
>for mac_auth atm before I try using it to restrict by MAC.*
>
>This is what I have under the Authorize section of default.conf.
>
>    preprocess
>
>    # If cleaning up the Calling-Station-Id...
>    rewrite_calling_station_id
>
>    # Now check against the blocked_macs file
>    blocked_macs
>
>    if (!ok) {
>        # No match was found, so reject
>        reject
>    }
>
>    else {
>        # The MAC address was found, so update Auth-Type
>        # to accept this auth.
>        update control {
>            Auth-Type := Accept
>        }
>    }
>
>
>This is what I get while running radiusd -X. Hopefully that is the proper
>logging needed for troubleshooting.
>
>(0) [preprocess] = ok
>(0) policy rewrite_calling_station_id {
>(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
>(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
>(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
>(0) update request {
>(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
>(0) --> 60-D8-19-D4-F0-83
>(0) &Calling-Station-Id := 60-D8-19-D4-F0-83
>(0) } # update request = noop
>(0) [updated] = updated
>(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
>(0) ... skipping else: Preceding "if" was taken
>(0) } # policy rewrite_calling_station_id = updated
>(0) blocked_macs: EXPAND %{Calling-Station-ID}
>(0) blocked_macs: --> 60-D8-19-D4-F0-83
>(0) [blocked_macs] = noop
>(0) if (!ok) {
>(0) if (!ok) -> TRUE
>(0) if (!ok) {
>(0) [reject] = reject
>(0) } # if (!ok) = reject
>(0) } # authorize = reject
>(0) Using Post-Auth-Type Reject
>
>--
>
>*Seth Turner*
>Gasconade County R-2 School District
>Network Manager
>OHS Hunting and Fishing Club Sponsor
>Phone (573)-437-2172
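An added troubleshooting sketch, not part of the thread or of FreeRADIUS: it applies the rewrite regex shown in the debug log to a Calling-Station-Id and compares the result with the keys of a MAC list file, reporting entries that denote the same MAC but are written in a different form. It assumes the file lookup is an exact, case-sensitive string comparison on the key; the function names and the sample file are constructed for illustration.

```python
import re

# Regex copied from the rewrite_calling_station_id policy in the debug log above.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

def rewrite_calling_station_id(value):
    """Mimic %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}; None if the regex fails."""
    m = MAC_RE.match(value.strip())
    return "-".join(m.groups()).upper() if m else None

def file_keys(text):
    """Keys of a users-style file: first token of each non-indented, non-comment line."""
    keys = []
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys

def audit(file_text, calling_station_id):
    """Return (lookup_key, exact_hit, near_misses).

    near_misses are file keys that normalise to the lookup key but are spelled
    differently, so an exact comparison (assumed here) would not match them.
    """
    key = rewrite_calling_station_id(calling_station_id)
    keys = file_keys(file_text)
    exact = key is not None and key in keys
    near = [k for k in keys
            if key is not None and k != key and rewrite_calling_station_id(k) == key]
    return key, exact, near

# Constructed sample file contents, not the poster's blocked_macs file.
SAMPLE_FILE = """\
# one entry in lowercase colon form, one in the rewritten form
60:d8:19:d4:f0:83
    Reply-Message = "listed"
AA-BB-CC-DD-EE-FF
"""

if __name__ == "__main__":
    key, exact, near = audit(SAMPLE_FILE, "60d8.19d4.f083")
    print("lookup key :", key)
    print("exact match:", exact)
    print("same MAC, different spelling:", near)
```

An empty near-miss list together with no exact hit means the MAC is simply absent from the file, which points away from a formatting mismatch.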