Trouble Getting Mac-Auth to Work

Seth Turner sturner at dutchmen.us
Thu Feb 7 20:41:19 CET 2019


Well you pointed me in the right direction. The issue was I had the MAC
entries in the blocked_macs file listed with lower case letters instead of
upper case. I'm now able to reject by MAC address. Now I just need to dig
deeper and tie in an SSID check.

On Thu, Feb 7, 2019 at 1:20 AM <jm+freeradiususer at roth.lu> wrote:

> I'm wondering if setting the MAC address to all uppercase characters
> (toupper) will be fruitful when later you're matching against a regex only
> containing lowercase characters.
>
> On February 6, 2019 10:58:40 PM GMT+01:00, Seth Turner <
> sturner at dutchmen.us> wrote:
> >I'm new to FreeRadius, but have managed to get LDAP authentication working
> >properly. Now I am trying to add in mac-auth as well for certain devices,
> >but all devices are being rejected when they connect to the SSID regardless
> >of whether the MAC is in the file. Based on what I am seeing, the
> >Calling-Station-Id is being rewritten to the proper format, which matches
> >what I have in the mac file, but RADIUS still rejects the connection. Can
> >somebody help direct me as to what the issue may be?
> >
> >NOTE: The end goal is actually to block certain MACs from connecting to
> >an SSID, which is why the file is called blocked_macs instead of
> >authorized_mac like the documentation. I'm just trying to follow the guide
> >for mac_auth atm before I try using it to restrict by MAC.
> >
> >This is what I have under the Authorize section of default.conf.
> >
> >        preprocess
> >
> >        # If cleaning up the Calling-Station-Id...
> >        rewrite_calling_station_id
> >
> >        # Now check against the blocked_macs file
> >        blocked_macs
> >
> >        if (!ok) {
> >                # No match was found, so reject
> >                reject
> >        }
> >        else {
> >                # The MAC address was found, so update Auth-Type
> >                # to accept this auth.
> >                update control {
> >                        Auth-Type := Accept
> >                }
> >        }
> >
> >This is what I get while running radiusd -X. Hopefully that is the proper
> >logging needed for troubleshooting.
> >
> >(0)     [preprocess] = ok
> >(0)     policy rewrite_calling_station_id {
> >(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> >(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
> >(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
> >(0)         update request {
> >(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> >(0)              --> 60-D8-19-D4-F0-83
> >(0)           &Calling-Station-Id := 60-D8-19-D4-F0-83
> >(0)         } # update request = noop
> >(0)         [updated] = updated
> >(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
> >(0)       ... skipping else: Preceding "if" was taken
> >(0)     } # policy rewrite_calling_station_id = updated
> >(0) blocked_macs: EXPAND %{Calling-Station-ID}
> >(0) blocked_macs:    --> 60-D8-19-D4-F0-83
> >(0)     [blocked_macs] = noop
> >(0)     if (!ok) {
> >(0)     if (!ok)  -> TRUE
> >(0)     if (!ok)  {
> >(0)       [reject] = reject
> >(0)     } # if (!ok)  = reject
> >(0)   } # authorize = reject
> >(0) Using Post-Auth-Type Reject
> >
> >--
> >Seth Turner
> >Gasconade County R-2 School District
> >Network Manager
> >OHS Hunting and Fishing Club Sponsor
> >Phone (573)-437-2172
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html

-- 
Seth Turner
Gasconade County R-2 School District
Network Manager
OHS Hunting and Fishing Club Sponsor
Phone (573)-437-2172
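The mismatch resolved in this thread (the rewrite_calling_station_id policy upper-cases the MAC, the file held lowercase entries, the files lookup is byte-for-byte) is easy to reproduce outside the server. The following is an added example, not code from the thread or from FreeRADIUS: a small Python model of the policy's regex and toupper expansion, a minimal parser for a users-style MAC file, and an audit that flags entries which can never match a normalized Calling-Station-Id. The file contents and MAC addresses are constructed for the example; `normalize_mac`, `parse_mac_file`, `exact_lookup` and `audit_mac_file` are hypothetical helper names, not FreeRADIUS functions.

```python
import re

# The regex from the rewrite_calling_station_id policy as it appears in the debug
# output above: six hex pairs with optional single-character separators, matched
# case-insensitively (the /i flag).
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample of a users-style MAC file (not the poster's blocked_macs file).
# Entry keys start at column 0; indented lines are reply attributes for the entry above.
BLOCKED_MACS_FILE = """\
# constructed sample, not a real file
60-d8-19-d4-f0-83
\tReply-Message := "blocked"
AA-BB-CC-DD-EE-FF
\tReply-Message := "blocked"
"""


def normalize_mac(value):
    """Model the policy: on a regex match, emit %{toupper:%{1}-%{2}-...-%{6}}.

    Returns None when the value does not look like a MAC, mirroring the policy's
    else branch, which leaves the attribute untouched.
    """
    m = MAC_RE.match(value)
    if not m:
        return None
    return "-".join(m.groups()).upper()


def parse_mac_file(text):
    """Return the entry keys of a users-style file: first token of each unindented,
    non-comment, non-blank line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            continue  # attribute line belonging to the previous entry
        entries.append(line.split()[0])
    return entries


def exact_lookup(mac, entries):
    """Byte-for-byte comparison, which is the behaviour the thread observed:
    an upper-cased request value does not match a lowercase file entry."""
    return mac in entries


def audit_mac_file(entries):
    """Flag file entries that can never match a normalized request value:
    either malformed (regex does not match) or not already in the canonical
    upper-case, dash-separated form the policy produces."""
    return [e for e in entries if normalize_mac(e) != e]


if __name__ == "__main__":
    entries = parse_mac_file(BLOCKED_MACS_FILE)
    request_mac = normalize_mac("60:d8:19:d4:f0:83")  # as sent by an access point
    print("normalized request:", request_mac)
    print("exact match in file:", exact_lookup(request_mac, entries))
    print("entries needing rewrite:", audit_mac_file(entries))
```

Running the audit against the real file before restarting the server catches the lowercase entries that caused every device to fall through to `reject` in the debug trace above; an entry is only useful if it is already in the exact form the policy writes back into Calling-Station-Id.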


More information about the Freeradius-Users mailing list