Allow all MAC address

Alan DeKok aland at deployingradius.com
Wed Oct 19 13:55:38 UTC 2022


On Oct 19, 2022, at 9:48 AM, Pascal Legrand <pascal.legrand at univ-orleans.fr> wrote:
> I use freeradius to limit the access to our network by filtering MAC addresses:
> XXXXXXXXXXXX Cleartext-Password := "XXXXXXXXXXXX", Machine-Name := "COMPUTER_1"

  OK.

> When we receive new computers, we use the FOG software to deploy a clean image on all new computers.
> The problem is that we have not yet set up Freeradius to allow these new computers to access our network.
> My question is the following: is it possible to authorize punctually all MAC addresses to access the network while we recover them to configure Freeradius?

  Yes.

> The idea would be to add a line like:
> ALL_MAC_ADDRESS Cleartext-Password := "ALL_MAC_ADDRESS", Machine-Name := "NEW_MACHINE"
> Does Freeradius allow regular expressions in its configuration file?

  The documentation for the "files" module says how it works.  It doesn't support regular expressions here.

  But "unlang" does.

> If yes, what should be the form of this regular expression?

  We don't document how regular expressions work.  There is a lot of documentation elsewhere on the net for that.

  What you can do in FreeRADIUS is something like this:

authorize {
	#  ...
	files
	if (notfound) {
		#
		#  All MAC auth has this
		#
		if (User-Name != User-Password) {
			reject
		}

		#
		#  Check the *format* of MAC auth
		#
		if (User-Name !~ /stuff/) {
			reject
		}

		#  ... else it's an actual MAC auth, do something
	}
}

  The "stuff" in the regular expression line is what you'll have to write.  We can't really advise how to do that here, as (a) different vendors have randomly different formats for MAC auth, and (b) regular expressions are well documented in many places all over the net.

  Alan DEKok.
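
Added example (not part of the original message, and not FreeRADIUS code): a small Python harness for trying out candidate patterns for the "stuff" regular expression against sample requests before one goes into unlang. The four MAC formats and the sample values are assumptions constructed for illustration; check what your NAS actually sends.

```python
import re

# Assumed MAC-auth User-Name formats (illustrative only).
# Every pattern is anchored with ^...$ so the *whole* User-Name must be a
# MAC address; an unanchored pattern would also accept longer names that
# merely contain twelve hex digits.
MAC_FORMATS = {
    "plain":  r"^[0-9a-f]{12}$",
    "colon":  r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$",
    "hyphen": r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$",
    "dotted": r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$",
}
COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in MAC_FORMATS.items()}


def mac_format(user_name):
    """Return the name of the format user_name matches, or None."""
    for name, pattern in COMPILED.items():
        # fullmatch also refuses a trailing newline, which "$" alone allows
        if pattern.fullmatch(user_name):
            return name
    return None


def decide(user_name, user_password):
    """Mirror the two checks from the reply for a user 'files' did not find."""
    if user_name != user_password:
        return "reject"      # MAC auth sends the MAC in both attributes
    if mac_format(user_name) is None:
        return "reject"      # not in any accepted MAC format
    return "mac-auth"        # an actual MAC auth: apply the temporary policy


# Constructed sample requests: (User-Name, User-Password)
SAMPLES = [
    ("aabbccddeeff", "aabbccddeeff"),
    ("AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:FF"),
    ("aabb.ccdd.eeff", "aabb.ccdd.eeff"),
    ("alice", "alice"),                      # name == password, but not a MAC
    ("aabbccddeeff", "secret"),              # MAC-shaped name, real password
    ("xaabbccddeeffx", "xaabbccddeeffx"),    # contains a MAC, is not one
]

if __name__ == "__main__":
    for name, password in SAMPLES:
        print(f"{name!r:24} -> {decide(name, password)}")
```
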


