check user device mac address without doing mac-auth

Eby Mani eby_km at yahoo.com
Mon Apr 3 17:10:03 UTC 2023


 >> testing Password := "password", Calling-Station-Id := "0cf346e648f3
>I'm pretty sure that won't do what you want, I suggest reading the documentation to see how the operators work in the "users" file.

My bad, have used "==" operator with "users" file.

The following in radcheck is working. Is it possible to add multiple mac-addr values? I tried adding a 3rd row with a different mac-addr; it did not work.
+----+--------------+--------------------+----+--------------+
| id | username     | attribute          | op | value        |
+----+--------------+--------------------+----+--------------+
|  1 | testing      | Cleartext-Password | := | password     |
|  2 | testing      | Calling-Station-Id | == | 1002b52c096b |
+----+--------------+--------------------+----+--------------+

> What you want is a policy which says:
>
> if user is X and MAC is not Y
> reject

Where to add this query?

In sites-enabled/default, under the authenticate {} or authorize {} section, or somewhere else?

I have created a new mac-address table for this, mapped against username.

mysql> select * from macaddrlist;
+----+--------------+--------------+----------+----------+
| id | username     | macaddr1     | macaddr2 | macaddr3 |
+----+--------------+--------------+----------+----------+
|  1 | testing      | 1002b52c096b | NULL     | NULL     |
+----+--------------+--------------+----------+----------+
1 row in set (0.00 sec)


thanks,

     On Saturday, 25 March, 2023, 10:12:32 pm IST, Alan DeKok <aland at deployingradius.com> wrote:  
 
 On Mar 25, 2023, at 8:03 AM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I have installed freeradius without sql integration for testing.
> 
> 1, changed # Instead of "use_tunneled_reply", value to "if (1) {.
> 2, users file have following entry on top.
> testing Password := "password", Calling-Station-Id := "0cf346e648f3

  I'm pretty sure that won't do what you want,  I suggest reading the documentation to see how the operators work in the "users" file.

> Unauthorised devices with same login are granted access once authorised device is authenticated and server receive accounting-request is from unauthorised device. But when unauthorised devices try to connect for the first time, we see access-reject. 

  The debug log will show why.

> I'm not sure if this happen due to any stale sessions,

  Authentication has nothing to do with stale sessions.

  What you want is a policy which says:

    if user is X and MAC is not Y
        reject

  So... write that in "unlang".  What you wrote in the "users" file doesn't do that, and doesn't follow the documentation for the "users" file.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
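
The "if user is X and MAC is not Y, reject" policy from the thread, sketched as an added example that is not part of the original messages or the FreeRADIUS distribution: FreeRADIUS v3 unlang placed in the authorize {} section of sites-enabled/default. It assumes the NAS sends Calling-Station-Id in the same format as the stored values, that User-Name in this virtual server is the real login name, and (for the second form) that the "sql" module instance is enabled and the macaddrlist table is the one shown above; the second MAC address is a constructed placeholder.

```unlang
# sites-enabled/default (FreeRADIUS v3). Added example, not from the thread.
authorize {
    # ... existing modules (preprocess, files, sql, pap, ...) stay as they are ...

    # Form 1: static list. "testing" is only accepted from the listed MACs.
    # aabbccddeeff is a constructed placeholder for a second device.
    if (&User-Name == "testing") {
        # Test for a missing Calling-Station-Id explicitly, so a request
        # without the attribute is rejected instead of skipping the check.
        if (!&Calling-Station-Id || (&Calling-Station-Id !~ /^(1002b52c096b|aabbccddeeff)$/i)) {
            reject
        }
    }

    # Form 2: table-driven, using macaddrlist (username, macaddr1..macaddr3).
    # Outer condition: the user has at least one row, i.e. is MAC-restricted.
    # Inner condition: no row for this user lists the calling MAC.
    # NULL columns are harmless here: "x IN (a, NULL, NULL)" is only true
    # when x equals a, so unmatched rows are simply not counted.
    if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE username = '%{User-Name}'}" != "0") {
        if (!&Calling-Station-Id || ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE username = '%{User-Name}' AND '%{Calling-Station-Id}' IN (macaddr1, macaddr2, macaddr3)}" == "0")) {
            reject
        }
    }
}
```

Running the server with radiusd -X shows how each condition is evaluated for a given request, which is the quickest way to confirm the Calling-Station-Id format the NAS actually sends.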