check user device mac address without doing mac-auth
Eby Mani
eby_km at yahoo.com
Wed Apr 5 09:25:45 UTC 2023
Thanks Alan,
> But I don't see that line in the debug output. So it's not being run, and therefore it's not working.
> I'd write that as:
It is there, but it is allowing MAC addresses not in the table; it is not running when called under authorize { }.
Pasted your exact code to the bottom of the "authorize { }" section of /sites-enabled/default; now it's not being run.
If required, I will paste the /sites-enabled/default configuration.
Previous debug, when my code was pasted into the preacct { } section.
#################################################################
(26) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(26) preacct {
(26) [preprocess] = ok
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(26) EXPAND %{User-Name}
(26) --> testing
(26) SQL-User-Name set to 'testing'
rlm_sql (sql): Reserved connection (15)
(26) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53')
rlm_sql (sql): Released connection (15)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (16), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10
(26) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }
(26) --> 0
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(26) [ok] = ok
(26) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok
(26) ... skipping else: Preceding "if" was taken
(26) policy acct_unique {
(26) update request {
(26) &Tmp-String-9 := "ai:"
(26) } # update request = noop
(26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(26) EXPAND %{hex:&Class}
(26) --> 6c6f775f616363657373
(26) EXPAND ^%{hex:&Tmp-String-9}
(26) --> ^61693a
(26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(26) else {
(26) update request {
(26) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(26) --> cdbb232bc69b751f19684df63248fe05
(26) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05
(26) } # update request = noop
(26) } # else = noop
(26) } # policy acct_unique = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: No '@' in User-Name = "testing", looking up realm NULL
(26) suffix: No such realm "NULL"
(26) [suffix] = noop
(26) [files] = noop
(26) } # preacct = ok
Thanks,
On Tuesday, 4 April, 2023, 08:03:16 pm IST, Alan DeKok <aland at deployingradius.com> wrote:
>
> Have tried adding the following in /sites-enabled/default bottom of "authorization { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect.
>
> if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
> ok
> }
> else {
> reject
> }
I'd write that as:
if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" == "" ) {
reject
}
Just a little simpler.
But I don't see that line in the debug output. So it's not being run, and therefore it's not working.
Make sure that the server is using that configuration, and it should work.
Alan DeKok.
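An added example, not part of the thread or of the FreeRADIUS project: the allow-list table and two query shapes for the check discussed above, written for MySQL 5.7 as shown in the debug output. Table and column names follow the thread; the rows and the MAC values are constructed. The debug above shows the COUNT(*) expansion producing "0" when the MAC is not listed, so a test of the form == "" never matches that query, because COUNT(*) always returns exactly one row. Either compare the COUNT result against "0", or use a query that returns no row for an unlisted MAC, which is what the == "" form expects. Calling-Station-Id is stored here in the separator-free lower-case form the debug shows (f894c2addb53); a NAS that sends colon- or dash-separated or upper-case MACs would need the value normalised before the comparison, otherwise a listed device is rejected.

```sql
-- Added example (not from the thread): schema and sample rows for the
-- MAC allow-list check. Names follow the thread; the rows are constructed.
CREATE TABLE macaddrlist (
  username VARCHAR(64) NOT NULL,
  macaddr1 CHAR(12)    NOT NULL,      -- lower-case hex, no separators
  macaddr2 CHAR(12)    NULL,          -- optional second device
  PRIMARY KEY (username)
);

INSERT INTO macaddrlist (username, macaddr1, macaddr2) VALUES
  ('testing', 'aabbccddeeff', NULL),
  ('alice',   '001122334455', '0a1b2c3d4e5f');

-- Query shape used in the thread. COUNT(*) always yields one row, so the
-- sql xlat expands to '0' or '1' and is never the empty string; in unlang
-- this form has to be compared against "0", not against "".
SELECT COUNT(*) FROM macaddrlist
 WHERE username = 'testing'
   AND (macaddr1 = 'f894c2addb53' OR macaddr2 = 'f894c2addb53');

-- Query shape that returns no row at all when the MAC is not listed, so
-- an empty xlat expansion (the == "" test) means "not found".
-- Unlisted MAC for user 'testing': no rows.
SELECT 1 FROM macaddrlist
 WHERE username = 'testing'
   AND (macaddr1 = 'f894c2addb53' OR macaddr2 = 'f894c2addb53')
 LIMIT 1;

-- Listed MAC for user 'testing': one row.
SELECT 1 FROM macaddrlist
 WHERE username = 'testing'
   AND (macaddr1 = 'aabbccddeeff' OR macaddr2 = 'aabbccddeeff')
 LIMIT 1;

-- A NULL macaddr2 is safe here: NULL = 'x' is NULL, and NULL OR FALSE
-- is NULL, which the WHERE clause treats as not matched.
```

Run against the sample data, the COUNT(*) query returns a single row containing 0 for the unlisted MAC, the first SELECT 1 query returns an empty result set, and the second SELECT 1 query returns one row. Whichever shape is used, the username being the primary key keeps the lookup an index hit per access request.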