EAP-PWD combined with MAC address

Alan DeKok aland at deployingradius.com
Wed Mar 20 21:49:25 UTC 2024


On Mar 20, 2024, at 8:50 PM, Dario Barbon <dbarbon at olicom.eu> wrote:
> Hi all, I need to configure my client's FreeRadius to allow connection to the WiFi network only to specific smartphones.
> I can establish EAP-PWD connection but the MAC address list of authorized devices isn't checked so connection works for every device.

  (a) test EAP-PWD all by itself.  You'll need to do this with the user device.

  (b) test MAC address authorization with PAP.  You can use "radclient" to send packets.

  (c) put the two together.

> Here the debug log; could someone point me to what is wrong?
> 
>   (2) Received Access-Request Id 124 from 172.31.190.2:32771 to 172.31.189.84:1812 length 300
>   (2)   User-Name = "sistemi"
>   (2)   Chargeable-User-Identity = 0x00
>   (2)   Location-Capable = Civic-Location
>   (2)   Calling-Station-Id = "7c-6c-f0-49-67-4b"

  That's the MAC, which is good.

>   (2) eap_pwd: Sending tunneled request
>   (2) eap_pwd:   User-Name = "sistemi"
>   (2) eap_pwd: server inner-tunnel {

  Note: No Calling-Station-ID.

  The "inner-tunnel" virtual server is used to get passwords for the user.  But by default, it doesn't get a copy of all of the attributes.
> 
>   (2) authorized_macs: EXPAND %{Calling-Station-ID}
>   (2) authorized_macs:    -->
>   (2)     [authorized_macs] = noop

  Because the inner-tunnel virtual server doesn't have a copy of the Calling-Station-Id.

  Move the "authorized_macs" checks to the sites-enabled/tlcamb-tag file, and the module will have access to the Calling-Station-Id.

  Alan DeKok.
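
The diagnosis in this reply (an `EXPAND` that yields nothing inside `inner-tunnel`, so the MAC check returns `noop`) can be spotted mechanically in `radiusd -X` output. The script below is an added example, not part of the original post or of FreeRADIUS; the function name, the `(outer)` label and the closing-brace pattern for a virtual server are assumptions, and the sample log is the set of debug lines quoted in the thread.

```python
import re

# Debug lines quoted in the thread (request 2), mail quoting removed.
SAMPLE_LOG = """\
(2) Received Access-Request Id 124 from 172.31.190.2:32771 to 172.31.189.84:1812 length 300
(2)   Calling-Station-Id = "7c-6c-f0-49-67-4b"
(2) eap_pwd: Sending tunneled request
(2) eap_pwd:   User-Name = "sistemi"
(2) eap_pwd: server inner-tunnel {
(2) authorized_macs: EXPAND %{Calling-Station-ID}
(2) authorized_macs:    -->
(2)     [authorized_macs] = noop
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")           # "(2) <text>"
SERVER_OPEN = re.compile(r"server (\S+) \{$")      # entering a virtual server
SERVER_CLOSE = re.compile(r"\} # server ")         # assumed form of the closing line
EXPAND = re.compile(r"^([\w.-]+): EXPAND (.+)$")
RESULT = re.compile(r"^([\w.-]+):\s*-->\s*(.*)$")
RCODE = re.compile(r"^\[([\w.-]+)\] = (\w+)$")

def find_empty_expansions(log):
    """List modules whose EXPAND produced an empty string, with server and rcode."""
    stacks, pending, findings = {}, {}, []
    for raw in log.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        req, text = int(line.group(1)), line.group(2)
        stack = stacks.setdefault(req, [])          # virtual-server nesting per request
        if m := SERVER_OPEN.search(text):
            stack.append(m.group(1))
        elif SERVER_CLOSE.search(text) and stack:
            stack.pop()
        elif m := EXPAND.match(text):
            pending[(req, m.group(1))] = m.group(2)  # wait for the "-->" line
        elif (m := RESULT.match(text)) and (req, m.group(1)) in pending:
            expr = pending.pop((req, m.group(1)))
            if m.group(2) == "":                     # attribute missing in this context
                findings.append({"request": req, "module": m.group(1), "expr": expr,
                                 "server": stack[-1] if stack else "(outer)", "rcode": None})
        elif m := RCODE.match(text):
            for f in findings:                       # attach the module's return code
                if f["request"] == req and f["module"] == m.group(1) and f["rcode"] is None:
                    f["rcode"] = m.group(2)
    return findings

if __name__ == "__main__":
    for f in find_empty_expansions(SAMPLE_LOG):
        print("request {request}: {module} expanded {expr} to nothing in {server} -> {rcode}".format(**f))
```

A finding whose `server` is `inner-tunnel` and whose `rcode` is `noop` is the situation described above: the check ran where the attribute was not available, so it did not restrict anything.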


