EAP-PWD combined with MAC address
Dario Barbon
dbarbon at olicom.eu
Thu Mar 21 09:11:22 UTC 2024
Thanks Alan, I moved the "authorized_macs" checks inside the site
configuration file (tlcamb-tag) and now it works as expected.
Dario Barbon
On 20/03/2024 22:49, Alan DeKok wrote:
> On Mar 20, 2024, at 8:50 PM, Dario Barbon <dbarbon at olicom.eu> wrote:
>> Hi all, I need to configure my client's FreeRADIUS to allow connection to the WiFi network only to specific smartphones.
>> I can establish an EAP-PWD connection but the MAC address list of authorized devices isn't checked, so the connection works for every device.
> (a) test EAP-PWD all by itself. You'll need to do this with the user device.
>
> (b) test MAC address authorization with PAP. You can use "radclient" to send packets.
>
> (c) put the two together.
>
>> Here is the debug log; could someone point me to what is wrong?
>>
>> (2) Received Access-Request Id 124 from 172.31.190.2:32771 to 172.31.189.84:1812 length 300
>> (2) User-Name = "sistemi"
>> (2) Chargeable-User-Identity = 0x00
>> (2) Location-Capable = Civic-Location
>> (2) Calling-Station-Id = "7c-6c-f0-49-67-4b"
> That's the MAC, which is good.
>
>> (2) eap_pwd: Sending tunneled request
>> (2) eap_pwd: User-Name = "sistemi"
>> (2) eap_pwd: server inner-tunnel {
> Note: No Calling-Station-ID.
>
> The "inner-tunnel" virtual server is used to get passwords for the user. But by default, it doesn't get a copy of all of the attributes.
>
>> (2) authorized_macs: EXPAND %{Calling-Station-ID}
>> (2) authorized_macs: -->
>> (2) [authorized_macs] = noop
> Because the inner-tunnel virtual server doesn't have a copy of the Calling-Station-Id.
>
> Move the "authorized_macs" checks to the sites-enabled/tlcamb-tag file, and the module will have access to the Calling-Station-Id.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
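
Added example, not part of the original thread and not FreeRADIUS project code: a small Python check that scans debug output for the failure mode diagnosed above, where a module's lookup key expands to an empty string and the module then returns without matching, so the MAC check never runs. The function name and the sample log are constructed for illustration; request 2 reuses the lines quoted in the thread and request 3 is a made-up contrast.

```python
import re

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")          # "(2) rest of line"
SERVER = re.compile(r"\bserver (\S+) \{")         # "server inner-tunnel {"
EXPAND = re.compile(r"^(\w+): EXPAND (.+)$")      # "module: EXPAND %{...}"
ARROW = re.compile(r"^(\w+):\s*-->\s*(.*)$")      # "module:    --> value"
RESULT = re.compile(r"^\[(\w+)\] = (\w+)$")       # "[module] = noop"

# Constructed sample: request 2 reuses the lines quoted in the thread;
# request 3 is a made-up contrast where the key expands to a value.
SAMPLE = """\
(2) Calling-Station-Id = "7c-6c-f0-49-67-4b"
(2) eap_pwd: server inner-tunnel {
(2) authorized_macs: EXPAND %{Calling-Station-ID}
(2) authorized_macs:    -->
(2) [authorized_macs] = noop
(3) authorized_macs: EXPAND %{Calling-Station-ID}
(3) authorized_macs:    --> 7c-6c-f0-49-67-4b
(3) [authorized_macs] = ok
"""

def find_empty_key_lookups(log_text):
    """Return one dict per module call whose key expanded to an empty string."""
    server, pending, empty, findings = {}, {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2).strip()
        if s := SERVER.search(body):
            server[rid] = s.group(1)              # last virtual server entered
        elif e := EXPAND.match(body):
            pending[(rid, e.group(1))] = e.group(2)
        elif (a := ARROW.match(body)) and (rid, a.group(1)) in pending:
            expr = pending.pop((rid, a.group(1)))
            if not a.group(2).strip():            # expansion produced nothing
                empty[(rid, a.group(1))] = expr
        elif (r := RESULT.match(body)) and (rid, r.group(1)) in empty:
            findings.append({"request": rid, "module": r.group(1),
                             "key": empty.pop((rid, r.group(1))),
                             "result": r.group(2),
                             "server": server.get(rid, "(outer)")})
    return findings

if __name__ == "__main__":
    for finding in find_empty_key_lookups(SAMPLE):
        print(finding)
```

A finding for an authorization module means the check was skipped rather than passed, which is the point at which to verify that the attribute exists in the virtual server where the module is called.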