MAC Authentication Queries

[FreeRAD]

Hi Alan,

I agree that the default config works fine but this part doesn't seem to
the way it is instructed in the FreeRADIUS guide. What is actually supposed
to go in the "else" statement? As based on the comments in the "if"
statement I would assume it's 'if the MAC is correct and it's not an EAP
message then ACCEPT. else, continue through the authorize section'. But
this is seemingly what happens if you have the "else" or not.

Another thing I have noticed when using the Authorized_Macs module is that
I receive an Access-Accept initially once the MAC has been validated, but
then I also get "Device with MAC Address %{Calling-Station-ID} authorized
for network access" in every subsequent Access-Challenge that is sent from
the Server to the NAS when the server is going through EAP-TTLS/PAP
authentication. This is sent along with the EAP-Message,
Message-Authenticator, and State attributes. Is this sort of behaviour
expected?

Many thanks!



On Thu, Sep 26, 2024 at 3:21 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 26, 2024, at 2:58 PM, FreeRAD <yetifreerad at gmail.com> wrote:
> > Thank you for the reply here. I have put the closing braces only around
> the
> > Authorize section but this issue is still occurring.
>
>  The default configuration works.  If your configuration doesn't work,
> it's because you edited it, and broke it.
>
> > Furthermore, there are plenty of other "if" statements in the various
> > virtual server files that don't also have "else"s, so what is the
> > requirement for it in this situation?
>
>  The comments explain what the unlang policies do, and why.  There isn't
> much more I can add.
>
> > I have tested without the else and it
> > seems to work ok but it would be useful to know the implications of this.
>
>  If it works, it works.
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>