MAC Authentication Queries
Alan DeKok
aland at deployingradius.com
Thu Sep 26 14:44:54 UTC 2024
On Sep 26, 2024, at 4:42 PM, FreeRAD <yetifreerad at gmail.com> wrote:
> I agree that the default config works fine but this part doesn't seem to
> the way it is instructed in the FreeRADIUS guide. What is actually supposed
> to go in the "else" statement? As based on the comments in the "if"
> statement I would assume it's 'if the MAC is correct and it's not an EAP
> message then ACCEPT. else, continue through the authorize section'. But
> this is seemingly what happens if you have the "else" or not.
See the debug output for why this happens. The entire configuration is documented. How the server processes files is documented. It's not productive for me to cut & paste that documentation to the list.
> Another thing I have noticed when using the Authorized_Macs module is that
> I receive an Access-Accept initially once the MAC has been validated, but
> then I also get "Device with MAC Address %{Calling-Station-ID} authorized
> for network access" in every subsequent Access-Challenge that is sent from
> the Server to the NAS when the server is going through EAP-TTLS/PAP
> authentication. This is sent along with the EAP-Message,
> Message-Authenticator, and State attributes. Is this sort of behaviour
> expected?
It's fine.
Alan DeKok.
More information about the Freeradius-Users
mailing list