MAC Authentication Queries

FreeRAD yetifreerad at gmail.com
Fri Sep 27 10:10:13 UTC 2024 

I'm asking questions about the MAC auth documentation because this is what
I am trying to achieve. I have also looked at other documentation and
understand the different sections but I am trying to work out how the MAC
auth fits into it.

I have followed your advice on the Autz-Type and it works but I want to
know why specifically the Autz-Type is not to be in there but all my other
authorize modules should be. I'm not trying to be argumentative so
apologies, there are just some things that I clearly don't fully understand
from the documentation alone.

>From my understanding of the documentation and the debug logs, FreeRADIUS
checks the MAC address against the authorized MACs file, if it is correct
and it's not an EAP message it Accepts it. Further information is then sent
in the form of a username and password (with EAP information in the
Access-Request) from the supplicant and FreeRADIUS sees the EAP attributes
and sets the Auth-Type to EAP meaning that the authentication section can
take it from there performing EAP auth. I would also hope that my
understanding of why the Autz-Type is there is correct. If not then please
let me know.

Is there anything wrong with what I have said above.

On Fri, Sep 27, 2024 at 10:52 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 27, 2024, at 11:18 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> > The problem is that the only documentation for this specific
> implementation
> > states "Normal virtual server configuration goes here" and that's it. If
> I
> > was taking it literally I would have assumed it meant the rest of the
> > virtual server configuration since that's what it says.
>
>   You're treating the MAC auth documentation as magic.  i.e. it's perfect,
> you have to follow it exactly, and you are forbidden from reading any other
> documentation, or learning from any other documentation.
>
>   This is the wrong approach.
>
> > The way I understand the authorize section to work is that it receives an
> > Access-Request first, validates the information within the
> Access-Request,
> > and ensures, based on the enabled modules, that the correct attributes
> are
> > in the Access-Request for the Authentication section to be able to
> process.
> > If they are, it then sets the Auth-Type for the Authentication section
> > accordingly. Autz-Type is only going to be used if no other module takes
> > responsibility for Authorization similar to how Auth-Type works in
> > Authentication.
>
>   I've told you that you can't put the Auto-Type into an "else"
> statement.  Did you read that?  Are you going to update your configuration
> to fix that?
>
>   It seems like your approach here is to argue about just about
> everything, and not follow any advice other than the MAC auth guide.  I
> have no idea why.  It's not productive.
>
>   Either follow instructions, or stop asking questions.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list