MAC Authentication Queries

Alan DeKok aland at deployingradius.com
Fri Sep 27 10:19:27 UTC 2024


On Sep 27, 2024, at 12:10 PM, FreeRAD <yetifreerad at gmail.com> wrote:
> I'm asking questions about the MAC auth documentation because this is what
> I am trying to achieve. I have also looked at other documentation and
> understand the different sections but I am trying to work out how the MAC
> auth fits into it.

  MAC auth isn't magic.  You keep treating it as if it's magic.  Stop.

  MAC works like _everything_ else in the server.  A packet comes in, the data in the packet is used to look up information in DBs.  The server replies.

  It's that easy.

> I have followed your advice on the Autz-Type and it works but I want to
> know why specifically the Autz-Type is not to be in there but all my other
> authorize modules should be. I'm not trying to be argumentative so
> apologies, there are just some things that I clearly don't fully understand
> from the documentation alone.

  Autz-Type is documented.  I'm not going to copy & paste that documentation here.

> From my understanding of the documentation and the debug logs, FreeRADIUS
> checks the MAC address against the authorized MACs file, if it is correct
> and it's not an EAP message it Accepts it. Further information is then sent
> in the form of a username and password (with EAP information in the
> Access-Request) from the supplicant and FreeRADIUS sees the EAP attributes
> and sets the Auth-Type to EAP meaning that the authentication section can
> take it from there performing EAP auth. I would also hope that my
> understanding of why the Autz-Type is there is correct. If not then please
> let me know.

  You configured FreeRADIUS to take specific actions based on specific rules.  Either you understand those rules, or you treat them as magic spells which are not understandable.

  Only one approach will get you to where you want.

  Alan DeKok.


