MAC Authentication Queries

FreeRAD yetifreerad at gmail.com
Fri Sep 27 10:33:24 UTC 2024 

Are you able to just tell me whether my understanding is correct or not?
It's all based on the documentation so I would guess it is.

Any chance you can point me in the direction of the Autz-Type
documentation? Because when searched on the FreeRADIS wiki, the only
mention of Autz-Type is here
<https://wiki.freeradius.org/config/Acct%20Type> which doesn't give much
info. There's also nothing in the Network RADIUS Technical guide for it.
The most I found was this
<https://opensource.apple.com/source/freeradius/freeradius-11/freeradius/doc/Autz-Type.auto.html>
.

On Fri, Sep 27, 2024 at 11:20 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 27, 2024, at 12:10 PM, FreeRAD <yetifreerad at gmail.com> wrote:
> > I'm asking questions about the MAC auth documentation because this is
> what
> > I am trying to achieve. I have also looked at other documentation and
> > understand the different sections but I am trying to work out how the MAC
> > auth fits into it.
>
>   MAC auth isn't magic.  You keep treating it as if it's magic.  Stop.
>
>   MAC works like _everything_ else in the server.  A packet comes in, the
> data in the packet is used to look up information in DBs.  The server
> replies.
>
>   It's that easy.
>
> > I have followed your advice on the Autz-Type and it works but I want to
> > know why specifically the Autz-Type is not to be in there but all my
> other
> > authorize modules should be. I'm not trying to be argumentative so
> > apologies, there are just some things that I clearly don't fully
> understand
> > from the documentation alone.
>
>   Autz-Type is documented.  I'm not going to copy & paste that
> documentation here.
>
> > From my understanding of the documentation and the debug logs, FreeRADIUS
> > checks the MAC address against the authorized MACs file, if it is correct
> > and it's not an EAP message it Accepts it. Further information is then
> sent
> > in the form of a username and password (with EAP information in the
> > Access-Request) from the supplicant and FreeRADIUS sees the EAP
> attributes
> > and sets the Auth-Type to EAP meaning that the authentication section can
> > take it from there performing EAP auth. I would also hope that my
> > understanding of why the Autz-Type is there is correct. If not then
> please
> > let me know.
>
>  You configured FreeRADIUS to take specific actions based on specific
> rules.  Either you understand those rules, or you treat them a magic spells
> which are not understandable.
>
>   Only one approach will get you to where you want.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list