Re: MAC-Auth + Freeradius + MySQL Database
On Sunday, February 24, 2013, Alan DeKok wrote:

> Russell Mike wrote:
>> I also came across where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.
>
> To be clear: you don't. EAP is authentication. MAC authentication is just checking if the MAC address is in a known list.
>
> Terminology matters. Using the right terminology means that the solution is usually simple. Using the wrong terminology means you're using the wrong design.
>
>> How to store MACs in MySQL database. Perhaps I need to create an additional table to store MAC. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of and that I can follow to finish the setup?
>
> If all you want is a known MAC list, then just put them into a table in SQL. Then, select MAC addresses from the table at run time. If they're found, continue. If not, reject.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Dear Alan D.

Thanks for guidelines. Exactly, as you stated, I simply want to store MAC address somewhere and compare against the request. Can they be in radcheck? Would you recommend that? Or a separate table? Storing MAC in radcheck, would it be correct terminology?

Secondly, I would have a list of maximum 500 MACs, how about listing them in a file. Would it be considerably slower reading from file than DB? I have no idea because I never used radius with files.

Thanks Alan De. for your support ever

Regards
--RM
RE: MAC-Auth + Freeradius + MySQL Database
I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.

No clue how to do this, I just know it can be done.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org] On Behalf Of Russell Mike
Sent: Saturday, February 23, 2013 11:07 AM
To: FreeRadius users mailing list
Subject: MAC-Auth + Freeradius + MySQL Database

Greetings Dear Alan D., List Members,

First of all, thank you very much for developing such an application. I need help. I have a functional Freeradius server with MySQL backend. I have been asked to add MAC address authentication support for the servers. I googled the topic and got many, many mail archive results. I tried to read those for about a day before posting to the mailing list. Most of them, administrators are discussing troubleshooting topics, but I was searching for how to start implementation and the REQUIREMENTS.

I also came across where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.

Finally, I came across wiki documentation. Almost everything is there and it is well explained as well, thanks. I now understand how it works. But SQL part is not still a question.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

How to store MACs in MySQL database. Perhaps I need to create an additional table to store MAC. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of and that I can follow to finish the setup?

Great thanks for attending to this request and thanks for your support ever since!

Additional information: FR_v2.2 with Coova 1.3.0

Regards
--
RM
Re: MAC-Auth + Freeradius + MySQL Database
Russell Mike wrote:
> Thanks for guidelines. Exactly, as you stated, I simply want to store MAC address somewhere and compare against the request. Can they be in radcheck?

I wouldn't do that. Just create your own table of MAC addresses.

If all you want is to list known MACs, you can do that with a custom table. Then, do:

    if (%{sql: SELECT ...}) {
        # known MAC
    }

Use a SQL client to write the correct SELECT statement, and then put it into the example above. Then apply any known MAC rule inside of the if statement.

> Secondly, I would have a list of maximum 500 MACs, how about listing them in a file. Would it be considerably slower reading from file than DB? I have no idea because I never used radius with files.

See man rlm_passwd. It contains examples. You could put the MACs into a group via that module, and then do group checking.

Alan DeKok.
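The lookup described in the reply above (a custom table of known MACs, a SELECT at run time, found means continue, not found means reject), modelled as an added Python example that is not part of the original thread or of FreeRADIUS. sqlite3 stands in for MySQL, and the known_macs table, its columns and the function names are hypothetical. It normalizes Calling-Station-Id first, because the SELECT only matches when the stored form and the form the NAS sends are identical.

```python
import re
import sqlite3

# Hypothetical table of known MACs, stored in one canonical form:
# lower-case hex pairs separated by hyphens.
SCHEMA = "CREATE TABLE known_macs (mac CHAR(17) NOT NULL PRIMARY KEY, comment VARCHAR(64))"
# The SELECT to work out in a SQL client first, as the reply suggests.
LOOKUP = "SELECT mac FROM known_macs WHERE mac = ?"


def normalize_mac(calling_station_id):
    """Return aa-bb-cc-dd-ee-ff, or None if the value is not a MAC.

    NAS devices send Calling-Station-Id in several layouts:
    AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff.
    """
    digits = re.sub(r"[-:.]", "", calling_station_id.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(db, calling_station_id):
    """Found in the table: continue ("accept"). Otherwise: "reject"."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject"
    # Bound parameter: the attribute arrives from the network, so it is
    # validated above and never pasted into the SQL text.
    row = db.execute(LOOKUP, (mac,)).fetchone()
    return "accept" if row else "reject"


def build_sample_db():
    """In-memory database holding two constructed sample MACs."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO known_macs (mac, comment) VALUES (?, ?)",
        [("00-11-22-33-44-55", "constructed sample 1"),
         ("02-00-5e-10-00-01", "constructed sample 2")],
    )
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for value in ("00:11:22:33:44:55", "0200.5E10.0001", "00-11-22-33-44-56", "not-a-mac"):
        print(f"{value!r:24} -> {authorize(db, value)}")
```

The CREATE TABLE and SELECT statements are plain SQL and carry over to MySQL; only the placeholder syntax is specific to the Python driver.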
Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 2:20 PM, Alan DeKok al...@deployingradius.com wrote:

> Russell Mike wrote:
>> Thanks for guidelines. Exactly, as you stated, I simply want to store MAC address somewhere and compare against the request. Can they be in radcheck?
>
> I wouldn't do that. Just create your own table of MAC addresses.
>
> If all you want is to list known MACs, you can do that with a custom table. Then, do:
>
>     if (%{sql: SELECT ...}) {
>         # known MAC
>     }
>
> Use a SQL client to write the correct SELECT statement, and then put it into the example above. Then apply any known MAC rule inside of the if statement.
>
>> Secondly, I would have a list of maximum 500 MACs, how about listing them in a file. Would it be considerably slower reading from file than DB? I have no idea because I never used radius with files.
>
> See man rlm_passwd. It contains examples. You could put the MACs into a group via that module, and then do group checking.
>
> Alan DeKok.

Dear Alan De.

Thanks for your input, you are so helpful. And the information sent is also very useful. I will try to move forward based on your guidelines.

Thanks / Regards
RM
--
Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson dav...@wirelessconnections.net wrote:

> I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.
>
> No clue how to do this, I just know it can be done.
>
> David

Dear David,

Thanks for attending to the request. What do you mean when you say one person doing something similar to what you are looking to do? Do others do the MAC-Auth in a different way than I am doing?

I read the response from Mr. Alan De. about storing MAC in the database. The following wiki also explains how to rewrite calling-station-id using unlang and further compare against file or DB.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

Your information is appreciable.

Thanks / Regards
RM
--
RE: MAC-Auth + Freeradius + MySQL Database
He approached the problem differently than most people. He already had a database with the MAC addresses. Due to a deployment mistake in the past he did not have the passwords from each of 500 EAP clients. So rather than going out and changing those addresses he matches up the MAC address with a paying customer from the database.

The person is in charge of a wireless ISP so scheduling 500 home visits was a worse option than writing some code to authorize the CPE.

David

From: Russell Mike [mailto:radius@gmail.com]
Sent: Sunday, February 24, 2013 10:00 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: MAC-Auth + Freeradius + MySQL Database

On Sun, Feb 24, 2013 at 1:55 PM, David Peterson dav...@wirelessconnections.net wrote:

> I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.
>
> No clue how to do this, I just know it can be done.
>
> David

Dear David,

Thanks for attending to the request. What do you mean when you say one person doing something similar to what you are looking to do? Do others do the MAC-Auth in a different way than I am doing?

I read the response from Mr. Alan De. about storing MAC in the database. The following wiki also explains how to rewrite calling-station-id using unlang and further compare against file or DB.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

Your information is appreciable.

Thanks / Regards
RM
--
Re: MAC-Auth + Freeradius + MySQL Database
Understood. Thanks, dear David P., for participating in my troubleshooting. I am grateful.

Thanks / Regards
RM
--

On Sun, Feb 24, 2013 at 3:31 PM, David Peterson dav...@wirelessconnections.net wrote:

> He approached the problem differently than most people. He already had a database with the MAC addresses. Due to a deployment mistake in the past he did not have the passwords from each of 500 EAP clients. So rather than going out and changing those addresses he matches up the MAC address with a paying customer from the database.
>
> The person is in charge of a wireless ISP so scheduling 500 home visits was a worse option than writing some code to authorize the CPE.
>
> David
>
> From: Russell Mike [mailto:radius@gmail.com]
> Sent: Sunday, February 24, 2013 10:00 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: MAC-Auth + Freeradius + MySQL Database
>
> On Sun, Feb 24, 2013 at 1:55 PM, David Peterson dav...@wirelessconnections.net wrote:
>
>> I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.
>>
>> No clue how to do this, I just know it can be done.
>>
>> David
>
> Dear David,
>
> Thanks for attending to the request. What do you mean when you say one person doing something similar to what you are looking to do? Do others do the MAC-Auth in a different way than I am doing?
>
> I read the response from Mr. Alan De. about storing MAC in the database. The following wiki also explains how to rewrite calling-station-id using unlang and further compare against file or DB.
>
> http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL
>
> Your information is appreciable.
>
> Thanks / Regards
> RM
> --
MAC-Auth + Freeradius + MySQL Database
Greetings Dear Alan D., List Members,

First of all, thank you very much for developing such an application. I need help. I have a functional Freeradius server with MySQL backend. I have been asked to add MAC address authentication support for the servers. I googled the topic and got many, many mail archive results. I tried to read those for about a day before posting to the mailing list. Most of them, administrators are discussing troubleshooting topics, but I was searching for how to start implementation and the REQUIREMENTS.

I also came across where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.

Finally, I came across wiki documentation. Almost everything is there and it is well explained as well, thanks. I now understand how it works. But SQL part is not still a question.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

How to store MACs in MySQL database. Perhaps I need to create an additional table to store MAC. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of and that I can follow to finish the setup?

Great thanks for attending to this request and thanks for your support ever since!

Additional information: FR_v2.2 with Coova 1.3.0

Regards
--
RM
Re: MAC-Auth + Freeradius + MySQL Database
Russell Mike wrote:
> I also came across where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.

To be clear: you don't. EAP is authentication. MAC authentication is just checking if the MAC address is in a known list.

Terminology matters. Using the right terminology means that the solution is usually simple. Using the wrong terminology means you're using the wrong design.

> How to store MACs in MySQL database. Perhaps I need to create an additional table to store MAC. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of and that I can follow to finish the setup?

If all you want is a known MAC list, then just put them into a table in SQL. Then, select MAC addresses from the table at run time. If they're found, continue. If not, reject.

Alan DeKok.