brainstorm wrote:
I'm trying to implement a similar scenario: I am using PEAP, and I
want to check if a given mac is in my database. In my case, the MACs
file looks like this:

0030.0996.CF52:192.168.12.1

I would like to match the first field (MAC) with the NAS
"Calling-Station-Id" attribute; if this check fails, I would like to
reject that user. Is it doable with rlm_password? I've tried, but I
cannot figure out which is the right "format" for my case:

I've tried the following in radiusd.conf:

modules {
(...)
	passwd mac-ip {
		filename = /etc/raddb/MAC-IP
		format = "mac-address:Calling-Station-Id"
		delimiter = ":"
	}
}

Please read the docs. The comments right above the "passwd" module in the default config are VERY SPECIFIC. The format is:

format = "*Key-Value:~Request-Value:=Reply-Value:Configure-Value"

That is, the radius attribute "Key-Value" is the first field. Request-Value (prefix ~) will be added to the request, Reply-Value (prefix =) to the reply, and Configure-Value (no prefix) to the configure items.

So you're wrong several ways:

 1. "mac-address" is not a radius attribute
 2. None of your attributes have * for key
 3. In any case, for WAPs, Calling-Station-Id is normally the MAC, not IP
 4. By itself you can't negate the sense and reject-if-no-match

Try something like this:

passwd mac-ip {
	filename = /etc/raddb/MAC-IP
	format = "*Calling-Station-Id:Class"
	delimiter = ":"
	authtype = Reject
}
always fail {
	rcode = fail
}

authorize {
	mac-ip {
		notfound = reject
	}
	# others
}

...and note that many/most APs send the MAC as "00-11-22-33-44-55" so the file should look like this:

00-11-22-33-44-55:KnownUser

This is all in the docs.
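An added example, not from this thread or from FreeRADIUS itself: a small Python script that converts the original poster's dotted "0030.0996.CF52:192.168.12.1" file into the "00-11-22-33-44-55:Class" layout the reply asks for, then mimics the passwd lookup (key on the "*" field, return the Class value or "notfound"). The Class value "KnownUser" and the second sample line are constructed.

```python
import re

# Constructed sample input in the original poster's dotted MAC:IP layout.
OLD_FILE = """0030.0996.CF52:192.168.12.1
00AB.CDEF.1234:192.168.12.2
"""


def normalize_mac(mac: str) -> str:
    """Return a MAC as 00-11-22-33-44-55 (upper case), the form the reply says
    most APs put in Calling-Station-Id. Accepts dotted, colon, hyphen or bare hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def convert_file(text: str, class_value: str = "KnownUser") -> str:
    """Rewrite MAC:IP lines into the MAC:Class layout expected by
    format = "*Calling-Station-Id:Class"; the IP column is dropped."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, _ip = line.split(":", 1)
        out.append(f"{normalize_mac(mac)}:{class_value}")
    return "\n".join(out) + "\n"


def lookup(table: str, calling_station_id: str):
    """Mimic the passwd module: match the first ('*') field against the
    normalized Calling-Station-Id and return the Class value, or None when
    the station is unknown (the 'notfound' case that authorize turns into reject).
    A Calling-Station-Id that is not a MAC at all is treated as unknown."""
    try:
        key = normalize_mac(calling_station_id)
    except ValueError:
        return None
    for line in table.splitlines():
        if not line.strip():
            continue
        mac, class_value = line.split(":", 1)
        if mac == key:
            return class_value
    return None


if __name__ == "__main__":
    table = convert_file(OLD_FILE)
    print(table)
    for station in ("00-30-09-96-CF-52", "00:30:09:96:cf:52", "aa-bb-cc-dd-ee-ff"):
        result = lookup(table, station)
        print(station, "->", result if result else "notfound -> reject")
```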
