brainstorm wrote:
> I've tried your recommendations but it does not work as expected:
> using "Reject" as rlm_passwd's "authtype" (as you suggested), the user
> is always rejected, even when the MAC is in the file and is actually
> found:
Yes sorry, that was wrong. Clearly "authtype = Reject" will fail the
request if the module matches. Don't know why I said that...
> modcall[authorize]: module "MAC-IP" returns ok for request 0
> Furthermore, if I change rlm_passwd's authtype to "Accept", the
> supplicant auth fails and the following warning is shown:
That definitely won't work. Don't do it.
> rad_check_password: Found Auth-Type Accept
> rad_check_password: Found Auth-Type EAP
> Warning: Found 2 auth-types on request for user 'bob'
>
> However, if I comment out the rlm_passwd sections (MAC-IP in modules and
> authorize), all works flawlessly.
Well, yes. But if it works flawlessly, why are you wanting help?
> The users file has entries like these:
>
>     bob NT-Password == 0xa3d411301d637a38f4d22d484f256a04
>     joe NT-Password == 0xa3d411301d637a38f4d22d484f256a04
>     (...)
>
> Which are matched correctly in all scenarios I've tested:
>
>     modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched entry bob at line 1
>
> According to the RADIUS documentation (aaa.txt), it is not correct to
> place Auth-Type in either the check or reply lists in the users file:
>
> "A quite common mistake is to place the attributes in the wrong lists,
> for example placing Auth-Type, Password, NT-Password etc in the check
> list, or in the reply list. When run in debugging mode, the server
> will normally issue 'WARNING' messages saying that the attributes are
> in the wrong list"
>
> So I conclude that the users file is correct as it is now. What am I
> doing wrong, and what should I do to avoid those warning messages? If
> you want the radiusd -X logs, I can attach them if you wish.
Hmm. I still say you need to read and understand the docs, but try this:
    # rlm_passwd instance: look the calling MAC up in a flat file.
    # No "authtype" is set here, so the module only adds attributes
    # and returns ok / notfound; it never decides the Auth-Type.
    passwd MAC-IP {
        filename = ${raddbdir}/MAC-IP
        format = "*Calling-Station-Id:"
        delimiter = ":"
    }
    (...)
    authorize {
        preprocess
        MAC-IP {
            # If the MAC isn't in the file, the module returns notfound;
            # in that case, exit "authorize" with reject immediately.
            notfound = reject
        }
        files
        eap
    }
That is, have no authtype on the "passwd" module. If that doesn't work,
you may try something like:
    # Same lookup, but now the second field of each line is copied into
    # the request as a Group attribute ("~Group"), so the users file can
    # test for its presence instead of the module having to reject.
    passwd MAC-IP {
        filename = ${raddbdir}/MAC-IP
        format = "*Calling-Station-Id:~Group"
        delimiter = ":"
    }
    (...)
    authorize {
        preprocess
        MAC-IP
        files
        eap
    }
/etc/raddb/MAC-IP:

    00-11-22-33-44-55:FAKEGROUP
    aa-bb-cc-dd-ee-ff:FAKEGROUP

/etc/raddb/users:

    DEFAULT Group !* ANY, Auth-Type := Reject
    user1 NT-Password := abcdefg...
    user2 NT-Password := abcdefg...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
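The following is an added example, not part of the thread above and not FreeRADIUS code: a small Python model of the two authorize layouts suggested in the reply (an rlm_passwd "MAC-IP" lookup followed by "files"). It lets you trace offline why, in the second layout, the DEFAULT line with `Group !* ANY` rejects a request whose MAC is absent from the MAC-IP file while a known MAC falls through to the user's own entry. The file contents are constructed from the reply's examples with a placeholder NT-Password, the lower-casing of lookup keys and the "first matching entry wins" rule are simplifications of this model rather than documented server behaviour, and the function and variable names are invented for the example.

```python
# Added example, not FreeRADIUS code: a model of "MAC-IP then files" in
# the authorize section, to show how the Group attribute added by the
# passwd lookup controls which users-file entry matches.
import re

# Constructed stand-in for /etc/raddb/MAC-IP in "*Calling-Station-Id:~Group" format.
MAC_IP_FILE = """\
00-11-22-33-44-55:FAKEGROUP
aa-bb-cc-dd-ee-ff:FAKEGROUP
"""

# Constructed stand-in for /etc/raddb/users. "!* ANY" means the attribute must be
# absent. The NT-Password value is a placeholder, not a real hash.
USERS_FILE = """\
DEFAULT Group !* ANY, Auth-Type := Reject
user1 NT-Password := 0x00112233445566778899aabbccddeeff
"""

CHECK_ITEM = re.compile(r"^\s*([\w-]+)\s+(==|:=|!\*|=\*)\s+(.*?)\s*$")


def parse_passwd_file(text, fmt, delimiter=":"):
    """Parse an rlm_passwd-style file. The field marked '*' in fmt is the key;
    every other named field becomes an attribute. Keys are lower-cased here
    (a simplification of this model, not a documented rlm_passwd feature)."""
    fields = fmt.split(delimiter)
    key_index = next(i for i, f in enumerate(fields) if f.startswith("*"))
    key_attr = fields[key_index].lstrip("*~=")
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(delimiter)
        attrs = {f.lstrip("*~="): values[i]
                 for i, f in enumerate(fields)
                 if f and i != key_index and i < len(values)}
        table[values[key_index].lower()] = attrs
    return key_attr, table


def parse_users_file(text):
    """Parse users-file entries into (name, check items, config items)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, configs = [], {}
        for item in rest.split(","):
            attr, op, value = CHECK_ITEM.match(item).groups()
            if op == ":=":
                configs[attr] = value  # ':=' on the first line sets a config item
            else:
                checks.append((attr, op, value))
        entries.append((name, checks, configs))
    return entries


def check_items_match(checks, attrs):
    """Evaluate check items against the attributes visible to 'files'."""
    for attr, op, value in checks:
        present = attr in attrs
        if op == "!*" and present:       # attribute must be absent
            return False
        if op == "=*" and not present:   # attribute must be present
            return False
        if op == "==" and attrs.get(attr) != value:
            return False
    return True


def authorize(request, mac_table, key_attr, users, notfound_rejects=False):
    """Model of the authorize section: MAC-IP, then files.
    notfound_rejects=True is the first layout ("notfound = reject");
    False is the second, where the users-file DEFAULT line rejects.
    First matching users entry wins (no Fall-Through modelled)."""
    key = request.get(key_attr, "").lower()
    if key not in mac_table:
        if notfound_rejects:
            return {"mac_ip": "notfound", "matched": None,
                    "auth_type": "Reject", "config": {}}
        rc, attrs = "notfound", dict(request)
    else:
        rc, attrs = "ok", {**request, **mac_table[key]}
    username = request.get("User-Name")
    for name, checks, configs in users:
        if name in ("DEFAULT", username) and check_items_match(checks, attrs):
            return {"mac_ip": rc, "matched": name,
                    "auth_type": configs.get("Auth-Type"), "config": configs}
    return {"mac_ip": rc, "matched": None, "auth_type": None, "config": {}}


KEY_ATTR, MAC_TABLE = parse_passwd_file(MAC_IP_FILE, "*Calling-Station-Id:~Group")
USERS = parse_users_file(USERS_FILE)

if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "de-ad-be-ef-00-01"):
        req = {"User-Name": "user1", "Calling-Station-Id": mac}
        print(mac, authorize(req, MAC_TABLE, KEY_ATTR, USERS))
```

Run it directly to see the two paths: the known MAC picks up `Group = FAKEGROUP`, so the DEFAULT entry's `!*` check fails and `user1` matches with its NT-Password config item and no Auth-Type (left for the eap module to set); the unknown MAC has no Group, so DEFAULT matches and sets `Auth-Type := Reject` before any EAP handling.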