Could you please correct me about MAC authorization.
In my debug log I see a MAC authorization request:
rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
    User-Name = "00-18-de-4e-8f-1d"
    User-Password = "secret"
    NAS-IP-Address = x.x.x.139
    Called-Station-Id = "00-20-a6-64-66-a3:A"
    Calling-Station-Id = "00-18-de-4e-8f-1d"
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
I have this entry in my users file:
00-18-de-4e-8f-1d Auth-Type:=Local, User-Password == "secret"
That's incorrect. On a recent (1.1.7 or 2.x) version of the server,
assuming you haven't fiddled with the default config too much, do this:
00-18-de-4e-8f-1d Cleartext-Password := "secret"
However, this system has some disadvantages, specifically if you use
another NAS (AP, switch) that doesn't send "secret" or formats the
username differently.
Is this the correct (right) way to control MAC addresses through RADIUS?
There's no one "correct" way. It depends on your environment.
We (for example) lookup the Calling-Station-Id in SQL and allow or deny
based on that.
Another question is: what is the correct way to separate the two
types (MAC & PEAP) of requests to the RADIUS server?
Yes. You didn't say what version of the server you're using, but in
1.1.x you can do this:
modules {
        files {
                ..
        }
        # second instance of the files module; sections below refer to it
        # by its instance name, "macauth"
        files macauth {
                ...
        }
}
authorize {
        preprocess
        files
        Autz-Type MACAUTH {
                macauth
        }
        Autz-Type OTHER {
                ldap
                eap
                mschap
        }
}
...then in "users":
# match mac addresses, set autz-type
DEFAULT User-Name =~ "..-..-..-..-..-..", Autz-Type := MACAUTH
        Fall-Through = no

# everything else is eap, ldap
DEFAULT Autz-Type := OTHER
...see doc/Autz-Type for more info.
In 2.x you can make use of the virtual server capabilities.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
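The two points made in the reply above, that a per-MAC Cleartext-Password entry breaks as soon as another NAS formats the username differently, and that MAC and PEAP requests should be split at authorize time and the MAC looked up in a table, can be exercised offline. The block below is an added example, not code from this thread or from FreeRADIUS: it re-types the Access-Request quoted in the post as a constructed sample, adds two constructed requests (a switch sending the bare MAC, and a PEAP start whose identity looks like a MAC), reproduces the users-file Autz-Type rule, and puts a stricter rule beside it. The SQLite table, its name and column, the stricter EAP-Message check, and the switch/PEAP attribute values are all assumptions of this example. Note that Calling-Station-Id is whatever the NAS saw from the client, so a MAC allow list only raises the bar to MAC spoofing; it is not authentication.

```python
"""MAC-auth vs EAP authorize decisions from the thread, emulated in Python.
Added example; not code from the thread or from FreeRADIUS.  All attribute
dumps are constructed (the first from the request quoted in the post); the
SQLite table stands in for the SQL lookup in the reply (names invented here)."""
import re
import sqlite3

# The users-file rule from the thread: six dash-separated two-character groups.
USERS_FILE_MAC_RE = re.compile(r"^..-..-..-..-..-..$")
# One 'Name = value' line of a radiusd -X dump (the rad_recv header does not match).
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
# Constructed allow list: the MAC from the post plus one made-up entry.
ALLOWED_MACS = ["00-18-de-4e-8f-1d", "00:1A:2B:3C:4D:5E"]

# Constructed from the request quoted in the post (AP, dashed lower-case MAC).
AP_REQUEST = """rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7, length=115
    User-Name = "00-18-de-4e-8f-1d"
    User-Password = "secret"
    NAS-IP-Address = x.x.x.139
    Called-Station-Id = "00-20-a6-64-66-a3:A"
    Calling-Station-Id = "00-18-de-4e-8f-1d"
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
"""
# Constructed: a switch doing MAC bypass, bare MAC as User-Name and
# User-Password, colon form in Calling-Station-Id.
SWITCH_REQUEST = """    User-Name = "0018de4e8f1d"
    User-Password = "0018de4e8f1d"
    Calling-Station-Id = "00:18:DE:4E:8F:1D"
    NAS-Port-Type = Ethernet
"""
# Constructed: a PEAP start (EAP-Response/Identity, 22 bytes) whose identity
# happens to look like a MAC.
PEAP_REQUEST = """    User-Name = "00-18-de-4e-8f-1d"
    Calling-Station-Id = "00-18-de-4e-8f-1d"
    EAP-Message = 0x020000160130302d31382d64652d34652d38662d3164
    Message-Authenticator = 0x00000000000000000000000000000000
    NAS-Port-Type = Wireless-802.11
"""

def normalize_mac(value):
    """00:18:DE:4E:8F:1D, 0018de4e8f1d, 0018.de4e.8f1d -> 00-18-de-4e-8f-1d; else None."""
    digits = re.sub(r"[-:. ]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_request(dump):
    """Attribute lines of a debug dump -> dict (last value wins on repeats)."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs

def autz_type_users_file(attrs):
    """The thread's split: dashed-MAC User-Name -> MACAUTH, anything else -> OTHER."""
    return "MACAUTH" if USERS_FILE_MAC_RE.match(attrs.get("User-Name", "")) else "OTHER"

def autz_type(attrs):
    """Stricter split (this example's addition): anything carrying EAP-Message is
    an EAP conversation whatever its identity looks like; otherwise a User-Name
    that parses as a MAC in any common NAS format is MAC auth."""
    if "EAP-Message" in attrs:
        return "OTHER"
    return "MACAUTH" if normalize_mac(attrs.get("User-Name", "")) else "OTHER"

def build_allowlist(macs):
    """In-memory stand-in for the SQL table the reply looks Calling-Station-Id up in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mac_allowlist (mac TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO mac_allowlist (mac) VALUES (?)",
                     [(normalize_mac(m),) for m in macs if normalize_mac(m)])
    return conn

def mac_allowed(conn, station_id):
    mac = normalize_mac(station_id)
    if mac is None:
        return False
    return conn.execute("SELECT 1 FROM mac_allowlist WHERE mac = ?",
                        (mac,)).fetchone() is not None

def authorize(dump, conn):
    """Return (Autz-Type, outcome).  MAC auth trusts Calling-Station-Id, which the
    NAS copies from the client frame; the User-Name must name the same MAC and
    that MAC must be on the list.  OTHER is handed to eap/ldap (not emulated)."""
    attrs = parse_request(dump)
    kind = autz_type(attrs)
    if kind != "MACAUTH":
        return kind, "eap"
    mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if mac is None or mac != normalize_mac(attrs["User-Name"]):
        return kind, "Access-Reject"
    if not mac_allowed(conn, attrs["Calling-Station-Id"]):
        return kind, "Access-Reject"
    return kind, "Access-Accept"
```

Run it with `conn = build_allowlist(ALLOWED_MACS)` and then `authorize(SWITCH_REQUEST, conn)`: the users-file rule classifies the switch request as OTHER (no dashes in the User-Name) and would have sent it to eap, while normalising the MAC first accepts it; conversely the PEAP start matches the dashed regex and would have gone to macauth, while the presence of EAP-Message sends it to eap.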