I'm so sorry to ask again. This problem has already been discussed in FreeRadius MAC address authorization (http://lists.cistron.nl/pipermail/freeradius-users/2008-August/msg00155.html).

I'm using Fedora Core 6, FreeRadius 2.1.3 (installed from the source code tarball) and use a Linksys WAP4400 as the access point. I got the guide from http://wiki.freeradius.org/Mac-Auth. This is my configuration:

raddb/policy.conf

    rewrite_calling_station_id {
        if("%{request:Calling-Station-Id}" =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
            update request {
                Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
            }
        }
        else {
            noop
        }
    }

raddb/client.conf

    client 10.1.0.6 {
        secret = testing123
        nastype = other
        shortname = tk03
    }
    client 10.1.0.0/24 {
        #
        #  secret and password are mapped through the "secrets" file.
        secret = testing123
        nastype = other
        shortname = tk03
    }
    client silimbat.win2k.del.ac.id{
        secret = testing123
        shortname = tk03
    }

raddb/modules/mschap

Change the value use_mppe = no to use_mppe = yes. Uncomment require_encryption = yes and require_strong = yes.

    mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

raddb/modules/file

    # files authorized_macs
    files {
        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        key = "%{Calling-Station-ID}"
        usersfile = ${confdir}/authorized_macs
        #  If you want to use the old Cistron 'users' file
        #  with FreeRADIUS, you should change the next line
        #  to 'compat = cistron'.  You can the copy your 'users'
        #  file from Cistron.
        compat = no
    }

raddb/sites-available/default authorize{}

    #
    # (Optional) May help if your NAS doesn't let you specify separators for the User-Name value
    #
    #rewrite_calling_station_id
    #
    # Machine (Calling-Station-ID based) authentication
    #
    # RFC 2865 says that a Service-Type value of Call Check is used
    # to specify this kind of authentication (though were now dealing with ethernet ports instead of lines).
    #
    if(Service-Type == 'Call-Check'){
        update control {
            Auth-Type = 'CSID'
        }
    }

raddb/sites-available/default authenticate{}

    #
    # Authentication based on Calling-Station-ID
    #
    # Calling-Station-ID authentication is usually done by comparing normalised
    # forms of the Calling-Station-ID and User-name fields.
    #
    Auth-Type CSID {
        if(User-Name =~ /^%{Calling-Station-ID}$/i){
            #
            # Optionally a CHAP-Password attribute is included which is
            # md5(ChapID + Calling-Station-ID + Request Authenticator).
            #
            if(Chap-Password){
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
                chap
            }
            else{
                ok
            }
        }
        else{
            reject
        }
    }

raddb/sites-available/default post-auth{}

    if("%{control:Auth-Type}" == 'CSID'){
        # Authorization happens here
        authorized_macs.authorize
        if(notfound){
            reject
        }
    }

raddb/authorized_macs

    # MAC_address        Auth-Type
    00-1C-BF-10-EA-34    Auth-Type := Accept
    00-1E-E5-9D-64-32    Auth-Type := Accept
    00-1D-E0-5E-E2-3B    Auth-Type := Accept
    00-1B-9E-32-E4-DE    Auth-Type := Accept

This is the output of radiusd -X:

    rad_recv: Access-Request packet from host 10.1.0.6 port 1024, id=5, length=139
            NAS-IP-Address = 10.1.0.6
            NAS-Port = 0
            Called-Station-Id = "00-1E-E5-9D-64-B1:TK_03"
            Calling-Station-Id = "00-1B-9E-32-E4-DE"
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Connect-Info = "CONNECT 11Mbps 802.11b"
            EAP-Message = 0x0201000501
            Message-Authenticator = 0x60827fcdaecda43af294e5ad9cc9fc5e
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] Proxy reply, or no User-Name.  Ignoring.
    ++[suffix] returns ok
    [eap] EAP packet type response id 1 length 5
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns noop
    [files] expand: %{Calling-Station-ID} -> 00-1B-9E-32-E4-DE
    [files] users: Matched entry 00-1B-9E-32-E4-DE at line 4
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    Login OK: [<no User-Name attribute>/<via Auth-Type = Accept>] (from client tk03 port 0 cli 00-1B-9E-32-E4-DE)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 5 to 10.1.0.6 port 1024
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 5 with timestamp +23

But the client can't connect. Can anybody help me?
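
Added example (not part of the original post and not FreeRADIUS code): a Python sketch of the separator stripping done by rewrite_calling_station_id in the post, applied to both the request value and the authorized_macs keys so that separator or case differences cannot cause a missed or mismatched entry. The helper names, the upper-casing step and the exact-string model of the key lookup are assumptions made for illustration.

```python
import re

# Same pattern as rewrite_calling_station_id in the posted policy.conf
# (the {2,} in the fourth group is kept exactly as posted).
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: the authorized_macs entries shown in the post.
AUTHORIZED_MACS = """\
# MAC_address        Auth-Type
00-1C-BF-10-EA-34    Auth-Type := Accept
00-1E-E5-9D-64-32    Auth-Type := Accept
00-1D-E0-5E-E2-3B    Auth-Type := Accept
00-1B-9E-32-E4-DE    Auth-Type := Accept
"""

def normalize(csid):
    """Strip separators as the policy does; upper-casing is an added assumption."""
    m = MAC_RE.search(csid)  # unanchored, like the =~ operator in the policy
    if m is None:
        return None
    return "".join(m.groups()).upper()

def load_keys(text):
    """Return the first field (the lookup key) of every non-comment line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys

def raw_match(csid, keys):
    """Lookup modelled as an exact string comparison (assumption)."""
    return csid in keys

def normalized_match(csid, keys):
    """Compare normalised forms on both sides of the lookup."""
    n = normalize(csid)
    return n is not None and n in {normalize(k) for k in keys}

if __name__ == "__main__":
    keys = load_keys(AUTHORIZED_MACS)
    for sample in ("00-1B-9E-32-E4-DE", "00:1b:9e:32:e4:de", "001b9e32e4de"):
        print(sample, raw_match(sample, keys), normalized_match(sample, keys))
```

If the rewrite policy is enabled while the file still holds dash-separated keys, only the normalised comparison keeps matching, so both sides need the same canonical form.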

