Greetings,
I hope you all had wonderful Christmas holidays!
So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern); however, from the
Radius -X output (which I attached here) it doesn't seem to authenticate
them the way I want.
Let me repeat my logic here: if the MAC addresses match the pattern, use
the User-Name (or Calling-station-ID, since I "rewrite" it to be the
same as the User-name) and the password (which is made to be the same as
the User-name as well) to authenticate the device.
However, it looks like my "if" conditions are all matched during the
process, yet they all returned "noop" instead of updating the
information I wanted them to.
Here are the configurations I made in the policy.conf and
sites-available/default files.
policy.conf:
policy {
    ...
    rewrite_calling_station_id {
        # Match the 00-A0-08 vendor prefix and capture the last three octets.
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            # Rewrite to the separator-free form the NAS sends as User-Name.
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}
sites-available/default:
authorize {
    ...
    rewrite_calling_station_id
    # MAC-auth request whose User-Name equals the (rewritten) Calling-Station-Id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-Id}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}
authenticate {
    ...
    Auth-Type Auth-NHSTB {
        # Only the CHAP branch sets a known-good password and checks it;
        # every other request falls through to the unconditional "ok".
        if (CHAP-Password) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
            chap
        }
        else {
            ok
        }
    }
}
It seems to me that the last "ok" authenticated the device, instead of
using "chap" and the "Cleartext-Password" that I assigned. Any ideas?
Thank you!
Guest-tek, Difan Zhao
[email protected]
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=45,
length=157
User-Name = "00a0080806bd"
User-Password = "00a0080806bd"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "00-1D-E5-9C-29-04"
Calling-Station-Id = "00-A0-08-08-06-BD"
Message-Authenticator = 0x7e1fb3874de8f8f7c98b237aa1778647
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = "FastEthernet1/0/2"
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
++++[request] returns noop
+++- if (request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding "if" was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~
/^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~
/^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = Auth-NHSTB
+- entering group Auth-NHSTB {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli
00a0080806BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 45 to 172.17.254.100 port 1645
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=38,
length=143
Acct-Session-Id = "000000F3"
User-Name = "00a0080806bd"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = "FastEthernet1/0/2"
Called-Station-Id = "00-1D-E5-9C-29-04"
Calling-Station-Id = "00-A0-08-08-06-BD"
Service-Type = Framed-User
NAS-IP-Address = 172.17.254.100
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address =
172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id =
"000000F3",User-Name = "00a0080806bd"'
[acct_unique] Acct-Unique-Session-ID = "b1dbb7cf9bb1fa32".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/172.17.254.100/detail-20091229
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radius/radacct/172.17.254.100/detail-20091229
[detail] expand: %t -> Tue Dec 29 10:37:23 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 00a0080806bd
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 00a0080806bd
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 38 to 172.17.254.100 port 1646
Finished request 2.
Cleaning up request 2 ID 38 with timestamp +28
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 1 ID 45 with timestamp +27
Ready to process requests.
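One way to make this flow verify the password for both PAP and CHAP requests, as an added example that is not the poster's configuration and not FreeRADIUS project code. It assumes FreeRADIUS 2.x unlang as used in the post, keeps the poster's policy name, vendor prefix and the "password equals User-Name" convention, and relies on the stock chap and pap modules being listed in authorize together with the default "Auth-Type PAP" / "Auth-Type CHAP" blocks in authenticate. The reason for the change is visible in the debug output above: the switch sent User-Password, not CHAP-Password, so "if (Chap-Password)" evaluated FALSE and the request fell through to "ok", which returns Access-Accept without comparing any password. Setting control:Cleartext-Password in authorize, before chap and pap run, lets those modules choose the Auth-Type and perform the comparison; a request that carries neither password attribute ends up with no Auth-Type and is rejected by the server rather than accepted. The anchored regex (^ and $) is also an addition.

```unlang
# Added example, not the poster's config: password check for PAP or CHAP.
# Assumes FreeRADIUS 2.x, the "chap" and "pap" modules, and the stock
# "Auth-Type PAP { pap }" / "Auth-Type CHAP { chap }" blocks in authenticate.

# policy.conf
policy {
    rewrite_calling_station_id {
        # Normalize 00-A0-08-XX-XX-XX to the separator-free form the NAS sends
        # as User-Name. Captures keep their original case (the debug log shows
        # 00a0080806BD), so the comparison in authorize must stay /i.
        if (request:Calling-Station-Id =~ /^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
    }
}

# sites-available/default
authorize {
    preprocess

    # Rewrite and set the known-good password BEFORE chap and pap, so those
    # modules can see control:Cleartext-Password and set Auth-Type themselves.
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-Id}$/i)) {
        update control {
            Cleartext-Password := "%{User-Name}"
        }
    }

    chap      # sets Auth-Type := CHAP when CHAP-Password is present
    mschap
    suffix
    eap
    files
    expiration
    logintime
    pap       # sets Auth-Type := PAP when User-Password is present
}

authenticate {
    # Stock blocks: each module compares the packet's password with
    # control:Cleartext-Password and returns reject on mismatch.
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    # A request with neither password attribute gets no Auth-Type here and is
    # rejected by the server; there is no unconditional "ok" branch.
}
```

With this layout the "[pap] WARNING! No "known good" password" line from the debug output disappears for matching MACs, because control:Cleartext-Password already exists when pap runs, and the "Login OK" line is only reached after the supplied password has actually been compared.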
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html