Hey guys,

Since I have asked so many questions regarding this topic, I guess you
all know my situation very well, so I won't go through the whole thing
again and will save your time!

So I found that if I add a "Default" line at the bottom of the users
file, like:

...
DEFAULT                Auth-Type = ntlm_auth

The server will always use ntlm for authentication... even though I have
updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached
both debug files. What should I do if I want a "Default" line in the
users file while still using the special authentication that I defined for
MAC authentication bypass? Thanks!

Policy.conf:

policy {
        ...
        rewrite_calling_station_id {
                if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                        update request {
                                Calling-Station-Id := "00a008%{1}%{2}%{3}"
                        }
                }
                else {
                        noop
                }
        }
}

Default:

authorize {
        ...
        rewrite_calling_station_id
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
                update control {
                        Auth-Type = 'Auth-NHSTB'
                }
        }
}

authenticate {
        ...
        Auth-Type Auth-NHSTB {
                if (request:User-Name == "%{request:User-Password}") {
                        ok
                }
                else {
                        reject
                }
        }
}

Guest-tek, Difan Zhao
[email protected]
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, 
length=157
        User-Name = "00a0080806bd"
        User-Password = "00a0080806bd"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-04"
        Calling-Station-Id = "00-A0-08-08-06-BD"
        Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
++++[request] returns noop
+++- if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding "if" was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> 
--username=00a0080806bd
[ntlm_auth]     expand: --password=%{User-Password} -> --password=00a0080806bd
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 
cli 00a0080806BD)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=7, 
length=157
        User-Name = "00a0080806bd"
        User-Password = "00a0080806bd"
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-04"
        Calling-Station-Id = "00-A0-08-08-06-BD"
        Message-Authenticator = 0x924920ee1dcab0807208fc198544ede8
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = "FastEthernet1/0/2"
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "00a0080806bd", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
++++[request] returns noop
+++- if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 26: Preceding "if" was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = Auth-NHSTB
+- entering group Auth-NHSTB {...}
++? if (request:User-Name == "%{request:User-Password}")
        expand: %{request:User-Password} -> 00a0080806bd
? Evaluating (request:User-Name == "%{request:User-Password}") -> TRUE
++? if (request:User-Name == "%{request:User-Password}") -> TRUE
++- entering if (request:User-Name == "%{request:User-Password}") {...}
+++[ok] returns ok
++- if (request:User-Name == "%{request:User-Password}") returns ok
++ ... skipping else for request 26: Preceding "if" was taken
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 
00a0080806BD)
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Auth-Type == 'Auth-NHSTB')
? Evaluating (control:Auth-Type == 'Auth-NHSTB') -> TRUE
++? if (control:Auth-Type == 'Auth-NHSTB') -> TRUE
++- entering if (control:Auth-Type == 'Auth-NHSTB') {...}
+++[reply] returns noop
++- if (control:Auth-Type == 'Auth-NHSTB') returns noop
Sending Access-Accept of id 7 to 172.17.254.100 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "20"
Finished request 26.
Going to the next request
Waking up in 4.9 seconds.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
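The two debug runs quoted in the post show where the DEFAULT entry wins. In the first run `[files] users: Matched entry DEFAULT` loads the check item `Auth-Type = ntlm_auth` into the control list, and the later `update control { Auth-Type = 'Auth-NHSTB' }` uses the unlang `=` operator, which only adds an attribute that is not already in the list; the result is `+++[control] returns noop` followed by `Found Auth-Type = ntlm_auth`. In the second run the DEFAULT entry is gone (`++[files] returns noop`), so the same update takes effect and `Found Auth-Type = Auth-NHSTB` appears. The `:=` operator sets the attribute and replaces any existing value, so it overrides what the users file put there. The configuration below is an added example, not the poster's own files: it keeps the poster's policy name, Auth-Type name and users-file DEFAULT line, takes the authorize module order from the debug output, and changes only the operator (plus the stray `[` in the regex groups, which made each bracket expression also match a literal `[`).

```unlang
# Added example (not the poster's configuration). Assumes FreeRADIUS 2.x
# unlang as in the debug output, with the users file still ending in:
#
#   DEFAULT                Auth-Type = ntlm_auth
#
# The files module loads that check item into the control list before the
# MAB policy runs, so the policy must use ':=' (set, replacing an existing
# value) rather than '=' (add only when the attribute is absent).

# policy.conf
policy {
        rewrite_calling_station_id {
                # Normalise "00-A0-08-xx-xx-xx" to "00a008xxxxxx". The extra '['
                # from the poster's groups ("[[0-9A-F]") is dropped here.
                if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
                        update request {
                                Calling-Station-Id := "00a008%{1}%{2}%{3}"
                        }
                }
                else {
                        noop
                }
        }
}

# sites-enabled/default
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        unix
        files          # matches DEFAULT -> control:Auth-Type = ntlm_auth
        expiration
        logintime
        pap
        rewrite_calling_station_id

        # Switch-initiated MAB only: Call-Check service type and a User-Name
        # equal to the normalised Calling-Station-Id.
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
                update control {
                        # ':=' replaces the Auth-Type the DEFAULT entry set.
                        # With '=' this update is a no-op whenever files has
                        # already set Auth-Type, which is exactly what the
                        # first debug run shows ("[control] returns noop",
                        # "Found Auth-Type = ntlm_auth").
                        Auth-Type := 'Auth-NHSTB'
                }
        }
}

authenticate {
        # Needed for the DEFAULT entry: the debug output shows the
        # ntlm_auth module being run under this Auth-Type.
        Auth-Type ntlm_auth {
                ntlm_auth
        }

        # Unchanged from the post.
        Auth-Type Auth-NHSTB {
                if (request:User-Name == "%{request:User-Password}") {
                        ok
                }
                else {
                        reject
                }
        }
}
```

To confirm the change, run `radiusd -X` and send the same Call-Check request: the run should still show `[files] users: Matched entry DEFAULT` (so ordinary users keep going to ntlm_auth), but the control update should now report `returns ok` instead of `noop` and be followed by `Found Auth-Type = Auth-NHSTB`. Because this path accepts a device on nothing more than its MAC address, keep the `Service-Type == 'Call-Check'` condition so that only switch-initiated MAB requests reach it, and keep the restricted VLAN that the post-auth section assigns for `Auth-NHSTB` in the second debug run (`Tunnel-Private-Group-Id = "20"`).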