Hi,
In my previous mail while asking for help, I did not fully explain what
I wanted to configure.
So here goes: I want to configure freeradius to setup MAC based
authentication for laptops and hand held devices in my organization.
My first preference is to make it purely MAC based and paswordless.
I have installed freeradius2 (debug output and conf files pasted below).
For testing, I configured the NAS to use "WPA Radius", and gave it my
radius servers IP and secret.
When I select the SSID, the laptop pops up a window asking for usename,
password and logon domain. (is there a way to avoid this?)
I see that authorized_macs.authorize returns noop. But why, I don't
understand.
Because I want just CSID auth, I commented out the eap in default
authorize{}. Is that my mistake?
Here is the debug output.
------ Debug output:
rad_recv: Access-Request packet from host 192.168.55.107 port 3072,
id=35, length=175
User-Name = "TEST\\test"
NAS-IP-Address = 192.168.55.107
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01544553545c74657374
Message-Authenticator = 0x0fc7203c788350352965da25a7a1049e
+- entering group authorize {...}
++[control] returns notfound
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
+- entering group post-auth {...}
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') -> TRUE
++? if (control:Auth-Type == 'CSID') -> TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs] expand: %{Calling-Station-ID} -> 001a734337c9
+++[authorized_macs.authorize] returns noop
+++? if (!ok)
? Evaluating !(ok) -> TRUE
+++? if (!ok) -> TRUE
+++- entering if (!ok) {...}
++++[reject] returns reject
+++- if (!ok) returns reject
++- if (control:Auth-Type == 'CSID') returns reject
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform
requested action.
Ready to process requests.
---- cat raddb/sites-available/default
authorize {
#eap
update control {
Auth-Type = 'CSID'
}
}
authenticate {
Auth-Type CSID {
if(Chap-Password){
update control {
Cleartext-Password := "%{User-Name}"
}
chap
}
else{
ok
}
}
}
post-auth {
if(control:Auth-Type == 'CSID'){
# Authorization happens here
authorized_macs.authorize
if(!ok){
reject
}
}
}
---- cat raddb/modules/file ------
files authorized_macs {
key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
compat = no
}
---- cat raddb/authorized_macs ---
001a734337c9 Reply-Message = "OK.."
What is the mistake I am doing?
Thanks a lot!
Nagaraj
Phil Mayers wrote:
On 06/01/11 12:48, Nagaraj Panyam wrote:
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am
unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered? if () unlang statements
in the "authenticate" section and calling a module .authorize method
in post-auth don't seem necessary?
Anyone who wrote the page, and why it uses that method?
requesting for help!
It correctly sets Auth-Type to CSID. but authorized_macs.authorize]
returns noop
I have pasted debug output and the relevant files below.
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072,
id=62, length=175
User-Name = "TEST\\test"
NAS-IP-Address = 158.144.55.107
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01544553545c74657374
Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
This is not a mac-auth request. It's an EAP request, likely from an
802.11 wireless point using WPA-Enterprise.
You can't mac-auth EAP.
Start by describing what you want to do please.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
+----------------------------------+--------------------------------------+
Nagaraj Panyam | Office tel: +91-22-22782126
Dept of High Energy Physics | Office fax: +91-22-22804610
Tata Instt. of Fundamental Research| Home tel : +91-22-22804936
Mumbai - 400 005, INDIA | **Email** : [email protected]
+----------------------------------+--------------------------------------+
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
