Re: MAC Auth (new problem)
I can't possibly imagine that there can be any reason for not adding mac address as another user apart from being lazy.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, Leigh Martell leigh.mart...@gmail.com wrote:
> I completely agree with you! I am still curious as to why adding a user is not an option though. Hopefully we will be enlightened as to why it is not an option.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC Auth (new problem)
Ok... Thank you Ivan. I can't change my system but I can make scripts in my Linux Box that could make this happen.

t...@kalik.net wrote:
> Or fill with a single sql statement:
>
> INSERT INTO radcheck (username, op, attribute, value)
> SELECT value, ':=' AS op, Cleartext-Password (or Auth-Type) AS attribute, that fixed password (or Accept - if you don't want to check mac passwords and opt for auth type) AS value
> FROM radcheck WHERE attribute='Calling-Station-Id'
>
> probably should add ON DUPLICATE blah, blah in order to prevent duplication of mac-as-user entries.
>
> Nataniel, populating this is trivial stuff. You should really put your effort into creating a proper user database. If your AP is going to ask for user nicknames and mac addresses as usernames, your database should provide them - as usernames.
>
> Ivan Kalik
> Kalik Informatika ISP

-- 
Regards,
NATANIEL KLUG
n...@cnett.com.br
READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/
Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290
... even the wise have a tangible heart and can, at times, use science as a means of showing sentimental impressions that many would not think them capable of. Visconde de Taunay
Re: MAC Auth (new problem)
Look, you can make a solution that will work for this specific case. And then you get a new AP that sends the mac address with different delimiters. Or even worse - no delimiters at all. What then? Don't go the route that will fail you in the future. Create a solution that will work. Every time and with any equipment. That means creating an additional user entry where username will be mac address; mac address in the database shouldn't have delimiters (both as usernames and ones stored as calling station ids in user profile); you should rewrite mac address format(s) matching usernames and calling station ids and strip out delimiters from them in hints file. That's what you should do.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, Nataniel Klug n...@cnett.com.br wrote:
> Leigh and Ivan,
>
> I have a system that works on my WISP and this program is not hackable (economic reasons -- this would cost too much to alter). As I already have all my clients' MAC addresses in the radcheck table (as a value for Calling-Station-Id), why can't I use this MAC to authenticate it in my NAS/AP? This is my question. Why can't I look for the MAC in another column besides the Username column? There should be some way cheaper for me...
Re: MAC Auth (new problem)
I would like to have this easy configuration but this is not possible at the moment. Lazy = spend a lot of money... yes I am lazy... ;)

t...@kalik.net wrote:
> I can't possibly imagine that there can be any reason for not adding mac address as another user apart from being lazy.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
That SQL statement looks scary but it's not that bad. You can play with the SELECT part until you get the data you want and then just add the INSERT bit in front and populate the database.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, Nataniel Klug n...@cnett.com.br wrote:
> Ok... Thank you Ivan. I can't change my system but I can make scripts in my Linux Box that could make this happen.
Re: MAC Auth (new problem)
Or fill with a single sql statement:

INSERT INTO radcheck (username, op, attribute, value)
SELECT value, ':=' AS op, Cleartext-Password (or Auth-Type) AS attribute, that fixed password (or Accept - if you don't want to check mac passwords and opt for auth type) AS value
FROM radcheck WHERE attribute='Calling-Station-Id'

probably should add ON DUPLICATE blah, blah in order to prevent duplication of mac-as-user entries.

Nataniel, populating this is trivial stuff. You should really put your effort into creating a proper user database. If your AP is going to ask for user nicknames and mac addresses as usernames, your database should provide them - as usernames.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, Alan DeKok al...@deployingradius.com wrote:
> Nataniel Klug wrote:
>> I would like to have this easy configuration but this is not possible at the moment. Lazy = spend a lot of money...
>
> Nonsense. A short Perl script could walk through your existing DB, and re-write entries into another table, or add new entries to an existing table.
>
> Alan DeKok.
Re: MAC Auth (new problem)
Nataniel Klug wrote:
> I would like to have this easy configuration but this is not possible at the moment. Lazy = spend a lot of money...

Nonsense. A short Perl script could walk through your existing DB, and re-write entries into another table, or add new entries to an existing table.

Alan DeKok.
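Alan's "short Perl script" and Ivan's INSERT ... SELECT above do the same job; this added example (not from the thread, and not FreeRADIUS project code) does it in Python against an in-memory SQLite copy of the radcheck layout shown in the thread, and applies the delimiter stripping Ivan recommends so that every AP's MAC format maps to one stored username. The sample rows, the extra subscriber names and the malformed row are constructed; the fixed MAC password is the one visible in the debug output, and the request-side rewrite (hints file) is assumed to produce the same canonical form as normalise_mac below.

```python
import re
import sqlite3

# Constructed sample rows: (id, UserName, Attribute, op, Value). The third
# subscriber's Calling-Station-Id is deliberately malformed.
SAMPLE_RADCHECK = [
    (796,  "marmatec", "Cleartext-Password", ":=", "654321"),
    (1886, "marmatec", "Calling-Station-Id", "==", "00:19:79:0F:98:3D"),
    (2001, "jdoe",     "Cleartext-Password", ":=", "hunter2"),
    (2002, "jdoe",     "Calling-Station-Id", "==", "00-1A-2B-3C-4D-5E"),
    (2003, "broken",   "Calling-Station-Id", "==", "not-a-mac"),
]


def normalise_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one.

    APs send 00:19:79:0F:98:3D, 00-19-79-0f-98-3d, 0019.790f.983d or bare
    hex; storing one canonical form (and rewriting the request to the same
    form in the hints file) is what makes the lookup AP-independent.
    """
    hexonly = re.sub(r"[:.\-\s]", "", raw).lower()
    return hexonly if re.fullmatch(r"[0-9a-f]{12}", hexonly) else None


def load_radcheck(rows):
    """Create a radcheck table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY, username TEXT NOT NULL,"
        " attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL)"
    )
    # One row per (username, attribute): re-running the population is a
    # no-op, which is what Ivan's "ON DUPLICATE blah, blah" is there for.
    conn.execute(
        "CREATE UNIQUE INDEX radcheck_user_attr ON radcheck (username, attribute)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def add_mac_users(conn, mac_password=None):
    """Add one username entry per stored Calling-Station-Id.

    mac_password=None  -> Auth-Type := Accept (no password check)
    mac_password="..." -> Cleartext-Password := the fixed password the AP
                          sends for every MAC
    Returns (rows_added, rows_skipped).
    """
    if mac_password is None:
        attribute, value = "Auth-Type", "Accept"
    else:
        attribute, value = "Cleartext-Password", mac_password

    added = skipped = 0
    macs = conn.execute(
        "SELECT value FROM radcheck WHERE attribute = 'Calling-Station-Id'"
    ).fetchall()
    for (raw,) in macs:
        mac = normalise_mac(raw)
        if mac is None:
            skipped += 1  # never turn a malformed value into a login name
            continue
        # INSERT OR IGNORE is SQLite's counterpart of MySQL's ON DUPLICATE KEY.
        cur = conn.execute(
            "INSERT OR IGNORE INTO radcheck (username, attribute, op, value)"
            " VALUES (?, ?, ':=', ?)",
            (mac, attribute, value),
        )
        added += cur.rowcount  # 0 when the row already existed
    conn.commit()
    return added, skipped


def authorize_lookup(conn, request_username):
    """The stock dialup.conf check query: match on username, not on value.

    The request User-Name is canonicalised the same way the stored names
    were, standing in for the hints-file rewrite on the server.
    """
    key = normalise_mac(request_username) or request_username
    return conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?"
        " ORDER BY id",
        (key,),
    ).fetchall()


if __name__ == "__main__":
    db = load_radcheck(SAMPLE_RADCHECK)
    print("added/skipped:", add_mac_users(db, "cnett1298"))
    for name in ("00:19:79:0F:98:3D", "00-1a-2b-3c-4d-5e", "marmatec", "not-a-mac"):
        print(name, "->", authorize_lookup(db, name))
```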
Re: MAC Auth (new problem)
Now someone who could help... hehehehehe... A Perl script is something I don't know how to make, but I will learn it.

Alan DeKok wrote:
> Nataniel Klug wrote:
>> I would like to have this easy configuration but this is not possible at the moment. Lazy = spend a lot of money...
>
> Nonsense. A short Perl script could walk through your existing DB, and re-write entries into another table, or add new entries to an existing table.
>
> Alan DeKok.
Re: MAC Auth (new problem)
Ivan,

Thank you. I will try to think about how I can do this.

t...@kalik.net wrote:
> Look, you can make a solution that will work for this specific case. And then you get a new AP that sends the mac address with different delimiters. Or even worse - no delimiters at all. What then? Don't go the route that will fail you in the future. Create a solution that will work. Every time and with any equipment. That means creating an additional user entry where username will be mac address; mac address in the database shouldn't have delimiters (both as usernames and ones stored as calling station ids in user profile); you should rewrite mac address format(s) matching usernames and calling station ids and strip out delimiters from them in hints file. That's what you should do.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3, length=69
>         User-Name = "00:19:79:0F:98:3D"
>         User-Password = "cnett1298"
>         NAS-IP-Address = 172.30.0.165
>         NAS-Port = 0
> server proxim {
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [suffix] No '@' in User-Name = "00:19:79:0F:98:3D", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [sql_ap2000]    expand: %{User-Name} -> 00:19:79:0F:98:3D
> [sql_ap2000] sql_set_user escaped user --> '00:19:79:0F:98:3D'
> rlm_sql (sql_ap2000): Reserving sql socket id: 4
> [sql_ap2000]    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE value = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE value = '00:19:79:0F:98:3D' ORDER BY id
> [sql_ap2000]    expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '00:19:79:0F:98:3D' ORDER BY priority
> rlm_sql (sql_ap2000): Released sql socket id: 4
> [sql_ap2000] User 00:19:79:0F:98:3D not found
> ++[sql_ap2000] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Login incorrect: [00:19:79:0F:98:3D/cnett1298] (from client ap2000 port 0)
> } # server proxim
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 3 to 172.30.0.165 port 6001
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 3 with timestamp +29
> Ready to process requests.
>
> This user (MAC) exists and it's in radcheck like this:
>
> mysql> SELECT * FROM radcheck WHERE Username='marmatec';
> +------+----------+--------------------+----+-------------------+--------+------+
> | id   | UserName | Attribute          | op | Value             | numero | obs  |
> +------+----------+--------------------+----+-------------------+--------+------+
> |  796 | marmatec | Cleartext-Password | := | 654321            | 00923  |      |
> | 1886 | marmatec | Calling-Station-Id | == | 00:19:79:0F:98:3D | 00923  | NULL |
> +------+----------+--------------------+----+-------------------+--------+------+
>
> On mysql/sql/ap2000.conf (copy of the dialup.conf file) I just changed this in the authorize section:
>
>     WHERE value = '%{SQL-User-Name}' \
>
> I really don't know how to make this work. Can someone help me?

Let's try again: put the mac address into the radcheck table as the UserName field. Without that mac authentication is not going to work. If your administration system has something against it, throw it away and write another one yourself. Or use dialup admin (comes with the server) or something like daloRadius.

Ivan Kalik
Kalik Informatika ISP
Re: MAC Auth (new problem)
Ivan,

I can just throw it away... and I still need this to work. There should be some way to make this happen...

t...@kalik.net wrote:
> Let's try again: put the mac address into the radcheck table as the UserName field. Without that mac authentication is not going to work. If your administration system has something against it, throw it away and write another one yourself. Or use dialup admin (comes with the server) or something like daloRadius.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
> I can just throw it away... and I still need this to work. There should be some way to make this happen...

How many times does someone need to tell you: PUT MAC ADDRESS AS USERNAME IN RADCHECK TABLE!

Ivan Kalik
Kalik Informatika ISP
Re: MAC Auth (new problem)
I am not wanting to do MAC filtering from the AP.. That is why it is not in the username FIELD.

You don't have to be an ass about it.

On Mon, Dec 15, 2008 at 2:14 PM, t...@kalik.net wrote:
>> I can just throw it away... and I still need this to work. There should be some way to make this happen...
>
> How many times does someone need to tell you: PUT MAC ADDRESS AS USERNAME IN RADCHECK TABLE!
>
> Ivan Kalik
> Kalik Informatika ISP

-- 
Justin A Williams
Re: MAC Auth (new problem)
> I am not wanting to do MAC filtering from the AP.. That is why it is not in the username FIELD.

Ahem:

rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3, length=69
        User-Name = "00:19:79:0F:98:3D"
        User-Password = "cnett1298"
        NAS-IP-Address = 172.30.0.165
        NAS-Port = 0

So what is in the username field then? You might not want to - but your NAS does. You are doing MAC authentication (or filtering if you like that term better). When you do that, mac address is sent as username. Perhaps you should read your NAS manual and learn how to use the equipment.

Ivan Kalik
Kalik Informatika ISP
Re: MAC Auth (new problem)
And how many times do I have to say: I CAN'T PUT MAC IN USERNAME FIELD! You are always helping people here but, if you can't, don't answer rudely!

t...@kalik.net wrote:
>> I can just throw it away... and I still need this to work. There should be some way to make this happen...
>
> How many times does someone need to tell you: PUT MAC ADDRESS AS USERNAME IN RADCHECK TABLE!
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
Ivan,

In my case I can't look for the MAC in the Username field and I have to look for that MAC in the Value field. Hope there is a way to make this happen.

t...@kalik.net wrote:
>> I am not wanting to do MAC filtering from the AP.. That is why it is not in the username FIELD.
>
> Ahem:
>
> rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3, length=69
>         User-Name = "00:19:79:0F:98:3D"
>         User-Password = "cnett1298"
>         NAS-IP-Address = 172.30.0.165
>         NAS-Port = 0
>
> So what is in the username field then? You might not want to - but your NAS does. You are doing MAC authentication (or filtering if you like that term better). When you do that, mac address is sent as username. Perhaps you should read your NAS manual and learn how to use the equipment.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
Well that's not entirely true; you can create an association table (if that's the right term) which has id, username, mac and then edit your query with some joins and additional magic... I would not suggest this but it is possible, just very messy. I would highly recommend doing this the traditional way... at least if you value your sanity ;-).

-- 
Leigh

On Mon, Dec 15, 2008 at 4:22 PM, t...@kalik.net wrote:
>> In my case I can't look for the MAC in the Username field and I have to look for that MAC in the Value field. Hope there is a way to make this happen.
>
> You don't seem to get the problem. You have set up your AP to do mac authentication. When you do that, mac address is sent in the username field. If you don't want that, don't set your AP to do mac auth. Set it to do user authentication. When you are doing user auth, mac address should appear as Calling-Station-Id (should). There is *nothing* you can do in freeradius that will make your AP do this. You have to configure the AP to do that.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: MAC Auth (new problem)
Nataniel Klug wrote:
> In my case I can't look for the MAC in the Username field and I have to look for that MAC in the Value field. Hope there is a way to make this happen.
Re: MAC Auth (new problem)
Maybe I don't completely understand the issue; can you give us some background as to why you can't? Or a little more detail on your setup. I originally assumed you had to look in the value field because of other authentications you do with that user name... but as I think about it more I just get confused.

On Mon, Dec 15, 2008 at 4:36 PM, Alan DeKok al...@deployingradius.com wrote:
> Nataniel Klug wrote:
>> In my case I can't look for the MAC in the Username field and I have to look for that MAC in the Value field. Hope there is a way to make this happen.
Re: MAC Auth (new problem)
To be fair, there probably is a way to create an unlang hack (are we going to advocate unlang auth now) that can tie up mac address from the user entry with the one in the mac auth request (regexp check if username is mac address; if it is, see if there is such mac address in the database and force Auth-Type Accept; there was some mention of the password, but that can be sorted as well) without breaking everything else on the server. But why? If you can create a user entry and add mac address as an attribute value, it requires minimal effort on the user admin side to create an entry with mac address as username value at the same time. A simple additional insert. Even if it is a closed code solution that you can't change, you can always make two entries - one for the user as username and one with mac address as username.

Be honest, if your user admin application can't do what you want, should you:
- hack your radius server?
- hack your user admin application?

It is credit to the quality and flexibility of Freeradius that messing with the radius server comes up as an option at all.

Ivan Kalik
Kalik Informatika ISP

On 15/12/2008, Leigh Martell leigh.mart...@gmail.com wrote:
> Well that's not entirely true; you can create an association table (if that's the right term) which has id, username, mac and then edit your query with some joins and additional magic... I would not suggest this but it is possible, just very messy. I would highly recommend doing this the traditional way... at least if you value your sanity ;-).
Re: MAC Auth (new problem)
I completely agree with you! I am still curious as to why adding a user is not an option, though. Hopefully we will be enlightened as to why it is not an option.

2008/12/15 t...@kalik.net
Re: MAC Auth (new problem)
Leigh and Ivan,

I have a system that works on my WISP and this program is not hackable (economic reasons -- this would cost too much to alter). As I already have all my clients' MAC addresses in the radcheck table (as a value for Calling-Station-Id), why can't I use this MAC to authenticate them in my NAS/AP? This is my question. Why can't I look for the MAC in another column besides the Username column? There should be some cheaper way for me...

Leigh Martell wrote:

I completely agree with you! I am still curious as to why adding a user is not an option, though. Hopefully we will be enlightened as to why it is not an option.

2008/12/15 t...@kalik.net

- hack your radius server?
- hack your user admin application?

It is a credit to the quality and flexibility of FreeRADIUS that messing with the radius server comes up as an option at all.

Ivan Kalik
Kalik Informatika ISP

--
Att,
NATANIEL KLUG
n...@cnett.com.br
READ NATA'S DAY-TO-DAY: http://nataklug.blogspot.com/
Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290
"... even the wise possess a tangible heart and can, at times, use science as a means of demonstrating sentimental impressions of which many do not judge them capable." Visconde de Taunay
Re: MAC Auth (new problem)
Does your WISP run off this same instance of FreeRADIUS or just use a common database?

To elaborate on the dilemma: if you configure your FreeRADIUS to check the attribute column for the MAC address, how would you find the user's password, since that is associated with the real username, not the user's attribute? See the issue? By no means am I saying this is impossible, but I am saying it would be messy/complex to do such a thing, as you would have to set the authenticate query to grab the MAC address to return a real user name to retrieve the remainder of the user attributes.

My suggestion is to not hack a way for it to work but figure out a clean way to associate MAC addresses with a user account. You may be able to do this by modifying the DB schema and using IDs as pointers (not fun or efficient), but this is obviously not an option for you, so that would then bring you back to using unlang (can't really help you here) or an rlm_perl script (both of these methods should work, but with more overhead than I would feel comfortable with).

Listen to Ivan... he is a lot smarter than me, just not always as polite :-p, but he always makes very good points.

The last thing I have to say is that the immediately cheaper way is not always the best way; invest in doing things right and find an appropriate middle ground. Anyway, I hope we have helped point you in somewhat of the right direction... you have a lot of late nights ahead of you, so take care.

-- Leigh

2008/12/15 Nataniel Klug n...@cnett.com.br
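The lookup the thread keeps circling around (Ivan's unlang sketch: is the username a MAC, is that MAC in the database, force Auth-Type Accept; Leigh's join against an association table; Nataniel's radcheck rows that hold the MAC as a Calling-Station-Id value; and Leigh's point that the password belongs to the real username, not to the MAC), written out as an added example. It is not code from the thread or from FreeRADIUS. It simulates the stock radcheck table shape in an in-memory SQLite database with constructed rows, normalises MAC formats on both sides (the NAS may send 00:19:79:0F:98:3D while the admin application stored 00-19-79-0f-98-3d), maps the MAC back to the real username so the rest of that user's check items can be fetched, and rejects when a MAC is unknown or tied to more than one account. Function names, sample data and the request dictionary are this example's own assumptions. Two things it makes explicit that the thread only alludes to: the accept path verifies nothing but the MAC, which the NAS sends in the clear and any client can set, so it is no stronger than MAC filtering on the AP; and the "is it a MAC?" test is a heuristic on the username's shape, so a real subscriber name that happens to be twelve hex digits would be sent down the MAC path.

```python
"""Added example (not from the thread, not FreeRADIUS code): map a MAC-auth
Access-Request, whose User-Name is the MAC, back to the real subscriber by
searching the radcheck value column, the way the thread discusses."""
import re
import sqlite3

# Forms a NAS commonly puts in User-Name for MAC auth (assumption: no Cisco
# dotted form): 00:19:79:0F:98:3D, 00-19-79-0f-98-3d, 0019790F983D.
# Caveat: any twelve-hex-digit username also matches this heuristic.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-]?[0-9a-f]{2}){5}$", re.I)


def normalise_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    s = text.strip()
    if not MAC_RE.match(s):
        return None
    return re.sub(r"[:-]", "", s).lower()


# Column layout of FreeRADIUS's radcheck table (id, username, attribute, op, value).
SCHEMA = """CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op TEXT NOT NULL,
    value TEXT NOT NULL)"""

# Constructed sample rows. Each subscriber has a password and a
# Calling-Station-Id check item stored in whatever format the admin
# application happened to use. alice and bob deliberately share a MAC.
SAMPLE_ROWS = [
    ("nata",  "Cleartext-Password", ":=", "s3cret-nata"),
    ("nata",  "Calling-Station-Id", "==", "00:19:79:0F:98:3D"),
    ("leigh", "Cleartext-Password", ":=", "s3cret-leigh"),
    ("leigh", "Calling-Station-Id", "==", "00-1a-2b-3c-4d-5e"),
    ("alice", "Calling-Station-Id", "==", "aa:bb:cc:dd:ee:ff"),
    ("bob",   "Calling-Station-Id", "==", "AABBCCDDEEFF"),
]


def build_db():
    """In-memory stand-in for the radcheck table, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    return conn


# The "additional magic": normalise the stored value on the SQL side so it
# compares against the normalised MAC taken from the request.
USER_FOR_MAC_SQL = """SELECT DISTINCT username FROM radcheck
 WHERE attribute = 'Calling-Station-Id'
   AND lower(replace(replace(value, ':', ''), '-', '')) = ?"""

CHECK_ITEMS_SQL = """SELECT attribute, op, value FROM radcheck
 WHERE username = ? ORDER BY id"""


def users_for_mac(conn, mac):
    """All usernames whose Calling-Station-Id check item equals this MAC."""
    return [row[0] for row in conn.execute(USER_FOR_MAC_SQL, (mac,))]


def authorize(conn, request):
    """Decide an Access-Request the way the unlang sketch in the thread would.
    request: dict of RADIUS attributes, e.g. {"User-Name": "...", ...}.
    Returns (decision, username, check_items)."""
    user_name = request.get("User-Name", "")
    mac = normalise_mac(user_name)
    if mac is None:
        # Not a MAC-auth request: fall through to the normal password path.
        return ("fallthrough", user_name,
                list(conn.execute(CHECK_ITEMS_SQL, (user_name,))))
    # If the NAS also sent Calling-Station-Id, it must agree with User-Name.
    csid = request.get("Calling-Station-Id")
    if csid is not None and normalise_mac(csid) != mac:
        return ("reject", None, [])
    users = users_for_mac(conn, mac)
    if len(users) != 1:
        # Unknown MAC, or one MAC tied to several accounts: nobody to bill.
        return ("reject", None, [])
    real_user = users[0]
    # This is the "force Auth-Type Accept" step: the only thing verified is
    # the MAC, which is sent in the clear and is trivially spoofed. The
    # User-Password in a MAC-auth request is whatever the AP was configured
    # to send, not the subscriber's password, so it is not compared against
    # the Cleartext-Password row returned here.
    return ("accept", real_user,
            list(conn.execute(CHECK_ITEMS_SQL, (real_user,))))


if __name__ == "__main__":
    db = build_db()
    # The User-Name from the debug trace quoted in the thread.
    print(authorize(db, {"User-Name": "00:19:79:0F:98:3D"}))
    print(authorize(db, {"User-Name": "nata"}))
```

Run it directly to see the decision for the User-Name from the trace; in a real deployment the SQL would go into the sql module's authorize_check_query and the MAC test into an unlang block keyed on which NAS sent the request, not on the shape of the username.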