(RADIATOR) MAC address filtering?
Jim Michael
JMichael at chesterfield.mo.us
Tue Jan 25 10:21:38 CST 2005
Hi Hugh-
I think we're getting closer! (but still not working). Now it appears
that the mac address as listed in my addresses.mac file is not accepted.
Could the format of the address be wrong? I see that my AP has various
options for the format (e.g. xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx,
xx:xx:xx:xx:xx:xx, etc.). I have it configured currently for no
separators, just the raw mac address. Below is the exact contents of my
addresses.mac file again, as well as the log and my exact current config
(in case you see a typo). You can see that the mac address in the file
is identical to the one in the log for calling-station-id, so I know it
is correct. Just not sure what else is wrong!
Jim
# CONTENTS OF addresses.mac
000bcd5a0861 Auth-Type = Accept
START OF LOG
Tue Jan 25 10:07:25 2005: DEBUG: Finished reading configuration file '/etc/radiator/coc.cfg'
Tue Jan 25 10:07:25 2005: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue Jan 25 10:07:25 2005: DEBUG: Creating authentication port 0.0.0.0:1812
Tue Jan 25 10:07:25 2005: DEBUG: Creating accounting port 0.0.0.0:1813
Tue Jan 25 10:07:25 2005: NOTICE: Server started: Radiator 3.11 on suser (LOCKED)
Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
*** Received from 192.168.10.41 port 1048 ....
Code: Access-Request
Identifier: 11
Authentic: lKlKlKlKlKlKlKlK
Attributes:
	NAS-IP-Address = 192.168.10.41
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-Port = 1
	Framed-MTU = 1400
	User-Name = "anonymous"
	Calling-Station-Id = "000bcd5a0861"
	Called-Station-Id = "000d9df60559"
	NAS-Identifier = "Enterprise AP"
	EAP-Message = <2><1><0><14><1>anonymous
	Message-Authenticator = <14>#<211>Z<138>+1<151>}~*M<138>[5<161>
Tue Jan 25 10:07:35 2005: DEBUG: Handling request with Handler ''
Tue Jan 25 10:07:35 2005: DEBUG: Deleting session for anonymous, 192.168.10.41, 1
Tue Jan 25 10:07:35 2005: DEBUG: Handling with Radius::AuthFILE: CheckMACAddress
Tue Jan 25 10:07:35 2005: DEBUG: Handling with EAP: code 2, 1, 14
Tue Jan 25 10:07:35 2005: DEBUG: Response type 1
Tue Jan 25 10:07:35 2005: DEBUG: EAP result: 1, EAP authentication is not permitted.
Tue Jan 25 10:07:35 2005: INFO: Access rejected for anonymous: EAP authentication is not permitted.
Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
*** Sending to 192.168.10.41 port 1048 ....
Code: Access-Reject
Identifier: 11
Authentic: lKlKlKlKlKlKlKlK
Attributes:
	Reply-Message = "Request Denied"
END OF LOG
START OF CONFIG
AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
Trace 4

<Client DEFAULT>
	Secret xxxxxxxxxx
	DupInterval 0
</Client>

<AuthBy FILE>
	Identifier CheckMACAddress
	Filename /etc/radiator/addresses.mac
	AuthenticateAttribute Calling-Station-Id
</AuthBy>

<AuthBy LDAP2>
	Identifier CheckLDAP
	Host ren.chesterfield.mo.us
	AuthDN cn=admin,o=coc
	AuthPassword xxxxxxxxxx
	BaseDN ou=Users,o=Private
	UsernameAttr cn
	ServerChecksPassword
	SearchFilter (&(cn=%1)(cocWLANAllowed=true))
</AuthBy>

<Handler TunnelledByTTLS=1>
	AuthBy CheckLDAP
</Handler>

<Handler>
	AuthByPolicy ContinueWhileAccept
	AuthBy CheckMACAddress
	<AuthBy FILE>
		Filename /etc/radiator/users
		EAPType TTLS
		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword locutusofborg
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>
</Handler>
END OF CONFIG
>>> Hugh Irvine <hugh at open.com.au> 1/24/2005 6:40:34 PM >>>
Hello Jim -
Thanks for sending the configuration and debug - it helps enormously.
The problem is that the Called-Station-Id / Calling-Station-Id are not
included in the inner request.
Therefore here is an alternative configuration - note the changed
addresses.mac file and the changed configuration file.
Please let me know how you get on.
regards
Hugh
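Jim's question about MAC formats (raw, dash- or colon-separated) is a common source of silent mismatches between what the access point puts in Calling-Station-Id and what sits in the allowlist file, and the log above records the reject reason as "EAP authentication is not permitted" rather than a lookup failure. The following script is an added example for checking such a file offline; it is not code from the thread or from Radiator. It assumes an allowlist in the one-entry-per-line layout of the quoted addresses.mac file (MAC followed by check items) and a packet-dump excerpt in the layout of the debug log; both inputs are constructed samples embedded in the block, and the normalization it performs is the script's own, not a claim about how Radiator's AuthBy FILE matches the attribute.

```python
"""Normalize Calling-Station-Id values and check them against a MAC allowlist.

Added example (not from the mailing-list thread or from Radiator). Assumes the
allowlist uses the same layout as the quoted addresses.mac file: one MAC per
line followed by check items. Normalization here is this script's own.
"""
import re

# Constructed allowlist in the layout of the quoted addresses.mac file.
ADDRESSES_MAC = """\
# CONTENTS OF addresses.mac (constructed sample)
000bcd5a0861 Auth-Type = Accept
00-0D-9D-F6-05-59 Auth-Type = Accept
"""

# Constructed attribute list in the layout of the Radiator debug packet dump.
PACKET_DUMP = """\
Attributes:
	NAS-IP-Address = 192.168.10.41
	User-Name = "anonymous"
	Calling-Station-Id = "00:0B:CD:5A:08:61"
	Called-Station-Id = "000d9df60559"
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts the formats an AP typically offers: raw 'xxxxxxxxxxxx',
    'xx-xx-xx-xx-xx-xx', 'xx:xx:xx:xx:xx:xx' and dotted 'xxxx.xxxx.xxxx'.
    Anything that does not reduce to exactly 12 hex digits is rejected.
    """
    digits = re.sub(r"[-:.\s]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


def load_allowlist(text):
    """Parse addresses.mac-style text into {normalized_mac: check_items}.

    Comment and blank lines are skipped; a key that is not a MAC address is
    an error, so a typo in the file fails loudly instead of never matching.
    """
    allowed = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, items = line.partition(" ")
        mac = normalize_mac(key)
        if mac is None:
            raise ValueError(f"line {lineno}: {key!r} is not a MAC address")
        allowed[mac] = items.strip()
    return allowed


def calling_station_id(packet_dump):
    """Extract the quoted Calling-Station-Id value from a packet-dump excerpt."""
    m = re.search(r'^\s*Calling-Station-Id = "([^"]*)"', packet_dump, re.M)
    return m.group(1) if m else None


def is_allowed(calling_station, allowlist):
    """True if the normalized Calling-Station-Id appears in the allowlist."""
    mac = normalize_mac(calling_station)
    return mac is not None and mac in allowlist


if __name__ == "__main__":
    allowlist = load_allowlist(ADDRESSES_MAC)
    csid = calling_station_id(PACKET_DUMP)
    print(f"Calling-Station-Id {csid!r} normalizes to {normalize_mac(csid)!r}")
    print("allowed" if is_allowed(csid, allowlist) else "rejected")
```

Running it against the constructed inputs reports that the colon-separated value from the dump normalizes to the same 12 hex digits as the raw entry in the file, which is exactly the comparison worth doing by hand before changing the AP's format setting.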
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.