(RADIATOR) MAC address filtering?

Hugh Irvine hugh at open.com.au
Tue Jan 25 16:35:55 CST 2005


Hello Jim -

Sorry about all this - we'll get there soon I hope.

I think we should forget about multiple AuthBy clauses and just do 
something simpler.

We can use the original configuration with a slightly more complex 
/etc/radiator/users file.

Here is yet another version of the configuration file to try.



AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir	/var/log/radius
DbDir		/etc/radiator
Trace 		4

<Client DEFAULT>
	Secret	xxxxxxxxxx
	DupInterval 0
</Client>

<Handler TunnelledByTTLS=1>
	
	<AuthBy LDAP2>
		Host 		ren.chesterfield.mo.us
		AuthDN		cn=admin,o=coc
		AuthPassword	xxxxxxxxxx
		BaseDN		ou=Users,o=Private
		UsernameAttr 	cn
		ServerChecksPassword
		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
	</AuthBy>

</Handler>

<Handler>

	<AuthBy FILE>
		Filename /etc/radiator/users
		EAPType TTLS

		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword locutusofborg
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>

</Handler>


The file /etc/radiator/users should contain multiple lines like this 
(one for each MAC address):

# /etc/radiator/users

DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861

DEFAULT User-Name = anonymous, Calling-Station-Id = .....

......

Please let me know if this one works any better.

thanks for your patience

regards

Hugh





On 26 Jan 2005, at 03:21, Jim Michael wrote:

> Hi Hugh-
>
> I think we're getting closer! (but still not working). Now it appears
> that the mac address as listed in my addresses.mac file is not 
> accepted.
> Could the format of the address be wrong? I see that my AP has various
> options for the format (eg xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx,
> xx:xx:xx:xx:xx:xx, etc.). I have it configured currently for no
> separators, just the raw mac address. Below is the exact contents of my
> addresses.mac file again, as well as the log and my exact current 
> config
> (in case you see a typo). You can see that the mac address in the file
> is identical to the one in the log for calling-station-id, so I know it
> is correct. Just not sure what else is wrong!
>
> Jim
>
> # CONTENTS OF addresses.mac
>
> 000bcd5a0861 Auth-Type = Accept
>
> START OF LOG
> Tue Jan 25 10:07:25 2005: DEBUG: Finished reading configuration file
> '/etc/radiator/coc.cfg'
> Tue Jan 25 10:07:25 2005: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Tue Jan 25 10:07:25 2005: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Tue Jan 25 10:07:25 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Jan 25 10:07:25 2005: NOTICE: Server started: Radiator 3.11 on
> suser (LOCKED)
> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> *** Received from 192.168.10.41 port 1048 ....
> Code:       Access-Request
> Identifier: 11
> Authentic:  lKlKlKlKlKlKlKlK
> Attributes:
> 	NAS-IP-Address = 192.168.10.41
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 1
> 	Framed-MTU = 1400
> 	User-Name = "anonymous"
> 	Calling-Station-Id = "000bcd5a0861"
> 	Called-Station-Id = "000d9df60559"
> 	NAS-Identifier = "Enterprise AP"
> 	EAP-Message = <2><1><0><14><1>anonymous
> 	Message-Authenticator = <14>#<211>Z<138>+1<151>}~*M<138>[5<161>
>
> Tue Jan 25 10:07:35 2005: DEBUG: Handling request with Handler ''
> Tue Jan 25 10:07:35 2005: DEBUG:  Deleting session for anonymous,
> 192.168.10.41, 1
> Tue Jan 25 10:07:35 2005: DEBUG: Handling with Radius::AuthFILE:
> CheckMACAddress
> Tue Jan 25 10:07:35 2005: DEBUG: Handling with EAP: code 2, 1, 14
> Tue Jan 25 10:07:35 2005: DEBUG: Response type 1
> Tue Jan 25 10:07:35 2005: DEBUG: EAP result: 1, EAP authentication is
> not permitted.
> Tue Jan 25 10:07:35 2005: INFO: Access rejected for anonymous: EAP
> authentication is not permitted.
> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> *** Sending to 192.168.10.41 port 1048 ....
> Code:       Access-Reject
> Identifier: 11
> Authentic:  lKlKlKlKlKlKlKlK
> Attributes:
> 	Reply-Message = "Request Denied"
>
> END OF LOG
>
> START OF CONFIG
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir		/etc/radiator
> Trace 		4
>
> <Client DEFAULT>
> 	Secret	xxxxxxxxxx
> 	DupInterval 0
> </Client>
>
> <AuthBy FILE>
> 	Identifier CheckMACAddress
> 	Filename /etc/radiator/addresses.mac
> 	AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> 	<AuthBy LDAP2>
> 		Identifier CheckLDAP
> 		Host 		ren.chesterfield.mo.us
> 		AuthDN		cn=admin,o=coc
> 		AuthPassword	xxxxxxxxxx
> 		BaseDN		ou=Users,o=Private
> 		UsernameAttr 	cn
> 		ServerChecksPassword
> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> 	</AuthBy>
>
> <Handler TunnelledByTTLS=1>
> 	
> 	AuthBy CheckLDAP
>
> </Handler>
>
> <Handler>
>
> 	AuthByPolicy ContinueWhileAccept
> 	
> 	AuthBy CheckMACAddress
>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users
> 		EAPType TTLS
>
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword locutusofborg
> 		EAPTLS_MaxFragmentSize 1000
> 		AutoMPPEKeys
> 	</AuthBy>
>
> </Handler>
>
> END OF CONFIG
>
>>>> Hugh Irvine <hugh at open.com.au> 1/24/2005 6:40:34 PM >>>
>
> Hello Jim -
>
> Thanks for sending the configuration and debug - it helps enormously.
>
> The problem is that the Called-Station-Id / Calling-Station-Id are not
> included in the inner request.
>
> Therefore here is an alternative configuration - note the changed
> addresses.mac file and the changed configuration file.
>
> Please let me know how you get on.
>
> regards
>
> Hugh

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.