(RADIATOR) MAC address filtering?

Jim Michael JMichael at chesterfield.mo.us
Tue Jan 25 17:32:45 CST 2005


Hi Hugh-

Thanks for YOUR patience with all this! I'm the newbie asking all the
questions ;-) I tried the new config with the modified users file, but
unfortunately it too does not work. Now users are authenticated
properly, no matter WHAT I put as the mac address in the users file. The
intention was to NOT allow a user to authenticate unless their mac is in
the list, but it's letting everyone in, even if the mac address is
invalid.

Perhaps this is just not something Radiator can do? I just don't see
how adding

DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861

changes anything? Nothing at all changed in the config file to make it
"aware" of the Calling-Station-Id or to look for its existence... it's
just looking for ANY user named 'anonymous' and if found, then goes
ahead to do the inner authentication. Correct me if I'm wrong?

Thanks again for all the help. I guess if we have to live without mac
address filtering, we will... but the boss won't be happy!

Jim

>>> Hugh Irvine <hugh at open.com.au> 1/25/2005 4:35:55 PM >>>

Hello Jim -

Sorry about all this - we'll get there soon I hope.

I think we should forget about multiple AuthBy clauses and just do 
something simpler.

We can use the original configuration with a slightly more complex 
/etc/radiator/users file.

Here is yet another version of the configuration file to try.



AuthPort 1812
AcctPort 1813
Foreground
LogStdout
LogDir	/var/log/radius
DbDir		/etc/radiator
Trace 		4

<Client DEFAULT>
	Secret	xxxxxxxxxx
	DupInterval 0
</Client>

<Handler TunnelledByTTLS=1>
	
	<AuthBy LDAP2>
		Host 		ren.chesterfield.mo.us
		AuthDN		cn=admin,o=coc
		AuthPassword	xxxxxxxxxx
		BaseDN		ou=Users,o=Private
		UsernameAttr 	cn
		ServerChecksPassword
		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
	</AuthBy>

</Handler>

<Handler>

	<AuthBy FILE>
		Filename /etc/radiator/users
		EAPType TTLS

		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
		EAPTLS_PrivateKeyPassword locutusofborg
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>

</Handler>


The file /etc/radiator/users should contain multiple lines like this 
(one for each MAC address):

# /etc/radiator/users

DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861

DEFAULT User-Name = anonymous, Calling-Station-Id = .....

......

Please let me know if this one works any better.

thanks for your patience

regards

Hugh





On 26 Jan 2005, at 03:21, Jim Michael wrote:

> Hi Hugh-
>
> I think we're getting closer! (but still not working). Now it appears
> that the mac address as listed in my addresses.mac file is not
> accepted. Could the format of the address be wrong? I see that my AP
> has various options for the format (e.g. xxxxxxxxxxxx,
> xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, etc.). I have it configured
> currently for no separators, just the raw mac address. Below is the
> exact contents of my addresses.mac file again, as well as the log and
> my exact current config (in case you see a typo). You can see that the
> mac address in the file is identical to the one in the log for
> calling-station-id, so I know it is correct. Just not sure what else is
> wrong!
>
> Jim
>
> # CONTENTS OF addresses.mac
>
> 000bcd5a0861 Auth-Type = Accept
>
> START OF LOG
> Tue Jan 25 10:07:25 2005: DEBUG: Finished reading configuration file
> '/etc/radiator/coc.cfg'
> Tue Jan 25 10:07:25 2005: DEBUG: Reading dictionary file
> '/etc/radiator/dictionary'
> Tue Jan 25 10:07:25 2005: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Tue Jan 25 10:07:25 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Jan 25 10:07:25 2005: NOTICE: Server started: Radiator 3.11 on
> suser (LOCKED)
> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> *** Received from 192.168.10.41 port 1048 ....
> Code:       Access-Request
> Identifier: 11
> Authentic:  lKlKlKlKlKlKlKlK
> Attributes:
> 	NAS-IP-Address = 192.168.10.41
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 1
> 	Framed-MTU = 1400
> 	User-Name = "anonymous"
> 	Calling-Station-Id = "000bcd5a0861"
> 	Called-Station-Id = "000d9df60559"
> 	NAS-Identifier = "Enterprise AP"
> 	EAP-Message = <2><1><0><14><1>anonymous
> 	Message-Authenticator = <14>#<211>Z<138>+1<151>}~*M<138>[5<161>
>
> Tue Jan 25 10:07:35 2005: DEBUG: Handling request with Handler ''
> Tue Jan 25 10:07:35 2005: DEBUG:  Deleting session for anonymous,
> 192.168.10.41, 1
> Tue Jan 25 10:07:35 2005: DEBUG: Handling with Radius::AuthFILE:
> CheckMACAddress
> Tue Jan 25 10:07:35 2005: DEBUG: Handling with EAP: code 2, 1, 14
> Tue Jan 25 10:07:35 2005: DEBUG: Response type 1
> Tue Jan 25 10:07:35 2005: DEBUG: EAP result: 1, EAP authentication is
> not permitted.
> Tue Jan 25 10:07:35 2005: INFO: Access rejected for anonymous: EAP
> authentication is not permitted.
> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> *** Sending to 192.168.10.41 port 1048 ....
> Code:       Access-Reject
> Identifier: 11
> Authentic:  lKlKlKlKlKlKlKlK
> Attributes:
> 	Reply-Message = "Request Denied"
>
> END OF LOG
>
> START OF CONFIG
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir		/etc/radiator
> Trace 		4
>
> <Client DEFAULT>
> 	Secret	xxxxxxxxxx
> 	DupInterval 0
> </Client>
>
> <AuthBy FILE>
> 	Identifier CheckMACAddress
> 	Filename /etc/radiator/addresses.mac
> 	AuthenticateAttribute Calling-Station-Id
> </AuthBy>
>
> 	<AuthBy LDAP2>
> 		Identifier CheckLDAP
> 		Host 		ren.chesterfield.mo.us
> 		AuthDN		cn=admin,o=coc
> 		AuthPassword	xxxxxxxxxx
> 		BaseDN		ou=Users,o=Private
> 		UsernameAttr 	cn
> 		ServerChecksPassword
> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> 	</AuthBy>
>
> <Handler TunnelledByTTLS=1>
> 	
> 	AuthBy CheckLDAP
>
> </Handler>
>
> <Handler>
>
> 	AuthByPolicy ContinueWhileAccept
> 	
> 	AuthBy CheckMACAddress
>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users
> 		EAPType TTLS
>
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword locutusofborg
> 		EAPTLS_MaxFragmentSize 1000
> 		AutoMPPEKeys
> 	</AuthBy>
>
> </Handler>
>
> END OF CONFIG
>
>>>> Hugh Irvine <hugh at open.com.au> 1/24/2005 6:40:34 PM >>>
>
> Hello Jim -
>
> Thanks for sending the configuration and debug - it helps enormously.
>
> The problem is that the Called-Station-Id / Calling-Station-Id are not
> included in the inner request.
>
> Therefore here is an alternative configuration - note the changed
> addresses.mac file and the changed configuration file.
>
> Please let me know how you get on.
>
> regards
>
> Hugh
>
>
>
>
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


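The following is an added example, not code from the thread or from Radiator itself (which is written in Perl): a small Python model of how the check items on users-file lines such as Hugh's `DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861` are matched against a RADIUS request. It takes the MAC from Jim's trace 4 debug and adds a second, made-up MAC, a made-up inner user name, and MAC-format normalisation (the AP format options Jim mentions); the normalisation is the example's own addition, since a plain `=` check item compares the string as written in the file. It also shows what Hugh pointed out earlier in the thread: a check on Calling-Station-Id can only succeed on the outer request, because the tunnelled inner request does not carry that attribute.

```python
"""
Added example for this thread (not Radiator's own code): a model of how
users-file check items are matched against a RADIUS request.  The MAC
000bcd5a0861 is from Jim's debug output; 001122334455, the inner user
name and the password are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed users file in the shape Hugh proposed: one DEFAULT line per
# permitted MAC.  Only the first address appears in the thread.
USERS_FILE = """\
# /etc/radiator/users

DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861

DEFAULT User-Name = anonymous, Calling-Station-Id = 001122334455
"""

# Attributes that carry a MAC; the example normalises these before comparing.
# (A plain '=' check item in the users file compares the literal string.)
MAC_ATTRS = {"Calling-Station-Id", "Called-Station-Id"}

Entry = Tuple[str, Dict[str, str]]  # (user name or DEFAULT, check items)
CHECK_ITEM = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def normalize_mac(value: str) -> Optional[str]:
    """Reduce xx:xx:xx:xx:xx:xx, xx-xx-..., xxxx.xxxx.xxxx or raw form to 12
    lowercase hex digits; None if the value is not a MAC address at all."""
    digits = re.sub(r"[:\-.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_users_file(text: str) -> List[Entry]:
    """Parse the first line of each users-file entry into (name, check items).
    Blank lines, comments and indented reply-item lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or raw[0].isspace():
            continue
        name, _, rest = raw.strip().partition(" ")
        checks = {attr: val.strip('"') for attr, val in CHECK_ITEM.findall(rest)}
        entries.append((name, checks))
    return entries


def check_item_matches(attr: str, wanted: str, request: Dict[str, str]) -> bool:
    """A check item holds only if the attribute is present in the request and
    equal to the wanted value; an attribute that is absent never matches."""
    got = request.get(attr)
    if got is None:
        return False
    if attr in MAC_ATTRS:
        return normalize_mac(got) is not None and normalize_mac(got) == normalize_mac(wanted)
    return got == wanted


def match_request(entries: List[Entry], request: Dict[str, str]) -> Optional[int]:
    """Index of the first entry whose name applies (DEFAULT, or equal to the
    request's User-Name) and whose check items all hold; None if no entry
    matches.  Entries are tried in file order."""
    for i, (name, checks) in enumerate(entries):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_item_matches(a, w, request) for a, w in checks.items()):
            return i
    return None


# Outer Access-Request, constructed from the attributes in Jim's debug output.
OUTER_REQUEST = {
    "User-Name": "anonymous",
    "Calling-Station-Id": "000bcd5a0861",
    "Called-Station-Id": "000d9df60559",
    "NAS-IP-Address": "192.168.10.41",
}
# Inner (tunnelled) request: as Hugh noted, the *-Station-Id attributes are
# not carried inside the tunnel.  The user name and password are hypothetical.
INNER_REQUEST = {"User-Name": "alice", "User-Password": "hunter2"}


def mac_allowed(request: Dict[str, str], entries: Optional[List[Entry]] = None) -> bool:
    """True if some users-file entry admits the request."""
    entries = parse_users_file(USERS_FILE) if entries is None else entries
    return match_request(entries, request) is not None


if __name__ == "__main__":
    cases = {
        "outer, listed MAC": OUTER_REQUEST,
        "outer, AP sends xx-xx-xx form": dict(OUTER_REQUEST, **{"Calling-Station-Id": "00-0B-CD-5A-08-61"}),
        "outer, unlisted MAC": dict(OUTER_REQUEST, **{"Calling-Station-Id": "00deadbeef00"}),
        "inner, no Calling-Station-Id": INNER_REQUEST,
    }
    for label, req in cases.items():
        print(f"{label:32s} -> {'accept' if mac_allowed(req) else 'reject'}")
```

Two things worth keeping in mind when reading the output: the inner request is rejected not because the MAC is wrong but because the attribute is simply not there, so any MAC check has to be made where the outer request is handled; and Calling-Station-Id is whatever the NAS reports, which a client can set to any value, so a MAC allow-list is a convenience filter on top of the EAP-TTLS/LDAP authentication, not a substitute for it.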

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au