(RADIATOR) MAC address filtering?
Hugh Irvine
hugh at open.com.au
Wed Jan 26 00:10:38 CST 2005
Hello Jim -
OK - once more to see if we can get it to work.....
Here is yet another variation:
<Handler TunnelledByTTLS=1>
AuthByPolicy ContinueWhileAccept
<AuthBy FILE>
AuthenticateAttribute Calling-Station-Id
Filename %D/addresses.mac
</AuthBy>
<AuthBy LDAP2>
Host ren.chesterfield.mo.us
AuthDN cn=admin,o=coc
AuthPassword xxxxxxxxxx
BaseDN ou=Users,o=Private
UsernameAttr cn
ServerChecksPassword
SearchFilter (&(cn=%1)(cocWLANAllowed=true))
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename /etc/radiator/users
EAPType TTLS
EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
EAPTLS_PrivateKeyPassword locutusofborg
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
PreHandlerHook sub {${$_[0]}->add_attr('Calling-Station-Id', \
${$_[0]}->{outerRequest}->get_attr('Calling-Station-Id'))}
</AuthBy>
</Handler>
# CONTENTS OF addresses.mac
000bcd5a0861 Auth-Type = Accept
......
Note that this requires Radiator 3.11 plus all the latest patches.
Here's hoping .....
:-)
regards
Hugh
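An added example, not part of Hugh's post or of Radiator itself: a Python model of the check the configuration above is meant to perform, copying Calling-Station-Id from the outer request into the inner (tunnelled) one as the PreHandlerHook does, normalising the MAC formats Jim mentioned, and applying ContinueWhileAccept across the MAC and LDAP checks. The addresses.mac text and the ldap_accepts callable are constructed stand-ins.

```python
import re

# Constructed sample in the addresses.mac layout used in the thread:
# a MAC address, then the check items Radiator applies to it.
ADDRESSES_MAC = """\
# addresses.mac (constructed sample, not the real file)
000bcd5a0861 Auth-Type = Accept
00-1A-2B-3C-4D-5E Auth-Type = Accept
"""

def normalize_mac(value):
    """Reduce the AP formats Jim lists (xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx,
    xx:xx:xx:xx:xx:xx) to 12 lowercase hex digits; None if not a MAC."""
    digits = re.sub(r"[-:.\s]", "", value)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    return digits.lower()

def load_allowed_macs(text):
    """Parse addresses.mac: the first token of each non-comment line is the MAC."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac = normalize_mac(line.split()[0])
        if mac is not None:
            allowed.add(mac)
    return allowed

def copy_calling_station_id(outer, inner):
    """What the PreHandlerHook does: the inner request carries no
    Calling-Station-Id, so copy it across from the outer request."""
    if "Calling-Station-Id" in outer and "Calling-Station-Id" not in inner:
        inner = dict(inner, **{"Calling-Station-Id": outer["Calling-Station-Id"]})
    return inner

def authenticate_inner(outer, inner, allowed, ldap_accepts, use_hook=True):
    """AuthByPolicy ContinueWhileAccept: the MAC check must accept before the
    LDAP check runs, and the request passes only if both accept.
    ldap_accepts is a hypothetical stand-in for AuthBy LDAP2."""
    if use_hook:
        inner = copy_calling_station_id(outer, inner)
    mac = normalize_mac(inner.get("Calling-Station-Id", ""))
    if mac is None or mac not in allowed:
        return "REJECT: Calling-Station-Id not in addresses.mac"
    if not ldap_accepts(inner.get("User-Name", "")):
        return "REJECT: LDAP"
    return "ACCEPT"
```

Running authenticate_inner with use_hook=False shows why the earlier configurations let the MAC check fail: without the copy, the inner request has no Calling-Station-Id to match.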
On 26 Jan 2005, at 10:32, Jim Michael wrote:
> Hi Hugh-
>
> Thanks for YOUR patience with all this! I'm the newbie asking all the
> questions ;-) I tried the new config with the modified users file, but
> unfortunately it too does not work. Now users are authenticated
> properly, no matter WHAT I put as the mac address in the users file. The
> intention was to NOT allow a user to authenticate unless their mac is in
> the list, but it's letting everyone in, even if the mac address is
> invalid.
>
> Perhaps this is just not something Radiator can do? I just don't see
> how adding
>
> DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861
>
> changes anything? Nothing at all changed in the config file to make it
> "aware" of the Calling-Station-ID or to look for its existence... its
> just looking for ANY user named 'anonymous' and if found, then goes
> ahead to do the inner authentication. Correct me if I'm wrong?
>
> Thanks again for all the help. I guess if we have to live without mac
> address filtering, we will... but the boss won't be happy!
>
> Jim
>
>>>> Hugh Irvine <hugh at open.com.au> 1/25/2005 4:35:55 PM >>>
>
> Hello Jim -
>
> Sorry about all this - we'll get there soon I hope.
>
> I think we should forget about multiple AuthBy clauses and just do
> something simpler.
>
> We can use the original configuration with a slightly more complex
> /etc/radiator/users file.
>
> Here is yet another version of the configuration file to try.
>
>
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> Trace 4
>
> <Client DEFAULT>
> Secret xxxxxxxxxx
> DupInterval 0
> </Client>
>
> <Handler TunnelledByTTLS=1>
>
> <AuthBy LDAP2>
> Host ren.chesterfield.mo.us
> AuthDN cn=admin,o=coc
> AuthPassword xxxxxxxxxx
> BaseDN ou=Users,o=Private
> UsernameAttr cn
> ServerChecksPassword
> SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> </AuthBy>
>
> </Handler>
>
> <Handler>
>
> <AuthBy FILE>
> Filename /etc/radiator/users
> EAPType TTLS
>
> EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
> EAPTLS_PrivateKeyPassword locutusofborg
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
>
> </Handler>
>
>
> The file /etc/radiator/users should contain multiple lines like this
> (one for each MAC address):
>
> # /etc/radiator/users
>
> DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861
>
> DEFAULT User-Name = anonymous, Calling-Station-Id = .....
>
> ......
>
> Please let me know if this one works any better.
>
> thanks for your patience
>
> regards
>
> Hugh
>
>
>
>
>
> On 26 Jan 2005, at 03:21, Jim Michael wrote:
>
>> Hi Hugh-
>>
>> I think we're getting closer! (but still not working). Now it appears
>> that the mac address as listed in my addresses.mac file is not
>> accepted.
>> Could the format of the address be wrong? I see that my AP has various
>> options for the format (eg xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx,
>> xx:xx:xx:xx:xx:xx, etc.) I have it configured currently for no
>> separators, just the raw mac address. Below is the exact contents of my
>> addresses.mac file again, as well as the log and my exact current config
>> (in case you see a typo). You can see that the mac address in the file
>> is identical to the one in the log for calling-station-id, so I know it
>> is correct. Just not sure what else is wrong!
>>
>> Jim
>>
>> # CONTENTS OF addresses.mac
>>
>> 000bcd5a0861 Auth-Type = Accept
>>
>> START OF LOG
>> Tue Jan 25 10:07:25 2005: DEBUG: Finished reading configuration file
>> '/etc/radiator/coc.cfg'
>> Tue Jan 25 10:07:25 2005: DEBUG: Reading dictionary file
>> '/etc/radiator/dictionary'
>> Tue Jan 25 10:07:25 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1812
>> Tue Jan 25 10:07:25 2005: DEBUG: Creating accounting port
>> 0.0.0.0:1813
>> Tue Jan 25 10:07:25 2005: NOTICE: Server started: Radiator 3.11 on
>> suser (LOCKED)
>> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
>> *** Received from 192.168.10.41 port 1048 ....
>> Code: Access-Request
>> Identifier: 11
>> Authentic: lKlKlKlKlKlKlKlK
>> Attributes:
>> NAS-IP-Address = 192.168.10.41
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 1
>> Framed-MTU = 1400
>> User-Name = "anonymous"
>> Calling-Station-Id = "000bcd5a0861"
>> Called-Station-Id = "000d9df60559"
>> NAS-Identifier = "Enterprise AP"
>> EAP-Message = <2><1><0><14><1>anonymous
>> Message-Authenticator = <14>#<211>Z<138>+1<151>}~*M<138>[5<161>
>>
>> Tue Jan 25 10:07:35 2005: DEBUG: Handling request with Handler ''
>> Tue Jan 25 10:07:35 2005: DEBUG: Deleting session for anonymous,
>> 192.168.10.41, 1
>> Tue Jan 25 10:07:35 2005: DEBUG: Handling with Radius::AuthFILE:
>> CheckMACAddress
>> Tue Jan 25 10:07:35 2005: DEBUG: Handling with EAP: code 2, 1, 14
>> Tue Jan 25 10:07:35 2005: DEBUG: Response type 1
>> Tue Jan 25 10:07:35 2005: DEBUG: EAP result: 1, EAP authentication is
>> not permitted.
>> Tue Jan 25 10:07:35 2005: INFO: Access rejected for anonymous: EAP
>> authentication is not permitted.
>> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
>> *** Sending to 192.168.10.41 port 1048 ....
>> Code: Access-Reject
>> Identifier: 11
>> Authentic: lKlKlKlKlKlKlKlK
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>> END OF LOG
>>
>> START OF CONFIG
>> AuthPort 1812
>> AcctPort 1813
>> Foreground
>> LogStdout
>> LogDir /var/log/radius
>> DbDir /etc/radiator
>> Trace 4
>>
>> <Client DEFAULT>
>> Secret xxxxxxxxxx
>> DupInterval 0
>> </Client>
>>
>> <AuthBy FILE>
>> Identifier CheckMACAddress
>> Filename /etc/radiator/addresses.mac
>> AuthenticateAttribute Calling-Station-Id
>> </AuthBy>
>>
>> <AuthBy LDAP2>
>> Identifier CheckLDAP
>> Host ren.chesterfield.mo.us
>> AuthDN cn=admin,o=coc
>> AuthPassword xxxxxxxxxx
>> BaseDN ou=Users,o=Private
>> UsernameAttr cn
>> ServerChecksPassword
>> SearchFilter (&(cn=%1)(cocWLANAllowed=true))
>> </AuthBy>
>>
>> <Handler TunnelledByTTLS=1>
>>
>> AuthBy CheckLDAP
>>
>> </Handler>
>>
>> <Handler>
>>
>> AuthByPolicy ContinueWhileAccept
>>
>> AuthBy CheckMACAddress
>>
>> <AuthBy FILE>
>> Filename /etc/radiator/users
>> EAPType TTLS
>>
>> EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
>> EAPTLS_CertificateFile /etc/radiator/certificates/star_chesterfield_mo_us.crt
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile /etc/radiator/certificates/digicert.pem
>> EAPTLS_PrivateKeyPassword locutusofborg
>> EAPTLS_MaxFragmentSize 1000
>> AutoMPPEKeys
>> </AuthBy>
>>
>> </Handler>
>>
>> END OF CONFIG
>>
>>>>> Hugh Irvine <hugh at open.com.au> 1/24/2005 6:40:34 PM >>>
>>
>> Hello Jim -
>>
>> Thanks for sending the configuration and debug - it helps enormously.
>>
>> The problem is that the Called-Station-Id / Calling-Station-Id are not
>> included in the inner request.
>>
>> Therefore here is an alternative configuration - note the changed
>> addresses.mac file and the changed configuration file.
>>
>> Please let me know how you get on.
>>
>> regards
>>
>> Hugh
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.