(RADIATOR) MAC address filtering?

Mike McCauley mikem at open.com.au
Wed Jan 26 01:05:16 CST 2005


Hi Hugh,

actually, the mac address file just needs to have the addresses one per line:

00409638d4cb
00409638d4cc

no Auth-Type check items should be required.

Cheers.

On Wednesday 26 January 2005 16:10, Hugh Irvine wrote:
> Hello Jim -
>
> OK - once more to see if we can get it to work.....
>
> Here is yet another variation:
>
> <Handler TunnelledByTTLS=1>
>
> 	 AuthByPolicy ContinueWhileAccept
> 	<AuthBy FILE>
> 		AuthenticateAttribute Calling-Station-Id
> 		Filename %D/addresses.mac
> 	</AuthBy>
> 	<AuthBy LDAP2>
> 		Host 		ren.chesterfield.mo.us
> 		AuthDN		cn=admin,o=coc
> 		AuthPassword	xxxxxxxxxx
> 		BaseDN		ou=Users,o=Private
> 		UsernameAttr 	cn
> 		ServerChecksPassword
> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> 	</AuthBy>
>
> </Handler>
>
> <Handler>
>
> 	<AuthBy FILE>
> 		Filename /etc/radiator/users
> 		EAPType TTLS
>
> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> 		EAPTLS_CertificateFile
> /etc/radiator/certificates/star_chesterfield_mo_us.crt
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile
> /etc/radiator/certificates/digicert.pem
> 		EAPTLS_PrivateKeyPassword locutusofborg
> 		EAPTLS_MaxFragmentSize 1000
> 		AutoMPPEKeys
> 		PreHandlerHook sub {${$_[0]}->add_attr('Calling-Station-Id', \
> 			${$_[0]}->{outerRequest}->get_attr('Calling-Station-Id'))}
> 	</AuthBy>
>
> </Handler>
>
>
> # CONTENTS OF addresses.mac
>
> 000bcd5a0861 Auth-Type = Accept
>
> ......
>
>
> Note that this requires Radiator 3.11 plus all the latest patches.
>
>
> Here's hoping .....
>
> :-)
>
> regards
>
> Hugh
>
> On 26 Jan 2005, at 10:32, Jim Michael wrote:
> > Hi Hugh-
> >
> > Thanks for YOUR patience with all this! I'm the newbie asking all the
> > questions ;-) I tried the new config with the modified users file, but
> > unfortunately it too does not work. Now users are authenticated
> > properly, no matter WHAT I put as the mac address in the users file.
> > The
> > intention was to NOT allow a user to authenticate unless their mac is
> > in
> > the list, but it's letting everyone in, even if the mac address is
> > invalid.
> >
> > Perhaps this is just not something Radiator can do? I just don't see
> > how adding
> >
> > DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861
> >
> > changes anything? Nothing at all changed in the config file to make it
> > "aware" of the Calling-Station-ID or to look for its existence... it's
> > just looking for ANY user named 'anonymous' and if found, then goes
> > ahead to do the inner authentication. Correct me if I'm wrong?
> >
> > Thanks again for all the help. I guess if we have to live without mac
> > address filtering, we will... but the boss won't be happy!
> >
> > Jim
> >
> >>>> Hugh Irvine <hugh at open.com.au> 1/25/2005 4:35:55 PM >>>
> >
> > Hello Jim -
> >
> > Sorry about all this - we'll get there soon I hope.
> >
> > I think we should forget about multiple AuthBy clauses and just do
> > something simpler.
> >
> > We can use the original configuration with a slightly more complex
> > /etc/radiator/users file.
> >
> > Here is yet another version of the configuration file to try.
> >
> >
> >
> > AuthPort 1812
> > AcctPort 1813
> > Foreground
> > LogStdout
> > LogDir	/var/log/radius
> > DbDir		/etc/radiator
> > Trace 		4
> >
> > <Client DEFAULT>
> > 	Secret	xxxxxxxxxx
> > 	DupInterval 0
> > </Client>
> >
> > <Handler TunnelledByTTLS=1>
> >
> > 	<AuthBy LDAP2>
> > 		Host 		ren.chesterfield.mo.us
> > 		AuthDN		cn=admin,o=coc
> > 		AuthPassword	xxxxxxxxxx
> > 		BaseDN		ou=Users,o=Private
> > 		UsernameAttr 	cn
> > 		ServerChecksPassword
> > 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> > 	</AuthBy>
> >
> > </Handler>
> >
> > <Handler>
> >
> > 	<AuthBy FILE>
> > 		Filename /etc/radiator/users
> > 		EAPType TTLS
> >
> > 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> > 		EAPTLS_CertificateFile
> > /etc/radiator/certificates/star_chesterfield_mo_us.crt
> > 		EAPTLS_CertificateType PEM
> > 		EAPTLS_PrivateKeyFile
> > /etc/radiator/certificates/digicert.pem
> > 		EAPTLS_PrivateKeyPassword locutusofborg
> > 		EAPTLS_MaxFragmentSize 1000
> > 		AutoMPPEKeys
> > 	</AuthBy>
> >
> > </Handler>
> >
> >
> > The file /etc/radiator/users should contain multiple lines like this
> > (one for each MAC address):
> >
> > # /etc/radiator/users
> >
> > DEFAULT User-Name = anonymous, Calling-Station-Id = 000bcd5a0861
> >
> > DEFAULT User-Name = anonymous, Calling-Station-Id = .....
> >
> > ......
> >
> > Please let me know if this one works any better.
> >
> > thanks for your patience
> >
> > regards
> >
> > Hugh
> >
> > On 26 Jan 2005, at 03:21, Jim Michael wrote:
> >> Hi Hugh-
> >>
> >> I think we're getting closer! (but still not working). Now it appears
> >> that the mac address as listed in my addresses.mac file is not
> >> accepted.
> >> Could the format of the address be wrong? I see that my AP has various
> >> options for the format (eg xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx,
> >> xx:xx:xx:xx:xx:xx, etc. I have it configured currently for no
> >> separators, just the raw mac address. Below is the exact contents of my
> >> addresses.mac file again, as well as the log and my exact current
> >> config
> >> (in case you see a typo). You can see that the mac address in the file
> >> is identical to the one in the log for calling-station-id, so I know it
> >> is correct. Just not sure what else is wrong!
> >>
> >> Jim
> >>
> >> # CONTENTS OF addresses.mac
> >>
> >> 000bcd5a0861 Auth-Type = Accept
> >>
> >> START OF LOG
> >> Tue Jan 25 10:07:25 2005: DEBUG: Finished reading configuration file
> >> '/etc/radiator/coc.cfg'
> >> Tue Jan 25 10:07:25 2005: DEBUG: Reading dictionary file
> >> '/etc/radiator/dictionary'
> >> Tue Jan 25 10:07:25 2005: DEBUG: Creating authentication port
> >> 0.0.0.0:1812
> >> Tue Jan 25 10:07:25 2005: DEBUG: Creating accounting port 0.0.0.0:1813
> >
> >> Tue Jan 25 10:07:25 2005: NOTICE: Server started: Radiator 3.11 on
> >> suser (LOCKED)
> >> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> >> *** Received from 192.168.10.41 port 1048 ....
> >> Code:       Access-Request
> >> Identifier: 11
> >> Authentic:  lKlKlKlKlKlKlKlK
> >> Attributes:
> >> 	NAS-IP-Address = 192.168.10.41
> >> 	NAS-Port-Type = Wireless-IEEE-802-11
> >> 	NAS-Port = 1
> >> 	Framed-MTU = 1400
> >> 	User-Name = "anonymous"
> >> 	Calling-Station-Id = "000bcd5a0861"
> >> 	Called-Station-Id = "000d9df60559"
> >> 	NAS-Identifier = "Enterprise AP"
> >> 	EAP-Message = <2><1><0><14><1>anonymous
> >> 	Message-Authenticator = <14>#<211>Z<138>+1<151>}~*M<138>[5<161>
> >>
> >> Tue Jan 25 10:07:35 2005: DEBUG: Handling request with Handler ''
> >> Tue Jan 25 10:07:35 2005: DEBUG:  Deleting session for anonymous,
> >> 192.168.10.41, 1
> >> Tue Jan 25 10:07:35 2005: DEBUG: Handling with Radius::AuthFILE:
> >> CheckMACAddress
> >> Tue Jan 25 10:07:35 2005: DEBUG: Handling with EAP: code 2, 1, 14
> >> Tue Jan 25 10:07:35 2005: DEBUG: Response type 1
> >> Tue Jan 25 10:07:35 2005: DEBUG: EAP result: 1, EAP authentication is
> >> not permitted.
> >> Tue Jan 25 10:07:35 2005: INFO: Access rejected for anonymous: EAP
> >> authentication is not permitted.
> >> Tue Jan 25 10:07:35 2005: DEBUG: Packet dump:
> >> *** Sending to 192.168.10.41 port 1048 ....
> >> Code:       Access-Reject
> >> Identifier: 11
> >> Authentic:  lKlKlKlKlKlKlKlK
> >> Attributes:
> >> 	Reply-Message = "Request Denied"
> >>
> >> END OF LOG
> >>
> >> START OF CONFIG
> >> AuthPort 1812
> >> AcctPort 1813
> >> Foreground
> >> LogStdout
> >> LogDir	/var/log/radius
> >> DbDir		/etc/radiator
> >> Trace 		4
> >>
> >> <Client DEFAULT>
> >> 	Secret	xxxxxxxxxx
> >> 	DupInterval 0
> >> </Client>
> >>
> >> <AuthBy FILE>
> >> 	Identifier CheckMACAddress
> >> 	Filename /etc/radiator/addresses.mac
> >> 	AuthenticateAttribute Calling-Station-Id
> >> </AuthBy>
> >>
> >> 	<AuthBy LDAP2>
> >> 		Identifier CheckLDAP
> >> 		Host 		ren.chesterfield.mo.us
> >> 		AuthDN		cn=admin,o=coc
> >> 		AuthPassword	xxxxxxxxxx
> >> 		BaseDN		ou=Users,o=Private
> >> 		UsernameAttr 	cn
> >> 		ServerChecksPassword
> >> 		SearchFilter (&(cn=%1)(cocWLANAllowed=true))
> >> 	</AuthBy>
> >>
> >> <Handler TunnelledByTTLS=1>
> >>
> >> 	AuthBy CheckLDAP
> >>
> >> </Handler>
> >>
> >> <Handler>
> >>
> >> 	AuthByPolicy ContinueWhileAccept
> >>
> >> 	AuthBy CheckMACAddress
> >>
> >> 	<AuthBy FILE>
> >> 		Filename /etc/radiator/users
> >> 		EAPType TTLS
> >>
> >> 		EAPTLS_CAFile /etc/radiator/certificates/digicert.pem
> >> 		EAPTLS_CertificateFile
> >> /etc/radiator/certificates/star_chesterfield_mo_us.crt
> >> 		EAPTLS_CertificateType PEM
> >> 		EAPTLS_PrivateKeyFile
> >> /etc/radiator/certificates/digicert.pem
> >> 		EAPTLS_PrivateKeyPassword locutusofborg
> >> 		EAPTLS_MaxFragmentSize 1000
> >> 		AutoMPPEKeys
> >> 	</AuthBy>
> >>
> >> </Handler>
> >>
> >> END OF CONFIG
> >>
> >>>>> Hugh Irvine <hugh at open.com.au> 1/24/2005 6:40:34 PM >>>
> >>
> >> Hello Jim -
> >>
> >> Thanks for sending the configuration and debug - it helps enormously.
> >>
> >> The problem is that the Called-Station-Id / Calling-Station-Id are not
> >> included in the inner request.
> >>
> >> Therefore here is an alternative configuration - note the changed
> >> addresses.mac file and the changed configuration file.
> >>
> >> Please let me know how you get on.
> >>
> >> regards
> >>
> >> Hugh
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
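The thread turns on two points: the MAC allow-list file holds one address per line (Mike's reply), and the inner EAP-TTLS request carries no Calling-Station-Id, so a MAC check placed there never sees the address (Hugh's diagnosis). The following is an added example, not Radiator code, that reproduces the allow-list check as an offline tool: it normalises the various AP formats Jim lists to the raw 12-hex-digit form, loads a constructed addresses.mac, and fails closed when the attribute is absent.

```python
import re

# Constructed sample allow-list in the one-address-per-line format Mike
# describes; one entry is written in the dashed AP format to show
# normalisation, and a trailing check item (as in Jim's file) is tolerated.
ADDRESSES_MAC = """\
# addresses.mac (constructed sample)
00409638d4cb
00409638d4cc
00-0B-CD-5A-08-61
000bcd5a0862 Auth-Type = Accept
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Reduce xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or
    xxxx.xxxx.xxxx to 12 lowercase hex digits; None if not a MAC."""
    mac = re.sub(r"[-:.]", "", value.strip().lower())
    return mac if _HEX12.match(mac) else None


def load_allow_list(text):
    """Parse the allow-list: first token of each non-comment line is the MAC."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac = normalize_mac(line.split()[0])
        if mac:
            allowed.add(mac)
    return allowed


def mac_allowed(request_attrs, allowed):
    """Decide like an AuthBy FILE keyed on Calling-Station-Id would.
    Fails closed: a request with no Calling-Station-Id (the inner TTLS
    request in the thread) is rejected rather than waved through."""
    csid = request_attrs.get("Calling-Station-Id")
    if csid is None:
        return False
    mac = normalize_mac(csid)
    return mac is not None and mac in allowed


# Constructed requests modelled on the outer/inner packets in the thread.
OUTER_REQUEST = {"User-Name": "anonymous", "Calling-Station-Id": "000bcd5a0861"}
INNER_REQUEST = {"User-Name": "jim"}  # tunnel carries no Calling-Station-Id
```

Running `mac_allowed(INNER_REQUEST, ...)` shows why the check must run on the outer request, or why the outer attribute has to be copied into the inner request as Hugh's PreHandlerHook does.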
