[RADIATOR] Client MAC:xx-xx-xx-xx-xx-xx

Adam Bishop Adam.Bishop at ja.net
Tue Mar 29 10:02:39 CDT 2011


It seems that it was not being detected as the NAS is appending its SSID
to the C-S-I.

Rather than using a hook, I have taken the line terminators out of the
regex and it seems to give the intended behaviour (I don't really want to
strip the AP name as it is useful metadata, though writing it to another
attribute is an option (Real-Called-Station-ID?)).

I wonder if pulling the MAC out of C-S-I is something Radiator should do
by default regardless of its formatting as far as possible (adjusting the
regex to pick up MACs "in-line", and allowing for - : and maybe . as
separators), as it seems that most APs do append the SSID.

There are a number of limitations to using MAC client identification
anyway (spoofing etc.) so I don't think changing this behaviour would
cause any repercussions, as anyone who is using it _should_ understand its
weaknesses.

Adam Bishop
JANET(UK)

On 28/03/2011 12:50, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 03/28/2011 02:39 PM, Christian Kratzer wrote:
>
>>>> Which attribute does radiator use for comparison when using
>>>> MAC-filtering on a client block?  Trying to pin down why one of our
>>>> clients isn't being picked up by the client block we have set:
>>>
>>> The attribute is Calling-Station-Id. Its format is like what you have
>>> below with hyphens being optional.
>> 
>> I just had a look at the code myself. It seems like it uses
>> Called-Station-Id:
>
>Good catch, thanks. That is true, and that is also what I was thinking.
>For some reason I still managed to type Calling :)
>
>> This is most probably the access point's MAC address on the air, which is
>> not necessarily the same as the MAC address seen on the ethernet.
>
>That's quite common too.
>
>With WLANs the SSID might also be added to the end of the MAC address.
>
>And in case of WLAN controllers the C-S-I may belong to the WLAN
>controller. Some controllers also have a setting with which you can
>choose to put controller or AP MAC address into Called-Station-Id.
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>


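The tolerant Called-Station-Id parsing discussed in this thread, as an added stand-alone Perl example (not code from the thread or from Radiator): it accepts `-`, `:` and `.` separators, keeps the appended SSID as separate metadata, and keeps the start anchor so MAC-like text elsewhere in the value is not matched. The function name `split_called_station_id` is hypothetical, the sample values are constructed, and the `:` before the SSID is assumed to follow the RFC 3580 convention.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# MAC at the start of the value, optionally followed by ":SSID" (RFC 3580 style).
# Anchored at both ends: the suffix is allowed only as an explicit SSID part.
my $CSI_RE = qr/
    \A
    (?<mac>
        [0-9a-f]{2} (?: -  [0-9a-f]{2} ){5}    # 00-11-22-aa-bb-cc
      | [0-9a-f]{2} (?: :  [0-9a-f]{2} ){5}    # 00:11:22:aa:bb:cc
      | [0-9a-f]{4} (?: \. [0-9a-f]{4} ){2}    # 0011.22aa.bbcc
      | [0-9a-f]{12}                           # 001122aabbcc
    )
    (?: : (?<ssid> .+ ) )?                     # optional SSID suffix
    \z
/xi;

# Returns (normalised MAC, SSID or undef), or an empty list if the value
# does not start with a well-formed MAC.
sub split_called_station_id {
    my ($csi) = @_;
    return unless defined $csi && $csi =~ $CSI_RE;
    my ($mac, $ssid) = ($+{mac}, $+{ssid});
    (my $hex = lc $mac) =~ tr/0-9a-f//cd;      # drop separators
    return (join('-', $hex =~ /(..)/g), $ssid);
}

# Constructed sample values, not taken from the thread.
for my $csi ('00-11-22-AA-BB-CC:eduroam',      # hyphens plus SSID
             '00:11:22:aa:bb:cc:eduroam',      # colons plus SSID
             '0011.22aa.bbcc',                 # dotted, no SSID
             '001122AABBCC:guest net',         # bare hex plus SSID
             'lab-00-11-22-aa-bb-cc',          # MAC-like text not at the start
             '00-11-22-AA-BB') {               # too short
    my ($mac, $ssid) = split_called_station_id($csi);
    printf "%-28s => %s\n", $csi,
        defined $mac ? "mac=$mac ssid=" . ($ssid // '(none)') : 'no MAC';
}
```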