Trouble Getting Mac-Auth to Work


Trouble Getting Mac-Auth to Work

Seth Turner
I'm new to FreeRADIUS, but have managed to get LDAP authentication working
properly. Now I am trying to add in mac-auth as well for certain devices,
but all devices are being rejected when they connect to the SSID, regardless
of whether the MAC is in the file. Based on what I am seeing, the
Calling-Station-Id is being rewritten to the proper format, which matches
what I have in the MAC file, but RADIUS still rejects the connection. Can
somebody help direct me as to what the issue may be?

NOTE: The end goal is actually to block certain MACs from connecting to
an SSID, which is why the file is called blocked_macs instead of
authorized_macs like the documentation. I'm just trying to follow the guide
for mac_auth at the moment before I try using it to restrict by MAC.

This is what I have under the Authorize section of default.conf.

        preprocess

        # If cleaning up the Calling-Station-Id...
        rewrite_calling_station_id

        # Now check against the blocked_macs file
        blocked_macs

        if (!ok) {
                # No match was found, so reject
                reject
        }
        else {
                # The MAC address was found, so update Auth-Type
                # to accept this auth.
                update control {
                        Auth-Type := Accept
                }
        }


This is what I get while running radiusd -X. Hopefully that is the proper
logging needed for troubleshooting.

(0)     [preprocess] = ok
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 60-D8-19-D4-F0-83
(0)           &Calling-Station-Id := 60-D8-19-D4-F0-83
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_calling_station_id = updated
(0) blocked_macs: EXPAND %{Calling-Station-ID}
(0) blocked_macs:    --> 60-D8-19-D4-F0-83
(0)     [blocked_macs] = noop
(0)     if (!ok) {
(0)     if (!ok)  -> TRUE
(0)     if (!ok)  {
(0)       [reject] = reject
(0)     } # if (!ok)  = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject

--
Seth Turner
Gasconade County R-2 School District
Network Manager
OHS Hunting and Fishing Club Sponsor
Phone (573)-437-2172
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Trouble Getting Mac-Auth to Work

jm+freeradiususer
I'm wondering if setting the MAC address to all uppercase characters (toupper) will be fruitful when later you're matching against a regex only containing lowercase characters.

On February 6, 2019 10:58:40 PM GMT+01:00, Seth Turner <[hidden email]> wrote:


Re: Trouble Getting Mac-Auth to Work

Seth Turner
Well, you pointed me in the right direction. The issue was I had the MAC
entries in the blocked_macs file listed with lowercase letters instead of
uppercase. I'm now able to reject by MAC address. Now I just need to dig
deeper and tie in an SSID check.

On Thu, Feb 7, 2019 at 1:20 AM <[hidden email]> wrote:


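Added example, not code from the thread or from FreeRADIUS itself: a small Python model of the posted authorize section, using the regex shown in the radiusd -X output, that reproduces the diagnosis above (a toupper'd Calling-Station-Id never matches lowercase file entries under an exact compare) and shows a normalising comparison as an alternative. The file contents and MAC addresses are constructed; the rlm_files lookup is approximated as an exact string compare on the first column, and the accept/reject branches follow the posted config (unlisted MACs rejected).

```python
import re

# Regex copied from the rewrite_calling_station_id policy in the debug output.
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
    r"[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

def rewrite_calling_station_id(value):
    """Mimic the policy: six hex pairs -> XX-XX-XX-XX-XX-XX via toupper."""
    m = MAC_RE.match(value)
    if m is None:
        return value            # the policy leaves non-matching values untouched
    return "-".join(m.groups()).upper()

# Constructed sample of a files-module style list (key in the first column).
# The first entry is lowercase, as in the original poster's blocked_macs file.
BLOCKED_MACS_FILE = """\
# blocked_macs (constructed sample)
60-d8-19-d4-f0-83
AA-BB-CC-DD-EE-FF
"""

def load_keys(text):
    """Return the first column of each non-comment, non-empty line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys

def files_match(calling_station_id, keys):
    """Exact, case-sensitive key compare: the behaviour the thread ran into."""
    return calling_station_id in keys

def files_match_normalised(calling_station_id, keys):
    """Run both sides through the same rewrite so case and separators agree."""
    wanted = rewrite_calling_station_id(calling_station_id)
    return wanted in {rewrite_calling_station_id(k) for k in keys}

def authorize(calling_station_id, keys, matcher=files_match):
    """Mirror the posted section: a file match yields ok (else noop);
    '!ok' rejects, otherwise Auth-Type := Accept."""
    mac = rewrite_calling_station_id(calling_station_id)   # rewrite_calling_station_id
    module_rc = "ok" if matcher(mac, keys) else "noop"     # [blocked_macs] = ok / noop
    return "reject" if module_rc != "ok" else "accept"
```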