Discussion:
Radius MAC filtering with EAP-PEAP
Alexey Eronko
2008-02-27 08:20:38 UTC
I want to set up two WiFi networks:

MAC filter with EAP-PEAP.

MAC filter with WEP.

How can I use RADIUS MAC filtering and EAP-PEAP simultaneously in one network?

Could you please suggest how I can check the MAC filter (via RADIUS) and after that do EAP-PEAP authorization?

Thank you

Alexey
Ivan Kalik
2008-02-27 09:33:26 UTC
Post by Alexey Eronko
Could you please suggest how I can check the MAC filter (via RADIUS) and after that do EAP-PEAP authorization?
Read your NAS documentation.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Era
2008-02-27 10:00:27 UTC
Hi!

Could you please help me find my mistake. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11), but the laptop can still connect with the testuser/12345 credentials.

:(

Here is my AP request:

rad_recv: Access-Request packet from host 10.10.10.139:6001, id=65, length=195
User-Name = "testuser"
NAS-IP-Address = 89.10.10.139
Called-Station-Id = "00-20-a6-64-66-a3:A"
Calling-Station-Id = "00-18-de-4e-8f-1d"
NAS-Identifier = "ORiNOCO-AP-700-64-66-a3"
State = 0x47e0330ad155ef064a62de62873e8690
Framed-MTU = 1400
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900261900170301001b139845f4c8e9bcb46

Debug log:

rlm_checkval: Item Name: Calling-Station-Id, Value: 00-18-de-4e-8f-1d
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
modcall[authorize]: module "checkval" returns notfound for request 8



Here is my users file:

testuser	User-Password == "12345"
	Calling-Station-Id = "00-18-de-4e-8f-11"

Here is my checkval config:

checkval {
	# The attribute to look for in the request
	item-name = Calling-Station-Id
	# The attribute to look for in check items. Can be multi valued
	check-name = Calling-Station-Id
	# The data type. Can be
	# string,integer,ipaddr,date,abinary,octets
	data-type = string
	# If set to yes and we dont find the item-name attribute in the
	# request then we send back a reject
	# DEFAULT is no
	notfound-reject = yes
}

Era

Alan DeKok
2008-02-27 10:13:59 UTC
Post by Era
Could you please help me find my mistake. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11), but the laptop can still connect with the testuser/12345 credentials.
Did you read the documentation for the "users" file?
Post by Era
testuser	User-Password == "12345"
	Calling-Station-Id = "00-18-de-4e-8f-11"
What do you think this entry does?
I don't think you need to use the "checkval" module.

In 2.0, you can just write the logic you want in "unlang".

Alan DeKok.
Era
2008-02-27 11:19:55 UTC
Post by Era
Could you please help me find my mistake. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11), but the laptop can still connect with the testuser/12345 credentials.
Did you read the documentation for the "users" file?

[Era]: Yes I did. But no result.
Post by Era
testuser	User-Password == "12345"
	Calling-Station-Id = "00-18-de-4e-8f-11"
What do you think this entry does?

[Era:] I thought that this entry maps the user to a MAC hardware address.
I don't think you need to use the "checkval" module.

[Era:] I'm using 1.1.7 on Debian.

Please don't judge me too hard. I didn't find any howto or manual about the MAC filtering feature in the FreeRADIUS docs.
I found a howto about EAP-PEAP and set it up through LDAP. Because of that I ask these stupid questions.
Where can I find this howto?

In 2.0, you can just write the logic you want in "unlang".

Alan DeKok.
Liran Tal
2008-02-27 11:42:29 UTC
Post by Era
Post by Era
Could you please help me find my mistake. I have a test user with a laptop. I want to restrict access for this laptop. In the users file I added a wrong MAC address (00-18-de-4e-8f-11), but the laptop can still connect with the testuser/12345 credentials.
Did you read the documentation for the "users" file?
[Era]: Yes I did. But no result.
Post by Era
testuser	User-Password == "12345"
	Calling-Station-Id = "00-18-de-4e-8f-11"
What do you think this entry does?
[Era:] I thought that this entry maps the user to a MAC hardware address.
No, that line means that the user tester/12345 will be granted access and FreeRADIUS will send a Calling-Station-Id attribute back to the NAS in the reply, which is not what you wanted...

I hope this makes more sense.


Regards,
Liran Tal.
Ivan Kalik
2008-02-27 11:58:45 UTC
1. The debug output is a bit longer than that. You should post the whole thing.

2. This is not a MAC authentication request.

3. That Calling-Station-Id is not going to get checked. Read the instructions in the users file about where check items go.

Ivan Kalik
Kalik Informatika ISP
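The point Liran and Ivan make above (pairs on an entry's first line are check items compared against the request, pairs on the indented continuation lines are reply items sent back to the NAS), shown in a small Python model added here; this is not code from the thread or from FreeRADIUS itself. It parses Era's entry next to a corrected form that puts the MAC on the first line, runs both against the request attributes from Era's debug output, and assumes a simplified match rule in which a User-Password check item is ignored when the request carries no password, as the outer EAP request shown does not.

```python
import re
# Constructed users-file entries (added here, not quoted verbatim from the
# thread): the form Era posted, and a corrected form with the MAC as a check item.
BROKEN_ENTRY = (
    'testuser\tUser-Password == "12345"\n'
    '\tCalling-Station-Id = "00-18-de-4e-8f-11"\n'
)
FIXED_ENTRY = (
    'testuser\tUser-Password == "12345", '
    'Calling-Station-Id == "00-18-de-4e-8f-11"\n'
)
# Request attributes from Era's debug output (outer EAP request, no User-Password).
REQUEST = {"User-Name": "testuser", "Calling-Station-Id": "00-18-de-4e-8f-1d"}
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*"([^"]*)"\s*,?')

def parse_users_entry(text):
    """Name plus the pairs on the first line are check items; indented
    continuation lines are reply items. Returns (name, check, reply)."""
    lines = text.splitlines()
    head = lines[0].split(None, 1)
    name, rest = head[0], (head[1] if len(head) > 1 else "")
    check = PAIR_RE.findall(rest)
    reply = [p for line in lines[1:] for p in PAIR_RE.findall(line)]
    return name, check, reply

def match_entry(entry_text, request):
    """Simplified rlm_files match (an assumption, not FreeRADIUS code): '==' pairs
    are compared with the request, ':=' and '=' are config items that always
    match, and a User-Password check is skipped if the request has no password."""
    name, check, reply = parse_users_entry(entry_text)
    if request.get("User-Name") != name:
        return False, []
    for attr, op, value in check:
        if op != "==":
            continue
        if attr == "User-Password" and "User-Password" not in request:
            continue
        if request.get(attr) != value:
            return False, []
    return True, reply

def checkval(entry_text, request, item="Calling-Station-Id"):
    """rlm_checkval outcome as in the debug log: no such check pair -> 'notfound',
    otherwise compare the request value against the (multi-valued) check pairs."""
    _, check, _ = parse_users_entry(entry_text)
    wanted = [v for a, _, v in check if a == item]
    if not wanted:
        return "notfound"
    return "ok" if request.get(item) in wanted else "reject"
```

With the entry as posted, the mismatched MAC still matches and the Calling-Station-Id only gets echoed in the reply, which is why checkval reported that it could not find the attribute in the check pairs; with the MAC on the first line, the same request no longer matches.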