2

I am trying to limit every user to a small set of Mac-IDs in RADIUS, by directly including the appropriate information in the users file. It would be acceptable even if every user was limited to one mac. The server is running FreeRADIUS version 2.1.12 from the Ubuntu 13.10 repos. The authentication used is PEAP and MSCHAPv2.

When a physical client (Nexus 5) tries to connect through the access point (Netgear WG-102) then FreeRADIUS seems to identify the Mac-id's in the access request, but not use it in the checks. The only devices on the network in my current test setup are the radius server, the access point and a test client. The entries in the users file are set up like:

testuser   NT-Password := "<hash>", Calling-Station-Id == "a1b2c3d4e5f6"

The policy.conf file has a rewrite.calling_station_id function that normalizes the Mac ids to the above format and this is called in available-sites/default right after preprocess. The properly formatted mac-id's show up in the log on running freeradius -X. However, the requests are rejected. Even if the check is replaced by Calling-Station-Id =* "a1b2c3d4e5f6", which is supposed to pass whenever the attribute just exists, the requests are rejected. If however, it is replaced by Calling-Station-Id !* "a1b2c3d4e5f6", which is supposed to pass only if the attribute is not present in the request, the requests are accepted.

Contrastingly, if I use radclient, expected behaviour is observed. The configuration files and relevant logs are linked below. The whole /etc/freeradius folder is linked, and also containing the logs for the following four cases. Note that number 2 is the only unexpected behaviour:

  1. nexus-without-mac-success: The users file had no mac checks and authentication succeeded
  2. nexus-with-mac-fail: The users file had the correct mac address and authentication failed
  3. radclient-with-mac-expected-behaviour-fail-with-wrong: radclient run with wrong mac address and is rejected: echo "User-Name=testuser,User-Password=test,Calling-Station-Id=8c:3a:e3:19:70:0e" | radclient localhost auth testing123
  4. radclient-with-mac-expected-behaviour-success-with-correct: radclient run with correct mac address and is accepted: echo "User-Name=testuser,User-Password=test,Calling-Station-Id=8c:3a:e3:19:70:0f" | radclient localhost auth testing123

Is it not possible to use Calling-Station-Id this way? Contrary to http://wiki.freeradius.org/guide/Mac-Auth, I want to have the Mac-Id's limited on a per-user basis, so if you have an alternate method of doing this, that would also be welcome.

http://portmasters.com/tech/docs/radius/userinfo.html#1004825 seems to say this is the correct way of doing this, although it's written in 1999.

http://www.cmi.ac.in/~ronno/freeradius-test contains the following:

  • freeradius - contents of /etc/freeradius
  • logs - the four logs described above
  • wg102.cfg - the access point configuration
  • snapshot.tar.gz - tarball containing all of the above
ronno
  • 123
  • 1
  • 1
  • 7

1 Answers1

3

You've not fed through the attributes in the outer request to the inner server.

Set copy_tunnel_request = yes in eap{peap{}} (in eap.conf or mods-available/eap).

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/eap#L594

The files call in the inner server does not have access to the Calling-Station-ID attribute in the outer request, does not match any entries, and so does not set the NT-Password control attribute.

Arran Cudbard-Bell
  • 1,514
  • 1
  • 9
  • 18