
So I set up a FreeRADIUS 3.0 server on Debian 9 following the official documentation here and here. I have an authorized_macs file with the addresses of my devices, and in the file /etc/freeradius/3.0/mods-enabled/files I indicated which file my MAC addresses are in:

files authorized_macs {
    # The default key attribute to use for matches.  The content
    # of this attribute is used to match the "name" of the
    # entry.
    key = "%{Calling-Station-ID}"

    usersfile = ${confdir}/authorized_macs

    #  If you want to use the old Cistron 'users' file
    #  with FreeRADIUS, you should change the next line
    #  to 'compat = cistron'.  You can then copy your 'users'
    #  file from Cistron.
    #compat = no
}

My WiFi access point sends the MAC addresses to the RADIUS server in the format 1A:2B:3C:4D:5E:6F, but to be sure that the problem is not coming from there, my authorized_macs file looks like this:

1A:2B:3C:4D:5E:6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a:2b:3c:4d:5e:6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A2B3C4D5E6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a2b3c4d5e6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A-2B-3C-4D-5E-6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a-2b-3c-4d-5e-6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

So when I start the FreeRADIUS server in debug mode (freeradius -X) and try to connect to the SSID with my device, an error occurs:

[...] -- line 777
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
[...] -- line 783

Full logs available here. For information, 10.42.0.7 is my FreeRADIUS server and 10.42.0.22 is my WiFi access point. The SSID is named "testtt".

TL;DR: The configuration is correct according to the official documentation. The WiFi access point and the FreeRADIUS server are well connected to each other, but the RADIUS server does not seem to know the addresses even though they have been given...


EDIT

Here is the end of the file /etc/freeradius/3.0/sites-enabled/default :

server {
        authorize {
                preprocess

                # If cleaning up the Calling-Station-Id...
                rewrite_calling_station_id

                # Now check against the authorized_macs file
                authorized_macs

                if (!ok) {
                        # No match was found, so reject
                        reject
                }
                else {
                        # The MAC address was found, so update Auth-Type
                        # to accept this auth.
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
}

1 Answer

Problem solved.

The piece of code I showed in my EDIT should not be added at the end of the file. In fact, the "authorize" section already exists and only this should be added after it (line 281):

       rewrite_calling_station_id
       # Now check against the authorized_macs file
       authorized_macs
       if (!ok) {
               # No match was found, so reject
               reject
       }
       else {
               # The MAC address was found, so update Auth-Type
               # to accept this auth.
               update control {
                       Auth-Type := Accept
               }
       }
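
An added example, not part of the original answer: a small Python check that parses a site file and reports whether the `authorized_macs` call sits in the `authorize` section of the first `server` block, as the answer describes, rather than in a separate `server` block appended at the end. The two sample site files are constructed, and treating the first `server` block as the existing one is an assumption.

```python
import re

def blocks(text):
    """Return (header, body) for every brace block at the top level of text."""
    out, depth, start, last, header = [], 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                # Header is the last non-empty line before the opening brace.
                lines = text[last:i].strip().splitlines()
                header, start = (lines[-1].strip() if lines else ""), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                out.append((header, text[start:i]))
                last = i + 1
    return out

def module_calls(site_text, module="authorized_macs"):
    """List (server index, server header, section) for each section calling module."""
    text = re.sub(r"#.*", "", site_text)  # simplification: no '#' inside strings
    call = re.compile(rf"^\s*{re.escape(module)}\s*$", re.M)
    servers = [b for b in blocks(text) if b[0].split()[:1] == ["server"]]
    return [(n, srv, sec) for n, (srv, body) in enumerate(servers)
            for sec, sec_body in blocks(body) if call.search(sec_body)]

def placed_in_existing_authorize(site_text, module="authorized_macs"):
    """True only if every call is in 'authorize' of the first server block."""
    calls = module_calls(site_text, module)
    return bool(calls) and all(n == 0 and sec == "authorize" for n, _, sec in calls)

# Constructed samples: the layout from the EDIT (second server block appended)
# and the layout from the answer (lines added inside the existing section).
BROKEN = ("server default {\n  authorize {\n    preprocess\n    pap\n  }\n}\n"
          "server {\n  authorize {\n    authorized_macs  # appended at end of file\n  }\n}\n")
FIXED = ("server default {\n  authorize {\n    preprocess\n"
         "    rewrite_calling_station_id\n    authorized_macs\n    pap\n  }\n}\n")

if __name__ == "__main__":
    for name, site in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, module_calls(site), placed_in_existing_authorize(site))
```
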