Issues configuring FreeRADIUS2

elliot01 · 01-11-2011, 11:47 AM

Hi all,

Bit of a newb to linux, total newb to FreeRADIUS (so maybe this belongs in the newbie section?).

Using CentOS 5.5, FreeRADIUS 2.1.7.

Objective is simply to be able to allow wireless clients access to my network based on their MAC address (I have about 10 WAPs around the country which I need to be able to manage user access centrally). Not interested in LDAP or dishing out keys/certificates etc.

I have been trying to follow the guide here. Sounds like it's exactly what I need but I'm not sure about a few things.

1) For each of the conf files am I supposed to be replacing everything currently existing in the respective file with what is suggested?
2) "raddb/modules/file" does not exist, so I assume I should use "raddb/modules/files"?
3) If I uncomment the line:

Code:

#rewrite_calling_station_id

under the "raddb/sites-available/default authorize{}" section, the radiusd startup gives me the following error:
/etc/raddb/sites-enabled/default[69]: Failed to find module "rewrite_calling_station_id".

If anyone familiar with FreeRADIUS 2 could answer these queries I might be on the right path

Thanks in advance.

truboy · 01-13-2011, 07:36 AM

Quote:

Originally Posted by elliot01

Objective is simply to be able to allow wireless clients access to my network based on their MAC address

We're talking about MAC address check AND standard WPA2 authentication right (PEAP or EAP-TTLS if you want to avoid certificates on the client machines) ?

elliot01 · 01-13-2011, 11:24 AM

Hi truboy,

I've been trawling posts and guides all day to try and learn more about freeRADIUS but so much of the lingo is very new to me, so please forgive me if I come over a it dense!

I am trying to simply have freeRADIUS check the client's MAC address against a list; if the address is listed then it allows the client to connect to the network.

I don't really need any form of user credentials, certificates, passphrases etc.

Some guides seem to imply that I have to use certificates for WPA2-Enterprise (TKIP/AES), others hint that I can achieve what I want, I'm just getting nowhere at the moment.

Cheers.

truboy · 01-14-2011, 03:38 AM

Quote:

Originally Posted by elliot01

Some guides seem to imply that I have to use certificates for WPA2-Enterprise (TKIP/AES), others hint that I can achieve what I want, I'm just getting nowhere at the moment.

I totaly understand your doubts because I've been through this too !

As you may know, a RADIUS server like FreeRADIUS is the actual most secure way to authenticate a user trying to join a WLAN protected by WPA/WPA2 (that's why it's called Enterprise). From what I remember, RADIUS works with EAP, which allow a bunch of authentication methods. The three main are EAP-TLS, EAP-TTLS and PEAP.
You need at least one ID/passphrase for the TTLS and PEAP anthentication modes per user, and a certificate for the TLS anthentication mode per user.
In all three modes, I believe the RADIUS server has to have its certificate.

Don't worry, it wasn't clear for myself neither until I spent six months working on this...

If you just want to allow machines on your WLAN with a MAC address check, then you don't need a RADIUS server. Just configure the MAC address check on your AP (Access Point) (I think every of them can do it), and set the WPA mode to Personnal (this means there will be only one password to enter the whole network, the same for everyone).
And if you don't even want the users to need a password to join the network, just disable the encryption (WPA/WPA2 or WEP) (this is something I wouldn't recommand).

I hope I understood your request, and don't hesitate to ask questions !

elliot01 · 01-18-2011, 05:44 AM

Hi Truboy,

Yep I think you understand my request

My problem though, is that we have about 20 WAPs around our sites and around 50~60 roaming users. No WAP we have come across (USRobotics, LinkSys or Cisco) can hold this many MAC addresses (about 20 maximum is typical), and neither do any of them allow any form of labelling (i.e.: we have no idea who a user is by simply looking at their MAC address).

When my colleague spoke to one of the manufacturers asking if they did WAPs with ~100 MAC address capacities they simply told us to look at a RADIUS server.

Ideally, we just want a situation where upon purchase of a new company laptop, as part of the configuration we just add its MAC address to the central MAC address list (like a RADIUS server), then that user can access any of the WAPs at any of our sites. Or, in another situation, if a site has a guest (i.e.: customer/supplier) we can add their MAC remotely. Trying to install a certificate onto such a laptop will be a no-go!

Our user base is 99% computer illiterate so you can imagine the existing challenges with trying to ask users for their MAC details when they arrive at various sites!

I was hoping there'd be a way to 'cheat' freeRADIUS into doing what we want, given our reasonably basic requirements.

If you can advise any other workable alternatives I would be extremely grateful!

Best Regards,

Elliot

truboy · 01-18-2011, 08:16 AM

Quote:

Originally Posted by elliot01

Ideally, we just want a situation where upon purchase of a new company laptop, as part of the configuration we just add its MAC address to the central MAC address list (like a RADIUS server), then that user can access any of the WAPs at any of our sites. Or, in another situation, if a site has a guest (i.e.: customer/supplier) we can add their MAC remotely. Trying to install a certificate onto such a laptop will be a no-go!

OK, I got it, of course deploying certificates on the whole site would be a herculean task, and asking guests to do so is not conceivable.

Code:

If you can advise any other workable alternatives I would be extremely grateful!

The first thing that comes to my mind is why not just use your WAPs with a simple WPA2-Personnal encryption (this means one password for the whole network) ?
Of course the password will be spreaded and some people that are not granted to join the network might be able to do it anyway, but using a MAC address check is no more secure.
Well, actually, it is a little, because it needs a bit of computer knowledge in order to change the MAC of the machine to fit another that is allowed on your network. But you might know it takes a single shell-command on Linux

!

Anyway, I took a look at the link you gave in your first post.

Quote:

1) For each of the conf files am I supposed to be replacing everything currently existing in the respective file with what is suggested?

No, I'm pretty sure you should just modify the section they're talking about.
What I would do, following the guide you gave :

- Optionally (I mean if you tried everything and it still doesn't work) add the rewrite_calling_station_id section at begin or end of raddb/policy.conf
- Add the authorized_macs section in raddb/raddb/modules/files (you were right, it's not raddb/modules/file !)
- Create the file raddb/authorized_macs and add some MAC that you want to check with the given syntax
- Add the next modification to raddb/sites-available/default, section authorize{}. It's written that this must be placed under the eap section and above the chap section, but it doesn't make sense since the chap section is above the eap one... Try both if you suspect this might throw an error !
- Add the Auth-Type CSID section in raddb/sites-available/default, section authenticate{}
- Add the final modification to raddb/sites-available/default post-auth{}
- Get all this running and try to connect with the configured MAC address

Is this what you did too ?

Quote:

... the radiusd startup gives me the following error:
/etc/raddb/sites-enabled/default[69]: Failed to find module "rewrite_calling_station_id".

What does radiusd say if you let rewrite_calling_station_id commented ? And what does it say when you try to connect to the WLAN ?

Cheers.

elliot01 · 01-18-2011, 09:34 AM

Hi truboy,

Thanks again for your valuable input!

I'll try the suggestions you have posted, but in the meantime, to address the global-password versus MAC issue.

Unfortunately, our users will do anything but work, so we frequently have people trying to connect PS3's, personal netbooks, mobile phones and all manner of other gadgetry to the WAPs to waste a bit of time (for some reason they think they can circumvent our web filtering by using the WAPs...). The WAP password has been spilled so many times that it became pointless.

As previously mentioned, the majority of our users wouldn't know a MAC address if it smacked them in the face, let alone try and spoof one, so this has seemed the most workable method.

Cheers

elliot01 · 01-18-2011, 12:01 PM

Right, I have started the freeRADIUS setup again, following your steps (in regards to the original guide).

Tried inserting

Code:

if((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)){
	update control {
		Auth-Type = 'CSID'
	}
}

before 'chap' and after 'eap'.

Have added

Code:

hayley  Cleartext-Password := "hayley"

to raddb/users.

But if I try to connect from my laptop, it asks me for the username and password but fails to ultimately connect. I get the following log file:

Code:

FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = no
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client 10.11.22.252 {
	require_message_authenticator = no
	secret = "TESTPASS"
	shortname = "hayleywap6"
	nastype = "other"
 }
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "TESTPASS"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_always
 Module: Instantiating ok
  always ok {
	rcode = "ok"
	simulcount = 0
	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating authorized_macs
  files authorized_macs {
	usersfile = "/etc/raddb/authorized_macs"
	compat = "no"
	key = "%{Calling-Station-ID}"
  }
 Module: Instantiating reject
  always reject {
	rcode = "reject"
	simulcount = 0
	mpp = no
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=74, length=156
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x0200000b016861796c6579
	Message-Authenticator = 0xd6a7658258659d4be6292ab60417bf28
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry hayley at line 52
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.11.22.252 port 1024
	EAP-Message = 0x0101001604106a36b456943f2ae35b4328997d310710
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b91a4122fa8e7f994107af0a3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=75, length=169
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020100060319
	State = 0x91a5161b91a4122fa8e7f994107af0a3
	Message-Authenticator = 0x269eff0a238cf19c937dc383d0350b96
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry hayley at line 52
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 75 to 10.11.22.252 port 1024
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b90a70f2fa8e7f994107af0a3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=76, length=285
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x0202007a198000000070160301006b0100006703014d35cd60ecc451580bba32c375ef9a183fec3987955beb2b03c7c34dbb4a3233000018002f00350005000ac009c00ac013c0140032003800130004010000260000000b00090000066861796c6579000a00080006001700180019000b00020100ff01000100
	State = 0x91a5161b90a70f2fa8e7f994107af0a3
	Message-Authenticator = 0xbc6d5089acef9406bcd4fb24fa614bd7
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 08c3], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.11.22.252 port 1024
	EAP-Message = 0x0103040019c00000090716030100310200002d03014d35cd86275018f8a20d45b94c5ea530af1beb4ee02457bcbcd1c54fbb25b5e300002f000005ff0100010016030108c30b0008bf0008bc0003d0308203cc308202b4a003020102020101300d06092a864886f70d01010405003081a6310b300906035504061302554b311630140603550408130d57657374204d69646c616e6473311230100603550407130948616c65736f77656e31193017060355040a13104861796c65792047726f757020504c433129302706092a864886f70d010901161a69742d64657074406861796c65792d67726f75702e636f2e756b312530230603550403131c7761
	EAP-Message = 0x707261646975732e6861796c65792d67726f75702e6c6f63616c301e170d3131303131333133353031325a170d3231303131303133353031325a308192310b300906035504061302554b311630140603550408130d57657374204d69646c616e647331193017060355040a13104861796c65792047726f757020504c43312530230603550403131c574150526164697573205365727665722043657274696669636174653129302706092a864886f70d010901161a69742d64657074406861796c65792d67726f75702e636f2e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100e2e5504ec467067d1f891ac7ac
	EAP-Message = 0x510296305846e27a0c8e47dba75e41107173c2a6c69640706730a8770fb69898be08e4187d4dc0f665f17ab2558b04a55257f07eb8fda2dbeccf26a72a07acdcdf2fbefd9764b5e456c2bee25c11c29802907fb5a2839268f67fd7bf5bebf8596aa0338a0315a6ace9fb023268329f76f0bb339e78dcf9556f9e1e3ac71c454031b10fdef858d157a73ac8814acaa42efad66d8daeffa82473860d294ad49d92cd81ddc490f49f29b05422ff19d3df91e70d6f048b0f248597d969d17f892fce4552a392341a333900a89a9de31e4a9fbfa4bc513579e957ad8078d641efd004bb318bb2610b56af7f1da92734573b874b6caf0203010001a317301530
	EAP-Message = 0x130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101006d7298cff5870d7b95d31901d51dbba4e0afa82846b16eeb08ef18b15a32246ac2ebcbae3baec39a784d37bd374d06aae7b841e7d7d10bb0f1c5ce966aaa72696ea0c2d58c1db95c81c9d6d9f0fee77d1bba00299a33f72c97fde740be2cf6fe09d6d80ca9d645819fb0993fab97b1a0807d3ee55bcec5d49dbcc682ffbd184cc1bf59a454c2d37948d1ee23263ed5dd96fba8261c7e71958a69e37f9d7324ea5848be1483d73a77e0b5f0e0361ba0bfdd4e5f930bae6416956df7d030023cdb813b8178f96b198b69e4f3c393c843c5925dc0e8f2
	EAP-Message = 0x0e022ebdac47a065449ba4ce
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b93a60f2fa8e7f994107af0a3
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=77, length=169
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020300061900
	State = 0x91a5161b93a60f2fa8e7f994107af0a3
	Message-Authenticator = 0x8eb85135b04e8e42d489ea076f1ee426
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.11.22.252 port 1024
	EAP-Message = 0x010403fc19401646432a3f29daeb2f02e82204f85c8df57d79c313edadfb35fe4c0de049810004e6308204e2308203caa003020102020900924d9ec7fb23fe7a300d06092a864886f70d01010505003081a6310b300906035504061302554b311630140603550408130d57657374204d69646c616e6473311230100603550407130948616c65736f77656e31193017060355040a13104861796c65792047726f757020504c433129302706092a864886f70d010901161a69742d64657074406861796c65792d67726f75702e636f2e756b312530230603550403131c7761707261646975732e6861796c65792d67726f75702e6c6f63616c301e170d31
	EAP-Message = 0x31303131333133353031325a170d3231303131303133353031325a3081a6310b300906035504061302554b311630140603550408130d57657374204d69646c616e6473311230100603550407130948616c65736f77656e31193017060355040a13104861796c65792047726f757020504c433129302706092a864886f70d010901161a69742d64657074406861796c65792d67726f75702e636f2e756b312530230603550403131c7761707261646975732e6861796c65792d67726f75702e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bcacc2f39159712b1f9db140e20a0952d0ebd9b5dd8bcfd0
	EAP-Message = 0x45e5e6890248f0de651c9646ca18eebbf90f1f388cd6184c4a2a355841be7452cf072ab99636776efe0cf9b113046599771a6803b0e532d745b0ffd23e556b9bdbe79ca0ffac6d2d5a76340ee2faac024224e280f28259bb40a2f11439456129d6979d75da3525125b335c7befb69ca531f3b6fcb22d3b14242e8fed6b91b29b9712018bb43e3c1f427b4fd9948faaebf1d1a0d1e5b0eb791948ba60b9a131a9e6fbcc53b5c364898c8096feedc23b3ef6a05ebd7f7bb695392ad8e5dfa4265f58411d371499f531f8d0a12e50644df9304d2788d9ea66b9f2e7143cc4b349fe62673217701942e70203010001a382010f3082010b301d0603551d0e04
	EAP-Message = 0x1604141f6786e00ae4094dc3c8e3007952ef5557d2a0ee3081db0603551d230481d33081d080141f6786e00ae4094dc3c8e3007952ef5557d2a0eea181aca481a93081a6310b300906035504061302554b311630140603550408130d57657374204d69646c616e6473311230100603550407130948616c65736f77656e31193017060355040a13104861796c65792047726f757020504c433129302706092a864886f70d010901161a69742d64657074406861796c65792d67726f75702e636f2e756b312530230603550403131c7761707261646975732e6861796c65792d67726f75702e6c6f63616c820900924d9ec7fb23fe7a300c0603551d1304
	EAP-Message = 0x0530030101ff300d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b92a10f2fa8e7f994107af0a3
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=78, length=169
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020400061900
	State = 0x91a5161b92a10f2fa8e7f994107af0a3
	Message-Authenticator = 0x40759f5e316538fa71893d951d553776
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 78 to 10.11.22.252 port 1024
	EAP-Message = 0x01050121190006092a864886f70d01010505000382010100ba2cb829640eff734961495c5f646b398547084d95317dd9cc11b4c5571fb3f689b93a7f2a7652dae2879230cc5c569a3665f30f9e58bf44167f926ac562d703fc47d1aeb447d0df7fc90fe8c7592357bb1b8955e8ca1366697445998b18a90874b25af3fa17de24798399009a53a9a01c502b80b07c659f84168f6a7aaaad58072008ba14d55ef8bcda89de208fac63739335d901a754d817d98a11183e4d38847d28d158f3a5d08628d7295506a87f88ad4d07fc14a297e062c88c694b4f190f6849b618d06555c0932a6c7b059230b8dc388e800bf20ab2a14411077da1cd5a8cfaaae7
	EAP-Message = 0x27960772caf5a7a3fdebd0cb67ef3d84a5177718fa1668e47b3bb716030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b95a00f2fa8e7f994107af0a3
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.22.252 port 1024, id=79, length=169
	User-Name = "hayley"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
	Calling-Station-Id = "00-16-E3-EA-5E-9B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020500061900
	State = 0x91a5161b95a00f2fa8e7f994107af0a3
	Message-Authenticator = 0x635f6964af1f6128f42ed06d0c5596b4
+- entering group authorize {...}
++[preprocess] returns ok
++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i))
    (Attribute Service-Type was not found)
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hayley", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 79 to 10.11.22.252 port 1024
	EAP-Message = 0x010600061900
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x91a5161b94a30f2fa8e7f994107af0a3
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 74 with timestamp +17
Cleaning up request 1 ID 75 with timestamp +17
Cleaning up request 2 ID 76 with timestamp +17
Cleaning up request 3 ID 77 with timestamp +17
Cleaning up request 4 ID 78 with timestamp +17
Cleaning up request 5 ID 79 with timestamp +17
Ready to process requests.

truboy · 01-19-2011, 02:17 AM

Quote:

Originally Posted by elliot01

I get the following log file: (...)

It's weird because the server doesn't seem to reject the user ! But neither does it clearly say that the user has been successfully granted...

Quote:

Have added

Code:

hayley  Cleartext-Password := "hayley"

to raddb/users.

Does the server complain if you don't ?

I have to admit I'm running out of ideas here

!

Between the following, what is your actual MAC address ?

Code:

Called-Station-Id = "00-14-C1-47-AE-D0:HAYLEYWAP6"
Calling-Station-Id = "00-16-E3-EA-5E-9B"

Are those both in raddb/authorized_macs ? If not try that, maybe even with the :HAYLEYWAP6 thing.

truboy · 01-19-2011, 02:18 AM

Quote:

Originally Posted by elliot01

As previously mentioned, the majority of our users wouldn't know a MAC address if it smacked them in the face, let alone try and spoof one, so this has seemed the most workable method.

I agree completely

!

elliot01 · 01-20-2011, 05:20 AM

Hi truboy,

Thank you for your continuing input

I am sincerely grateful!

I'm going to have another stab at this hopefully this afternoon. Something I meant to bring up previously though, was regarding case sensitivy. Are these scripts case sensitive, do you? As, in particular, sometimes I see 'Calling-Station-ID' and other times I see 'Calling-Station-Id'. No errors appear to be reported, but I just wanted to eliminate it as a factor.

Cheers.

truboy · 01-20-2011, 08:30 AM

Quote:

Originally Posted by elliot01

Thank you for your continuing input

I am sincerely grateful!

You're welcome !

About case-sensitivity, as I personally don't know about that, I googled a bit but found not much about it. It makes not doubts that things like user-names or passwords are case-sensitive, but I couldn't figure that out for what you talked about.

You might want to simply try and run radiusd with i.e. DEFAULT_EAP_TYPE or CALLING_STATION_ID, just to make sure, and see if it complains.

Good luck for this afternoon

!

singh.deep · 05-27-2011, 05:17 AM

Hello Everybody
I am new to freeradius, I installed freeradius2 on centos 5.5. Its working on basic PAP authorization. I want to use Mac address authorization for my lan pcs not wireless access points. I tried the default guide http://wiki.freeradius.org/Mac-Auth, but its giving errors -Failed to find module "rewrite_calling_station_id"..

If anybody know how to fix this. please reply with detailed step by step configuration.

Thank you very much

singh.deep001@gmail.com

wenkow · 03-10-2015, 10:11 AM

[QUOTE=singh.deep;4368450]Hello Everybody
I am new to freeradius, I installed freeradius2 on centos 5.5. Its working on basic PAP authorization. I want to use Mac address authorization for my lan pcs not wireless access points. I tried the default guide wiki.freeradius.org/Mac-Auth, but its giving errors -Failed to find module "rewrite_calling_station_id"..

If anybody know how to fix this. please reply with detailed step by step configuration.

The policy.conf should look like this:

policy {

rewrite_calling_station_id {
.
.
.
.
}

}

then rewrite_calling_station_id policy could be used in configuration. The FreeRadius wiki is actually missing this point.