I am trying to limit every user to a small set of Mac-IDs in RADIUS, by directly including the appropriate information in the users file. It would be acceptable even if every user was limited to one mac. The server is running FreeRADIUS version 2.1.12 from the Ubuntu 13.10 repos. The authentication used is PEAP and MSCHAPv2.
When a physical client (Nexus 5) tries to connect through the access point (Netgear WG-102) then FreeRADIUS seems to identify the Mac-id's in the access request, but not use it in the checks. The only devices on the network in my current test setup are the radius server, the access point and a test client. The entries in the users file are set up like:
testuser NT-Password := "<hash>", Calling-Station-Id == "a1b2c3d4e5f6"
The policy.conf file has a rewrite.calling_station_id function that normalizes the Mac ids to the above format and this is called in available-sites/default right after preprocess. The properly formatted mac-id's show up in the log on running freeradius -X. However, the requests are rejected. Even if the check is replaced by Calling-Station-Id =* "a1b2c3d4e5f6", which is supposed to pass whenever the attribute just exists, the requests are rejected. If however, it is replaced by Calling-Station-Id !* "a1b2c3d4e5f6", which is supposed to pass only if the attribute is not present in the request, the requests are accepted.
Contrastingly, if I use radclient, expected behaviour is observed. The configuration files and relevant logs are linked below. The whole /etc/freeradius folder is linked, and also containing the logs for the following four cases. Note that number 2 is the only unexpected behaviour:
nexus-without-mac-success: Theusersfile had no mac checks and authentication succeedednexus-with-mac-fail: Theusersfile had the correct mac address and authentication failedradclient-with-mac-expected-behaviour-fail-with-wrong: radclient run with wrong mac address and is rejected:echo "User-Name=testuser,User-Password=test,Calling-Station-Id=8c:3a:e3:19:70:0e" | radclient localhost auth testing123radclient-with-mac-expected-behaviour-success-with-correct: radclient run with correct mac address and is accepted:echo "User-Name=testuser,User-Password=test,Calling-Station-Id=8c:3a:e3:19:70:0f" | radclient localhost auth testing123
Is it not possible to use Calling-Station-Id this way? Contrary to http://wiki.freeradius.org/guide/Mac-Auth, I want to have the Mac-Id's limited on a per-user basis, so if you have an alternate method of doing this, that would also be welcome.
http://portmasters.com/tech/docs/radius/userinfo.html#1004825 seems to say this is the correct way of doing this, although it's written in 1999.
http://www.cmi.ac.in/~ronno/freeradius-test contains the following:
freeradius– contents of/etc/freeradiuslogs– the four logs described abovewg102.cfg– the access point configurationsnapshot.tar.gz– tarball containing all of the above
Best Answer
You've not fed through the attributes in the outer request to the inner server.
Set
copy_tunnel_request = yesineap{peap{}}(in eap.conf or mods-available/eap).https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/eap#L594
The files call in the inner server does not have access to the Calling-Station-ID attribute in the outer request, does not match any entries, and so does not set the NT-Password control attribute.