Freeradius: No Reply-Message on failed authentication

I have configured freeradius on a RHEL 6.5 server for MAC-based authentication, and for this I followed this guide.

As per the above guide, I created the authorized_macs file for valid MAC addresses as follows:

xx-xx-xx-xx-xx-xx    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
yy-yy-yy-yy-yy-yy    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

I tried making certain changes to the authorize section of the /etc/raddb/sites-available/default file, so as to set a Reply-Message for failed authentication, as follows:

authorize {
  preprocess

  # if cleaning up the Calling-Station-Id...
  rewrite.calling_station_id

  # now check against the authorized_macs file
  authorized_macs
  if (!ok) {
    update control {
      Reply-Message := "Login Failed. MAC Address %{Calling-Station-ID} is NOT valid."
    }
    reject
  }
  else {
    # accept
    users
    update control {
      Auth-Type := Accept
    }
  }
}

When testing the configuration using radclient:

Successful authentication:

> echo "Calling-Station-Id=xx-xx-xx-xx-xx-xx" | radclient -s localhost:1812 auth testing123

Received response ID 55, code 2, length = 93
        Reply-Message = "Device with MAC Address xx-xx-xx-xx-xx- authorized for network access"

           Total approved auths:  1
             Total denied auths:  0
               Total lost auths:  0

Failed authentication:

 > echo "Calling-Station-Id=zz-zz-zz-zz-zz-zz" | radclient -s localhost:1812 auth testing123

Received response ID 220, code 3, length = 20

       Total approved auths:  0
         Total denied auths:  1
           Total lost auths:  0

In case of failed authentication, no Reply-Message is displayed.

What do I need to do to enable a Reply-Message in the Access-Reject response?

Answer 1

Set the Reply-Message in an update reply block, not update control. Using your example:

        update reply {
              Reply-Message := "Login Failed. MAC Address %{Calling-Station-ID} is NOT valid."
            }
