freeradius MAC authentication error (MAC address not found?)

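So I set up a freeradius 3.0 server on Debian 9 following the official documentation here and here. I have an authorized_mac file containing my devices' addresses, and in the file /etc/freeradius/3.0/mods-enabled/files I indicated which file my MAC addresses are in: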

files authorized_macs {
    # The default key attribute to use for matches.  The content
    # of this attribute is used to match the "name" of the
    # entry.
    key = "%{Calling-Station-ID}"

    usersfile = ${confdir}/authorized_macs

    #  If you want to use the old Cistron 'users' file
    #  with FreeRADIUS, you should change the next line
    #  to 'compat = cistron'.  You can the copy your 'users'
    #  file from Cistron.
    #compat = no
}

My WiFi access point sends the MAC address to the radius server in the format 1A:2B:3C:4D:5E:6F, but to make sure the problem does not come from there, my authorized_macs file looks like this:

1A:2B:3C:4D:5E:6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a:2b:3c:4d:5e:6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A2B3C4D5E6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a2b3c4d5e6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1A-2B-3C-4D-5E-6F
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

1a-2b-3c-4d-5e-6f
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

So, when I start the freeradius server in debug mode (freeradius -X) and try to connect to the SSID with my device, an error occurs:

[...] -- line 777
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
[...] -- line 783

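The full log is available here. For reference, 10.42.0.7 is my freeradius server and 10.42.0.22 is my WiFi access point. The SSID is named "testtt".

To summarize: according to the official documentation, the configuration is correct. The WiFi access point and freeradius communicate fine with each other, but the radius server does not seem to know the addresses, even though they have been given...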


EDIT

Here is the end of the file /etc/freeradius/3.0/sites-enabled/default:

server {
        authorize {
                preprocess

                # If cleaning up the Calling-Station-Id...
                rewrite_calling_station_id

                # Now check against the authorized_macs file
                authorized_macs

                if (!ok) {
                        # No match was found, so reject
                        reject
                }
                else {
                        # The MAC address was found, so update Auth-Type
                        # to accept this auth.
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
}

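Answer 1

Problem solved.

The snippet I showed in the EDIT should not be added at the end of the file. In fact, the "authorize" section already exists, and you only need to add this part after it (line 281):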

rewrite_calling_station_id
       # Now check against the authorized_macs file
       authorized_macs
       if (!ok) {
               # No match was found, so reject
               reject
       }
       else {
               # The MAC address was found, so update Auth-Type
               # to accept this auth.
               update control {
                       Auth-Type := Accept
               }
       }
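
A way to confirm this diagnosis from `freeradius -X` output, as an added example that is not part of the original question or answer: it lists the modules each request ran inside `authorize` and reports whether `authorized_macs` was among them. The log samples are constructed in the style of the excerpt above, and the `[authorized_macs] = ok` line is an assumption about how the named `files` instance appears in debug output.

```python
import re

# Constructed sample in the style of the question's excerpt (elided lines unknown).
FAILING = """\
(0)   authorize {
(0)     [preprocess] = ok
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)     [pap] = noop
(0)   } # authorize = ok
"""

# Constructed sample: what a request might look like once the block is in place.
FIXED = """\
(1)   authorize {
(1)     [preprocess] = ok
(1)     [authorized_macs] = ok
(1)   } # authorize = ok
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")      # "(request id)  rest of line"
MODULE = re.compile(r"^\[([\w.-]+)\] = (\w+)$")  # "[module] = rcode"

def authorize_modules(debug_text):
    """Return {request_id: [(module, rcode), ...]} for each authorize section."""
    result, inside = {}, set()
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2).strip()
        if body == "authorize {":
            inside.add(req)
            result.setdefault(req, [])
        elif body.startswith("} # authorize"):
            inside.discard(req)
        elif req in inside:
            mod = MODULE.match(body)
            if mod:
                result[req].append(mod.groups())
    return result

def diagnose(debug_text, instance="authorized_macs"):
    """Per request: the instance's return code, or None if it never ran."""
    return {req: dict(mods).get(instance)
            for req, mods in authorize_modules(debug_text).items()}

if __name__ == "__main__":
    print(diagnose(FAILING), diagnose(FIXED))
```

A result of `None` means the `authorized_macs` call is not in the `authorize` section the server actually executes, which is the situation the answer describes; a return code other than `ok` means it ran but found no matching entry.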
