Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

FreeRadius MAC-Authentication

Hi all,

Has anyone here ever done MAC-Authentication using FreeRadius and Aruba?

I spent some time to finally configure freeradius on an Ubuntu VM and have it running + working. I'm currently able to authenticate on my external captive portal which is pointed to my webserver + freeradius for RADIUS auth.

I'm authenticating against a SQL database that I created and it works fine. Since MAC-Auth uses the MAC as a calling-station-id, I'd like to extract this information and store it into my SQL database. Then if a user connects, it will send its MAC and I'd like to verify it against this same database so the users don't have to enter their credentials again (basically same as MAC caching).

Also, I created an entry within my database with my phone's MAC as a username and same for password and it's working. Since I plan to have loads of connections, I want to have this process automated.

Any idea/procedure on how to achieve this?

Thanks a lot :)

ACMP, ACCP, BCNE
Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: FreeRadius MAC-Authentication

15 hours of work and dedication later, I managed to make it work :)

Thanks

ACMP, ACCP, BCNE
New Contributor
Posts: 1
Registered: 2 weeks ago

Re: FreeRadius MAC-Authentication

I have the exact same scenario to deploy. How did you do that?

Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: FreeRadius MAC-Authentication

Hi,

It's been a while and I didn't document everything since it was for a personal project, but I can still help.

Here's what I was using to make it work:

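    # Run the sql module, then look up the client's MAC in radpostauth
    sql
    if ("%{sql:SELECT COUNT(*) FROM radpostauth WHERE username = '%{Calling-Station-Id}'}" > 0) {
        # At least one row exists for this MAC: accept without credentials
        ok
        update control {
            Auth-Type := Accept
        }
    }
    else {
        reject
    }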

I'm not an SQL expert so this might not be the optimal/fastest way to achieve it ... but it did the trick for me.

The idea is that once a user has authenticated successfully, it will be added to radpostauth. Now we verify that if this calling-station-id exists in radpostauth, we authorize it.

This string should be added under the Authorize section of /etc/freeradius/sites-available/conf

HTH

 

ACMP, ACCP, BCNE
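
An added example, not part of the original posts: it replays the posted radpostauth lookup against an in-memory SQLite table and compares it with a narrower lookup that counts only recent Access-Accept rows for a normalized MAC. The sample rows, the seven-day window, the function names and the assumption that rejected attempts are also logged to radpostauth (as when sql is listed under Post-Auth-Type REJECT) are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows using radpostauth's username/pass/reply/authdate columns.
ROWS = [
    ("aa-bb-cc-dd-ee-01", "x", "Access-Accept", "2024-05-01 10:00:00"),
    ("aa-bb-cc-dd-ee-02", "x", "Access-Reject", "2024-05-01 10:05:00"),
    ("aa-bb-cc-dd-ee-03", "x", "Access-Accept", "2024-03-01 09:00:00"),
]

# Lookup as posted in the thread: any row for the MAC counts.
POSTED = "SELECT COUNT(*) FROM radpostauth WHERE username = ?"
# Narrowed lookup (assumption, not from the thread): accepted and recent only.
NARROWED = ("SELECT COUNT(*) FROM radpostauth WHERE username = ? "
            "AND reply = 'Access-Accept' AND authdate >= datetime(?, ?)")


def normalize_mac(raw):
    """Reduce common MAC notations to lower-case aa-bb-cc-dd-ee-ff."""
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_db():
    """In-memory stand-in for the RADIUS SQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radpostauth "
               "(username TEXT, pass TEXT, reply TEXT, authdate TEXT)")
    db.executemany("INSERT INTO radpostauth VALUES (?, ?, ?, ?)", ROWS)
    return db


def posted_check(db, calling_station_id):
    return db.execute(POSTED, (calling_station_id,)).fetchone()[0] > 0


def narrowed_check(db, calling_station_id, now, max_age="-7 days"):
    mac = normalize_mac(calling_station_id)
    return db.execute(NARROWED, (mac, now, max_age)).fetchone()[0] > 0


if __name__ == "__main__":
    db, now = build_db(), "2024-05-02 00:00:00"
    for mac in ("aa-bb-cc-dd-ee-01", "aa-bb-cc-dd-ee-02", "aa-bb-cc-dd-ee-03"):
        print(mac, posted_check(db, mac), narrowed_check(db, mac, now))
```

In unlang the narrowed WHERE clause would go inside the same %{sql:...} expansion, with the date arithmetic written in the dialect of the database actually in use.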