 From:  David Orman <david dot orman at orblivion dot com>
 To:  mirassou at cict dot fr
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] troubles with radius/captive portal - please advise
 Date:  Thu, 21 Oct 2004 01:20:34 -1000
When a user creates an account on my system (via my own code/system) it
inserts the info into the radius db. I need a way to #1 get their MAC
addie (not the m0n0wall machine's) and #2 a way to make radius deny
clients access if they attempt to login w/ a username/password that
doesn't match the MAC address they signed up with. The only way I can
see this happening is if m0n0wall provides their MAC to radius or
something when logging in.

Cheers,
David

On Oct 20, 2004, at 21:27, Denis Mirassou wrote:

> Ok, I was wrong :-(
>
> How do you want to do a check on user MAC address ? Using "Deny  
> unknown clients" in DHCP config ?
>
> Denis
>
> David Orman wrote:
>> The secret was wrong in the client configuration table. I sorted it,
>> and it worked like a charm. Now I'm trying to figure out how to get each
>> user's MAC address so I can prevent them from sharing accounts with
>> buddies. :) Any input would be much appreciated.
>> Cheers,
>> David
>> On Oct 20, 2004, at 20:57, Denis Mirassou wrote:
>>> Hi,
>>>
>>> According to the logs, Radius is taking care of user name and password
>>> provided by this NAS, so I think the NAS is well configured in his  
>>> Free Radius clients.conf file.
>>>
>>> It seems there is a pb of password encryption, I don't use MySQL  
>>> with Radius.
>>> Are MySQL tables of MyISAM type ?
>>> Is Value attribute from radcheck table of Password type (ie  
>>> encrypted ?)
>>>
>>> Denis
>>>
>>> Mitch (WebCob) wrote:
>>>
>>>> Is your mono in the allow list on the radius server? radius servers don't
>>>> accept auth's from all "NAS" - you have to have the NAS in the config of the
>>>> radius server, and you have to have set the same shared secret, which is
>>>> used to encrypt the password...
>>>> m/
>>>>
>>>>> -----Original Message-----
>>>>> From: David Orman [mailto:david dot orman at orblivion dot com]
>>>>> Sent: Wednesday, October 20, 2004 3:00 AM
>>>>> To: m0n0wall at lists dot m0n0 dot ch
>>>>> Subject: [m0n0wall] troubles with radius/captive portal - please  
>>>>> advise
>>>>>
>>>>>
>>>>> Hi all. :)
>>>>>
>>>>>     I've gotten my soekris in, and am trying to get captive portal working
>>>>> w/ radius (freeradius + mysql specifically).
>>>>>
>>>>> I made an entry for a "test" user with "test" password in the db, this
>>>>> is what it looks like...
>>>>>
>>>>> mysql> select * from usergroup;
>>>>> +----------+-----------+----------+
>>>>> | UserName | GroupName | priority |
>>>>> +----------+-----------+----------+
>>>>> | test     | test      |        0 |
>>>>> +----------+-----------+----------+
>>>>> 1 row in set (0.00 sec)
>>>>>
>>>>> mysql> select * from radcheck;
>>>>> +----+----------+-----------+----+-------+
>>>>> | id | UserName | Attribute | op | Value |
>>>>> +----+----------+-----------+----+-------+
>>>>> |  1 | test     | Password  | == | test  |
>>>>> +----+----------+-----------+----+-------+
>>>>> 1 row in set (0.00 sec)
>>>>>
>>>>> mysql>
>>>>>
>>>>>
>>>>> Now, in testing...
>>>>>
>>>>> pulsar# radtest test test localhost 1812 secret
>>>>> Sending Access-Request of id 69 to 127.0.0.1:1812
>>>>>         User-Name = "test"
>>>>>         User-Password = "test"
>>>>>         NAS-IP-Address = pulsar.orblivion.com
>>>>>         NAS-Port = 1812
>>>>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=69, length=20
>>>>> pulsar#
>>>>>
>>>>> So it seems freeradius/mysql is working fine. The problem arises when I
>>>>> try to use the captive portal/m0n0wall. :)
>>>>>
>>>>> My captive portal code is just the default code:
>>>>>
>>>>> <html>
>>>>> <body>
>>>>> <form method="post" action="">
>>>>>     <input name="accept" type="submit" value="Continue">
>>>>>     <input name="auth_user" type="text">
>>>>>     <input name="auth_pass" type="password">
>>>>> </form>
>>>>> </body>
>>>>> </html>
>>>>>
>>>>> This is what I see in the error logs when attempting test/test as
>>>>> username/password:
>>>>>
>>>>> Tue Oct 19 23:52:52 2004 : Info: rlm_sql (sql): No matching entry in the database for request from user [test]
>>>>> Tue Oct 19 23:52:52 2004 : Auth: Login incorrect: [test/\272}S\0045\244\351i\317h\332\366s\2231\346] (from client ap1 port 0)
>>>>>
>>>>> More detail:
>>>>>
>>>>> Tue Oct 19 23:52:52 2004
>>>>>         Service-Type = Login-User
>>>>>         User-Name = "test"
>>>>>         User-Password = "\272}S\0045\244\351i\317h\332\366s\2231\346"
>>>>>         NAS-Identifier = "ap1.orblivion.com"
>>>>>         NAS-Port = 0
>>>>>         NAS-Port-Type = Ethernet
>>>>>         NAS-IP-Address = 67.52.79.22
>>>>>         Client-IP-Address = 67.52.79.22
>>>>>
>>>>> It seems the user-password is being garbled into something strange/odd.
>>>>> I've attempted shuffling the pap password encryption scheme to all the
>>>>> available options in freeradius as I read in the mailing list m0n0wall
>>>>> uses PAP, but it's made no difference. Any ideas on what the problem
>>>>> is? I'm sure it's user error, I've never touched radius before. :)
>>>>>
>>>>> Cheers,
>>>>> David Orman
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>>
>>>>>
>>>
>>>
>>>
>>> -- 
>>> Denis Mirassou
>>> Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
>>>
>
>
> -- 
> Denis Mirassou
> Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
>
>