(Solved) Re: MAC authorisation (but not authentication) via LDAP

Alan Walters alan at radiowave.ie
Wed Apr 11 22:12:52 CEST 2007


This looks great for my purpose as well. Thanks very much for your help.


Alan,

The problem for me was that when the LDAP search failed to find the MAC 
address, FreeRADIUS didn't reject authorisation.

The solution for me (I'm sure the big boys can point out how it's 
wrong) was the following script:

-------snip-------
#!/bin/sh
# rlm_exec (input_pairs = request) exports Module-Failure-Message as
# $MODULE_FAILURE_MESSAGE; if rlm_ldap reported "not found", force a
# reject by printing a config item (output_pairs = config).
if echo "$MODULE_FAILURE_MESSAGE" | grep -q "not found"; then
     echo "Auth-Type := reject"
     exit 0
fi
-------snip-------
and the following clause in radiusd.conf
-------snip-------
exec rejectOnNotFound {
         wait = yes
         program = "/usr/local/etc/raddb/rejectOnNotFound.sh"
         input_pairs = request
         output_pairs = config
}
-------snip-------
which is used in the authorise section thus
-------snip-------
Autz-Type LdapMAC {
         ldapMAC
         rejectOnNotFound
}
-------snip-------


As I said, works for me.

Hope it helps..

Mart

Alan Walters wrote:
> We are trying to add MAC authentication to our wireless APs. The RADIUS request
> comes in like so.
> 
> rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
> length=95
>         Service-Type = Framed-User
>         NAS-Port-Id = "wlan1"
>         User-Name = "00:0B:6B:56:1D:48"
>         User-Password = ""
>         NAS-Identifier = "ballyvaughan_ap_1"
>         NAS-IP-Address = 10.250.100.3
> 
> 
> The MAC address is in a field in the LDAP, so I created a second
> ldap.attrib.map and a new LDAP Autz-Type. The problem is that the
> User-Password that is sent is blank, so I added this to the users file,
> like so.
> 
> DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password ==
> "", Simultaneous-Use := 1
>        Fall-Through = 0
> 
> Great, now the user will authorise and authenticate from files. But what
> I had hoped would happen was that if they fail authorisation they would
> not continue; I can see this is not the default procedure. How can I
> make this work this way?
> 
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     users: Matched entry DEFAULT at line 4
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   Found Autz-Type ldapMAC
>   Processing the authorize section of radiusd.conf
> modcall: entering group ldapMAC for request 0
> modcall: entering group redundant  for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
> radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
> radius_xlat:  'o=clients,dc=radiowave,dc=net'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
> filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldapmac1" returns notfound for request 0
> modcall: leaving group redundant  (returns notfound) for request 0
> modcall: leaving group ldapMAC (returns notfound) for request 0
> 
> 
> But when the authentication starts this still happens. Below was an
> idea someone had in respect to this issue or a similar one, but I have no
> idea how to deploy this. I look forward to your replies.
> 
> auth: type Local
> auth: user supplied User-Password matches local User-Password
>   Processing the session section of radiusd.conf
> modcall: entering group session for request 0
> modcall: entering group redundant  for request 0
>   modcall[session]: module "sql2" returns noop for request 0
> modcall: leaving group redundant  (returns noop) for request 0
> modcall: leaving group session (returns noop) for request 0
> Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
> Sending Access-Accept of id 119 to 10.250.100.3 port 1038
> 
> 
> On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
>> Martin Whinnery wrote:
>>> Markus Krause wrote:
>>>   
>>>> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
>>>>
>>>>   
>>>>     
>>>>> Hi.
>>>>>
>>>>> Probably just me not understanding...
>>>>>
>>>>> What I want is for our switches to only allow access to MAC addresses in
>>>>> our LDAP database.
>>>>>
>>>>> I don't want to store passwords on our LDAP host entries.
>>>>>
>>>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>>>> authorised / not authorised depending on whether the appropriate
>>>>> attribute contains the right value.
>>>>>
>>>>> The trouble comes with authentication - either I set Auth-Type :=
>>>>> Accept, in which case any failed authorisation is overridden, or I allow
>>>>> authentication to carry on against LDAP (or System, or whatever), in
>>>>> which case it always fails and access is denied, even for authorised MACs.
>>>>>
>>>>> Is there a way to make the Authorisation part final and authoritative?
>>>>>
>>>>>
>>>>> As I say, probably just being stupid.
>>>>>
>>>>>
>>>>> Mart
>>>>>
>>>>>
>>>>>     
>>>>>       
>>>> Don't know if it is a good solution, but I just do this by setting the  
>>>> following in radiusd.conf:
>>>>
>>>> authenticate {
>>>>      ...
>>>>      Auth-Type LdapMAC {
>>>>         ok
>>>>      }
>>>>      ...
>>>> }
>>>>
>>>> The Auth-Type is set in the users file depending on huntgroups:
>>>>
>>>> DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>>>>
>>>> I assume there are better/smarter solutions, as one can read "don't  
>>>> set Auth-Type" in many places, but it works here ;-)
>>>>
>>>> regards
>>>>    markus
>>>>
>>>>   
>>>>     
>>> Thanks Markus,
>>>
>>> the problem seems to be that the authorisation pass returns "notfound", 
>>> whereas I want it to "reject", as if it found an entry in LDAP without 
>>> the appropriate attribute.
>>>
>>> Mart
>>>
>>>   
>> This was exactly the problem. What I've done is created an exec module, 
>> which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning 
>> non-zero if there's a match. So authorization *fails* rather than 
>> succeeds with 'not found'.
>>
>> I think.
>>
>> Anyway, it works.
>>
>> Thanks for all your help.
>>
>> Mart
>>
> 

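The exec-module approach from the thread, as an added example that is not code from the thread or from FreeRADIUS itself: a hardened version of Mart's rejectOnNotFound.sh with the decision in a shell function so it can be exercised with constructed inputs. It relies on the rlm_exec conventions the posted script already depends on (input_pairs = request exports each request attribute as an environment variable with dashes replaced by underscores, so Module-Failure-Message is $MODULE_FAILURE_MESSAGE and User-Name is $USER_NAME; output_pairs = config parses stdout as "Attribute op value" lines), and on the fact that a request whose config items carry Auth-Type := Reject gets an Access-Reject without the authenticate section running. It goes one step beyond the posted script: a User-Name that is not MAC-shaped is rejected too, so a non-MAC request that reaches this Autz-Type is never accepted merely because rlm_ldap raised no "not found". The MAC pattern (six colon- or dash-separated hex octets) and the guard that decides whether the script is running under radiusd are my assumptions; the "not found" substring is tied to rlm_ldap's own message text ("object not found or got ambiguous search result" in Alan's log), so it must be revisited if that wording changes.

```shell
#!/bin/sh
# Added example, not the thread's own script. Hardened rejectOnNotFound.sh:
# the decision lives in a function so it can be tested with constructed
# inputs; when run by radiusd it reads the rlm_exec environment.

# decide_authtype FAILURE_MESSAGE USER_NAME
#   Prints the config item to add and returns 0 when the request must be
#   rejected; prints nothing and returns 1 when there is nothing to add.
decide_authtype() {
    failmsg="$1"
    user="$2"

    # rlm_ldap reported that no object carried this MAC: reject.
    # (Substring is coupled to rlm_ldap's message wording, see log above.)
    case "$failmsg" in
        *"not found"*)
            printf 'Auth-Type := Reject\n'
            return 0
            ;;
    esac

    # Defensive check (assumption: MACs arrive as six hex octets separated
    # by ':' or '-'): a User-Name that is not a MAC should never be
    # accepted by a MAC-only Autz-Type just because LDAP did not complain.
    if ! printf '%s\n' "$user" | grep -Eiq '^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$'; then
        printf 'Auth-Type := Reject\n'
        return 0
    fi

    return 1
}

# Assumption used as the "am I under radiusd?" guard: rlm_exec exports
# User-Name and NAS-IP-Address for every Access-Request shown in the thread.
if [ -n "${USER_NAME+x}" ] && [ -n "${NAS_IP_ADDRESS+x}" ]; then
    decide_authtype "${MODULE_FAILURE_MESSAGE:-}" "$USER_NAME" || :
    exit 0
fi
```

Exiting 0 in all radiusd-driven paths is deliberate: the reject is carried by the printed Auth-Type config item, not by the exit status, so a script error (non-zero exit) stays distinguishable in the debug output from a policy reject.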
