Problems to do an SSID based authentication

Peter Carlstedt pc_007 at hotmail.com
Mon Nov 16 10:44:11 CET 2009


Hello everyone!

I am trying to do SSID-based authentication per user.
What I mean is that I try, in the users.conf file, to check which SSID the user is trying to log in with, and if it is wrong it shall reject that user.

The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know.
My users.conf file looks like this:

#lameuser    Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve    Cleartext-Password := "testing"
#    Service-Type = Framed-User,
#    Framed-Protocol = PPP,
#    Framed-IP-Address = 172.16.3.33,
#    Framed-IP-Netmask = 255.255.255.0,
#    Framed-Routing = Broadcast-Listen,
#    Framed-Filter-Id = "std.ppp",
#    Framed-MTU = 1500,
#    Framed-Compression = Van-Jacobsen-TCP-IP

Peter    Cleartext-Password := "kaffe" , Called-Station-Id == "04-0B-6B-33-62-35:raket"
#    Tunnel-Type = VLAN,
#    Tunnel-Medium-Type = IEEE-802,
#    Tunnel-Private-Group-Id = 2
    
    
Jens    Cleartext-Password := "kaffe" , Called-Station-Id == "02-0B-6B-33-62-35:3"
#    Tunnel-Type = VLAN,
#    Tunnel-Medium-Type = IEEE-802,
#    Tunnel-Private-Group-Id = 3
#    NAS-Port-Id == "wlan1"

Mattias    user-password := "kaffe"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 1

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"    Cleartext-Password := "hello"
#        Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Cleartext-Password := "ge55ged"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = 0.0.0.0,
#    Callback-Number = "9,5551212",
#    Login-Service = Telnet,
#    Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk    Cleartext-Password := "callme"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = timeshare1,
#    Login-Service = PortMaster,
#    Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.65,
#        Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT    Suffix == ".shell"
#        Service-Type = Login-User,
#        Login-Service = Telnet,
#        Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.32+,
#        Fall-Through = Yes

#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
#        Framed-IP-Address = 192.168.2.32+,
#        Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT    Service-Type == Framed-User
#    Framed-IP-Address = 255.255.255.254,
#    Framed-MTU = 576,
#    Service-Type = Framed-User,
#    Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#    by the terminal server in which case there may not be a "P" suffix.
#    The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT    Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT    Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT    Hint == "SLIP"
    Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#    Service-Type = Login-User,
#    Login-Service = Rlogin,
#    Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#     Service-Type = Administrative-User

# On no match, the user is denied access.

DEFAULT Auth-Type := Reject

Is there anything wrong with my users file?
What happens when I try to authenticate with a Windows machine? I get rejected, and it doesn't matter which SSID I'm logging into.
What happens when I try to authenticate with a Mac OS X machine? I get rejected but succeed anyway in getting into the network.

Best regards/ Peter

> From: freeradius-users-request at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 55, Issue 65
> To: freeradius-users at lists.freeradius.org
> Date: Mon, 16 Nov 2009 09:40:46 +0100
> 
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: usergroup and radgroupcheck problem! (Hamid Reza Hasani)
>    2. Re: DHCP in FR (Alan DeKok)
>    3. Re: DHCP in FR (Kassai Istvan)
>    4. Re: DHCP in FR (Alan DeKok)
>    5. Re: Crash due to fr_packet_cmp (Alan DeKok)
>    6. Re: DHCP in FR (Kassai Istvan)
>    7. Co-existing of tls and ttls configuration (Koichi Yagishita)
>    8. Re: Co-existing of tls and ttls configuration (Alan DeKok)
>    9. Re: Problem with template.conf in proxy.conf (Ana Gallardo)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 15 Nov 2009 16:14:45 +0330
> From: Hamid Reza Hasani <hr.hasani at gmail.com>
> Subject: Re: usergroup and radgroupcheck problem!
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> 	<33b9c8d70911150444vd250018h6c51b5cbe8e58617 at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi (salaam),
> Thanks for your help, but I solved the problem: I changed the
> radgroupcheck query so it gets the groupname from the usergroup table and then
> compares it! I think I have a better solution, isn't it?
> 
> BTW, thanks for your help. Please inform me if you know why this problem
> exists. Is it a bug?
> 
> Ya Ali
> Hamid Reza Hasani
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20091115/7e5d53fe/attachment.html>
> 
> ------------------------------
> 
> Message: 2
> Date: Sun, 15 Nov 2009 16:58:11 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: DHCP in FR
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4B002513.4040002 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Kassai Istvan wrote:
> > When I set up an IP address in the "sites-enabled/dhcp" DHCP-Request
> > section, I can see it in the debug log (rad.log) as
> > DHCP-Your-IP-Address, but the client doesn't get it.
> 
>   The debug log shows that the "mac2ip" module isn't finding the MAC:
> 
> ...
> ++[mac2ip] returns notfound
> ...
> 
>   So... what are the contents of the file?
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sun, 15 Nov 2009 19:34:29 +0100
> From: Kassai Istvan <kako at zhnet.hu>
> Subject: Re: DHCP in FR
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <1258310070.17627.0.camel at kako-desktop>
> Content-Type: text/plain; charset="UTF-8"
> 
> On Sunday, 2009. 11. 15, at 16.58, Alan DeKok wrote:
> > Kassai Istvan wrote:
> > > When I set up an IP address in the "sites-enabled/dhcp" DHCP-Request
> > > section, I can see it in the debug log (rad.log) as
> > > DHCP-Your-IP-Address, but the client doesn't get it.
> > 
> >   The debug log shows that the "mac2ip" module isn't finding the MAC:
> > 
> > ...
> > ++[mac2ip] returns notfound
> > ...
> > 
> >   So... what are the contents of the file?
> 
> As I wrote:
> > >  There is a mac2ip text file in the usr/local/etc/raddb dir, with 
> > > this content:
> 
> > > 08:00:27:27:8F:E1,192.168.5.55
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Sun, 15 Nov 2009 21:03:18 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: DHCP in FR
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4B005E86.6060604 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Kassai Istvan wrote:
> > As I wrote:
> >>>  There is a mac2ip text file in the usr/local/etc/raddb dir, with 
> >>> this content:
> > 
> >>> 08:00:27:27:8F:E1,192.168.5.55
> 
>   I'm not sure what's going wrong, then.  It works for me...
> 
>   I suggest simply editing the sites-available/dhcp file directly.
> Hard-code the assignment of an IP address, and see if that works.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Sun, 15 Nov 2009 21:19:55 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Crash due to fr_packet_cmp
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4B00626B.9080203 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
> 
> fabiana marvani wrote:
> > After some time with load the freeradius crashes
> > 
> > We first noticed this crash with our plugins activated, but then we deactivated
> > all plugins and used "default" configuration:
> 
>   There have been a few reports similar to this.  They all require
> sending the server many 10s of millions of packets over a long time.
> This makes it hard to reproduce && debug.
> 
>   It's likely a race condition.  But it's hard to say where, or why.
> 
> > core.8555
> > Program terminated with signal 11, Segmentation fault.
> > (gdb) bt
> > #0  fr_packet_cmp (a=0xb4897cd8, b=0x0) at packet.c:139
> ...
> > #6  0x0806cf83 in received_request (listener=0x8d4f608, packet=0xb4897cd8,
> > prequest=0xbf89d0dc, client=0x8d2fc80)
> >     at event.c:2723
> 
>   The server keeps all packets in a hash, to ensure it catches
> duplicates, etc.  The hash is keyed by the source packet (src/dst
> ip/port).  The crash comes because the "request" structure is still in
> the hash, though the "packet" entry in that structure has become NULL.
> 
>   The only problem is... the packet entry is *only* set to NULL after
> the request has been deleted from hash.  And *only* the main thread
> adds/deletes entries to the hash.  And *only* the main thread allocates
> or free's request data structures.
> 
>   So this is a problem that should be avoided completely by the design
> of the server.
> 
>   Some questions:
> 
> - which OS && CPU (32 / 64-bit)
> - which version of the server
> - which command line was used to run the server
> - is this reproducible in non-threaded mode (radiusd -fs)
> 
>   If you are using an older version of the server, please also try with
> the current git "stable" branch (see git.freeradius.org).  It has some
> changes which give it only one code path for doing certain kinds of
> request mangling.  This makes it less likely for there to be errors,
> race conditions, etc.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Sun, 15 Nov 2009 22:42:47 +0100
> From: Kassai Istvan <kako at zhnet.hu>
> Subject: Re: DHCP in FR
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <1258321367.23541.9.camel at kako-desktop>
> Content-Type: text/plain; charset="UTF-8"
> 
> On Sunday, 2009. 11. 15, at 21.03, Alan DeKok wrote:
> > Kassai Istvan wrote:
> > > As I wrote:
> > >>>  There is a mac2ip text file in the usr/local/etc/raddb dir, with 
> > >>> this content:
> > > 
> > >>> 08:00:27:27:8F:E1,192.168.5.55
> > 
> >   I'm not sure what's going wrong, then.  It works for me...
> > 
> >   I suggest simply editing the sites-available/dhcp file directly.
> > Hard-code the assignment of an IP address, and see if that works.
> I edited that at the DHCP-Request section like this:
> 
> 
> dhcp DHCP-Request {
>         update reply {
>                 DHCP-Message-Type = DHCP-Ack
>         }
> 
>         update reply {
>                 DHCP-Domain-Name-Server = 127.0.0.1
>                 DHCP-Domain-Name-Server = 127.0.0.2
>                 DHCP-Subnet-Mask = 255.255.255.0
>                 DHCP-Router-Address = 10.10.10.254
>                 DHCP-IP-Address-Lease-Time = 86400
>                 DHCP-DHCP-Server-Identifier = 10.10.10.254
>                 DHCP-Your-IP-Address = 10.10.10.10
>         }
> 
>         #mac2ip
>         ok
> }
> 
> I can see the assigned client IP in the log (rad.log), but somehow the
> client doesn't use it. I think I did something wrong, but what?
> But it is only the first step. The next must be to assign addresses from
> an SQL database :-( I think it will be a little harder work.
> 
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Mon, 16 Nov 2009 15:06:53 +0900
> From: Koichi Yagishita <yagishita.koichi at jrc.co.jp>
> Subject: Co-existing of tls and ttls configuration
> To: Freeradius-Users at lists.freeradius.org
> Message-ID: <JF200911161506533.23747640 at jrc.co.jp>
> Content-Type: text/plain; charset=ISO-2022-JP
> 
> 
> Dear All,
> 
> Can EAP-TLS and TTLS configurations coexist in one FreeRADIUS?
> If yes, please let me know the configuration.
> 
> 
> Regards,
> Yagishita
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Mon, 16 Nov 2009 09:27:30 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Co-existing of tls and ttls configuration
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4B010CF2.2070508 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Koichi Yagishita wrote:
> > Can EAP-TLS and TTLS configurations coexist in one FreeRADIUS?
> 
>   Yes.
> 
> > If yes, please let me know the configuration.
> 
>   The server ships with this configuration.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Mon, 16 Nov 2009 09:40:43 +0100
> From: Ana Gallardo <ana.gallardo.77 at gmail.com>
> Subject: Re: Problem with template.conf in proxy.conf
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:
> 	<74556fcf0911160040v7f799d13yb29dee263af207ad at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Thank you very much Alan.
> 
> 
> 
> 2009/11/14 Alan DeKok <aland at deployingradius.com>
> 
> > Ana Gallardo wrote:
> > > WARNING: No such configuration item tld-rediris
> > > /etc/freeradius/proxy.conf[28]: Reference "tld-rediris" not found
> > > Errors reading /etc/freeradius/radiusd.conf
> >
> >   I've committed a fix to git.  It will be in 2.1.8.
> >
> >  Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> 
> -- 
> ____________________
> 
>  Ana Gallardo Gómez
> ____________________
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20091116/a47516e2/attachment.html>
> 
> ------------------------------
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
> End of Freeradius-Users Digest, Vol 55, Issue 65
> ************************************************
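The users file in the post above can be dry-run without a RADIUS client. What follows is an added example written for this page, not FreeRADIUS code or the poster's: it models only the subset of users-file semantics the posted entries rely on (top-to-bottom scan, `==` check items compared against the request, `:=` items as control settings, DEFAULT matching any name, no Fall-Through) and evaluates three constructed requests for Peter, including one that carries no Called-Station-Id at all.

```python
"""Added example (not FreeRADIUS code): a small model of how the server walks a
'users' file, so an SSID-based entry can be dry-run before deployment.  It covers
only the semantics the posted file relies on: top-to-bottom scan, '==' check items
compared against the request, ':=' items treated as control settings, DEFAULT
matching any User-Name, and no Fall-Through.  The requests below are constructed."""
from typing import Dict, List, Optional, Tuple

Check = Tuple[str, str, str]                     # (attribute, operator, value)
Entry = Tuple[str, List[Check], Dict[str, str]]  # (name, check items, reply items)

# The three user entries from the posted file and its final catch-all.
USERS: List[Entry] = [
    ("Peter", [("Cleartext-Password", ":=", "kaffe"),
               ("Called-Station-Id", "==", "04-0B-6B-33-62-35:raket")], {}),
    ("Jens", [("Cleartext-Password", ":=", "kaffe"),
              ("Called-Station-Id", "==", "02-0B-6B-33-62-35:3")], {}),
    ("Mattias", [("User-Password", ":=", "kaffe")],  # as posted in the file
     {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
      "Tunnel-Private-Group-Id": "1"}),
    ("DEFAULT", [("Auth-Type", ":=", "Reject")], {}),
]


def split_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split the 'AP-MAC:SSID' form seen in the post into (mac, ssid)."""
    mac, _, ssid = value.partition(":")
    return mac.upper(), (ssid or None)


def authorize(request: Dict[str, str]) -> Dict[str, object]:
    """Return which entry matched and the control/reply items it produced."""
    for name, checks, reply in USERS:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        control: Dict[str, str] = {}
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value          # control item, never a comparison
            elif op != "==" or request.get(attr) != value:
                break                          # a check item failed: try next entry
        else:                                  # every check item matched
            return {"entry": name, "control": control, "reply": dict(reply)}
    return {"entry": None, "control": {}, "reply": {}}


def is_rejected(request: Dict[str, str]) -> bool:
    """True when the matching entry forces Auth-Type := Reject or nothing matched."""
    result = authorize(request)
    return result["entry"] is None or result["control"].get("Auth-Type") == "Reject"


if __name__ == "__main__":
    # Constructed requests: right SSID, wrong SSID, and no Called-Station-Id at all
    # (what an inner-tunnel request looks like when outer attributes are not copied).
    for req in ({"User-Name": "Peter", "Called-Station-Id": "04-0B-6B-33-62-35:raket"},
                {"User-Name": "Peter", "Called-Station-Id": "02-0B-6B-33-62-35:3"},
                {"User-Name": "Peter"}):
        print(split_called_station_id(req.get("Called-Station-Id", ""))[1], "->",
              authorize(req)["entry"], "rejected" if is_rejected(req) else "accepted")
```

In FreeRADIUS the inner-tunnel request of PEAP or TTLS does not carry the outer request's Called-Station-Id unless `copy_request_to_tunnel` is enabled or the attribute is copied from `outer.request`, so the third case is worth testing whenever a users file checks that attribute.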
 		 	   		  