Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

François Lacombe fl.infosreseaux at gmail.com
Sat Dec 12 23:21:36 CET 2015


2015-12-11 20:52 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
> On Dec 11, 2015, at 2:18 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
>> It works normally, no problem IMHO.
>> Debug output from freeradius 3.0.10 :
>>
>> Fri Dec 11 20:05:09 2015 : Debug: (1) ldap: EXPAND
>> (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>
>   Please use "radiusd -X" as recommended in the FAQ, "man" pages, web pages and on this list.  Adding another "-x" to get the dates doesn't help.  It makes the debug output harder to read in most cases.
Sorry for this misunderstanding of the mailing-list guidelines.
I'll use -X only in any further posts.

>   And the debug output doesn't show anything unusual.  The user is in LDAP, and is allowed to log in.

Indeed.

>
>> My NAS always has the same IP; only the NAS-Port-Id takes different values.
>> I can only differentiate the networks my users try to reach by NAS-Port-Id.
>
>   I have no idea what that means.  I don't know what equipment you're using, and I don't know your network topology.
>
>   Please describe what you're talking about.  Are your NASes behind a NAT?  If so, say so.

In my first mail, it was mentioned that the NAS was Strongswan 5.2.1,
but I didn't think that exposing this part of the problem might be
useful.
Its configuration exposes many different connection capabilities,
distinguished by the public key used to authenticate the strongswan
side.

My roadwarrior users always use the same public IP address to reach it
but can ask for different ids during the IKEv2 process (strongswan's
ipsec.conf left|rightid parameters).
To each id corresponds a tunnel IP configuration, which thus gives
access to a different LAN depending on the L3 routing/firewall.

The current question, and this is where freeradius+ldap are useful, is
to know whether each user is allowed to access a given network area.
Strongswan informs the radius of which connection configuration the
user is asking for in the NAS-Port-Id.
I can use it to filter my user accounts when querying the LDAP, as
the piece of config I provide below shows.

>
>> Furthermore, RFC2865 says that we shouldn't use NAS-Identifier to find
>> the shared secret but we'd better deal with NAS-IP-Address.
>
>   No.  The *source IP* of the packet is used to determine the shared secret.  The NAS-IP-Address is informational, but has minimal meaning.

Understood.
This is a really useful detail.
In my situation, all users are roadwarriors, may use any public IP
they can depending on their location, and it can't be part of any
stable conf.

>
>> Is this the same with NAS-Port-Id?
>> Should I take care of that?
>
>   Define what you mean by "take care of that"?

To conform to the RFC2865 guidelines.

>
>> Ok, so I can write things like:
>>
>> user {
>>    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))"
>> }
>
>   Yes that should work.

Nice, thank you


François L
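As an added example that is not part of the thread or of FreeRADIUS itself, the Python below reproduces what that ldap module filter line does: it expands the filter from the request attributes, escapes the NAS-supplied values per RFC 4515 so filter metacharacters cannot change the filter's structure, and evaluates the resulting AND-of-equalities against a constructed user entry. The accessNetwork attribute and the sample entry are assumptions (a multi-valued attribute like that needs a custom OpenLDAP schema), with one value per strongSwan conn the user may use.

```python
"""Added example, not code from the thread or from FreeRADIUS.

Mirrors the ldap module line
  filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accessNetwork=%{request:NAS-Port-Id}))"
A user entry matches only when one of its accessNetwork values equals the
NAS-Port-Id (the strongSwan connection name).  Attribute values taken from
the RADIUS request are escaped per RFC 4515 before being placed in the filter.
"""
from typing import Dict, List

def ldap_escape(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )

def user_filter(request: Dict[str, str]) -> str:
    """Expand the filter string from the request attributes."""
    # %{%{Stripped-User-Name}:-%{User-Name}}: fall back to User-Name when
    # no realm module has populated Stripped-User-Name.
    name = request.get("Stripped-User-Name") or request.get("User-Name", "")
    port_id = request.get("NAS-Port-Id", "")
    return "(&(uid=%s)(accessNetwork=%s))" % (ldap_escape(name), ldap_escape(port_id))

# Constructed sample directory entry (hypothetical accessNetwork attribute,
# multi-valued: one value per strongSwan conn this user may bring up).
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["alice"],
    "accessNetwork": ["office-lan", "dmz"],
}

def entry_matches(entry: Dict[str, List[str]], request: Dict[str, str]) -> bool:
    """Evaluate the same AND of two equality assertions against an entry.

    Because the values were escaped, a NAS-Port-Id of "*" is compared as the
    literal string "*" and does not act as a wildcard.
    """
    name = request.get("Stripped-User-Name") or request.get("User-Name", "")
    port_id = request.get("NAS-Port-Id", "")
    return name in entry.get("uid", []) and port_id in entry.get("accessNetwork", [])

if __name__ == "__main__":
    for conn in ("office-lan", "guest", "*"):
        req = {"User-Name": "alice", "NAS-Port-Id": conn}
        verdict = "authorised" if entry_matches(SAMPLE_ENTRY, req) else "rejected"
        print(user_filter(req), "->", verdict)
```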
