Access-Accept / Access-Reject based on LDAP Group & SSID

Alan DeKok aland at deployingradius.com
Fri Mar 20 22:19:19 CET 2015


  If you don't have the time to *summarize* what you're doing, I don't have time to read the hundreds of lines of ldap dump you posted. 

> On Mar 20, 2015, at 5:05 PM, Ben Humpert <ben at an3k.de> wrote:
> 
> 2015-03-20 16:05 GMT+01:00 Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>> 
>> It's not really clear what you're trying to do...
> 
> # Guest, Groups, example.com
> dn: cn=Guest,ou=Groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> objectClass: radiusprofile
> cn: Guest
> gidNumber: 17068
> memberUid: guest
> radiusCalledStationId: 00-11-22-33-44-55
> radiusCalledStationSsid: guest
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 1
> radiusTunnelType: VLAN
> 
> # Developers, Groups, example.com
> dn: cn=Developers,ou=Groups,dc=example,dc=com
> objectClass: posixGroup
> objectClass: top
> objectClass: radiusprofile
> cn: Developers
> gidNumber: 1421
> memberUid: marc
> memberUid: tim
> memberUid: johnny
> radiusCalledStationId: 00-11-22-33-44-55
> radiusCalledStationId: 22-33-44-55-66-77
> radiusCalledStationSsid: developers
> radiusCalledStationSsid: employees
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 43
> radiusTunnelType: VLAN
> 
> # tim, Users, example.com
> dn: uid=tim,ou=Users,dc=example,dc=com
> objectClass: posixAccount
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: radiusprofile
> gidNumber: 0
> givenName: Tim
> sn: Buktu
> displayName: Buktu, Tim
> uid: tim
> homeDirectory: /dev/null
> loginShell: /bin/false
> cn: TimBuktu
> uidNumber: 18459
> radiusCalledStationId: 44-55-66-77-88-99
> radiusCalledStationSsid: management
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 24
> radiusTunnelType: VLAN
> dialupAccess: Yes
> 
> # johnny, Users, example.com
> dn: uid=johnny,ou=Users,dc=example,dc=com
> objectClass: posixAccount
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: radiusprofile
> gidNumber: 0
> givenName: John
> sn: Doe
> displayName: Doe, John
> uid: johhny
> homeDirectory: /dev/null
> loginShell: /bin/false
> cn: JohnDoe
> uidNumber: 4552
> dialupAccess: Yes
> 
> When a user connects to a wifi access point, that NAS sends
> Called-Station-Id = 00-11-22-33-44-55:SSID in the Access-Request
> packet. RADIUS converts it (based on rewrite.called_station_id) to
> Called-Station-Id = 00-11-22-33-44-55 and to Called-Station-Ssid =
> SSID. After doing the basics (checking if the user exists, if the
> password matches, if the attribute dialupAccess is set),
> RADIUS should check if the user's group has a radiusCalledStationId
> attribute matching the Called-Station-Id. If not, it should check if
> the user itself has a matching attribute. If not, Access-Reject. In
> case a match is found and Called-Station-Ssid is set, RADIUS should now
> check if the user's group has a matching radiusCalledStationSsid
> attribute. If not, it should check if the user itself has a matching
> attribute. If not, Access-Reject. In case a match is found, RADIUS
> should finally check the user's group for other attributes (e.g.
> radiusTunnelType, etc.) and apply them as long as the user itself
> doesn't have these attributes set too. In that case the user's
> attributes take precedence.
> 
> So user tim will always get into VLAN 24 (user attributes precedence)
> and can get authorized through NAS' with the MAC address
> 00-11-22-33-44-55, 22-33-44-55-66-77 or 44-55-66-77-88-99 (user and
> group attributes merged) and is allowed to connect to SSID developers,
> employees or management (user and group attributes merged).
> 
> User johnny always gets into VLAN 43 and can get authorized through
> NAS' with the MAC address 00-11-22-33-44-55 or 22-33-44-55-66-77 and
> is allowed to connect to SSID developers or employees.
> 
> 
> Normally I don't have a problem understanding the documentation and
> how software works, but in this case I don't know where to put what
> kind of code. Should I do everything with unlang in the authorize
> section of sites-enabled/default (+ policy.conf), or in post-auth, or
> modify modules/ldap or the users file ...
> I guess it's because with freeradius everything is already configured
> and enabled and I'm flooded with information I don't need (yet). It's
> very nice and appreciated since you guys already did the configuring
> job (eap, peap, mschap, etc.), but in my case it's just confusing me.
> I'm used to starting with minimal configurations and slowly adding the
> stuff I need step by step.
> 
> 
> If anybody is willing to help me but upgrading to 2.2.6 or even 3.0.7
> is necessary, I will for sure upgrade first and will greatly appreciate
> any help offered. I'm definitely not asking for the whole
> configuration, but an example of how to get RADIUS to e.g. check for
> radiusCalledStationId first in Group and then in Users and merge both
> would greatly help.
> 
> 
> Best regards,
> 
> Ben
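An added example, not from the thread and not FreeRADIUS code: it models the group-then-user decision Ben describes in plain Python (rather than unlang) over a trimmed, constructed copy of his LDIF entries, splitting the NAS's "MAC:SSID" Called-Station-Id the way his rewrite does. The user DN layout and attribute names are taken from the posted dump; everything else is assumed.

```python
from collections import defaultdict
# Trimmed copy of the thread's LDIF (constructed test data, relevant attrs only).
LDIF = """\
dn: cn=Developers,ou=Groups,dc=example,dc=com
memberUid: tim
memberUid: johnny
radiusCalledStationId: 00-11-22-33-44-55
radiusCalledStationId: 22-33-44-55-66-77
radiusCalledStationSsid: developers
radiusCalledStationSsid: employees
radiusTunnelPrivateGroupId: 43

dn: uid=tim,ou=Users,dc=example,dc=com
radiusCalledStationId: 44-55-66-77-88-99
radiusCalledStationSsid: management
radiusTunnelPrivateGroupId: 24
dialupAccess: Yes

dn: uid=johnny,ou=Users,dc=example,dc=com
dialupAccess: Yes
"""

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attribute: [values]} (multi-valued attrs kept)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, value = line.split(": ", 1)
            attrs[key].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries
ENTRIES = parse_ldif(LDIF)

def authorize(uid, called_station_id):
    """Return (accept, reply attrs). MAC and SSID are checked against the
    user's group first, then the user; reply attrs merge with user precedence."""
    mac, _, ssid = called_station_id.partition(":")  # NAS sends "MAC:SSID"
    user = ENTRIES.get(f"uid={uid},ou=Users,dc=example,dc=com")
    if user is None or user["dialupAccess"] != ["Yes"]:
        return False, {}
    groups = [e for e in ENTRIES.values() if uid in e["memberUid"]]
    def allowed(attr, value):
        return any(value in g[attr] for g in groups) or value in user[attr]
    if not allowed("radiusCalledStationId", mac) or (
            ssid and not allowed("radiusCalledStationSsid", ssid)):
        return False, {}
    reply = {a: v[0] for e in groups + [user]  # user last, so its values win
             for a, v in e.items() if a.startswith("radiusTunnel")}
    return True, reply
```

An empty SSID part (a NAS that sends only the MAC) skips the SSID check, matching the "if Called-Station-Ssid is set" condition in the description.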