Trying to Authorize Users based on AD Groups and SSIDs

Misbah Hussaini misbhauddin at gmail.com
Thu Feb 16 21:23:03 CET 2017


I think I found the reason why the ldap group check is not working.

My ldap config has the filter set to sAMAccountName as shown below, but the
EAP packet is passing the username as DOMAIN\USERNAME, which is an incorrect
format for sAMAccountName.

filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

Now, the question is how do I remove the domain\ from the username field,
as I read elsewhere that changing the username will cause EAP auth to fail.

Pointers are welcome... Quest continues..

Regards
Misbah

On 16 February 2017 at 21:45, Misbah Hussaini <misbhauddin at gmail.com> wrote:

> Thanks for the pointer, changing the condition to the below worked, but I'm unable
> to figure out how to do ldap-group lookups inside the inner tunnel config? I
> have tried to do the ldap lookup inside the default config by removing the if
> condition from inner tunnel and adding it to default, but it still fails.
>
> if (outer.Called-Station-SSID != "SSID02362") {
>     reject
> }
>
>
> On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin at quarantainenet.nl>
> wrote:
>
>> On 16-02-17 14:12, Misbah Hussaini wrote:
>> > Dear Alan,
>> >
>> >> The "if" condition doesn't match.  Why?  Go read the debug output.  Run
>> >> tests on each "if" check.  *Understand* how the server works.
>> >
>> > I changed the if condition to below but still the if condition is not
>> > matching, I can confirm from logs that Called-Station-SSID is set to
>> > SSID02362, what's wrong in the if condition?
>> >
>> > if (!State) {
>> >     if ((Called-Station-SSID == "SSID02362") ) {
>> >         reject
>> >     }
>> > }
>> >
>> > Here is the processing of the rewrite statement from the debug output; the full
>> > debug can be found here -> http://pastebin.com/SuS2t9Er
>>
>> You're changing the Called-Station-SSID in the outer tunnel (line 1848),
>> then sending a tunneled request (line 1911) with only a few attributes. The
>> check is performed in the inner tunnel, and can't find the
>> Called-Station-SSID.
>>
>> Possible solutions:
>> - Perform the check in the outer tunnel
>> - Write to/Read from session-state:Called-Station-SSID
>> - Use outer:request:Called-Station-SSID (or whatever the exact syntax
>>   was) to use the outer request.
>>
>> --
>> Herwin Weststrate
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
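An added example (not config from anyone in the thread) that combines the two points raised above: set Stripped-User-Name in the inner tunnel so the existing sAMAccountName filter sees a bare username without touching User-Name, and read the SSID from the outer request as Herwin suggests. It assumes FreeRADIUS 3.x unlang, that a literal backslash inside a /.../ regex is written as \\, that %{2} expands the second capture group of the last match, and the group DN is a placeholder.

```unlang
# Added example, not from the thread. FreeRADIUS 3.x unlang,
# sites-enabled/inner-tunnel, "authorize" section, placed BEFORE "ldap".

# 1) The inner EAP identity arrives as DOMAIN\user. Rewriting User-Name
#    breaks EAP/MS-CHAPv2, so only Stripped-User-Name is set; the existing
#    filter "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
#    then picks up the bare username.
#    Assumption: \\ in /.../ is a literal backslash, %{2} = 2nd capture group.
if (User-Name =~ /^([^\\]+)\\(.+)$/) {
    update request {
        Stripped-User-Name := "%{2}"
    }
}

# 2) Called-Station-SSID is set by rewrite_called_station_id in the OUTER
#    request and is not copied into the tunnelled request, so reference the
#    outer.request list instead of the inner request. "SSID02362" is the
#    value used in the thread.
if (outer.request:Called-Station-SSID != "SSID02362") {
    reject
}

# 3) Group check against the LDAP entry found by the filter above.
#    The group DN is a placeholder; use your own.
if (!(LDAP-Group == "cn=wifi-users,ou=groups,dc=example,dc=com")) {
    reject
}
```

Check the debug output (radiusd -X) for "Stripped-User-Name" being set and for the ldap module's expanded filter to confirm the bare username is reaching the directory.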


More information about the Freeradius-Users mailing list