Hello Alan, thanks for your reply even afeter years, each freeradius server replacement/upgrade reminds me how a newbee in freeradius using.... Le jeudi 02 mars 2023 à 10:04 -0500, Alan DeKok a écrit :
On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal : Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses (yes it looks like a small network access control) That for, I add this unlang command in default site : Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server. The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS). But attributes you set there are set for the inner-tunnel. They don't get sent to the NAS unless you make sure that happens. See the comments in "inner-tunnel" for more details. Ok, my comprehension is : "setting this attribute depends of computer (which don't care about inner tunnel) AND username (which have to be read into inner-tunnel)" authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel-Private-Group-Id := 602 } } } That likely gets run before the "eap" module... yes it is, I'm running this script just after preprocess and of course in ldap module : reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId' Does the LDAP module get run in the "inner-tunnel" virtual server? Yes it is, as my password database is ldap server and most of users use anonymous identity as external And my guess is that you're copying the inner-tunnel reply to the outer reply. And therefore adding another Tunnel-Private-Group-Id. Exact but not shure I have to. maybe to have inner identity and error message if any in logs...
inner-tunnel post-auth { .... # # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } # # Copy the inner reply attributes to the outer # session-state list. The post-auth policy will take # care of copying the outer session-state list to the # outer reply. # update { &outer.session-state: += &reply: } }
Not shure why but sometimes, known mac addresses fall in vlan 602. reading debug log, I see that access-accept request has 2 Tunnel-Private-Group-Id values. The debug log also shows you why it has 2 Tunnel-Private-Group-Id attributes. How can the WAP know which one apply ??? It doesn't. It picks one. My questions are : * Is that method a valid one ? If not, how to ? * should I use an other operator to set Tunnel-Private-Group-Id value ? * why is the attribute present twice Because you told it do to that. Yep, unfortunately, sometimes freeradius and me don't speak same language even if := operator is always used and wiki says : Because at some point you're not using ":=" for Tunnel-Private-Group-Id, you're using "+=". Read the debug output and your local configuration. The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section. Put it at the bottom of the post-auth section: post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (!&reply.Tunnel-Private-Group-Id) { if (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel-Private-Group-Id := 602 } } } } i.e. for non-authorized MACs, always put them in 602. If SOMETHING set Tunnel-Private-Group-Id, then don't change it. Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam. Ok, I'll try this But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users? I'd do it this way: shure not, so I'll try next solution. juste have to put linelog call after this to log real affected vlan post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel- Private-Group-Id := 602 } } } That's it. Unauthorized MACs get 602. Eduroam users get 602. Everyone else gets a VLAN which was previously assigned by something else. Alan DeKok.
Let's go and check debug log. Thanks a lot Alan Cédric -- <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><b><span style="color: #333333;">Cédric Delaunay</span><br> </b></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b>Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information</b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b><span style="font-size: small;"><span style="font-size: 11pt;">RSSI Suppléant </span></span></b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;">Tel. : +33 (0)2 23 23 8568</span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #333333;"><strong>INSA Rennes</strong></span><br> <span style="color: #808080;">20 avenue des Buttes de Coêsmes</span><br> <span style="color: #808080;">CS 70839 - 35 708 RENNES Cedex 7</span></div> <div><span style="color: #ff0000;"><a href="http://www.insa-rennes.fr/" style="color: #ff0000; font-size: 13px; font-family: 'arial';" target="_blank" rel="nofollow noopener noreferrer">www.insa-rennes.fr</a></span></div> </div> </body>