hello, Looks like there is somethink wrong in my config based on your suggests. First I tried to move as you suggest authorized_mac script from default
authorize TO default > post-auth
nothing else changed but now the Calling-Station-ID isn't find in authorized mac file... * module is loadedd successfully # Loading module "authorized_macs" from file /etc/freeradius/mods- enabled/authorized_macs files authorized_macs { usersfile = "/etc/freeradius/authorized_macs" key = "%{Calling-Station-ID}" } ..... # Instantiating module "authorized_macs" from file /etc/freeradius/mods-enabled/authorized_macs reading pairlist file /etc/freeradius/authorized_macs * expand is ok (93) post-auth { (93) authorized_macs: EXPAND %{Calling-Station-ID} (93) authorized_macs: --> A0-AF-BD-E8-93-9C (93) [authorized_macs] = noop (93) if (!ok) { (93) if (!ok) -> TRUE (93) if (!ok) { (93) update reply { (93) Tunnel-Private-Group-Id := 602 (93) } # update reply = noop (93) } # if (!ok) = noop (93) ... skipping elsif: Preceding "if" was taken mac adresse is present in file : /etc/freeradius# grep "A0-AF-BD-E8-93-9C" authorized_macs A0-AF-BD-E8-93-9C Same Script in authorize section works fine : authorized_macs: EXPAND %{Calling-Station-ID} (82) authorized_macs: --> A0-AF-BD-E8-93-9C (82) authorized_macs: users: Matched entry A0-AF-BD-E8-93-9C at line 2691 (82) [authorized_macs] = ok (82) if (!ok) { (82) if (!ok) -> FALSE (82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) { (82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) -> FALSE same script in inner post-auth fails Something in post-auth section prevent mac searching ???? Any help would be aprecied. Cédric Le jeudi 02 mars 2023 à 10:04 -0500, Alan DeKok a écrit :
On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal :
Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses
(yes it looks like a small network access control)
That for, I add this unlang command in default site :
Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server.
The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS). But attributes you set there are set for the inner-tunnel. They don't get sent to the NAS unless you make sure that happens.
See the comments in "inner-tunnel" for more details.
authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } }
That likely gets run before the "eap" module...
and of course in ldap module :
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
Does the LDAP module get run in the "inner-tunnel" virtual server?
And my guess is that you're copying the inner-tunnel reply to the outer reply. And therefore *adding* another Tunnel-Private-Group-Id.
Not shure why but sometimes, known mac addresses fall in vlan 602.
reading debug log, I see that access-accept request has 2 Tunnel- Private-Group-Id values.
The debug log also shows you *why* it has 2 Tunnel-Private-Group-Id attributes.
How can the WAP know which one apply ???
It doesn't. It picks one.
My questions are :
- Is that method a valid one ? If not, how to ? - should I use an other operator to set Tunnel-Private-Group-Id value ? - why is the attribute present twice
Because you told it do to that.
even if := operator is always used and wiki says :
Because at some point you're not using ":=" for Tunnel-Private- Group-Id, you're using "+=". Read the debug output and your local configuration.
The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section. Put it at the *bottom* of the post-auth section:
post-auth { ...
authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (!&reply.Tunnel-Private-Group-Id) { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } } }
i.e. for non-authorized MACs, always put them in 602.
If SOMETHING set Tunnel-Private-Group-Id, then don't change it.
Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam.
But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users? I'd do it this way:
post-auth { ...
authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } }
That's it. Unauthorized MACs get 602. Eduroam users get 602. Everyone else gets a VLAN which was *previously* assigned by something else.
Alan DeKok.
-- <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><b><span style="color: #333333;">Cédric Delaunay</span><br> </b></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b>Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information</b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b><span style="font-size: small;"><span style="font-size: 11pt;">RSSI Suppléant </span></span></b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;">Tel. : +33 (0)2 23 23 8568</span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #333333;"><strong>INSA Rennes</strong></span><br> <span style="color: #808080;">20 avenue des Buttes de Coêsmes</span><br> <span style="color: #808080;">CS 70839 - 35 708 RENNES Cedex 7</span></div> <div><span style="color: #ff0000;"><a href="http://www.insa-rennes.fr/" style="color: #ff0000; font-size: 13px; font-family: 'arial';" target="_blank" rel="nofollow noopener noreferrer">www.insa-rennes.fr</a></span></div> </div> </body>