Hello, I'm running Freeradius : freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016 at 13:40:43 I've configurated Active Directory integration, and it's working fine for authentication. Local users in users file are also ok. In the local users file I can specify a calling station id like : customer Cleartext-Password := "password",Calling-Station-Id == "AA-AA-AA-AA-AA-AA" How can I use a local file (or sql table) to link a user authenticated in Active Directory with one or several calling-station-id ? If possible I'd really prefer not to use the ActiveDirectory to store the Mac addresses. The goal is to limit each login to a few devices (I know it's possible to mask mac address, this is not the point here). I've tried to insert in the users file : customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB" but with correct password customer2 is always authenticated using the BB-....-BB mac adress or not. Thks a lot for any help, Ethariel
On 22/02/2017 08:18, Ethariel wrote:
I've tried to insert in the users file :
customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"
but with correct password customer2 is always authenticated using the BB-....-BB mac adress or not.
The users file has some magic you need to know about. The structure of each entry is like this: <key> <first line> <subsequent lines> Any comparison operators (like ==) in the first line cause an attribute to the *checked* on the *request* list. If any of the checks fail, this entire entry in the users file is skipped. If there are more entries with the same key, it will try those. However, if all the checks on the first line succeed, then: * Any assignment operators (like :=) in the first line cause attributes to be *set* on the *control* list * The subsequent lines cause attributes to be *set* on the *reply* list. So you could do this: customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB" This means: "if the user name is customer2, AND the (request) calling station id is not the given value, THEN set control:Auth-Type to Reject". It will then reject them without even checking the supplied password. You could also add reply attributes if you wish: customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB" Reply-Message := "Wrong MAC Address" If the condition is not true, this entire entry is skipped, so neither Auth-Type nor Reply-Message is set. If you want to allow multiple MAC addresses then you could either do a regex match, or you could split the logic like this: customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC" customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address" The first two entries make no updates to either control or reply lists. However since they don't have "Fall-Through := 1" then all subsequent entries for the same username are skipped. All examples above untested by me, but should be close to what you need. Regards, Brian.
Hello, so I can test this morning and your solution is working like a charm. customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC" customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address" Thks a lot for your help. Now I'll search the doc so the server can check users in differents groups for two SSID. Have a good day 2017-02-22 12:37 GMT+01:00 Brian Candler <b.candler@pobox.com>:
On 22/02/2017 08:18, Ethariel wrote:
I've tried to insert in the users file :
customer2 Calling-Station-Id := "BB-BB-BB-BB-BB-BB"
but with correct password customer2 is always authenticated using the BB-....-BB mac adress or not.
The users file has some magic you need to know about. The structure of each entry is like this:
<key> <first line> <subsequent lines>
Any comparison operators (like ==) in the first line cause an attribute to the *checked* on the *request* list. If any of the checks fail, this entire entry in the users file is skipped. If there are more entries with the same key, it will try those.
However, if all the checks on the first line succeed, then:
* Any assignment operators (like :=) in the first line cause attributes to be *set* on the *control* list * The subsequent lines cause attributes to be *set* on the *reply* list.
So you could do this:
customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB"
This means: "if the user name is customer2, AND the (request) calling station id is not the given value, THEN set control:Auth-Type to Reject". It will then reject them without even checking the supplied password.
You could also add reply attributes if you wish:
customer2 Auth-Type := Reject, Calling-Station-Id != "BB-BB-BB-BB-BB-BB" Reply-Message := "Wrong MAC Address"
If the condition is not true, this entire entry is skipped, so neither Auth-Type nor Reply-Message is set.
If you want to allow multiple MAC addresses then you could either do a regex match, or you could split the logic like this:
customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address"
The first two entries make no updates to either control or reply lists. However since they don't have "Fall-Through := 1" then all subsequent entries for the same username are skipped.
All examples above untested by me, but should be close to what you need.
Regards,
Brian.
Hello to all again, as said all is working for checking multiple MAC addresses using "users" file. Now I'm trying to use SQL and I don't figure how to "convert" "users" file to sql table. I've read https://wiki.freeradius.org/modules/Rlm_sql and with one MAC address it's ok with : customer1 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" in radcheck table customer1 wifi 1 in radusergroup wifi Auth-Type := reject in radgroupcheck read_groups directive set to "no" If the customer1 is connecting with the correct MAC address as there is no Fall-Through, the Group processing doesn't apply. If the customer1 is connecting with another MAC, then user is found, check item do not match so Group processing applies. But with two MAC addresses : customer1 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" in radcheck table customer1 Calling-Station-Id == "AA-AA-AA-AA-AA-AA" in radcheck table Group processing always applies as one of the two lines above is not corresponding to the current connection. How can I do ? Thks a lot for your help Ethariel 2017-02-22 12:37 GMT+01:00 Brian Candler <b.candler@pobox.com>:
If you want to allow multiple MAC addresses then you could either do a regex match, or you could split the logic like this: customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address"
The first two entries make no updates to either control or reply lists. However since they don't have "Fall-Through := 1" then all subsequent entries for the same username are skipped.
Ok, I've found using another syntax : in radcheck table : customer1 Calling-Station-Id =~ AA-AA-AA-AA-AA-AA|BB-BB-BB-BB-BB-BB Have a good day 2017-06-13 10:11 GMT+02:00 Ethariel <ethariel@gmail.com>:
Hello to all again,
as said all is working for checking multiple MAC addresses using "users" file.
Now I'm trying to use SQL and I don't figure how to "convert" "users" file to sql table.
I've read https://wiki.freeradius.org/modules/Rlm_sql and with one MAC address it's ok with :
customer1 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" in radcheck table customer1 wifi 1 in radusergroup wifi Auth-Type := reject in radgroupcheck read_groups directive set to "no"
If the customer1 is connecting with the correct MAC address as there is no Fall-Through, the Group processing doesn't apply. If the customer1 is connecting with another MAC, then user is found, check item do not match so Group processing applies.
But with two MAC addresses : customer1 Calling-Station-Id == "BB-BB-BB-BB-BB-BB" in radcheck table customer1 Calling-Station-Id == "AA-AA-AA-AA-AA-AA" in radcheck table Group processing always applies as one of the two lines above is not corresponding to the current connection.
How can I do ?
Thks a lot for your help
Ethariel
2017-02-22 12:37 GMT+01:00 Brian Candler <b.candler@pobox.com>:
If you want to allow multiple MAC addresses then you could either do a regex match, or you could split the logic like this: customer2 Calling-Station-Id == "BB-BB-BB-BB-BB-BB"
customer2 Calling-Station-Id == "CC-CC-CC-CC-CC-CC"
customer2 Auth-Type := Reject Reply-Message := "Wrong MAC Address"
The first two entries make no updates to either control or reply lists. However since they don't have "Fall-Through := 1" then all subsequent entries for the same username are skipped.
participants (2)
-
Brian Candler -
Ethariel