Hello, I am actually using freeradius with EAP-TLS and x509 user certificat authentication. After authentication I would like to chack the common name or email address propertires of te certificate againsta LDAP, to authorize the user connection. is it possible to do this ? I tyed but it seems not working in my configuration. any hints ? thank you very much Riccardo
Riccardo Veraldi wrote:
After authentication I would like to chack the common name or email address propertires of te certificate againsta LDAP, to authorize the user connection.
It comes in the User-Name attribute.
is it possible to do this ? I tyed but it seems not working in my configuration. any hints ?
Give us more information? Q: Hi, I tried to do stuff, but it didn't work. How do I fix it? A: Uh... your guess is as good as mine. Alan DeKok.
I have this problem. if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant) my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user. Neverless I am authenticated anyway. So I have a doulbe problem 1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap. 2) if a user is not found how to drop it, avoiding radius authorization to take place rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=city,o=myorg,c=it, with filter (uid=Riccardo.Veraldi) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 11 modcall: group authorize returns updated for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 11 modcall: group authenticate returns ok for request 11 Login OK: [Riccardo.Veraldi@city.myorg.it] (from client ciscoap3 port 451 cli 001e.5271.e700) Sending Access-Accept of id 73 to 192.168.252.13:1645 my correct username in LDAP is veraldi thank you very much Riccardo Alan DeKok ha scritto:
Riccardo Veraldi wrote:
After authentication I would like to chack the common name or email address propertires of te certificate againsta LDAP, to authorize the user connection.
It comes in the User-Name attribute.
is it possible to do this ? I tyed but it seems not working in my configuration. any hints ?
Give us more information?
Q: Hi, I tried to do stuff, but it didn't work. How do I fix it? A: Uh... your guess is as good as mine.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Riccardo Veraldi Sent: Friday, 23 May 2008 16:43 To: FreeRadius users mailing list Subject: Re: radius x509 authentication + LDAP ?
I have this problem.
if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)
my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user.
Neverless I am authenticated anyway.
So I have a doulbe problem
1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap.
2) if a user is not found how to drop it, avoiding radius authorization to take place
rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or Mail? If so change your filter: filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it)) " Provided that the record is located, radius will use the dn of the record to authenticate. I don't know why failed ldap lookups aren't rejecting the request. Maybe you don't have ldap block in the authenticate section. Regards, Frank Ranner
ok changing the ldap filter everything seems to work and I am authorized. but if the user is not found in LDAP it is authorized anyway and authenticated at the end rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed Login OK: [Riccardo.Veraldi@city.myorg.it] (from client ciscoap3 port 273 cli 001e.5271.e700) iI would like the login to fail. Basically I Want to check against certificate subject and allow or not allow users to get access to WiFi. ho can I configure freeradius to drop users not recognized inside ldap ? thanks Rick Ranner, Frank MR ha scritto:
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre
eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On
Behalf Of Riccardo Veraldi Sent: Friday, 23 May 2008 16:43 To: FreeRadius users mailing list Subject: Re: radius x509 authentication + LDAP ?
I have this problem.
if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)
my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user.
Neverless I am authenticated anyway.
So I have a doulbe problem
1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap.
2) if a user is not found how to drop it, avoiding radius authorization to take place
rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or Mail?
If so change your filter:
filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it)) "
Provided that the record is located, radius will use the dn of the record to authenticate.
I don't know why failed ldap lookups aren't rejecting the request. Maybe you don't have ldap block in the authenticate section.
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
i tryed to set access_attr = "uid" access_attr_used_for_allow = yes but still authentication is succesful using EAP-TLS even if user is not in LDAP Directory. any hints ? thanks Rick Riccardo Veraldi ha scritto:
ok changing the ldap filter everything seems to work and I am authorized.
but if the user is not found in LDAP it is authorized anyway and authenticated at the end
rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed
Login OK: [Riccardo.Veraldi@city.myorg.it] (from client ciscoap3 port 273 cli 001e.5271.e700)
iI would like the login to fail. Basically I Want to check against certificate subject and allow or not allow users to get access to WiFi.
ho can I configure freeradius to drop users not recognized inside ldap ?
thanks
Rick
Ranner, Frank MR ha scritto:
UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre
eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On
Behalf Of Riccardo Veraldi Sent: Friday, 23 May 2008 16:43 To: FreeRadius users mailing list Subject: Re: radius x509 authentication + LDAP ?
I have this problem.
if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)
my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user.
Neverless I am authenticated anyway.
So I have a doulbe problem
1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap.
2) if a user is not found how to drop it, avoiding radius authorization to take place
rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or Mail?
If so change your filter:
filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it)) "
Provided that the record is located, radius will use the dn of the record to authenticate.
I don't know why failed ldap lookups aren't rejecting the request. Maybe you don't have ldap block in the authenticate section.
Regards, Frank Ranner
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
but still authentication is succesful using EAP-TLS even if user is not in LDAP Directory.
any hints ?
That's how EAP-TLS works. If you issued them a certificate, it means that they are authenticated. If you don't want to authenticate them, I'm curious why you issued them a certificate. But if you still want to reject them... you can. Just put them into an LDAP group, and reject everyone in that LDAP group. Alan DeKok.
Hello, the problem is this. Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS, but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it. So my question now is. Can I use the OU field to select if the user is valid or not ? How can I tell freeradius to reject users which has X509 certificate with a OU different from a certain value ? thanks Rick Alan DeKok wrote:
Riccardo Veraldi wrote:
but still authentication is succesful using EAP-TLS even if user is not in LDAP Directory.
any hints ?
That's how EAP-TLS works. If you issued them a certificate, it means that they are authenticated.
If you don't want to authenticate them, I'm curious why you issued them a certificate.
But if you still want to reject them... you can. Just put them into an LDAP group, and reject everyone in that LDAP group.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS,
Then your PKI system is wrong. You should NOT issue certificates for multiple purposes. You should issue RADIUS (EAP-TLS) certificates ONLY to the people who are allowed to use EAP-TLS.
but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it.
Did you read my statement about using LDAP groups? Do you know what an LDAP group is? Alan DeKok.
I will try to put all the people I do not want to authenticate to a specific LDAP group, anyway I do not know how to do it using the users file to reject a specific LDAP group thanks Riccardo Alan DeKok wrote:
Riccardo Veraldi wrote:
Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS,
Then your PKI system is wrong. You should NOT issue certificates for multiple purposes.
You should issue RADIUS (EAP-TLS) certificates ONLY to the people who are allowed to use EAP-TLS.
but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it.
Did you read my statement about using LDAP groups? Do you know what an LDAP group is?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
I will try to put all the people I do not want to authenticate to a specific LDAP group, anyway I do not know how to do it using the users file to reject a specific LDAP group
You use the LDAP-Group attribute to match the users, and then set Auth-Type to reject. Alan DeKok.
Alan DeKok wrote:
Riccardo Veraldi wrote:
I will try to put all the people I do not want to authenticate to a specific LDAP group, anyway I do not know how to do it using the users file to reject a specific LDAP group
You use the LDAP-Group attribute to match the users, and then set Auth-Type to reject.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I would like to add a control to users file in which O and OU field of certificate are checked, so I can reject users not belonging to a certain OU. Do I have to modify tls.c ? Might you give me a small hint about the source files involved ? thank you Riccardo
I wrote a rule in users file to reject login for users being in a certain grup, but still access is given DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" user can authenticate succesfully with EAP-TLS. User is found in LDAP tree, user is part of ldap group rjgroup, but still is not being rejected. What am I missing ? thanks Riccardo Alan DeKok ha scritto:
Riccardo Veraldi wrote:
Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS,
Then your PKI system is wrong. You should NOT issue certificates for multiple purposes.
You should issue RADIUS (EAP-TLS) certificates ONLY to the people who are allowed to use EAP-TLS.
but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it.
Did you read my statement about using LDAP groups? Do you know what an LDAP group is?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ranner, Frank MR -
Riccardo Veraldi