Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
Hi I have setup WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 with an OpenLDAP backend, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which users belong to. From what I can gather, I need to add appropriate rules to /etc/freeradius/users which matches the SSID/group combinations, and rejects everything else. The problem I'm having is with the default reject, not the SSID/group matching. My first attempt was this: DEFAULT Ldap-Group == "employees" DEFAULT Auth-Type := Reject But this immediately rejects the Access-Request in the outer tunnel, because the "anonymous" user is not in the "employees" group. I then modified it to this so that it only matches inner tunnel requests: DEFAULT Ldap-Group == "employees" DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1" Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID." The inner tunnel Access-Request is now sent and members of the "employees" group are accepted, but non-members are not actually rejected. I see the users entry being matched, and the Reply-Message is even set, but the server responds with Access-Accept and eapol_test reports SUCCESS. Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member. Info: [files] users: Matched entry DEFAULT at line 209 Info: ++[files] returns ok ... Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel) Info: WARNING: Empty section. Using default return values. ... Info: [peap] Got tunneled reply code 2 Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID." ... Info: [peap] Got tunneled reply RADIUS code 2 Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID." ... Info: [peap] Tunneled authentication was successful. Info: [peap] SUCCESS Info: [peap] Saving tunneled attributes for later ... Sending Access-Accept of id 11 to 172.16.2.44 port 60746 Reply-Message = "User does not belong to any groups which may access this SSID." User-Name = "mgorven" eapol_test receives an Access-Accept with the Reply-Message set. RADIUS message: code=2 (Access-Accept) identifier=11 length=233 Attribute 18 (Reply-Message) length=64 Value: 'User does not belong to any groups which may access this SSID.' Attribute 1 (User-Name) length=9 Value: 'mgorven' ... SUCCESS Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and TTLS sections, but this didn't make a difference. How do I actually reject an inner tunnel request? Michael -- http://michael.gorven.za.net PGP Key ID 1E016BE8
Michael Gorven wrote:
I have setup WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 with an OpenLDAP backend, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which users belong to.
Write down in plain English what you want to happen. Not "I want to restrict access", but "when X happens and Y happens, then do Z"
From what I can gather, I need to add appropriate rules to /etc/freeradius/users which matches the SSID/group combinations, and rejects everything else. The problem I'm having is with the default reject, not the SSID/group matching.
My first attempt was this:
DEFAULT Ldap-Group == "employees"
This says "match the LDAP group employees". Note it *doesn't* say do anything else.
DEFAULT Auth-Type := Reject
This says "always reject the user".
But this immediately rejects the Access-Request in the outer tunnel, because the "anonymous" user is not in the "employees" group. I then modified it to this so that it only matches inner tunnel requests:
DEFAULT Ldap-Group == "employees" DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1" Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."
That is very wrong on many levels. You've switched the "Auth-Type := Reject" from the first line to the second. That WILL NOT WORK. This is documented. Read "man users", and the comments in the default "users" file. There is extensive documentation on the format, and how it works.
The inner tunnel Access-Request is now sent and members of the "employees" group are accepted, but non-members are not actually rejected. I see the users entry being matched, and the Reply-Message is even set, but the server responds with Access-Accept and eapol_test reports SUCCESS.
Because that's what you told it to do.
Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and TTLS sections, but this didn't make a difference. How do I actually reject an inner tunnel request?
Edit raddb/sites-available/inner-tunnel. See "man unlang" for the format. Or, read "man users", and create a *good* entry in the "users" file: DEFAULT Ldap-Group != "employees", FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject Reply-Message = "User does not belong to any groups which may access this SSID." Note that everything BUT the Reply-Message belongs on the first line with the "DEFAULT". The Reply-Message belongs on the second line. Again, this is extensively documented. Alan DeKok.
On 12/06/2012 14:08 PDT, Alan DeKok wrote:
Note that everything BUT the Reply-Message belongs on the first line with the "DEFAULT". The Reply-Message belongs on the second line.
*sigh*, moving the Auth-Type :- Reject to the first line fixed this. I thought that Auth-Type was a reply item and therefore went on the second line. Thank you for your assistance. Michael -- http://michael.gorven.za.net PGP Key ID 1E016BE8
On Tue, Jun 12, 2012 at 03:21:22PM -0700, Michael Gorven wrote:
On 12/06/2012 14:08 PDT, Alan DeKok wrote:
Note that everything BUT the Reply-Message belongs on the first line with the "DEFAULT". The Reply-Message belongs on the second line.
*sigh*, moving the Auth-Type :- Reject to the first line fixed this. I thought that Auth-Type was a reply item and therefore went on the second line. Thank you for your assistance.
Rather than test FreeRADIUS-Proxied-To == "127.0.0.1", you might also want to consider having a separate 'files' module instance just for the inner tunnel instead. Then you won't be checking this stuff for the anonymous user in the outer anyway. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Michael Gorven