Authorize mac addresses with dbm only
Dear freeradius users, maybe you can help me with a - probably simple - problem in authorizing wlan users. I am using freeradius 1.1.7 (on SLES 10sp4). My working configuration is able to authorize users with modules dbm and ldap. Dbm is used for mac-authentication, ldap for 802.1x-authentication. For some reason I need to reduce the number of requests our ldap server(s) gets. The actual configuration checks a mac address against dbm at first and then against ldap. I want mac-addresses exclusively checked against dbm. I can detect mac-authentication requests using the following hint: DEFAULT Colubris-AVPair == "ssid=tsunami" Hint = "DBM" Also I inserted a new DEFAULT entry in users: DEFAULT Hint == DBM Fall-Through = 0 Sending the following Radius-Request: User-Name = 001e52c90573 User-Password = 001e52c90573 Colubris-AVPair = "ssid=tsunami" results in the attached debug output. As you can see, rlm_dbm is used first (with success) but after that, rlm_ldap is used, too. Is it possible to configure radius so that mac-address authorizations are checked against dbm only (whether successful or not)? -- Kind regards Christoph rad_recv: Access-Request packet from host 141.26.71.252:42454, id=114, length=72 User-Name = "001e52c90573" User-Password = "001e52c90573" Colubris-AVPair = "ssid=tsunami" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 hints: Matched DEFAULT at 36 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "001e52c90573", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "001e52c90573" rlm_realm: Proxying request from user 001e52c90573 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched entry DEFAULT at line 149 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 3 rlm_dbm: try open database file: /etc/raddb/wlan rlm_dbm: Call parse_user: sm_parse_user.c: check for loops Add 001e52c90573 to user list sm_parse_user: start parsing: user: 001e52c90573 parse buffer: <<Auth-Type := Local, User-Password == "001e52c90573">> rlm_dbm: recod parsed process pattern rlm_dbm: Pattern matched, look for request parse buffer: <<Service-Type = Login-User>> rlm_dbm: recod parsed rlm_dbm: Reply found Remove 001e52c90573 from user list modcall[authorize]: module "dbm" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for 001e52c90573 radius_xlat: '(uid=001e52c90573)' radius_xlat: 'dc=uni-koblenz,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=uni-koblenz,dc=de, with filter (uid=001e52c90573) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 3 modcall: leaving group authorize (returns ok) for request 3 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Login OK: [001e52c90573] (from client test port 0) _________________________________________ Christoph Litauer Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
Christoph Litauer wrote:
maybe you can help me with a - probably simple - problem in authorizing wlan users. I am using freeradius 1.1.7 (on SLES 10sp4).
Upgrade to 2.1.12.
My working configuration is able to authorize users with modules dbm and ldap. Dbm is used for mac-authentication, ldap for 802.1x-authentication. For some reason I need to reduce the number of requests our ldap server(s) gets. The actual configuration checks a mac address against dbm at first and then against ldap. I want mac-addresses exclusively checked against dbm.
In 2.1.12: dbm if (notfound) { ldap } Alan DeKok.
Alan, thanks for your quick response! Am 06.03.2012 um 16:21 schrieb Alan DeKok:
Christoph Litauer wrote:
maybe you can help me with a - probably simple - problem in authorizing wlan users. I am using freeradius 1.1.7 (on SLES 10sp4).
Upgrade to 2.1.12.
Ah, OK. I think I will try that, but ...
My working configuration is able to authorize users with modules dbm and ldap. Dbm is used for mac-authentication, ldap for 802.1x-authentication. For some reason I need to reduce the number of requests our ldap server(s) gets. The actual configuration checks a mac address against dbm at first and then against ldap. I want mac-addresses exclusively checked against dbm.
In 2.1.12:
dbm if (notfound) { ldap }
... I don't think this is what I need. I want some kind of requests (the ones including Colubris-AVPair = "ssid:tsunami") to _only_ be handled by dbm, successful or not. I read your suggestion as "check against dbm. If successful return, if not check against ldap" -- Freundliche Grüße Christoph
Christoph Litauer wrote:
... I don't think this is what I need.
Yes, it is.
I want some kind of requests (the ones including Colubris-AVPair = "ssid:tsunami") to _only_ be handled by dbm, successful or not. I read your suggestion as "check against dbm. If successful return, if not check against ldap"
$ man unlang if (Colubris-AVPair == "ssid:tsunami") { dbm ... } else { ldap } Alan DeKok.
Thanks a lot, works like a charm. Am 06.03.2012 um 18:42 schrieb Alan DeKok:
Christoph Litauer wrote:
... I don't think this is what I need.
Yes, it is.
I want some kind of requests (the ones including Colubris-AVPair = "ssid:tsunami") to _only_ be handled by dbm, successful or not. I read your suggestion as "check against dbm. If successful return, if not check against ldap"
$ man unlang
if (Colubris-AVPair == "ssid:tsunami") { dbm ... } else { ldap }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kind regards Christoph _________________________________________ Christoph Litauer Uni Koblenz, Computing Centre, Office A 022 Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
participants (2)
-
Alan DeKok -
Christoph Litauer