authorized_mac best usage way
hello list. On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal : Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses (yes it looks like a small network access control) That for, I add this unlang command in default site : authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } } and of course in ldap module : reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId' Not shure why but sometimes, known mac addresses fall in vlan 602. reading debug log, I see that access-accept request has 2 Tunnel-Private-Group-Id values. (917721) Login OK: [anonymous] (from client APs port 0 cli 9C-B6-D0-93-43-9B) (917721) Sent Access-Accept Id 235 from 10..x.x.x:1812 to 10.y.y.y:34406 length 206 (917721)*Tunnel-Private-Group-Id := "602"* (917721) MS-MPPE-Recv-Key = 0x8b027fe2eb7a469ab2511b31ea16e1ea2c6f11b9846db09dce876d4333d99077 (917721) MS-MPPE-Send-Key = 0xc9b83651e9ff3adefbdf2371f127d2fbdc2b5334f3ed37c0729a1e4b468945ab (917721) EAP-Message = 0x03170004 (917721) Message-Authenticator = 0x00000000000000000000000000000000 (917721) User-Name = "anonymous" (917721) Framed-MTU += 1014 (917721) Tunnel-Type += VLAN (917721) Tunnel-Medium-Type += IEEE-802 (917721)*Tunnel-Private-Group-Id += "1001"* (917721) Service-Type += Administrative-User (917721) Finished request How can the WAP know which one apply ??? My questions are : - Is that method a valid one ? If not, how to ? - should I use an other operator to set Tunnel-Private-Group-Id value ? - why is the attribute present twice even if := operator is always used and wiki says : *:=* Attribute := value Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. Thanks for your attention. Cédric -- *Cédric Delaunay * *Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information* *RSSI Suppléant * Tel. : +33 (0)2 23 23 8568 *INSA Rennes* 20 avenue des Buttes de Coêsmes CS 70839 - 35 708 RENNES Cedex 7 www.insa-rennes.fr <http://www.insa-rennes.fr/>
On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal :
Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses
(yes it looks like a small network access control)
That for, I add this unlang command in default site :
Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server. The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS). But attributes you set there are set for the inner-tunnel. They don't get sent to the NAS unless you make sure that happens. See the comments in "inner-tunnel" for more details.
authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } }
That likely gets run before the "eap" module...
and of course in ldap module :
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
Does the LDAP module get run in the "inner-tunnel" virtual server? And my guess is that you're copying the inner-tunnel reply to the outer reply. And therefore *adding* another Tunnel-Private-Group-Id.
Not shure why but sometimes, known mac addresses fall in vlan 602.
reading debug log, I see that access-accept request has 2 Tunnel-Private-Group-Id values.
The debug log also shows you *why* it has 2 Tunnel-Private-Group-Id attributes.
How can the WAP know which one apply ???
It doesn't. It picks one.
My questions are :
- Is that method a valid one ? If not, how to ? - should I use an other operator to set Tunnel-Private-Group-Id value ? - why is the attribute present twice
Because you told it do to that.
even if := operator is always used and wiki says :
Because at some point you're not using ":=" for Tunnel-Private-Group-Id, you're using "+=". Read the debug output and your local configuration. The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section. Put it at the *bottom* of the post-auth section: post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (!&reply.Tunnel-Private-Group-Id) { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } } } i.e. for non-authorized MACs, always put them in 602. If SOMETHING set Tunnel-Private-Group-Id, then don't change it. Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam. But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users? I'd do it this way: post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } } That's it. Unauthorized MACs get 602. Eduroam users get 602. Everyone else gets a VLAN which was *previously* assigned by something else. Alan DeKok.
Hello Alan, thanks for your reply even afeter years, each freeradius server replacement/upgrade reminds me how a newbee in freeradius using.... Le jeudi 02 mars 2023 à 10:04 -0500, Alan DeKok a écrit :
On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal : Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses (yes it looks like a small network access control) That for, I add this unlang command in default site : Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server. The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS). But attributes you set there are set for the inner-tunnel. They don't get sent to the NAS unless you make sure that happens. See the comments in "inner-tunnel" for more details. Ok, my comprehension is : "setting this attribute depends of computer (which don't care about inner tunnel) AND username (which have to be read into inner-tunnel)" authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel-Private-Group-Id := 602 } } } That likely gets run before the "eap" module... yes it is, I'm running this script just after preprocess and of course in ldap module : reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId' Does the LDAP module get run in the "inner-tunnel" virtual server? Yes it is, as my password database is ldap server and most of users use anonymous identity as external And my guess is that you're copying the inner-tunnel reply to the outer reply. And therefore adding another Tunnel-Private-Group-Id. Exact but not shure I have to. maybe to have inner identity and error message if any in logs...
inner-tunnel post-auth { .... # # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } # # Copy the inner reply attributes to the outer # session-state list. The post-auth policy will take # care of copying the outer session-state list to the # outer reply. # update { &outer.session-state: += &reply: } }
Not shure why but sometimes, known mac addresses fall in vlan 602. reading debug log, I see that access-accept request has 2 Tunnel-Private-Group-Id values. The debug log also shows you why it has 2 Tunnel-Private-Group-Id attributes. How can the WAP know which one apply ??? It doesn't. It picks one. My questions are : * Is that method a valid one ? If not, how to ? * should I use an other operator to set Tunnel-Private-Group-Id value ? * why is the attribute present twice Because you told it do to that. Yep, unfortunately, sometimes freeradius and me don't speak same language even if := operator is always used and wiki says : Because at some point you're not using ":=" for Tunnel-Private-Group-Id, you're using "+=". Read the debug output and your local configuration. The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section. Put it at the bottom of the post-auth section: post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (!&reply.Tunnel-Private-Group-Id) { if (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel-Private-Group-Id := 602 } } } } i.e. for non-authorized MACs, always put them in 602. If SOMETHING set Tunnel-Private-Group-Id, then don't change it. Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam. Ok, I'll try this But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users? I'd do it this way: shure not, so I'll try next solution. juste have to put linelog call after this to log real affected vlan post-auth { ... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (Called-Station-Id =~ /.eduroam./i ) { update reply { Tunnel- Private-Group-Id := 602 } } } That's it. Unauthorized MACs get 602. Eduroam users get 602. Everyone else gets a VLAN which was previously assigned by something else. Alan DeKok.
Let's go and check debug log. Thanks a lot Alan Cédric -- <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><b><span style="color: #333333;">Cédric Delaunay</span><br> </b></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b>Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information</b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b><span style="font-size: small;"><span style="font-size: 11pt;">RSSI Suppléant </span></span></b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;">Tel. : +33 (0)2 23 23 8568</span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #333333;"><strong>INSA Rennes</strong></span><br> <span style="color: #808080;">20 avenue des Buttes de Coêsmes</span><br> <span style="color: #808080;">CS 70839 - 35 708 RENNES Cedex 7</span></div> <div><span style="color: #ff0000;"><a href="http://www.insa-rennes.fr/" style="color: #ff0000; font-size: 13px; font-family: 'arial';" target="_blank" rel="nofollow noopener noreferrer">www.insa-rennes.fr</a></span></div> </div> </body>
On Mar 7, 2023, at 10:12 AM, Delaunay Cédric <Cedric.Delaunay@insa-rennes.fr> wrote:
Hello Alan, thanks for your reply even afeter years, each freeradius server replacement/upgrade reminds me how a newbee in freeradius using....
The difficulty is usually just writing down what needs to be done. After that, poking FreeRADIUS is usually simpler.
Ok, my comprehension is : "setting this attribute depends of computer (which don't care about inner tunnel) AND username (which have to be read into inner-tunnel)"
The issue is *where* you set the attribute. That's up to you. You need to understand your local configuration. Alan DeKok.
hello, Looks like there is somethink wrong in my config based on your suggests. First I tried to move as you suggest authorized_mac script from default
authorize TO default > post-auth
nothing else changed but now the Calling-Station-ID isn't find in authorized mac file... * module is loadedd successfully # Loading module "authorized_macs" from file /etc/freeradius/mods- enabled/authorized_macs files authorized_macs { usersfile = "/etc/freeradius/authorized_macs" key = "%{Calling-Station-ID}" } ..... # Instantiating module "authorized_macs" from file /etc/freeradius/mods-enabled/authorized_macs reading pairlist file /etc/freeradius/authorized_macs * expand is ok (93) post-auth { (93) authorized_macs: EXPAND %{Calling-Station-ID} (93) authorized_macs: --> A0-AF-BD-E8-93-9C (93) [authorized_macs] = noop (93) if (!ok) { (93) if (!ok) -> TRUE (93) if (!ok) { (93) update reply { (93) Tunnel-Private-Group-Id := 602 (93) } # update reply = noop (93) } # if (!ok) = noop (93) ... skipping elsif: Preceding "if" was taken mac adresse is present in file : /etc/freeradius# grep "A0-AF-BD-E8-93-9C" authorized_macs A0-AF-BD-E8-93-9C Same Script in authorize section works fine : authorized_macs: EXPAND %{Calling-Station-ID} (82) authorized_macs: --> A0-AF-BD-E8-93-9C (82) authorized_macs: users: Matched entry A0-AF-BD-E8-93-9C at line 2691 (82) [authorized_macs] = ok (82) if (!ok) { (82) if (!ok) -> FALSE (82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) { (82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) -> FALSE same script in inner post-auth fails Something in post-auth section prevent mac searching ???? Any help would be aprecied. Cédric Le jeudi 02 mars 2023 à 10:04 -0500, Alan DeKok a écrit :
On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay@insa-rennes.fr> wrote:
On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal :
Force the vlan for unknown mac adresses OR eduroam SSID use user's one (comming from ldap module) for known mac adresses
(yes it looks like a small network access control)
That for, I add this unlang command in default site :
Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server.
The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS). But attributes you set there are set for the inner-tunnel. They don't get sent to the NAS unless you make sure that happens.
See the comments in "inner-tunnel" for more details.
authorize { ..... authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } else { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } }
That likely gets run before the "eap" module...
and of course in ldap module :
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
Does the LDAP module get run in the "inner-tunnel" virtual server?
And my guess is that you're copying the inner-tunnel reply to the outer reply. And therefore *adding* another Tunnel-Private-Group-Id.
Not shure why but sometimes, known mac addresses fall in vlan 602.
reading debug log, I see that access-accept request has 2 Tunnel- Private-Group-Id values.
The debug log also shows you *why* it has 2 Tunnel-Private-Group-Id attributes.
How can the WAP know which one apply ???
It doesn't. It picks one.
My questions are :
- Is that method a valid one ? If not, how to ? - should I use an other operator to set Tunnel-Private-Group-Id value ? - why is the attribute present twice
Because you told it do to that.
even if := operator is always used and wiki says :
Because at some point you're not using ":=" for Tunnel-Private- Group-Id, you're using "+=". Read the debug output and your local configuration.
The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section. Put it at the *bottom* of the post-auth section:
post-auth { ...
authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (!&reply.Tunnel-Private-Group-Id) { if (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } } }
i.e. for non-authorized MACs, always put them in 602.
If SOMETHING set Tunnel-Private-Group-Id, then don't change it.
Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam.
But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users? I'd do it this way:
post-auth { ...
authorized_macs if (!ok) { update reply { Tunnel-Private-Group-Id := 602 } } elsif (Called-Station-Id =~ /.*eduroam.*/i ) { update reply { Tunnel-Private-Group-Id := 602 } } }
That's it. Unauthorized MACs get 602. Eduroam users get 602. Everyone else gets a VLAN which was *previously* assigned by something else.
Alan DeKok.
-- <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><b><span style="color: #333333;">Cédric Delaunay</span><br> </b></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b>Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information</b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;"><b><span style="font-size: small;"><span style="font-size: 11pt;">RSSI Suppléant </span></span></b></span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #808080;">Tel. : +33 (0)2 23 23 8568</span></div> <div style="color: #5e5e5d; font-size: 13px; font-family: 'arial';"><span style="color: #333333;"><strong>INSA Rennes</strong></span><br> <span style="color: #808080;">20 avenue des Buttes de Coêsmes</span><br> <span style="color: #808080;">CS 70839 - 35 708 RENNES Cedex 7</span></div> <div><span style="color: #ff0000;"><a href="http://www.insa-rennes.fr/" style="color: #ff0000; font-size: 13px; font-family: 'arial';" target="_blank" rel="nofollow noopener noreferrer">www.insa-rennes.fr</a></span></div> </div> </body>
On Mar 8, 2023, at 7:19 AM, Delaunay Cédric <Cedric.Delaunay@insa-rennes.fr> wrote:
Looks like there is somethink wrong in my config based on your suggests.
Ah, yes. Change it tow: post-auth { ... authorized_macs.authorize ... } It's currently trying to read a different "users" file. Adding the ".authorize" to the end of "authorized_macs" makes it read the normal "users" file. Alan DeKok.
Got It ! thanks a lot Alan. Found this option here https://wiki.freeradius.org/guide/Mac%20Auth#web-auth-safe-mac-auth but I would not be able to understand it without your help Cédric Le mercredi 08 mars 2023 à 10:00 -0500, Alan DeKok a écrit :
On Mar 8, 2023, at 7:19 AM, Delaunay Cédric <Cedric.Delaunay@insa-rennes.fr> wrote:
Looks like there is somethink wrong in my config based on your suggests.
Ah, yes. Change it tow:
post-auth { ...
authorized_macs.authorize ...
}
It's currently trying to read a different "users" file. Adding the ".authorize" to the end of "authorized_macs" makes it read the normal "users" file.
Alan DeKok.
On Mar 8, 2023, at 10:45 AM, Delaunay Cédric <Cedric.Delaunay@insa-rennes.fr> wrote:
Found this option here https://wiki.freeradius.org/guide/Mac%20Auth#web-auth-safe-mac-auth but I would not be able to understand it without your help
Please ask specific questions. That's a large Wiki page, and there's no reason to re-write that documentation, or to copy it to the list. Alan DeKok.
participants (3)
-
Alan DeKok -
cedric delaunay -
Delaunay Cédric