Hi All I have a two box wifi solution where the controller performs dot1x/EAP authentication of the end user then a policy management box that sits behind that implements appropriate QoS and traffic policies to the users traffic Of course the Authen part is easy as it's just the normal username/password in users The Author is a little bit trickier and I was interested in some opinions on how to resolve... Basically the policy manager uses the mac address to authorise the device The mac address was sent by the wifi controller as the calling-station-id but the question is how do I match that field against the user to authorise them? Darren
Darren Ward (darrward) wrote:
The mac address was sent by the wifi controller as the calling-station-id but the question is how do I match that field against the user to authorise them?
$ man unlang It tells you how to do if/then/else checks. Perhaps you have a more specific question? Alan DeKok.
Hi Alan I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address? i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes I'm not sure how to do that lookup of files or cache Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, 10 March 2014 11:11 PM To: FreeRadius users mailing list Subject: Re: Authorise based on Calling Station ID ? Darren Ward (darrward) wrote:
The mac address was sent by the wifi controller as the calling-station-id but the question is how do I match that field against the user to authorise them?
$ man unlang It tells you how to do if/then/else checks. Perhaps you have a more specific question? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Darren Ward (darrward) wrote:
I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?
If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.
i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes
That won't work. Accounting happens AFTER authorization. You'll need to find another solution. Run the server in debugging mode. Odds are you'll see something useful in the Access-Request. Alan DeKok.
Apologies again! The Wireless Controller (WLC) will send an Accounting Start to the FreeRADIUS with the username and calling-station-id after it successfully Authen's the user Then traffic for that mac address will be seen by the Policy Manager and it will then go and request an authorize for that mac address from FreeRADIUS So the authorise will be after the accounting start because they are separate NAS/Client as far as FreeRADIUS is concerned The WLC access-request username is the username and the ISG username is seen as the mac-address I'm wondering if there's any way to access the cache or accounting records to try and do the match up? Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, 11 March 2014 8:49 AM To: FreeRadius users mailing list Subject: Re: Authorise based on Calling Station ID ? Darren Ward (darrward) wrote:
I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?
If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.
i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes
That won't work. Accounting happens AFTER authorization. You'll need to find another solution. Run the server in debugging mode. Odds are you'll see something useful in the Access-Request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Maybe the question I need to ask first is how can we have two usernames for the same user? i.e. 'jonathan' and 'a463.0dfe.ab36' as usernames for the same account credentials? Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Darren Ward (darrward) Sent: Tuesday, 11 March 2014 10:21 AM To: FreeRadius users mailing list Subject: RE: Authorise based on Calling Station ID ? Apologies again! The Wireless Controller (WLC) will send an Accounting Start to the FreeRADIUS with the username and calling-station-id after it successfully Authen's the user Then traffic for that mac address will be seen by the Policy Manager and it will then go and request an authorize for that mac address from FreeRADIUS So the authorise will be after the accounting start because they are separate NAS/Client as far as FreeRADIUS is concerned The WLC access-request username is the username and the ISG username is seen as the mac-address I'm wondering if there's any way to access the cache or accounting records to try and do the match up? Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, 11 March 2014 8:49 AM To: FreeRadius users mailing list Subject: Re: Authorise based on Calling Station ID ? Darren Ward (darrward) wrote:
I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?
If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.
i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes
That won't work. Accounting happens AFTER authorization. You'll need to find another solution. Run the server in debugging mode. Odds are you'll see something useful in the Access-Request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Darren Ward (darrward) wrote:
Maybe the question I need to ask first is how can we have two usernames for the same user?
You don't. Users are uniquely defined by their User-Name.
i.e. 'jonathan' and 'a463.0dfe.ab36' as usernames for the same account credentials?
You can't. If you have "a463.0dfe.ab36", how do you determine that it's really "jonathan"? The only way I can think of is to have a separate mapping table in SQL. It should have two columns, one with things like "a463.0dfe.ab36", and the other with the real names. Then when you get a request which has a name like "a463.0dfe.ab36", you look it up in the table to get the "real" name. But this is a very custom solution. You'll have to design it and implement it yourself. It's not part of any standard configuration. Alan DeKok.
Hi Guys One of the internal guys mentioned that the Cisco RADIUS product adds the mac address as an alternate username in the users database when it Authenticates a user (by grabbing the calling-station-id and inserting it as a alternate username) Is there a way I could similar with FreeRADIUS as this is the preferred platform Darren -----Original Message----- From: Darren Ward (darrward) Sent: Tuesday, 11 March 2014 10:21 AM To: FreeRadius users mailing list Subject: RE: Authorise based on Calling Station ID ? Apologies again! The Wireless Controller (WLC) will send an Accounting Start to the FreeRADIUS with the username and calling-station-id after it successfully Authen's the user Then traffic for that mac address will be seen by the Policy Manager and it will then go and request an authorize for that mac address from FreeRADIUS So the authorise will be after the accounting start because they are separate NAS/Client as far as FreeRADIUS is concerned The WLC access-request username is the username and the ISG username is seen as the mac-address I'm wondering if there's any way to access the cache or accounting records to try and do the match up? Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, 11 March 2014 8:49 AM To: FreeRadius users mailing list Subject: Re: Authorise based on Calling Station ID ? Darren Ward (darrward) wrote:
I guess the question is because the accounting files are the only place that contains both the calling-station-id and username how can I write unlang in the authorise that would be able to look up the active session to match the mac address?
If the Calling-Station-ID and User-Name only appear in accounting messages, then you can't check for them in the authorize section.
i.e. I would need to parse the accounting files for the mac address and find the matching username then look up the username in the 'users' file to authorise with the appropriate attributes
That won't work. Accounting happens AFTER authorization. You'll need to find another solution. Run the server in debugging mode. Odds are you'll see something useful in the Access-Request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Darren Ward (darrward)