Freeradius 2.2.5 Access by SSID
Dear, I have a Debian server with Freeradius 2.2.5+dfsg-0.2, authenticating against an Active Directory server. I use PEAP / MSCHAPv2 and NTLM authentication. I have no MySQL server installed, all my config is in /etc/freeradius/* files. Everything work OK at the moment, but now I need to authenticate users by different SSID's, as below: SSID1 --> User-A and User-B SSID2 --> User-C and User-D Is this implementation possible in my current scenario? In the affirmartive case, what is the best way to do that? Thanks in advance!!! Alejandro
Hi, I want to add that in Freerdaius debug mode, I can see lines like this coming from the WiFi clients: Called-Station-Id = "44:05:d9:0e:dd:40:SSID1" Called-Station-Id = "44:ad:82:0e:2d:40:SSID2" For each SSID, I need to match a different AD group with the corresponding users. Regards!!! 2017-08-08 12:43 GMT-03:00 Alejandro Cabrera Obed <aco1967@gmail.com>:
Dear, I have a Debian server with Freeradius 2.2.5+dfsg-0.2, authenticating against an Active Directory server. I use PEAP / MSCHAPv2 and NTLM authentication.
I have no MySQL server installed, all my config is in /etc/freeradius/* files.
Everything work OK at the moment, but now I need to authenticate users by different SSID's, as below:
SSID1 --> User-A and User-B SSID2 --> User-C and User-D
Is this implementation possible in my current scenario? In the affirmartive case, what is the best way to do that?
Thanks in advance!!!
Alejandro
-- // Alejandro //
On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:
Hi, I want to add that in Freerdaius debug mode, I can see lines like this coming from the WiFi clients:
Called-Station-Id = "44:05:d9:0e:dd:40:SSID1" Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
For each SSID, I need to match a different AD group with the corresponding users.
In version 3 you can add the "rewrite_called_station_id" policy to sites-enabled/default, and that will split out the SSID into the Called-Station-SSID attribute for you. Add it before the call to 'files' so the attribute is there ready for that to use. You can do it in version 2 as well, but that's obsolete and I can't remember if the policy is already there. I don't think it is. So you'd have to write the unlang yourself, or copy the policy over from v3. Then you can update your users file to compare the SSID as well, e.g. something like bob Called-Station-SSID != 'SSID1', Auth-Type := Reject Or if you are already using the users file (sounds like you are) then you might want to add a second instantiation of the files module with a different file other than 'users' so the SSID check is completely separate. You could do it directly in unlang if there are a small number of users. Anything that compares the User-Name to Called-Station-SSID will work. -- Matthew
Dear Matthew, thanks for yor response. Maybe I have to update from Freeradius 2.x to 3.x, in order to have more benefits like the one I want. After reading your explanation, I understand I have to edit the users file with a line like "bob Called-Station-SSID != 'SSID1', Auth-Type := Reject" for each user that have to access to the WiFi service...so If I have 500 users, I will have a lot of work because I have to replicate all the AD users in the Freeradius "users" file. These 500 users are in our Active Directory service that Freeradius authenticate to. So is there any manner to validate user / SSID against the AD in place of the "users" local file???? Thanking in advance !!! Alejandro 2017-08-08 13:33 GMT-03:00 Matthew Newton <mcn@freeradius.org>:
On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:
Hi, I want to add that in Freerdaius debug mode, I can see lines like this coming from the WiFi clients:
Called-Station-Id = "44:05:d9:0e:dd:40:SSID1" Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
For each SSID, I need to match a different AD group with the corresponding users.
In version 3 you can add the "rewrite_called_station_id" policy to sites-enabled/default, and that will split out the SSID into the Called-Station-SSID attribute for you. Add it before the call to 'files' so the attribute is there ready for that to use.
You can do it in version 2 as well, but that's obsolete and I can't remember if the policy is already there. I don't think it is. So you'd have to write the unlang yourself, or copy the policy over from v3.
Then you can update your users file to compare the SSID as well, e.g. something like
bob Called-Station-SSID != 'SSID1', Auth-Type := Reject
Or if you are already using the users file (sounds like you are) then you might want to add a second instantiation of the files module with a different file other than 'users' so the SSID check is completely separate.
You could do it directly in unlang if there are a small number of users. Anything that compares the User-Name to Called-Station-SSID will work.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
Dear Matthew, thanks for yor response. Maybe I have to update from Freeradius 2.x to 3.x, in order to have more benefits like the one I want.
You don't need to for what you want to do, but you should do so in the long run. There isn't much interest here in version 2 any more, it's end of life. Version 4 is in the works, and version 3 has been out for nearly four years now.
After reading your explanation, I understand I have to edit the users file with a line like "bob Called-Station-SSID != 'SSID1', Auth-Type := Reject" for each user that have to access to the WiFi service...so If I have 500 users, I will have a lot of work because I have to replicate all the AD users in the Freeradius "users" file. These 500 users are in our Active Directory service that Freeradius authenticate to.
OK, I missed the bit where you said AD...
So is there any manner to validate user / SSID against the AD in place of the "users" local file????
Configure the ldap module to do group lookups against AD. If you add people into AD groups, let's say one per SSID, then you could look up the group based on the SSID they are trying to join. See the LDAP documentation on how to use the Ldap-Group virtual attribute, e.g. http://wiki.freeradius.org/modules/Rlm_ldap#group-support Then compare this to the SSID. Depending on how many SSIDs you have you might want to do a files lookup to get the group name from the SSID, or just hardcode it in unlang. Along the lines of if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid- one")) { reject } etc. -- Matthew
Matthew, thanks a lot for your support. According to your response, I see I have to configure the /etc/freeradius/modules/ldap file with my AD parameteres (IP, port, user/pass for query, etc). After that, please can you clarify this points? 1) Do I have to add a new attribute in the AD for each user, with a SSID field in order to check it through LDAP lookup ? 2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-one")) {reject}" sentence ? 3) What do I have to fill the Ldap-group attribute in my users file, If I want to check SSID attribute and after that compare it with the SSID coming into "Called-id-station"??? Regards!!! 2017-08-09 11:01 GMT-03:00 Matthew Newton <mcn@freeradius.org>:
On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
Dear Matthew, thanks for yor response. Maybe I have to update from Freeradius 2.x to 3.x, in order to have more benefits like the one I want.
You don't need to for what you want to do, but you should do so in the long run. There isn't much interest here in version 2 any more, it's end of life. Version 4 is in the works, and version 3 has been out for nearly four years now.
After reading your explanation, I understand I have to edit the users file with a line like "bob Called-Station-SSID != 'SSID1', Auth-Type := Reject" for each user that have to access to the WiFi service...so If I have 500 users, I will have a lot of work because I have to replicate all the AD users in the Freeradius "users" file. These 500 users are in our Active Directory service that Freeradius authenticate to.
OK, I missed the bit where you said AD...
So is there any manner to validate user / SSID against the AD in place of the "users" local file????
Configure the ldap module to do group lookups against AD. If you add people into AD groups, let's say one per SSID, then you could look up the group based on the SSID they are trying to join.
See the LDAP documentation on how to use the Ldap-Group virtual attribute, e.g.
http://wiki.freeradius.org/modules/Rlm_ldap#group-support
Then compare this to the SSID. Depending on how many SSIDs you have you might want to do a files lookup to get the group name from the SSID, or just hardcode it in unlang. Along the lines of
if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid- one")) { reject }
etc.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- // Alejandro //
On Wed, Aug 09, 2017 at 12:57:16PM -0300, Alejandro Cabrera Obed wrote:
According to your response, I see I have to configure the /etc/freeradius/modules/ldap file with my AD parameteres (IP, port, user/pass for query, etc).
Yes. And the group settings so it knows how to query groups correctly.
1) Do I have to add a new attribute in the AD for each user, with a SSID field in order to check it through LDAP lookup ?
No, you can add the users to an AD group. Then you check the user is in that group, for a certain condition. So if you add user 'bob' to group 'sales', and configure the group settings in ldap correctly, you can do something like if (Ldap-group == 'sales') { ... } Ldap-group is a "magic" attribute which will trigger an ldap lookup behind the scenes. The mods-enabled/ldap config has the settings to tell the ldap module to look up the User-Name attribute, hence it will look up 'bob' (User-Name) in 'sales' (from the if statement).
2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-one")) {reject}" sentence ?
sites-enabled/default (or sometimes sites-enabled/inner-tunnel, depending on what you're doing), likely in the authorize section, or the post-auth section.
3) What do I have to fill the Ldap-group attribute in my users file, If I want to check SSID attribute and after that compare it with the SSID coming into "Called-id-station"???
I wouldn't do it in your users file. Use unlang in the sites-enabled/ file as described above. The wiki page does give examples of this. -- Matthew
participants (3)
-
Alejandro Cabrera Obed -
Matthew Newton -
Matthew Newton