Trying to Authorize Users based on AD Groups and SSIDs
Dear, I'm trying to configure PEAP Authentication with AD backend on my FR Server which is running version 3.0.4 on Centos 7. So far, I'm able to authenticate against AD but group membership checking is not working, appreciate if some help can be provided. I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that users in specific groups can access that particular SSID. As mentioned in man page of rlm_ldap I have configured group membership check in post-auth by adding below configuration in default and inner-tunnel config files but my users are getting access-reject messages. If I remove the ldap-group check config then all users are able to authenticate and access SSID, off course without any control. post-auth { if (LDAP-Group == "FR-TEST") { noop } else { reject } } if group membership works then I can go ahead and add below config to test SSID with Group membership. (this is not one yet). post-auth { if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") { noop } else { reject } } Where am I going wrong? Debug can be found here -> http://pastebin.com/zSptQPaa Regards Misbah
On Feb 15, 2017, at 11:47 AM, Misbah Hussaini <misbhauddin@gmail.com> wrote:
I'm trying to configure PEAP Authentication with AD backend on my FR Server which is running version 3.0.4 on Centos 7. So far, I'm able to authenticate against AD but group membership checking is not working, appreciate if some help can be provided.
Group membership checking *should* be just LDAP group checking. And that's well documented in the wiki.
I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that users in specific groups can access that particular SSID. As mentioned in man page of rlm_ldap I have configured group membership check in post-auth by adding below configuration in default and inner-tunnel config files but my users are getting access-reject messages. If I remove the ldap-group check config then all users are able to authenticate and access SSID, off course without any control.
You need to check the inner identity against the group, which means checking it in the inner tunnel.
post-auth { if (LDAP-Group == "FR-TEST") { noop } else { reject } }
That's overly complex. Why not just "if group, reject"? Why the extra "noop" ? In the "inner-tunnel" virtual server, do: authorize { ... if (!State) { if ((Calling-Station-SSID == "SSID02362") && (LDAP-Group != "SSID02362")) { reject } ... and the same for other SSIDs and groups } } That's assuming that the SSID is in the Calling-Station-SSID attribute, of course. See the debug log for details. Alan DeKok.
Hi Alan, Thanks for the reply, I have configured below code in top section of authorize in inner tunnel config but all users are getting accessed to SSID though debug shows a ldap check happening. You can check the debug from pastebin here -> http://pastebin.com/1BXxxvtC if (!State) { if ((Called-Station-SSID == "SSID02362") && (LDAP-Group != "FR-TEST")) { reject } } The rewrite attribute for getting SSID is Called-Station-SSID and not Calling-Station-SSID as mentioned in canonicalization file. Regards Misbah On 15 February 2017 at 20:47, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Dear,
I'm trying to configure PEAP Authentication with AD backend on my FR Server which is running version 3.0.4 on Centos 7. So far, I'm able to authenticate against AD but group membership checking is not working, appreciate if some help can be provided.
I want to map my SSIDs - SSID02362, SSID02363 etc to AD groups so that users in specific groups can access that particular SSID. As mentioned in man page of rlm_ldap I have configured group membership check in post-auth by adding below configuration in default and inner-tunnel config files but my users are getting access-reject messages. If I remove the ldap-group check config then all users are able to authenticate and access SSID, off course without any control.
post-auth { if (LDAP-Group == "FR-TEST") { noop } else { reject } }
if group membership works then I can go ahead and add below config to test SSID with Group membership. (this is not one yet).
post-auth { if (LDAP-Group == "FR-TEST" && Calling-Station-SSID == "SSID02362") { noop } else { reject } }
Where am I going wrong?
Debug can be found here -> http://pastebin.com/zSptQPaa
Regards Misbah
On Feb 16, 2017, at 2:12 AM, Misbah Hussaini <misbhauddin@gmail.com> wrote:lan,
Thanks for the reply, I have configured below code in top section of authorize in inner tunnel config but all users are getting accessed to SSID though debug shows a ldap check happening. You can check the debug from pastebin here -> http://pastebin.com/1BXxxvtC
You can read it, too. The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. *Understand* how the server works. Alan DeKok.
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition? if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } } Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er rewrite_called_station_id rewrite_called_station_id { (8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) (8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE (8) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { (8) update request { (8) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (8) --> 40-18-b1-8b-a7-54 (8) Called-Station-Id := "40-18-b1-8b-a7-54" (8) } # update request = noop (8) if ("%{8}") (8) EXPAND %{8} (8) --> SSID02362 (8) if ("%{8}") -> TRUE (8) if ("%{8}") { (8) update request { (8) EXPAND %{8} (8) --> SSID02362 (8) Called-Station-SSID := "SSID02362" Regards Misbah On 16 February 2017 at 16:51, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 16, 2017, at 2:12 AM, Misbah Hussaini <misbhauddin@gmail.com> wrote:lan,
Thanks for the reply, I have configured below code in top section of authorize in inner tunnel config but all users are getting accessed to
SSID
though debug shows a ldap check happening. You can check the debug from pastebin here -> http://pastebin.com/1BXxxvtC
You can read it, too.
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. *Understand* how the server works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Feb 16, 2017, at 8:12 AM, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
The server receives multiple packets. Is that re-write piece being run in the same packet as the one doing the check? Did you set "copy_request_to_tunnel" in raddbs/mods-enabled/eap? If not, did you check the *outer* version of Called-Station-SSID? i.e. "outer.request:Called-Station-SSID"? See "man unlang" for details. Again, you need to pay attention, and to understand how the server works. RADIUS isn't a simple protocol like DNS or DHCP. There are many pieces, and many more possibilities. Understanding how it works is crucial for fixing any issue. Alan DeKok.
On 16-02-17 14:12, Misbah Hussaini wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
You're changing the Called-Station-SSID in the outer tunnel (line 1848), then send a tunneled request (line 1911) with only a few attributes. The check is performed in the inner tunnel, and can't find the Called-Station-SSID. Possible solutions: - Perform the check in the outer tunnel - Write to/Read from session-state:Called-Station-SSID - Use outer:request:Called-Station-SSID (or whatever the exact syntax was) to use the outer request. -- Herwin Weststrate
Thanks for pointer, changing the condition to below worked, but im a uable to figure out how to do ldap-group lookups inside inner tunnel config? I have tried to do the ldap lookup inside default config by removing the if condition from inner tunnel and adding to default but still it fails. If (outer.Called-Station-SSID != "SSID02362") { Reject } On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin@quarantainenet.nl> wrote:
On 16-02-17 14:12, Misbah Hussaini wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
You're changing the Called-Station-SSID in the outer tunnel (line 1848), then send a tunneled request (line 1911) with only a few attributes. The check is performed in the inner tunnel, and can't find the Called-Station-SSID.
Possible solutions: - Perform the check in the outer tunnel - Write to/Read from session-state:Called-Station-SSID - Use outer:request:Called-Station-SSID (or whatever the exact syntax was) to use the outer request.
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
I think I found the reason why the ldap group check is not working. My ldap config has the filter set to sAMAccountName as shown below but the EAP packet is passing username as DOMAIN\USERNAME which is incorrect format for sAMAccountName. filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" Now, the question is how do I remove the domain\ from the username field, as I read elsewhere changing the username will cause EAP auth to fail. Pointers are welcome... Quest continues.. Regards Misbah On 16 February 2017 at 21:45, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Thanks for pointer, changing the condition to below worked, but im a uable to figure out how to do ldap-group lookups inside inner tunnel config? I have tried to do the ldap lookup inside default config by removing the if condition from inner tunnel and adding to default but still it fails.
If (outer.Called-Station-SSID != "SSID02362") { Reject }
On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin@quarantainenet.nl> wrote:
On 16-02-17 14:12, Misbah Hussaini wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
You're changing the Called-Station-SSID in the outer tunnel (line 1848), then send a tunneled request (line 1911) with only a few attributes. The check is performed in the inner tunnel, and can't find the Called-Station-SSID.
Possible solutions: - Perform the check in the outer tunnel - Write to/Read from session-state:Called-Station-SSID - Use outer:request:Called-Station-SSID (or whatever the exact syntax was) to use the outer request.
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
Voila! Got it to work. Here is what was wrong. Windows machine passes username for EAP-MSCHAP packet response in Domain\Username format which does not goes well with our ldap filters as there is no attribute (as I know) in AD which holds domain\username value for a object and you cannot remove domain part from EAP packets as this will make eap auth to fail. As mentioned here http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057116.... (go through whole thread for complete understanding) we have to remove domain part from username field for ldap lookups (not from eap packets),so ass to make ldap lookups work and this is done by configuring domain realm in proxy.conf and configure ntdomain in virtual servers and ntdomain_hack in mshchap mod. Below are the config details. mods-enabled\eap set copy_request_to_tunnel = yes raddb/proxy.conf #add empty stanza for your domain realm domain { } mods-enabled\mschap set with_ntdomain_hack = yes sites-enabled\default Authorize { # These 2 lines will remove domain name when passing the username attribute for ldap lookups preprocess ntdomain ... .. } sites-enabled\inner-tunnel authrozie{ # These 2 lines will remove domain name when passing the username attribute for ldap lookups preprocess suffix ntdomain if (!State) { if ((outer.Called-Station-SSID =="XYZ") && (LDAP-Group != "ABC")) { reject } } ..... .... } Do let me know if there is a more diligent way of doing the same. Regards Misbah On 17 February 2017 at 00:23, Misbah Hussaini <misbhauddin@gmail.com> wrote:
I think I found the reason why the ldap group check is not working.
My ldap config has the filter set to sAMAccountName as shown below but the EAP packet is passing username as DOMAIN\USERNAME which is incorrect format for sAMAccountName.
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Now, the question is how do I remove the domain\ from the username field, as I read elsewhere changing the username will cause EAP auth to fail.
Pointers are welcome... Quest continues..
Regards Misbah
On 16 February 2017 at 21:45, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Thanks for pointer, changing the condition to below worked, but im a uable to figure out how to do ldap-group lookups inside inner tunnel config? I have tried to do the ldap lookup inside default config by removing the if condition from inner tunnel and adding to default but still it fails.
If (outer.Called-Station-SSID != "SSID02362") { Reject }
On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin@quarantainenet.nl> wrote:
On 16-02-17 14:12, Misbah Hussaini wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
You're changing the Called-Station-SSID in the outer tunnel (line 1848), then send a tunneled request (line 1911) with only a few attributes. The check is performed in the inner tunnel, and can't find the Called-Station-SSID.
Possible solutions: - Perform the check in the outer tunnel - Write to/Read from session-state:Called-Station-SSID - Use outer:request:Called-Station-SSID (or whatever the exact syntax was) to use the outer request.
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
participants (3)
-
Alan DeKok -
Herwin Weststrate -
Misbah Hussaini