Authentication probation for VLAN
Hello, I am using freeradius to authenticate to multiple databases, some in other LDAP in SQL. I am doing authentication and wireless networks, where I have multiple SSIDs for wireless networks, and each one logs in a database. All these databases are in the same Radius server, which differentiate based authentication used by the users of the Realm, running as follows: authorize { ... if (Realm == "fpti") { ldap_fpti } if ( Realm == "pti") { ldap_pti } if ( Realm == "visitantes") { sql_visitantes } ... } This model is funcionaç, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information: ... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"* EAP-Message = 0x020500061500 State = 0xfd87ee8cfe82fb655b300470157cca59 Message-Authenticator = 0xb9a2c29a193593e8f1165dc71ab487c1 # Executing section authorize from file /etc/freeradius/sites-enabled/default ... Once the session authorization, I tried to check the VLAN required before releasing the basis for authorization, did it as follows: authorize { ... if (Tunnel-Private-Group-Id:0 == 5){ # Base de dados LDAP da FPTI if (Realm == "fpti") { ldap_fpti } } if (Tunnel-Private-Group-Id:0 == 30){ # Todos os Hbitantes do PTI atraves do numero do cracha if ( Realm == "pti") { ldap_pti } # Base de dados SQL de Visitantes if ( Realm == "visitantes") { sql_visitantes } } ... } But unfortunately this is not working (as shown in the log below): [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++? if (Tunnel-Private-Group-Id:0 == 5) ? Evaluating (Tunnel-Private-Group-Id:0 == 5) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 5) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 30) ? Evaluating (Tunnel-Private-Group-Id:0 == 30) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 30) -> FALSE ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: joao@fpti [mschap] Told to do MS-CHAPv2 for joao@fpti with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Login incorrect: [joao@fpti] (from client controladora-wlan-1 port 0 via TLS tunnel) Note that all conditional "IF" fails. Also said that if I try to use the Tunnel-Private-Group-Id without the ":0" at the end, appears in the logs that the attribute was not found, I mention this because in several instances I saw on the internet was used only "Tunnel- Private -Group-Id" (with :0 at the end) I ask, how can I make this check? Thank you for listening; -- João Paulo de Lima Barbosa
Also said that if I try to use the Tunnel-Private-Group-Id without the ":0" at the end, appears in the logs that the attribute was not found, I mention this because in several instances I saw on the internet was used only "Tunnel-Private -Group-Id" (with :0 at the end)
Weird, trying using it in a string expansion (as a work around) e.g. "%{Tunnel-Private-Group-Id}" == 5 Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
joaocdc@gmail.com <joaocdc@gmail.com> wrote:
This model is funcionaç, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information:
... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"*
string != integer Tunnel-Private-Group-Id is a string. I have to do a similar thing to map a silly attribute coughed up by Cisco's useless WLC: ---- policy.conf ---- rewrite.quirk.wlc { if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") { switch "%{Airespace-Wlan-Id}" { case "1" { update request { NAS-Port-Id := "eduroam" } } case "5" { update request { NAS-Port-Id := "UTILICOM" } } case "6" { update request { NAS-Port-Id := "BTOpenzone" } } case "7" { update request { NAS-Port-Id := "soas-wpa-psk" } } case { update request { NAS-Port-Id := "UNKNOWN" } } } ... } ---- You should use (I am almost certain you should not be looking at tagged attributes, so drop the ':0' too): ---- notice the "...." ---- if (Tunnel-Private-Group-Id == "5") { [stuff] } ---- Cheers -- Alexander Clouter .sigmonster says: Do not apply to broken skin.
On 25 Aug 2011, at 21:43, Alexander Clouter wrote:
joaocdc@gmail.com <joaocdc@gmail.com> wrote:
This model is funcionaç, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information:
... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically.... But obviously not -Arran
OK friends, I appreciate the help, I managed to solve. Dear Alexander Clouter really the type of data is an integer, but that I had already tested. But I appreciate the hint and attention. The problem is that I'm using EAP (PEAP and TTLS) server and default routes via internal proxy (or something) the request to the inner-tunnel, and when the request arrived at the inner-tunnel not all attributes of the original request were present in the package. To solve, it took Enable the option "copy_request_to_tunnel = yes" in the file eap.conf. This solved the problem. I appreciate everyone's help. 2011/8/25 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
On 25 Aug 2011, at 21:43, Alexander Clouter wrote:
joaocdc@gmail.com <joaocdc@gmail.com> wrote:
This model is funcionaç, however have a problem (very serious), Radius
does
not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information:
... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically.... But obviously not
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc "O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los."
Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
* Tunnel-Private-Group-Id:0 = "5"*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically.... But obviously not
Apparently it does work, the OP seems to neglected to mention that one chunk of the debug was for the outer layer, the other the inner auth :-/ Cheers -- Alexander Clouter .sigmonster says: Misfortunes arrive on wings and leave on foot.
On 26 Aug 2011, at 11:39, Alexander Clouter wrote:
Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
* Tunnel-Private-Group-Id:0 = "5"*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically.... But obviously not
Apparently it does work, the OP seems to neglected to mention that one chunk of the debug was for the outer layer, the other the inner auth :-/
Indeed. *stabby stabby* *sigh*. I thought it was weird, because I remembered reading the code that did the automagical conversions :) -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
participants (3)
-
Alexander Clouter -
Arran Cudbard-Bell -
joaocdc@gmail.com