Using NAS-Identifier with login criteria
We are in the process of setting up FreeRadius 2.1.1 on a SLES10 server to authenticate with/against eDirectory on the back end to allow access to our wireless networks. We having things working so far that users can get access to one of the wireless networks if they are a member of a specific eDirectory group. (using the users file and "DEFAULT Ldap-Group..." We are basically going to have 2 different wireless networks (wifi1 ad wifi2). When using the radius for authenticating, the different wireless networks use their SSID as the NAS-Identifier. (we are able to see this when running "radiusd -X". Ultimately we want to allow all users who have an edirectory account to be able to use wifi1, but only members of a specific edirectory group can have access to wifi2 (NAS-Identifier = wifi2) How do we go about accomplishing this? Thanks in advance for any suggestions. Brian
Use unlang for policy. Use that attribute (or define a unique client id and use that instead) in a policy %{client:shortname} %{NAS-IP-Address} etc etc are all available to be evaluated alan
Thanks for the response Alan. Which files and where would this information go into? Is it possible to get an example of a policy with %{NAS-Identifier} Thanks. Brian
Alan Buxey <A.L.M.Buxey@lboro.ac.uk> 4/11/2015 04:14 AM >>> Use unlang for policy. Use that attribute (or define a unique client id and use that instead) in a policy
%{client:shortname} %{NAS-IP-Address} etc etc are all available to be evaluated alan -- This email was Virus checked by Astaro Security Gateway. http://www.sophos.com
Hi,
Which files and where would this information go into? Is it possible to get an example of a policy with %{NAS-Identifier}
man unlang google searches for unlang and policy but heres some guidance: http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf something I knock up wont work for you as i dont know your requirements... you'd expect it to work...wonder why it doesnt do what you want..then get frustrated and lose trust with the platform. in the config files are quite a few examples of unlang and policy. look, read alan
Thanks for the info Alan. I have done some googling and found some examples that have gotten me real close. What I have done is: created an area called "my_policy" in the policy.conf file and added the following: if (NAS-Identifier =~ /Rad_test2/) { if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) { reject } } In the /sites-available/default file: under authorize: update request { NAS-Identifier = "%{NAS-Identifier}" } and under ldap: my_policy Now when I attempt to login with a user account that is a member of the "Corporate Wireless Network" group, they get denied. People who are not members of the group can get connected. (exact opposite to what I desire) All users can get connected to WIFI#1 like we want. Here is he radiusd -X log: FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 28 2014 at 23:17:30 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 192.168.1.1 { require_message_authenticator = no secret = "sophos123" shortname = "SophosAppliance" } client 192.168.1.53 { require_message_authenticator = no secret = "sophos123" shortname = "RadiusServer" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/servercert.pem" certificate_file = "/etc/raddb/certs/servercert.pem" CA_file = "/etc/raddb/certs/rootcert.pem" private_key_password = "Donkey01" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "192.168.1.14" port = 636 password = "donkey" identity = "cn=admin,ou=ou,o=org" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = yes start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/raddb/certs/rootcert.pem" require_cert = "allow" } basedn = "ou=ou,o=org" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "nspmPassword" auto_header = no access_attr_used_for_allow = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x7f5ddde25b30 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Loading virtual module my_policy Module: Linked to module rlm_always Module: Instantiating reject always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 44783, id=140, length=162 User-Name = "marissa" NAS-Identifier = "Rad_test2" Called-Station-Id = "00-1A-8C-29-A2-C2:Rad_test2" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E4-CE-8F-92-53-B8" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x0224000c016d617269737361 Message-Authenticator = 0xc71be076cee41be37a0d2ca8d332273d +- entering group authorize {...} expand: %{NAS-Identifier} -> Rad_test2 expand: %{NAS-Port} -> 1 ++[request] returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "marissa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 36 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for marissa [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marissa) [ldap] expand: ou=ou,o=org -> ou=ou,o=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.1.14:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootcert.pem rlm_ldap: bind as cn=admin,ou=ou,o=org/donkey to 192.168.1.14:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=ou,o=org, with filter (uid=marissa) [ldap] Added the eDirectory password marissa in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user marissa authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++- entering policy my_policy {...} +++? if (NAS-Identifier =~ /^Rad_test2/) ? Evaluating (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++? if (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++- entering if (NAS-Identifier =~ /^Rad_test2/) {...} ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) rlm_ldap: Entering ldap_groupcmp() expand: ou=ou,o=org -> ou=ou,o=org expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Corporate Wireless Network,ou=ou,o=org, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap::ldap_groupcmp: User found in group cn=Corporate Wireless Network,ou=ou,o=org rlm_ldap: ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++- entering if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {...} +++++[reject] returns reject ++++- if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) returns reject +++- if (NAS-Identifier =~ /^Rad_test2/) returns reject ++- policy my_policy returns reject Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> marissa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 140 to 192.168.1.1 port 44783 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 44783, id=141, length=162 User-Name = "marissa" NAS-Identifier = "Rad_test2" Called-Station-Id = "00-1A-8C-29-A2-C2:Rad_test2" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E4-CE-8F-92-53-B8" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x0216000c016d617269737361 Message-Authenticator = 0xb6e5cd038eeba0b90ac46e186a58b061 +- entering group authorize {...} expand: %{NAS-Identifier} -> Rad_test2 expand: %{NAS-Port} -> 1 ++[request] returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "marissa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 22 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for marissa [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marissa) [ldap] expand: ou=ou,o=org -> ou=ou,o=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=ou,o=org, with filter (uid=marissa) [ldap] Added the eDirectory password marissa in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user marissa authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++- entering policy my_policy {...} +++? if (NAS-Identifier =~ /^Rad_test2/) ? Evaluating (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++? if (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++- entering if (NAS-Identifier =~ /^Rad_test2/) {...} ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) rlm_ldap: Entering ldap_groupcmp() expand: ou=ou,o=org -> ou=ou,o=org expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Corporate Wireless Network,ou=ou,o=org, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap::ldap_groupcmp: User found in group cn=Corporate Wireless Network,ou=ou,o=org rlm_ldap: ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++- entering if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {...} +++++[reject] returns reject ++++- if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) returns reject +++- if (NAS-Identifier =~ /^Rad_test2/) returns reject ++- policy my_policy returns reject Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> marissa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 141 to 192.168.1.1 port 44783 Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 44783, id=142, length=162 User-Name = "marissa" NAS-Identifier = "Rad_test2" Called-Station-Id = "00-1A-8C-29-A2-C2:Rad_test2" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "E4-CE-8F-92-53-B8" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x0220000c016d617269737361 Message-Authenticator = 0xc1b10de3a3184f47ff4335273f738f01 +- entering group authorize {...} expand: %{NAS-Identifier} -> Rad_test2 expand: %{NAS-Port} -> 1 ++[request] returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "marissa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 32 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for marissa [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marissa) [ldap] expand: ou=ou,o=org -> ou=ou,o=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=ou,o=org, with filter (uid=marissa) [ldap] Added the eDirectory password marissa in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user marissa authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++- entering policy my_policy {...} +++? if (NAS-Identifier =~ /^Rad_test2/) ? Evaluating (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++? if (NAS-Identifier =~ /^Rad_test2/) -> TRUE +++- entering if (NAS-Identifier =~ /^Rad_test2/) {...} ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) rlm_ldap: Entering ldap_groupcmp() expand: ou=ou,o=org -> ou=ou,o=org expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Corporate Wireless Network,ou=ou,o=org, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dMarissa\2cou\3dou\2co\3dorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap::ldap_groupcmp: User found in group cn=Corporate Wireless Network,ou=ou,o=org rlm_ldap: ldap_release_conn: Release Id: 0 ? Evaluating (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++? if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) -> TRUE ++++- entering if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {...} +++++[reject] returns reject ++++- if (Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) returns reject +++- if (NAS-Identifier =~ /^Rad_test2/) returns reject ++- policy my_policy returns reject Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> marissa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 142 to 192.168.1.1 port 44783 Waking up in 1.7 seconds. Cleaning up request 0 ID 140 with timestamp +3 Waking up in 1.6 seconds. Cleaning up request 1 ID 141 with timestamp +5 Waking up in 1.6 seconds. Your guidance is greatly appreciated. Thanks.
<A.L.M.Buxey@lboro.ac.uk> 4/11/2015 02:33 PM >>> Hi,
Which files and where would this information go into? Is it possible to get an example of a policy with %{NAS-Identifier}
man unlang google searches for unlang and policy but heres some guidance: http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf something I knock up wont work for you as i dont know your requirements... you'd expect it to work...wonder why it doesnt do what you want..then get frustrated and lose trust with the platform. in the config files are quite a few examples of unlang and policy. look, read alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Got it working this morning! Changed the policy to be: my_policy { if (NAS-Identifier =~ /^Rad_test2/) { if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) { update request { Success = "Hello %{User-Name} you are allowed to use wireless network %{NAS-Identifier}" } } else { update request { Disallowed = "Hello %{User-Name} you are NOT allowed to use wireless network %{NAS-Identifier}" } reject } } } (also had to had to add lines to the dictionary file for the two update request lines) (did the update request lines just to see the success/disallow in the logs.) Seems to be working the way we want it to. All users that have an edirectory account can connect to the other wireless network, and only members of the "Corporate Wireless Network" edirectory group can connect to wireless network "Rad_test2". If there is something wrong with the policy, please point it out. Thanks. Brian
On Apr 11, 2015, at 9:15 PM, Brian Boere <brian.boere@netwize.ca> wrote:
What I have done is:
created an area called "my_policy" in the policy.conf file and added the following:
if (NAS-Identifier =~ /Rad_test2/) { if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {
For various reasons you'll have to do: if (!(Ldap-Group == "cn=Corporate Wireless Network,ou=ou,o=org" )) { That will work better.
reject } }
In the /sites-available/default file: under authorize:
update request { NAS-Identifier = "%{NAS-Identifier}" }
Huh? That does nothing useful. Why do you think that's necessary?
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 28 2014 at 23:17:30
And why 2.1.1? That's almost 7 years old. Use 2.2.6. Alan DeKok.
Thanks for the feedback Alan. What is the benefit of the change to the Ldap-Group line? For the line in the sites-available/default, I had seen an example when I was trying to figure this out that had this in it. I will remove it. The version that I am using was installed from YAST2 on a SLES11 machine. I applied all of the updates through YAST and figured it was up to date. What is the best process to upgrade to 2.2.6? I appreciate your input. Brian
Alan DeKok <aland@deployingradius.com> 4/12/2015 08:54 AM >>> On Apr 11, 2015, at 9:15 PM, Brian Boere <brian.boere@netwize.ca> wrote: What I have done is:
created an area called "my_policy" in the policy.conf file and added the following:
if (NAS-Identifier =~ /Rad_test2/) { if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {
For various reasons you'll have to do: if (!(Ldap-Group == "cn=Corporate Wireless Network,ou=ou,o=org" )) { That will work better.
reject } }
In the /sites-available/default file: under authorize:
update request { NAS-Identifier = "%{NAS-Identifier}" }
Huh? That does nothing useful. Why do you think that's necessary?
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 28 2014 at 23:17:30
And why 2.1.1? That's almost 7 years old. Use 2.2.6. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 12, 2015, at 9:15 AM, Brian Boere <brian.boere@netwize.ca> wrote:
What is the benefit of the change to the Ldap-Group line?
Various internal implementation things... Anyways, if it works now, don't change it.
For the line in the sites-available/default, I had seen an example when I was trying to figure this out that had this in it. I will remove it.
It helps to *understand* what the config does. If you don't understand it, don't put it in.
The version that I am using was installed from YAST2 on a SLES11 machine. I applied all of the updates through YAST and figured it was up to date. What is the best process to upgrade to 2.2.6?
Download 2.2.6. configure / make / make install. Alan DeKok.
On Sun, Apr 12, 2015 at 09:15:12AM -0400, Brian Boere wrote:
What is the benefit of the change to the Ldap-Group line?
You've got if (Ldap-Group != ...) { <success> } else { <failure> } but note your config actually says "!=" -> not equal. It's to do with the way Ldap-Group works internally; it's not a real attribute, and does a lookup at each use. The operator is essentially taken as "==" each time. I'd either do what Alan suggested (if (!(Ldap-Group == ...))), or just change your "!=" to "==" - in the way you've written your config, it should work the same. But record what you've done now, so if changes don't work you can go back to them. The reason I'd fix it? If you upgrade later on to a version where Ldap-Group and != _do_ work as written, your config will break at that point. Better to make sure the logic looks correct now IMO.
The version that I am using was installed from YAST2 on a SLES11 machine. I applied all of the updates through YAST and figured it was up to date. What is the best process to upgrade to 2.2.6?
Many distributions are seriously (and annoyingly) way out of date with FreeRADIUS packages. You can build up-to-date SuSE packages fairly easily which will have all the latest bug/security fixes in. See http://wiki.freeradius.org/building/Build#Building-SUSE-packages Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I removed the update request in the sites-available/default as suggested. (and just as you said, it did not affect anything) Just wanting to confirm something in the Ldap-Group area. does the "!" at the begining of your recommended line just switch the result from "True" to "False" (and vice-versa)? I made the change, and things stopped working. When I removed the "!" from your recommended line, things started working again. (I did take the original line from an example and honestly not really knowing what the "!" did) (end requirement is that if the user is a member of the "Corporate Wireless Network" edirectory group, they are allowed to use the wireless network Rad_test2) I will also look into upgrading to at least the most recent version of 2. Should I be able to install version 3 and just move my config files over to it? Thanks. Brian
Alan DeKok <aland@deployingradius.com> 4/12/2015 08:54 AM >>> On Apr 11, 2015, at 9:15 PM, Brian Boere <brian.boere@netwize.ca> wrote: What I have done is:
created an area called "my_policy" in the policy.conf file and added the following:
if (NAS-Identifier =~ /Rad_test2/) { if ( Ldap-Group != "cn=Corporate Wireless Network,ou=ou,o=org" ) {
For various reasons you'll have to do: if (!(Ldap-Group == "cn=Corporate Wireless Network,ou=ou,o=org" )) { That will work better.
reject } }
In the /sites-available/default file: under authorize:
update request { NAS-Identifier = "%{NAS-Identifier}" }
Huh? That does nothing useful. Why do you think that's necessary?
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 28 2014 at 23:17:30
And why 2.1.1? That's almost 7 years old. Use 2.2.6. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Should I be able to install version 3 and >just move my config files over to it?
No. Version 3 is not config compatible. You need to start from scratch. Version 2.2.x is with previous 2.2.x and 2.1.x releases (there is a minor minor config thing but noone I know used/uses that option) alan
On Apr 12, 2015, at 10:19 AM, Brian Boere <brian.boere@netwize.ca> wrote:
does the "!" at the begining of your recommended line just switch the result from "True" to "False" (and vice-versa)?
That's what the documentation says. See "man unlang".
I made the change, and things stopped working. When I removed the "!" from your recommended line, things started working again.
If you're going to make random changes and *not* understand them, you won't get it configured correctly. For various reasons you can't use "LDAP-Group != ...". That's enough to know. BUT you have to put that knowledge together with what else you want to do.
(I did take the original line from an example and honestly not really knowing what the "!" did)
Then that's a problem. The configuration isn't difficult to understand "if" and "else" are well-known terms, and are easy to understand.
(end requirement is that if the user is a member of the "Corporate Wireless Network" edirectory group, they are allowed to use the wireless network Rad_test2)
Then configure that. It isn't much more complicated than the sentence above. Just put the "if" and "else" into the correct "unlang" syntax. Alan DeKok.
Providing your logic - good Providing your debug output - good This all helps. Getting to a working state yourself - good :) However, I'm not sure that you read the debug output to see what the logic was doing. Or you'd see why you had a strange inverse of the idea (you'd also see that the assigning of the NAS identifier does nothing). As Alan has already said, the ldap_group comparison operator is rather interesting and you really want to do a classic 'c style' negative check ( if !(ldap_group...... ) ) Would seriously advise looking at upgrading to latest 2.2.x - however if you are building from source and only just getting your current solution into place then look at 3.0.x instead. There are big big changes which may hinder a future migration from 2.x so get 3.0.x into place now., not later alan
I have done some reading and playing with things. I have set in the users file to use some of the variables in the response: Reply-Message="Hello %{User-Name} you have been authenticated from %{NAS-IP-Address} and an SSID of %{NAS-Identifier}", when going through the logs when running radiusd -X, I can see the NAS-Identifier in some of the responses. Unfortunately being new to FreeRadius, I don't know where or how to start using these variables to control who has access to the wireless networks. I am reading through the wiki and looking for examples without much luck. Thanks. Brian
Alan Buxey <A.L.M.Buxey@lboro.ac.uk> 4/11/2015 04:14 AM >>> Use unlang for policy. Use that attribute (or define a unique client id and use that instead) in a policy
%{client:shortname} %{NAS-IP-Address} etc etc are all available to be evaluated alan -- This email was Virus checked by Astaro Security Gateway. http://www.sophos.com
On Apr 11, 2015, at 7:35 AM, Brian Boere <brian.boere@netwize.ca> wrote:
Reply-Message="Hello %{User-Name} you have been authenticated from %{NAS-IP-Address} and an SSID of %{NAS-Identifier}",
when going through the logs when running radiusd -X, I can see the NAS-Identifier in some of the responses.
Unfortunately being new to FreeRadius, I don't know where or how to start using these variables to control who has access to the wireless networks.
I am reading through the wiki and looking for examples without much luck.
See raddb/sites-available/default. That's where policies go. Also, run the server in debugging mode. You will see how the "default" file is processed. See "man unlang". It documents the policy language. And look at the examples in raddb/sites-available/. There are a LOT of examples of how the server works, and how to write policies. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Brian Boere -
Matthew Newton