Reject authentication attempts based on "cli" value?
It is a Cisco WLAN 4402. For reference, here is a log entry from a user connecting from the Guest network: Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101) And here is a log entry from someone connecting via 802.1x on another network: Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3) As you can see the only way I have to differentiate these two auth attempts is via the "cli" value. 192.168.100.x is the subnet range of my Guest network. I want all auth attempts from 192.168.100.x to be rejected. Hope someone can help me out with this. Thanks.
Date: Thu, 15 Mar 2007 10:55:55 -0400 From: "King, Michael" <MKing@bridgew.edu> Subject: RE: To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <6641F169E241EA40B29DE7BFAD24674DA7A43B@EXCH2.campus.bridgew.edu> Content-Type: text/plain; charset="iso-8859-1"
What manufacturer makes the NAS (the wireless controller?)
I would look to the Called-Station field. Usually (Based on Cisco AP's) this is the MAC of the AP, followed by the SSID they connected to.
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of markcapelle@pcmc.com Sent: Thursday, March 15, 2007 10:48 AM To: freeradius-users@lists.freeradius.org Subject:
I have a situation where I have a wireless controller that services multiple wireless networks (vlans).? When the controller contacts the RADIUS server with an authentication request, it does so with the IP address of the controller as the client address.? The problem is I have a guest network that has lower security than my other wireless networks.? The guest network has it's own user/password database stored in the controller, but the way authentication occurs is that it checks RADIUS for the user first and assumes it will fail, then will use the internal database.? The issue with this is that if one of my users jumps on the guest network, they are authenticated which is not what I want to happen.? Looking at the logs, I noticed that all the guest network users have the IP address of the client in the "cli" field.? My guest network is a totally different VLAN and IP subnet.
Is there a way to key off of the "cli" field and then make it so that all requests from clients with a specific subnet in this field are not authenticated?? This would stop my internal users from connecting, but allow the correct users (those in the internal DB) to still get connected.
Thanks. CONFIDENTIALITY NOTICE: This e-mail may contain trade secrets or privileged, undisclosed or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying or distribution of this message in whole or in part is strictly prohibited. Please inform the sender immediately and destroy the original transmittal. Thank you for your cooperation.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CONFIDENTIALITY NOTICE: This e-mail may contain trade secrets or privileged, undisclosed or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying or distribution of this message in whole or in part is strictly prohibited. Please inform the sender immediately and destroy the original transmittal. Thank you for your cooperation.
On Thu, 2007-03-15 at 11:23 -0500, markcapelle@pcmc.com wrote:
It is a Cisco WLAN 4402. For reference, here is a log entry from a user connecting from the Guest network:
Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
And here is a log entry from someone connecting via 802.1x on another network:
Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)
As you can see the only way I have to differentiate these two auth attempts is via the "cli" value. 192.168.100.x is the subnet range of my Guest network. I want all auth attempts from 192.168.100.x to be rejected.
Hope someone can help me out with this.
Thanks.
I apologize if you've already done this, but have you looked at the detail module in the radiusd.conf file. I have sometimes found that turning on the detail accounting files will provide clues when trying to figure out differences between different requests. You should find these in the modules section of the radiusd.conf file. If you un-comment them, you should be able to get some more information from each request. (The resultinig files should end up in some place like /var/log/radius/radacct or something like that.) -- John Guthrie guthrie@counterexample.org
participants (2)
-
John T. Guthrie -
markcapelleļ¼ pcmc.com