-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, please, where am I mistaking? I need to auth user, comming from via hostapd as client, only if the user belongs to definite Ldap-Group (works fine via radiusGroupName attribute set for user LDAP object) and SSID (which I'm unable to pick - From Called-Station-Id) ... please advise how to do that correct ... I am trying to do it the way described here: http://wiki.freeradius.org/guide/Mac%20Auth#Mac-Auth-authorisation-by-SSID in debug I see - ---[ quotation start ]------------------------------------------- ... rad_recv: Access-Request packet from host 10.241.16.117 port 58063, id=40, length=202 User-Name = "vudhNrF7zxJJmteIVF/Xzg==" NAS-Identifier = "es-student.wrt" Called-Station-Id = "48-5B-39-E7-B0-3B:USER_SSID" NAS-Port-Type = Wireless-802.11 NAS-Port = 2 Calling-Station-Id = "00-BD-3A-69-69-1B" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 EAP-Message = 0x0254001d01767564684e7246377a784a4a6d74654956462f587a673d3d Message-Authenticator = 0x6c46a58131867c13ca7fb318d9d407fd ... Fri Jan 31 22:50:48 2014 : Info: ++[logintime] = noop Fri Jan 31 22:50:48 2014 : Info: ++policy rewrite.called_station_id { ... Fri Jan 31 22:50:48 2014 : Info: ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) -> TRUE Fri Jan 31 22:50:48 2014 : Info: +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) -> TRUE Fri Jan 31 22:50:48 2014 : Info: +++if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) { Fri Jan 31 22:50:48 2014 : Info: ++++update request { Fri Jan 31 22:50:48 2014 : Info: expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 485b39e7b03b Fri Jan 31 22:50:48 2014 : Info: expand: %{7} -> USER_SSID Fri Jan 31 22:50:48 2014 : Info: ++++} # update request = noop Fri Jan 31 22:50:48 2014 : Info: +++} # if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) = noop Fri Jan 31 22:50:48 2014 : Info: +++ ... skipping else for request 1: Preceding "if" was taken Fri Jan 31 22:50:48 2014 : Info: ++} # policy rewrite.called_station_id = updated ... - ---[ quotation end ]------------------------------------------- but what is next? so, how to get Called-Station-Id and Called-Station-SSID set to be able to add SSID to user ldap attributes? - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlLsFQQACgkQr3jpPg/3oyrdogCgn6YZa0otNybkcWo38KHLRomD adsAoKVxMXQhF48JC6unIqdftzrEXZva =oe77 -----END PGP SIGNATURE-----
Zeus Panchenko writes:
so, how to get Called-Station-Id and Called-Station-SSID set to be able to add SSID to user ldap attributes?
It looks like the policy you ran worked. Are you saying that if you try to access the Called-Station-SSID attribute in the request after the policy has been run, that it does not contain the value? In that case, you should include the part of the debug output where the test for Called-Station-SSID (in users file or unlang) is done. If you have not written such a test yet you could put this underneath rewrite_called_station_id in the authorize section and your debug log should show you the expanded value. if ("%{Called-Station-SSID}" == "REJECTME") { reject }
From there, you should be able to work out how to compare against an attribute extracted from either a direct ldap module query, or loaded via the ldap.attrmap file.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Brian Julin <BJulin@clarku.edu> writes: In that case, you should include the part of the debug output where the test for Called-Station-SSID (in users file or unlang) is done.
yes, it is there, thank you
From there, you should be able to work out how to compare against an attribute extracted from either a direct ldap module query, or loaded via the ldap.attrmap file.
what namely can I do to see where ldap attribute `radiusCheckItem' value, set to `Called-Station-SSID == "USER_SSID"', is extracted to? How to get it and how to use it? .ldif for user and profile are: - ---[ quotation start ]------------------------------------------- dn: cn=student2,ou=users,ou=radius,dc=es cn: student2 objectclass: radiusprofile objectclass: person radiusgroupname: students sn: student2 userpassword: student2 dn: cn=students,ou=profiles,ou=radius,dc=es cn: students description: checked in file users objectclass: radiusprofile objectclass: person radiuscheckitem: Called-Station-SSID == "USER_SSID" radiusreplyitem: Tunnel-Private-Group-Id = 21 radiusreplyitem: Tunnel-Type = 13 radiusreplyitem: Tunnel-Medium-Type = 6 radiusreplymessage: Hello, profile STUDENT was applied to you. radiussessiontimeout: 900 sn: students - ---[ quotation end ]------------------------------------------- here is what is in the debug: - ---[ quotation start ]------------------------------------------- ... Sat Feb 1 12:49:50 2014 : Info: ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) -> TRUE Sat Feb 1 12:49:50 2014 : Info: +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) -> TRUE Sat Feb 1 12:49:50 2014 : Info: +++if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i) { Sat Feb 1 12:49:50 2014 : Info: ++++update request { Sat Feb 1 12:49:50 2014 : Info: expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 485b39e7b03b Sat Feb 1 12:49:50 2014 : Info: expand: %{7} -> USER_SSID Sat Feb 1 12:49:50 2014 : Info: ++++} # update request = noop ... Sat Feb 1 12:49:50 2014 : Debug: [ldap] performing search in cn=students,ou=profiles,ou=radius,dc=es, with filter (objectclass=radiusprofile) Sat Feb 1 12:49:50 2014 : Debug: [ldap] extracted attribute Called-Station-SSID from generic item Called-Station-SSID := "USER_SSID" Sat Feb 1 12:49:50 2014 : Debug: [ldap] radiusReplyMessage -> Reply-Message = "Hello, profile STUDENT was applied to you." Sat Feb 1 12:49:50 2014 : Debug: [ldap] radiusSessionTimeout -> Session-Timeout = 900 Sat Feb 1 12:49:50 2014 : Debug: [ldap] extracted attribute Tunnel-Private-Group-Id from generic item Tunnel-Private-Group-Id = 21 Sat Feb 1 12:49:50 2014 : Debug: [ldap] extracted attribute Tunnel-Type from generic item Tunnel-Type = 13 Sat Feb 1 12:49:50 2014 : Debug: [ldap] extracted attribute Tunnel-Medium-Type from generic item Tunnel-Medium-Type = 6 Sat Feb 1 12:49:50 2014 : Info: [ldap] looking for check items in directory... Sat Feb 1 12:49:50 2014 : Debug: [ldap] userPassword -> Cleartext-Password == "student2" Sat Feb 1 12:49:50 2014 : Debug: [ldap] userPassword -> Password-With-Header == "student2" Sat Feb 1 12:49:50 2014 : Info: [ldap] looking for reply items in directory... Sat Feb 1 12:49:50 2014 : Info: [ldap] Pairs do not match. Rejecting user. Sat Feb 1 12:49:50 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Sat Feb 1 12:49:50 2014 : Info: ++[ldap] = reject ... - ---[ quotation end ]------------------------------------------- which pairs, ldap module complains, do not match? :( - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlLtLq4ACgkQr3jpPg/3oyrH+ACfZEAbMh8sPesD+1hcve6hFFjb 7SYAoO1i7o8YyNUjEDqr7ANenBoYDoVE =ZmFT -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Brian Julin <BJulin@clarku.edu> writes: ...I do not see why radiusCheckItem would report that it is using the operator ":=" instead of "==". This might be usual behavior but that
it was my mistake, it was wrong peace of the debug info, sorry now I do can successfully split original Called-Station-Id on Called-Station-Id and Called-Station-SSID, but now I wonder, how to use them to assign User-Profile according to Called-Station-SSID ... and is it possible at all ... so, I changed: 1. [ quotation start raddb/policy.conf ]------------------------- rewrite.called_station_id { ... # SSID component? if ("%{8}") { update request { Called-Station-Id := "%{Called-Station-Id}" Called-Station-SSID := "%{8}" } } updated ... } - - ---[ quotation end ]------------------------------------------- 2. [ quotation start raddb/dictionary ]-------------------------- ... #ATTRIBUTE My-Local-String 3000 string #ATTRIBUTE My-Local-IPAddr 3001 ipaddr #ATTRIBUTE My-Local-Integer 3002 integer # The SSID the supplicant/user device connected to ATTRIBUTE Called-Station-SSID 3010 string - - ---[ quotation end ]------------------------------------------- 3. [ quotation start raddb/sites-available/default ]------------- authorize { ... rewrite.called_station_id if ("%{Called-Station-SSID}" == "REJECTME") { reject } ... } preacct { ... rewrite.called_station_id } - - ---[ quotation end ]------------------------------------------- and in the debug I have this: - - ---[ quotation start ]------------------------------------------- Thu Feb 6 15:39:32 2014 : Info: ++policy rewrite.called_station_id { Thu Feb 6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) Thu Feb 6 15:39:32 2014 : Info: ?? Evaluating (Called-Station-Id) -> TRUE Thu Feb 6 15:39:32 2014 : Info: expand: policy.mac-addr -> policy.mac-addr Thu Feb 6 15:39:32 2014 : Info: expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$ Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE Thu Feb 6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE Thu Feb 6 15:39:32 2014 : Info: +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { Thu Feb 6 15:39:32 2014 : Info: ++++update request { Thu Feb 6 15:39:32 2014 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 92-F6-52-5B-AC-CF Thu Feb 6 15:39:32 2014 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 92-f6-52-5b-ac-cf Thu Feb 6 15:39:32 2014 : Info: ++++} # update request = noop Thu Feb 6 15:39:32 2014 : Info: ++++? if ("%{8}") Thu Feb 6 15:39:32 2014 : Info: expand: %{8} -> USER_SSID Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{8}") -> TRUE Thu Feb 6 15:39:32 2014 : Info: ++++? if ("%{8}") -> TRUE Thu Feb 6 15:39:32 2014 : Info: ++++if ("%{8}") { Thu Feb 6 15:39:32 2014 : Info: +++++update request { Thu Feb 6 15:39:32 2014 : Info: expand: %{Called-Station-Id} -> 92-f6-52-5b-ac-cf Thu Feb 6 15:39:32 2014 : Info: expand: %{8} -> USER_SSID Thu Feb 6 15:39:32 2014 : Info: +++++} # update request = noop Thu Feb 6 15:39:32 2014 : Info: ++++} # if ("%{8}") = noop Thu Feb 6 15:39:32 2014 : Info: ++++[updated] = updated Thu Feb 6 15:39:32 2014 : Info: +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated Thu Feb 6 15:39:32 2014 : Info: +++ ... skipping else for request 0: Preceding "if" was taken Thu Feb 6 15:39:32 2014 : Info: ++} # policy rewrite.called_station_id = updated Thu Feb 6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME") Thu Feb 6 15:39:32 2014 : Info: expand: %{Called-Station-SSID} -> USER_SSID Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-SSID}" == "REJECTME") -> FALSE Thu Feb 6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME") -> FALSE - - ---[ quotation end ]------------------------------------------- so, how can I use Called-Station-SSID value to assign User-Profile to user coming with definite Called-Station-SSID? can I do that via ldap attribute radiusCheckItem at all? group object: - - ---[ quotation start ]------------------------------------------- dn: cn=students,ou=profiles,ou=radius,dc=es cn: students objectclass: radiusprofile objectclass: person radiuscheckitem: Called-Station-SSID == "USER_SSID" radiusreplymessage: "Good day student" radiussessiontimeout: 900 radiustunnelmediumtype: 6 radiustunnelprivategroupid: 22 radiustunneltype: 13 sn: students - - ---[ quotation end ]------------------------------------------- what I hoped for here, is: when coming user Called-Station-SSID is "USER_SSID" then the profile "students" is applied, if Called-Station-SSID differs, than this profile is not applied but while processing user data, radiusd assigns this profile and show no any activity upon this AVP ... - - ---[ quotation start ]------------------------------------------- ... Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in ou=users,ou=radius,dc=es, with filter (&(radiusGroupName=students)(cn=student1)) Thu Feb 6 15:39:32 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group students Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 6 15:39:32 2014 : Info: [files] users: Matched entry DEFAULT at line 11 Thu Feb 6 15:39:32 2014 : Info: [files] expand: %{User-Name}, you are comming as student. -> student1, you are comming as student. Thu Feb 6 15:39:32 2014 : Info: ++[files] = ok ... Sending Access-Challenge of id 76 to 10.241.16.254 port 49990 Tunnel-Private-Group-Id:0 = "22" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Reply-Message = "Good day student" Session-Timeout = 900 EAP-Message = 0x016200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x238f100423ed1d9a6b43b9eba1333de2 User-Name = "student1" NAS-Identifier = "es-student.wrt" Called-Station-Id = "92-F6-52-5B-AC-CF:USER_SSID" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = "DC-85-DE-25-92-98" Connect-Info = "CONNECT 54Mbps 802.11g" Framed-MTU = 1400 ... Thu Feb 6 15:39:32 2014 : Info: [ldap] performing user authorization for student1 Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Feb 6 15:39:32 2014 : Info: [ldap] ... expanding second conditional Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: %{User-Name} -> student1 Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=student1) Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: ou=users,ou=radius,dc=es -> ou=users,ou=radius,dc=es Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in ou=users,ou=radius,dc=es, with filter (cn=student1) Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in cn=students,ou=profiles,ou=radius,dc=es, with filter (objectclass=radiusprofile) Thu Feb 6 15:39:32 2014 : Debug: [ldap] extracted attribute Called-Station-SSID from generic item Called-Station-SSID == "USER_SSID" Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "22" Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusReplyMessage -> Reply-Message = "Good day student" Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusSessionTimeout -> Session-Timeout = 900 Thu Feb 6 15:39:32 2014 : Info: [ldap] looking for check items in directory... Thu Feb 6 15:39:32 2014 : Debug: [ldap] userPassword -> Cleartext-Password == "student1" Thu Feb 6 15:39:32 2014 : Debug: [ldap] userPassword -> Password-With-Header == "student1" Thu Feb 6 15:39:32 2014 : Info: [ldap] looking for reply items in directory... Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 6 15:39:32 2014 : Info: ++[ldap] = ok - - ---[ quotation end ]------------------------------------------- why "[ldap] looking for check items in directory..." doesn't contain anything concerning Called-Station-SSID? what need I to say, radiusd to know about this condition? - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlL0JZIACgkQr3jpPg/3oyo0vgCg7VQxA/0l7c3dr0LK1v1JmSeO BT8AnR6LrYLEKrzZFKc8RDm/0ub09qfa =4UoX -----END PGP SIGNATURE-----
participants (2)
-
Brian Julin -
Zeus Panchenko