Hi, Sorry if the questions have been asked. I have done a lot of searches, but could not find the answer. Normally, I proxy a PEAP request whenever the realm is unknown to us (i.e. using the DEFAULT realm without stripping user name). However, for some SSIDs, I want requests to be handled locally with ldap, independent of what the realm is (and with the user name stripped). What I did is to find those SSIDs in "Called-Station-ID" and set proxy-to-realm to a local realm. But the problem (I guess) is that when freeradius processes the realm file, the user name is not stripped. When later on processed by the local realm, the request fails because the user name still contains the domain. Any suggestions to solve it is appreciated. Thanks in advance. Best Regards, Lai Users ===== DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~ "MY-SSID$", St rip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := "hku.hk" DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd Radiusd -X ========= rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152 NAS-Port-Id = "2098/1" Calling-Station-Id = "00-18-DE-83-3E-1B" Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap" Service-Type = Framed-User EAP-Message = 0x02010012017063637732406173642e636f6d User-Name = "pcw2@asd.com" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 17.18.28.26 Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: Looking up realm "asd.com" for User-Name = "pcw2@asd.com" rlm_realm: Found realm "DEFAULT" rlm_realm: Proxying request from user pcw2 to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Preparing to proxy authentication request to realm "DEFAULT" modcall[authorize]: module "suffix" returns updated for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 users: Matched entry DEFAULT at line 171 users: Matched entry DEFAULT at line 244 modcall[authorize]: module "files" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 Found Autz-Type usePlainTextPwd Processing the authorize section of radiusd.conf modcall: entering group usePlainTextPwd for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for pcw2@asd.com radius_xlat: '(&(uid=pcw2@asd.com)))' radius_xlat: 'ou=ldap,o=hku,c=hk' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (&(uid=pcw2@asd.com)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "withNTPwd" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall: leaving group usePlainTextPwd (returns notfound) for request 0 WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm! Cancelling invalid proxy request. rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 WARNING: Cancelling proxy to Realm hku.hk, as the realm is local. Sending Access-Challenge of id 136 to 17.18.28.26 port 20002 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfd7f032f1c3ed7e8e39bf1872727e771 Finished request 0 Going to the next request
Lai Fu Keung wrote:
Normally, I proxy a PEAP request whenever the realm is unknown to us (i.e. using the DEFAULT realm without stripping user name). However, for some SSIDs, I want requests to be handled locally with ldap, independent of what the realm is (and with the user name stripped). What I did is to find those SSIDs in "Called-Station-ID" and set proxy-to-realm to a local realm.
OK...
But the problem (I guess) is that when freeradius processes the realm file, the user name is not stripped. When later on processed by the local realm, the request fails because the user name still contains the domain.
The problem is that the realms file *isn't* being processed. That's why the user names aren't stripped. You can always put the check for SSID *after* the check for the realms. In that case, the usernames will be stripped, and the SSID check can cancel any proxying, just like you do now. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
The "Called-Station-Id" has the SSID included, in addition to the MAC address. Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap" Lai ________________________________ From: freeradius-users-bounces+lfk=cc.hku.hk@lists.freeradius.org [mailto:freeradius-users-bounces+lfk=cc.hku.hk@lists.freeradius.org] On Behalf Of Santiago Balaguer Garcia Sent: Wednesday, January 24, 2007 4:11 PM To: freeradius-users@lists.freeradius.org Subject: Re: Proxying based on SSID I think both are wrong because you must distinguish amog the different SSIDs that an AP broadcast. It sometimes happens the wireless MAC are the same for all SSIDs. Only some devices (such as Mikrotik) let change the MAC for each ESSID. Another thing is you have to differenciate the ESSID in your user manager. A solutions can be via VLAN's and your user manager chooses the ESSID by the VLAN adding a posible prefix to the username. I use Mikrotik device which distinguish the ESSID via MAC and I can add the prefix because each ESSID have its own login page. ________________________________ From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Proxying based on SSID Date: Wed, 24 Jan 2007 08:18:02 +0100 >Lai Fu Keung wrote: > > Normally, I proxy a PEAP request whenever the realm is unknown to us > > (i.e. using the DEFAULT realm without stripping user name). However, for > > some SSIDs, I want requests to be handled locally with ldap, independent > > of what the realm is (and with the user name stripped). What I did is to > > find those SSIDs in "Called-Station-ID" and > > set proxy-to-realm to a local realm. > > OK... > > > But the problem (I guess) is that when freeradius processes the realm > > file, the user name is not stripped. When later on processed by the > > local realm, the request fails because the user name still contains the > > domain. > > The problem is that the realms file *isn't* being processed. That's >why the user names aren't stripped. > > You can always put the check for SSID *after* the check for the >realms. In that case, the usernames will be stripped, and the SSID >check can cancel any proxying, just like you do now. > > Alan DeKok. >-- > http://deployingradius.com - The web site of the book > http://deployingradius.com/blog/ - The blog >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ Recibe ofertas de empleo adaptadas a tu perfil. Introduce tu CV en MSN Empleo. <http://g.msn.com/8HMBESES/2752??PS=47575>
You can always put the check for SSID *after* the check for the realms. In that case, the usernames will be stripped, and the SSID check can cancel any proxying, just like you do now.
Sorry Alan, I couldn't get you here. Currently, the process (with the problem) is: 1. Check the realm, which will set to DEFAULT, as the domain is unknown. The username is NOT stripped in the DEFAULT realm. 2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. The proxy is cancelled. But the username is still NOT stripped. Where should I put the "check for SSID *after* the check for the realms" as you suggest? Lai ________________________________ From: freeradius-users-bounces+lfk=cc.hku.hk@lists.freeradius.org on behalf of Alan DeKok Sent: Wed 1/24/2007 3:18 PM To: FreeRadius users mailing list Subject: Re: Proxying based on SSID Lai Fu Keung wrote:
Normally, I proxy a PEAP request whenever the realm is unknown to us (i.e. using the DEFAULT realm without stripping user name). However, for some SSIDs, I want requests to be handled locally with ldap, independent of what the realm is (and with the user name stripped). What I did is to find those SSIDs in "Called-Station-ID" and set proxy-to-realm to a local realm.
OK...
But the problem (I guess) is that when freeradius processes the realm file, the user name is not stripped. When later on processed by the local realm, the request fails because the user name still contains the domain.
The problem is that the realms file *isn't* being processed. That's why the user names aren't stripped. You can always put the check for SSID *after* the check for the realms. In that case, the usernames will be stripped, and the SSID check can cancel any proxying, just like you do now. Alan DeKok. -- http://deployingradius.com <http://deployingradius.com/> - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lai Fu Keung wrote:
1. Check the realm, which will set to DEFAULT, as the domain is unknown. The username is NOT stripped in the DEFAULT realm.
Then.... add a LOCAL realm of that domain. If that's impossible, use the "hints" file to match the user@domain by hand.
2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. The proxy is cancelled. But the username is still NOT stripped.
You can always add the Stripped-User-Name by hand, using the "hints" file. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks, Alan. I got it worked now by creating my own version of "Stripped-User-Name" in hints. So now I know more about how freeradius is working :-) Thanks everyone for all the replies. They may not head to the solution directly; but they really stimulate my thinking. Lai
-----Original Message----- From: freeradius-users-bounces+lfk=cc.hku.hk@lists.freeradius.org [mailto:freeradius-users-bounces+lfk=cc.hku.hk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, January 24, 2007 8:43 PM To: FreeRadius users mailing list Subject: Re: Proxying based on SSID
Lai Fu Keung wrote:
1. Check the realm, which will set to DEFAULT, as the domain is unknown. The username is NOT stripped in the DEFAULT realm.
Then.... add a LOCAL realm of that domain. If that's impossible, use the "hints" file to match the user@domain by hand.
2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. The proxy is cancelled. But the username is still NOT stripped.
You can always add the Stripped-User-Name by hand, using the "hints" file.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Lai Fu Keung -
Santiago Balaguer García