How to deal with device self-registration best?
Hello everyone! I am quite new to freeradius and apologize if this has been answered before, I have searched - and a lot of it without finding a good answer. Please direct me if this is already answered. I have a setup of Extreme Wing wi-fi controller and want to implement a guest-user system with captive-portal and device registration/recognition in combination with the standard pre-defined users. I have a radius server going and everything is good as long as I have a user created in radius. Now my challenge is that for "device registration" I see in radius debugs a username sent in form of device mac-address (password is empty) and the expected access-reject as this user is not defined. How can I on the fly add non-existing users into radius database (we use mysql) and from there let accounting take over for session limitations etc? Preferably this would also match some sort of criteria, example a specific subnet. I greatly appreciate any help! Mvh Cristian Nilsson Systemingenjör IP - NMC Service Support Service Assurance Communication - NMC ELTEL Networks Infranet AB Postadress - Box 8914, 402 73 Göteborg Besöksadress - Säterigatan 20, 417 64 Göteborg Orgnr: 556555-1073 Säte: Stockholm cristian.nilsson@eltelnetworks.se<mailto:cristian.nilsson@eltelnetworks.se> Telefon +46(0)727 09 72 71 www.eltelnetworks.se CONFIDENTIALITY NOTICE This e-mail is confidential and may contain legally privileged information. If you have received it by mistake, please inform us by reply e-mail and then delete it (including any attachments) from your system; you should not copy it or in any other way disclose its content to anyone.
On Jan 28, 2020, at 5:16 PM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson@eltelnetworks.se> wrote:
I have a setup of Extreme Wing wi-fi controller and want to implement a guest-user system with captive-portal and device registration/recognition in combination with the standard pre-defined users.
Generally speaking, registration is done by the captive portal. RADIUS doesn't really support that.
I have a radius server going and everything is good as long as I have a user created in radius.
Yes.
Now my challenge is that for "device registration" I see in radius debugs a username sent in form of device mac-address (password is empty) and the expected access-reject as this user is not defined.
Yes, because the user / device isn't known.
How can I on the fly add non-existing users into radius database (we use mysql) and from there let accounting take over for session limitations etc?
While it's possible to update the SQL tables dynamically, it's not recommended. FreeRADIUS doesn't typically have write permission to the "radcheck" and "radreply" tables, for security reasons. My $0.02 is to get the captive portal to update the SQL database. It's the common practice, and it's the best / simplest way to do it. Alan DeKok.
Hello, Thank you for such fast answer. While your way definitely seems like the best way I don't think we have that option with extreme wing controllers. Where would I start looking to modify the access-accept/reject function of freeradius? My idea is to do the normal check and if failed just insert into the database. Br, Cristian Skickat från min iPhone
29 jan. 2020 kl. 01:37 skrev Alan DeKok <aland@deployingradius.com>:
On Jan 28, 2020, at 5:16 PM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson@eltelnetworks.se> wrote: I have a setup of Extreme Wing wi-fi controller and want to implement a guest-user system with captive-portal and device registration/recognition in combination with the standard pre-defined users.
Generally speaking, registration is done by the captive portal. RADIUS doesn't really support that.
I have a radius server going and everything is good as long as I have a user created in radius.
Yes.
Now my challenge is that for "device registration" I see in radius debugs a username sent in form of device mac-address (password is empty) and the expected access-reject as this user is not defined.
Yes, because the user / device isn't known.
How can I on the fly add non-existing users into radius database (we use mysql) and from there let accounting take over for session limitations etc?
While it's possible to update the SQL tables dynamically, it's not recommended. FreeRADIUS doesn't typically have write permission to the "radcheck" and "radreply" tables, for security reasons.
My $0.02 is to get the captive portal to update the SQL database. It's the common practice, and it's the best / simplest way to do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C836dcafa7fe0440b962908d7a4537050%7C9efbd86ae4b1487daab00eb074722602%7C0%7C0%7C637158550582067371&sdata=%2B9anJ7ZFcuUY%2FIm9ZPESk27EWdUFNIL3PIUJg%2ByNTmo%3D&reserved=0
On Jan 29, 2020, at 2:26 AM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson@eltelnetworks.se> wrote:
While your way definitely seems like the best way I don't think we have that option with extreme wing controllers.
That makes it harder.
Where would I start looking to modify the access-accept/reject function of freeradius?
My idea is to do the normal check and if failed just insert into the database.
Since this is a specialized use-case, I would suggest creating a specialized table in SQL. There's no need to use the default schema, which is complicated. Just create a table of known MACs, and then run SQL queries from unlang: authorize { ... if ("%{sql:SELECT mac FROM table WHERE mac = '%{User-Name}}" != "") { # # Just run an SQL INSERT with some magic unlang so that it runs # update control { Tmp_String-0 := "%{sql:INSERT into table MAC = '%{User-Name}'}" } } ... } You will need to create the table, set the correct permissions, and fix the queries for your SQL server. But that's the basic idea. Alan DeKok.
Hello, Thank you for reply! I am however not really sure I completely understand how to bind this new table to also take into consideration accounting. I have created a new table inside "radius" db: MariaDB [radius]> describe macauth; +------------+-----------------+------+-----+-------------------+-----------------------------+ | Field | Type | Null | Key | Default | Extra | +------------+-----------------+------+-----+-------------------+-----------------------------+ | id | int(6) unsigned | NO | PRI | NULL | auto_increment | | macaddress | varchar(17) | NO | | NULL | | | usergroup | varchar(64) | NO | | NULL | | | reg_date | timestamp | NO | | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP | +------------+-----------------+------+-----+-------------------+-----------------------------+ 4 rows in set (0.00 sec) I have edited _sites-enabled/default_ "authorize {" section and added: if ("%{sql:SELECT COUNT(macaddress) FROM macauth WHERE macaddress = '%{User-Name}'}" != 0) { update control { Auth-Type := "Accept" } } else { %{sql:INSERT INTO macauth VALUES (0, '%{User-Name}', '5min', NULL)} } Now this does work, the user is allowed and I see an entry made in table macauth for each new device. I am not sure this is a good or a bad way to accept users thou... And I am now quite clueless as of how to bind this into accounting also... I need to give users some attributes to handle session timers etc. (they would in this case need to match group "5min"). If you could so kindly give me a direction here also I would much appreciate it! Br, Cristian -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+cristian.nilsson=eltelnetworks.se@lists.freeradius.org> On Behalf Of Alan DeKok Sent: den 29 januari 2020 15:15 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to deal with device self-registration best? On Jan 29, 2020, at 2:26 AM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson@eltelnetworks.se> wrote:
While your way definitely seems like the best way I don't think we have that option with extreme wing controllers.
That makes it harder.
Where would I start looking to modify the access-accept/reject function of freeradius?
My idea is to do the normal check and if failed just insert into the database.
Since this is a specialized use-case, I would suggest creating a specialized table in SQL. There's no need to use the default schema, which is complicated. Just create a table of known MACs, and then run SQL queries from unlang: authorize { ... if ("%{sql:SELECT mac FROM table WHERE mac = '%{User-Name}}" != "") { # # Just run an SQL INSERT with some magic unlang so that it runs # update control { Tmp_String-0 := "%{sql:INSERT into table MAC = '%{User-Name}'}" } } ... } You will need to create the table, set the correct permissions, and fix the queries for your SQL server. But that's the basic idea. Alan DeKok. - List info/subscribe/unsubscribe? See https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C70df29cb73df43cf7d5c08d7a4c5a7d4%7C9efbd86ae4b1487daab00eb074722602%7C0%7C0%7C637159041140069045&sdata=i89NMVFbUp4HiNNAXvX4Qopof%2FSqb%2FilWr21BRY4BH4%3D&reserved=0
On Feb 3, 2020, at 8:18 AM, Nilsson, Cristian (Göteborg) <Cristian.Nilsson@eltelnetworks.se> wrote:
I am however not really sure I completely understand how to bind this new table to also take into consideration accounting.
Accounting is completely different from authentication.
I have created a new table inside "radius" db:
MariaDB [radius]> describe macauth; +------------+-----------------+------+-----+-------------------+-----------------------------+ | Field | Type | Null | Key | Default | Extra | +------------+-----------------+------+-----+-------------------+-----------------------------+ | id | int(6) unsigned | NO | PRI | NULL | auto_increment | | macaddress | varchar(17) | NO | | NULL | | | usergroup | varchar(64) | NO | | NULL | | | reg_date | timestamp | NO | | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP | +------------+-----------------+------+-----+-------------------+-----------------------------+
That's good..
I have edited _sites-enabled/default_ "authorize {" section and added:
if ("%{sql:SELECT COUNT(macaddress) FROM macauth WHERE macaddress = '%{User-Name}'}" != 0) { update control { Auth-Type := "Accept" } } else { %{sql:INSERT INTO macauth VALUES (0, '%{User-Name}', '5min', NULL)} }
That should work.
Now this does work, the user is allowed and I see an entry made in table macauth for each new device. I am not sure this is a good or a bad way to accept users thou...
If it works, it works/
And I am now quite clueless as of how to bind this into accounting also... I need to give users some attributes to handle session timers etc. (they would in this case need to match group "5min").
What "group" do you mean? You have to write more custom queries here. It's difficult to give you specific guidance, because it's a complex subject. The short answer is that if you're doing custom schemas, you have to write *all* of the queries yourself. If you use the default schema, everything "just works". But, the default schema may not do what you need. Alan DeKok.
participants (2)
-
Alan DeKok -
Nilsson, Cristian (Göteborg)