RE: (Solved) Re: MAC authorisation (but not authentication) via LDAP
this looks great for my purpose as well thanks very much for your help Alan, The problem for me was that when the ldapsearch failed to find the MAC address, freeradius didn't reject authorisation. The solution for me, ( I'm sure the big boys can point out how it's wrong ), was the following script.. -------snip------- #!/bin/sh if $( echo $MODULE_FAILURE_MESSAGE | grep "not found" > /dev/null ); then echo "Auth-Type := reject"; exit 0; fi -------snip------- and the following clause in radiusd.conf -------snip------- exec rejectOnNotFound { wait = yes program = "/usr/local/etc/raddb/rejectOnNotFound.sh" input_pairs = request output_pairs = config } -------snip------- which is used in the authorise section thus -------snip------- Autz-Type LdapMAC { ldapMAC rejectOnNotFound } -------snip------- As I said, works for me. Hope it helps.. Mart Alan Walters wrote:
we a trying to add mac authentication to our wireless aps radius request comes in like so.
rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95 Service-Type = Framed-User NAS-Port-Id = "wlan1" User-Name = "00:0B:6B:56:1D:48" User-Password = "" NAS-Identifier = "ballyvaughan_ap_1" NAS-IP-Address = 10.250.100.3
the mac address is in a field in the ldap so i created a second ldap.attrib.map and a new ldap autz-type. the problem is that the user-password that is sent i blank so i added this to the users file. like so.
DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1 Fall-Through = 0
great now the user with authorise and authenticate from files. but what i had hoped would happen was if they failure authorisation they would not continue, i can see this is not the default proceedure. how can i make this work this way.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 users: Matched entry DEFAULT at line 4 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 Found Autz-Type ldapMAC Processing the authorize section of radiusd.conf modcall: entering group ldapMAC for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48 radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)' radius_xlat: 'o=clients,dc=radiowave,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389 radiustest:/etc/freeradius/config-clients# rlm_ldap: Bind was successful rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapmac1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall: leaving group ldapMAC (returns notfound) for request 0
but when the authentication starts this stilll happens, below was an idea someone had in respect to this issue or a similar one but i have no idea how to deploy this look forward to your replys.
auth: type Local auth: user supplied User-Password matches local User-Password Processing the session section of radiusd.conf modcall: entering group session for request 0 modcall: entering group redundant for request 0 modcall[session]: module "sql2" returns noop for request 0 modcall: leaving group redundant (returns noop) for request 0 modcall: leaving group session (returns noop) for request 0 Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0) Sending Access-Accept of id 119 to 10.250.100.3 port 1038
On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
Martin Whinnery wrote:
Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus,
the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute.
Mart
This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'.
I think.
Anyway, it works.
Thanks for all your help.
Mart
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
participants (1)
-
Alan Walters