How to Restrict All Users from Certain APs
I'm running Freeradius 1.0.1 using MySQL as the database backend. I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users file, but I can't find any examples to work from. Has someone else done this? If so, I'd give anything to see how you did it. Thanks. Joe White System Administrator @ Arvato Digital Services @ 108 Monticello Rd, Weaverville, NC 28787 @ 828-423-0269
On 25/01/2012 20:35, White III, Joe wrote:
I'm running Freeradius 1.0.1 using MySQL as the database backend.
I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users file, but I can't find any examples to work from.
Has someone else done this? If so, I'd give anything to see how you did it.
Generally, you can only do this is if the requests from those "certain APs" have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject. Something like as documented!: https://github.com/alandekok/freeradius-server/blob/master/raddb/users If you are really still using 1.0.1 (Sept 2004!?), please do upgrade. Apart from the technical/security aspects, the current published documentation will apply ;) -James
Generally, you can only do this is if the requests from those "certain APs" have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject.
If I have three access points I don't want users to access, can I do something like below? +-----+------------------+----------------+-------+-------+-----------+ | id | nasname | shortname | type | ports | secret | +-----+------------------+----------------+-------+-------+-----------+ | 136 | 172.18.100.8 | ap-2000-cd6 | other | NULL | letmelook | | 11 | 172.18.100.4 | ap2000-cd-2 | other | NULL | letmelook | | 10 | 172.18.100.5 | ap2000-cd-3 | other | NULL | letmelook | DEFAULT shortname == ap-2000-cd6, Auth-type := reject, Fall-Through = yes DEFAULT shortname == ap2000-cd-2, Auth-type := reject Fall-Through = yes DEFAULT shortname == ap2000-cd-3, Auth-type := reject Joe White ________________________________ System Administrator @ Arvato Digital Services @ 108 Monticello Rd, Weaverville, NC 28787 @ 828-423-0269
On Thu, Jan 26, 2012 at 4:37 AM, White III, Joe <Joe.White@arvatousa.com> wrote:
Generally, you can only do this is if the requests from those "certain APs" have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject.
If I have three access points I don't want users to access, can I do something like below?
+-----+------------------+----------------+-------+-------+-----------+ | id | nasname | shortname | type | ports | secret | +-----+------------------+----------------+-------+-------+-----------+ | 136 | 172.18.100.8 | ap-2000-cd6 | other | NULL | letmelook | | 11 | 172.18.100.4 | ap2000-cd-2 | other | NULL | letmelook | | 10 | 172.18.100.5 | ap2000-cd-3 | other | NULL | letmelook |
DEFAULT shortname == ap-2000-cd6, Auth-type := reject, Fall-Through = yes
DEFAULT shortname == ap2000-cd-2, Auth-type := reject Fall-Through = yes
DEFAULT shortname == ap2000-cd-3, Auth-type := reject
Not sure. In FR-2.x you should be able to use DEFAULT Client-Shortname == ap-2000-cd6, Auth-type := reject, Fall-Through = yes ... or create some unlang policy using the variable "%{Client-Shortname}". But AFAIK unlang is 2.x, so I'm not sure whether the attribute is also filled in FR-1.x. I highly suggest you upgrade. Which OS/distro do you use? Most linux distros (even the "ancient" centos5 or ubuntu hardy) have a ready-to-use FR2 package. -- Fajar
Fajar wrote:
In FR-2.x you should be able to use
DEFAULT Client-Shortname == ap-2000-cd6, Auth-type := reject, Fall-Through = yes
Turns out the guest network is on a separate wireless VLAN, not on separate access points as first thought. Based on the debug output down below, could I do the following in the users file?: DEFAULT User-Password == "letmelook" Airespace-Wlan-Id = 4 Fall-Through = No rad_recv: Access-Request packet from host 172.18.17.152:32769, id=239, length=151 User-Name = "000b6b-b30fe2" Called-Station-Id = "00-1c-b1-06-bb-50:adisNet" Calling-Station-Id = "00-0b-6b-b3-0f-e2" NAS-Port = 1 NAS-IP-Address = 172.18.17.152 NAS-Identifier = "lkywcs02" --> Airespace-Wlan-Id = 4 <-- --> User-Password = "letmelook" <-- Service-Type = Call-Check Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 rlm_realm: No '@' in User-Name = "000b6b-b30fe2", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 radius_xlat: '000b6b-b30fe2' rlm_sql (sql): sql_set_user escaped user --> '000b6b-b30fe2' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000b6b-b30fe2' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000b6b-b30fe2' ORDER BY id rlm_sql (sql): User 000b6b-b30fe2 not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000b6b-b30fe2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000b6b-b30fe2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000b6b-b30fe2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000b6b-b30fe2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type System rad_check_password: Found Auth-Type Accept Warning: Found 2 auth-types on request for user '000b6b-b30fe2' rad_check_password: Auth-Type = Accept, accepting the user Login OK: [000b6b-b30fe2] (from client louwcs02 port 1 cli 00-0b-6b-b3-0f-e2) Sending Access-Accept of id 239 to 172.18.17.152 port 32769 Finished request 2 Going to the next request --- Walking the entire request list --- Cleaning up request 0 ID 237 with timestamp 4f26ad48 Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 238 with timestamp 4f26ad4d Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 239 with timestamp 4f26ad4e Nothing to do. Sleeping until we see a request.
White III, Joe wrote:
Based on the debug output down below, could I do the following in the users file?:
DEFAULT User-Password == "letmelook" Airespace-Wlan-Id = 4 Fall-Through = No
No. Put the Airespace attribute on the first line. See "man users" And use "Cleartext-Password := .." instead of User-Password. The server WILL tell you to do this when you run it in debugging mode. Alan DeKok.
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
James J J Hooper -
White III, Joe