Freeradius Restrict User Auth Request Based on VLAN
Scenario: We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only. Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B. Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only. Regards, JZ <http:///>
On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
Sure. You need to update your DB schema and queries tho. - put the NASes into groups (dealer-A, dealer-B, etc.) - ensure that the users are somehow associated with different dealers - on login, look up dealer of NAS (call this NAS-dealer) - on login, lookup dealer of user (call this User-Dealer) - if User-dealer != NAS-dealer, then reject More details can't be given, because your question is very high level. Alan DeKok.
What if we have only single NAS? All users are pppoe base and connects to single main NAS. ________________________________ From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Sent: Wednesday, January 17, 2018 2:15 PM To: FreeRadius users mailing list Subject: Re: Freeradius Restrict User Auth Request Based on VLAN On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
Sure. You need to update your DB schema and queries tho. - put the NASes into groups (dealer-A, dealer-B, etc.) - ensure that the users are somehow associated with different dealers - on login, look up dealer of NAS (call this NAS-dealer) - on login, lookup dealer of user (call this User-Dealer) - if User-dealer != NAS-dealer, then reject More details can't be given, because your question is very high level. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 17/01/2018, at 10:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
Sure. You need to update your DB schema and queries tho.
- put the NASes into groups (dealer-A, dealer-B, etc.) - ensure that the users are somehow associated with different dealers - on login, look up dealer of NAS (call this NAS-dealer) - on login, lookup dealer of user (call this User-Dealer) - if User-dealer != NAS-dealer, then reject
More details can't be given, because your question is very high level.
Been meaning to reply to this one. It sounds like the OP has NASes (or maybe just one NAS) shared across many dealers, with one VLAN per dealer. I agree though, it is not very clear. I would suggest looking at the NAS-Port-Id attribute and see if you can use that to figure out the VLAN interface that the subscriber comes in on - whether that works or not depends on your NAS, and I imagine the protocol - Mikrotik docs suggest that this would work for PPPoE and hotspot. You can also set “realm” per RADIUS client, and set a RADIUS client per PPPoE server. This will send the Mikrotik-Realm attribute. You can add checks for the correct “NAS-Port-Id” or “Mikrotik-Realm” in the radcheck table. -- Nathan Ward
Ok I added this in RADCHECK table. NAS-Port-Id == VLAN2 & it seems to be working fine. Is there any way I can customized the radreply if user gets rejected dueto incorrect VLAN (for log purposes) ------------------------ Example of one module I have that checks for Invalid MAC. checkval{ reject = 1 } if(reject){ ok update reply { Reply-Message := "Incorrect MAC!" Framed-Pool := "invalid-mac-address-pool" Mikrotik-Rate-Limit := "1k/1k" } } I want something similar for the Incorrect VLAN users. is it possible? ________________________________ From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com@lists.freeradius.org> on behalf of Nathan Ward <lists+freeradius@daork.net> Sent: Wednesday, January 17, 2018 2:26 PM To: FreeRadius users mailing list Subject: Re: Freeradius Restrict User Auth Request Based on VLAN
On 17/01/2018, at 10:15 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
Sure. You need to update your DB schema and queries tho.
- put the NASes into groups (dealer-A, dealer-B, etc.) - ensure that the users are somehow associated with different dealers - on login, look up dealer of NAS (call this NAS-dealer) - on login, lookup dealer of user (call this User-Dealer) - if User-dealer != NAS-dealer, then reject
More details can't be given, because your question is very high level.
Been meaning to reply to this one. It sounds like the OP has NASes (or maybe just one NAS) shared across many dealers, with one VLAN per dealer. I agree though, it is not very clear. I would suggest looking at the NAS-Port-Id attribute and see if you can use that to figure out the VLAN interface that the subscriber comes in on - whether that works or not depends on your NAS, and I imagine the protocol - Mikrotik docs suggest that this would work for PPPoE and hotspot. You can also set “realm” per RADIUS client, and set a RADIUS client per PPPoE server. This will send the Mikrotik-Realm attribute. You can add checks for the correct “NAS-Port-Id” or “Mikrotik-Realm” in the radcheck table. -- Nathan Ward - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Support & Services<http://www.freeradius.org/list/users.html> www.freeradius.org The world's leading RADIUS server. The project includes a GPL AAA server, BSD licensed client and PAM and Apache modules. Full support is available from NetworkRADIUS.
Hi,
On 17/01/2018, at 11:58 PM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
Ok I added this in RADCHECK table.
NAS-Port-Id == VLAN2
& it seems to be working fine.
Awesome !
Is there any way I can customized the radreply if user gets rejected dueto incorrect VLAN (for log purposes)
------------------------
Example of one module I have that checks for Invalid MAC.
checkval{ reject = 1 } if(reject){ ok update reply { Reply-Message := "Incorrect MAC!" Framed-Pool := "invalid-mac-address-pool" Mikrotik-Rate-Limit := "1k/1k" } }
I want something similar for the Incorrect VLAN users.
is it possible?
Not really, doing it the way you are now with radcheck - it doesn’t tell you which didn’t match, it tells you that there were no matches for all of the conditions. 2 options off the top of my head (others may have better ideas): 1) Use radcheck, if it rejects, use sql xlat to check if there is a user match but not a NAS-Port-Id match. 2) Instead of adding NAS-Port-Id to radcheck, if it is successful use sql xlat to check a different table which has a Username and NAS-Port-Id columns, and validate that the NAS-Port-Id matches that username, and then you know that username auth was successful but “dealer” auth was / was not. (1) is probably faster (1 query for successful auth), (2) is probably conceptually easier to understand for people in the future who have to debug this. -- Nathan Ward
Respected Nathan Ward, I just tested following & worked ok, if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") { update reply { Reply-Message = 'You are not allowed to connect from this VLAN' } update control { Auth-Type := "Reject" } } Any suggestions to improve this? is this approach OK? can I make module for it ? and based on return result , take action? in checkval/expiration modules? ________________________________ From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com@lists.freeradius.org> on behalf of Nathan Ward <lists+freeradius@daork.net> Sent: Wednesday, January 17, 2018 4:07 PM To: FreeRadius users mailing list Subject: Re: Freeradius Restrict User Auth Request Based on VLAN Hi,
On 17/01/2018, at 11:58 PM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
Ok I added this in RADCHECK table.
NAS-Port-Id == VLAN2
& it seems to be working fine.
Awesome !
Is there any way I can customized the radreply if user gets rejected dueto incorrect VLAN (for log purposes)
------------------------
Example of one module I have that checks for Invalid MAC.
checkval{ reject = 1 } if(reject){ ok update reply { Reply-Message := "Incorrect MAC!" Framed-Pool := "invalid-mac-address-pool" Mikrotik-Rate-Limit := "1k/1k" } }
I want something similar for the Incorrect VLAN users.
is it possible?
Not really, doing it the way you are now with radcheck - it doesn’t tell you which didn’t match, it tells you that there were no matches for all of the conditions. 2 options off the top of my head (others may have better ideas): 1) Use radcheck, if it rejects, use sql xlat to check if there is a user match but not a NAS-Port-Id match. 2) Instead of adding NAS-Port-Id to radcheck, if it is successful use sql xlat to check a different table which has a Username and NAS-Port-Id columns, and validate that the NAS-Port-Id matches that username, and then you know that username auth was successful but “dealer” auth was / was not. (1) is probably faster (1 query for successful auth), (2) is probably conceptually easier to understand for people in the future who have to debug this. -- Nathan Ward - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Support & Services<http://www.freeradius.org/list/users.html> www.freeradius.org The world's leading RADIUS server. The project includes a GPL AAA server, BSD licensed client and PAM and Apache modules. Full support is available from NetworkRADIUS.
On 18/01/2018, at 12:47 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
Respected Nathan Ward,
I just tested following & worked ok,
Awesome !
if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") { update reply { Reply-Message = 'You are not allowed to connect from this VLAN' } update control { Auth-Type := "Reject" } }
Any suggestions to improve this? is this approach OK?
Looks OK to me.
can I make module for it ? and based on return result , take action? in checkval/expiration modules?
What do you mean “make a module for it” - you can make modules for anything you want. Don’t use checkval: http://networkradius.com/doc/3.0.10/upgrading/deleted-modules.html <http://networkradius.com/doc/3.0.10/upgrading/deleted-modules.html> What do you want the expiration module to do here exactly? -- Nathan Ward
- For some reasons we are still on 2.x series version. Will add unlag query once upgrade to 3.x. - by module I mean to say that for vlan checking I have added sql query in the authorize section. I wanted to make a module like 'checkvlan_module' in ./modules folder & then call it from sites-enabled/default file, & based on the result returned by the 'checkvlan_module' i can take action. One Example: #totalbytecounter{ #reject = 1 #} #if(reject){ #ok #update reply { #Reply-Message := "Quota Limit Exceed!" #} <http:///> ________________________________ From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com@lists.freeradius.org> on behalf of Nathan Ward <lists+freeradius@daork.net> Sent: Thursday, January 18, 2018 4:48 AM To: FreeRadius users mailing list Subject: Re: Freeradius Restrict User Auth Request Based on VLAN
On 18/01/2018, at 12:47 AM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
Respected Nathan Ward,
I just tested following & worked ok,
Awesome !
if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") { update reply { Reply-Message = 'You are not allowed to connect from this VLAN' } update control { Auth-Type := "Reject" } }
Any suggestions to improve this? is this approach OK?
Looks OK to me.
can I make module for it ? and based on return result , take action? in checkval/expiration modules?
What do you mean “make a module for it” - you can make modules for anything you want. Don’t use checkval: http://networkradius.com/doc/3.0.10/upgrading/deleted-modules.html <http://networkradius.com/doc/3.0.10/upgrading/deleted-modules.html> What do you want the expiration module to do here exactly? -- Nathan Ward - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
On 18/01/2018, at 4:54 PM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
- For some reasons we are still on 2.x series version. Will add unlag query once upgrade to 3.x.
The recommendation exists since 2.0. # As of 2.0, much of the functionality of this module is in "unlang". # You should probably investigate using that before trying to use # the "checkval" module.
- by module I mean to say that for vlan checking I have added sql query in the authorize section. I wanted to make a module like 'checkvlan_module' in ./modules folder & then call it from sites-enabled/default file, & based on the result returned by the 'checkvlan_module' i can take action.
One Example:
#totalbytecounter{ #reject = 1 #} #if(reject){ #ok #update reply { #Reply-Message := "Quota Limit Exceed!" #}
I think I see what you mean - you want to put the ugly looking sql and logic in another file? You want to put that in policy.conf. There are many examples in there of how to do this. I’m not sure what your `checkvlan_module’ file has in it, so I can’t really comment further as to whether it will do the same sort of thing. This is your file, that you have created, I can’t guess what is in it. -- Nathan Ward
yes you are right i want to move the 'ugly' looking sql statement in module file which is not yet created, i want to make one. but thank you, policy.conf have similar stuff. <http:///> ________________________________ From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com@lists.freeradius.org> on behalf of Nathan Ward <lists+freeradius@daork.net> Sent: Thursday, January 18, 2018 9:06 AM To: FreeRadius users mailing list Subject: Re: Freeradius Restrict User Auth Request Based on VLAN Hi,
On 18/01/2018, at 4:54 PM, JAHANZAIB SYED <aacable@hotmail.com> wrote:
- For some reasons we are still on 2.x series version. Will add unlag query once upgrade to 3.x.
The recommendation exists since 2.0. # As of 2.0, much of the functionality of this module is in "unlang". # You should probably investigate using that before trying to use # the "checkval" module.
- by module I mean to say that for vlan checking I have added sql query in the authorize section. I wanted to make a module like 'checkvlan_module' in ./modules folder & then call it from sites-enabled/default file, & based on the result returned by the 'checkvlan_module' i can take action.
One Example:
#totalbytecounter{ #reject = 1 #} #if(reject){ #ok #update reply { #Reply-Message := "Quota Limit Exceed!" #}
I think I see what you mean - you want to put the ugly looking sql and logic in another file? You want to put that in policy.conf. There are many examples in there of how to do this. I’m not sure what your `checkvlan_module’ file has in it, so I can’t really comment further as to whether it will do the same sort of thing. This is your file, that you have created, I can’t guess what is in it. -- Nathan Ward - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
JAHANZAIB SYED -
Nathan Ward