Re: Freeradius-Users Digest, Vol 178, Issue 5
Greets - is there a way in unlang to test against attributes created after a 'files' module? Not sure if I'm asking that correctly, so here's what I'm trying to do: SSID: test1 -- EAP-TLS only with cert loaded on supplicant, no further auth (my usual setup) SSID: test2 -- EAP-TTLS with mac auth and user-name/pwd auth to restrict unauthorized Apple clients (like watches) SSID: test3 -- EAP-TTLS with only user-name/pwd for a guest access portal. clients associating with test1 only associate with test 1 (since they are the only ones with a cert pre-installed and choose eap-tls mode to make it work, thus no user/pwd/mac filtering needed), usernames from 'test2' shall be permitted to ONLY associate with test2, and usernames for test3 shall be permitted to ONLY associate with test3. IF a client attempts associating with test2 and has a valid username/pwd in eap-ttls mode, then its mac is checked against a separate file (auth_macs) for final permission. I've been testing this out with manually-typed entries in nested if/switch statements with success, however I would "like" to be able to set my own VSA in the users file (or authorize file, since this is FR3) and be able to test against it inside of my default virtual-server:
>eg "files/authorize" (assuming "My-Allowed-SSID is in the dictionary correctly):
myusername Cleartext-Password := "mypassword" My-Allowed-SSID = "test2"
>>>and in "mods-enabled/files" appending:
files authorized_macs { key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs }
>>>in "${confdir}/authorized_macs":
50-F0-D3-10-B5-CA Reply-Message = "Device authorized".
>>>and in "sites-enabled/default":
if (Eap-Message) { ... if (Cisco-AVPair[0] == "ssid=test2") { authorized_macs if (ok) { <<< some method of calling files and testing if UserName matches Password and returning value of My-Allowed-SSID, and testing against = test2 >>> if (<<<ok and My-Allowed-SSID == "test2">>>) { eap } } } ... } I will eventually roll this over to a postgres db, but want to "make it work in the simple mode first". So far I have not been able to figure out how I would reference an attribute after calling a lookup from "files" or similar; the docs I am reading (network... and wiki.free....) point to module responses being mostly enumerated responses, not something that can contain dynamic responses and later parsed... Realizing this is a hugely complex question, and certainly not the only way to go about getting to the goal, this is also half-learn-more-about-FR than just a task for the office. Is there a way of having a separate "users" file (or files/authorize) that is queried after eap but does double-duty of the authorized_macs and username/pwd? The pwd for an account that has a restricted mac filter will be one-to-one (one mac, one u/p, one SSID combination). Regards, Ted.
On Feb 3, 2020, at 1:41 PM, Ted Hyde (RSI) <thyde@rndstudio.com> wrote:
Greets - is there a way in unlang to test against attributes created after a 'files' module? Not sure if I'm asking that correctly, so here's what I'm trying to do:
The attributes are just in one of the lists. "control" for attributes like Cleartext-Password, or "reply" for attributes added in the reply.
I've been testing this out with manually-typed entries in nested if/switch statements with success, however I would "like" to be able to set my own VSA in the users file (or authorize file, since this is FR3) and be able to test against it inside of my default virtual-server:
Sure
>> eg "files/authorize" (assuming "My-Allowed-SSID is in the dictionary correctly):
myusername Cleartext-Password := "mypassword" My-Allowed-SSID = "test2"
Then do: authorize { ... files ... if (&reply:My-Allowed-SSID == "test2") { ... } ... } The power of FreeRADIUS is that the modules are entirely independent. Once a module is finished, the attributes it added are available to any other module, or to unlang.
Is there a way of having a separate "users" file (or files/authorize) that is queried after eap but does double-duty of the authorized_macs and username/pwd? The pwd for an account that has a restricted mac filter will be one-to-one (one mac, one u/p, one SSID combination).
The "files" module matches on User-Name. So you can just set up one style of entry for MACs, and another for actual users. myusername Cleartext-Password := "mypassword" My-Allowed-SSID = "test2" ... 00:01:02:03:04:04 Cleartext-Password := "00:01:02:03:04:04" ... Alan DeKok.
participants (2)
-
Alan DeKok -
Ted Hyde (RSI)