Hi, We use the freeradius to assigne users in the vlan. The default settings rejects users in case of a request from an unidentified user. Instead of this we would like assign him to a specific vlan. I don't find information about how to do this. Any pointer or information are wellcome. Regards, -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group
On 15/09/10 10:02, Fabien COMBERNOUS wrote:
Hi,
We use the freeradius to assigne users in the vlan. The default settings rejects users in case of a request from an unidentified user. Instead of this we would like assign him to a specific vlan. I don't find information about how to do this. Any pointer or information are wellcome.
Are you using 802.1x or macauth? If you are sending an access-reject, you can't assign a vlan. Reject means "give no service". You either need to send an accept with a vlan, or look for a "reject vlan" feature on your switch. If you are using 802.1x, you probably can't send an accept for an unknown user, because you won't be able to complete the EAP session properly.
Thank you Phil for your answer. On 15/09/2010 11:09, Phil Mayers wrote:
Are you using 802.1x or macauth?
If you are sending an access-reject, you can't assign a vlan. Reject means "give no service". You either need to send an accept with a vlan, or look for a "reject vlan" feature on your switch.
I'm using macauth. But how to assign a vlan on devices unidentified ? -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group
On 15/09/10 12:30, Fabien COMBERNOUS wrote:
Thank you Phil for your answer.
On 15/09/2010 11:09, Phil Mayers wrote:
Are you using 802.1x or macauth?
If you are sending an access-reject, you can't assign a vlan. Reject means "give no service". You either need to send an accept with a vlan, or look for a "reject vlan" feature on your switch.
I'm using macauth. But how to assign a vlan on devices unidentified ?
That's a bit easier, but will depend on how you're looking up vlans. For example, we used to do this: authorize { update control { Tmp-String-0 := "%{sql:select vlan ...}" } if (control:Tmp-String-0) { update reply { Tunnel-Private-Group-Id = "%{control:Tmp-String-0}" } } else { # mac address is unknown - use fallback vlan update reply { Tunnel-Private-Group-Id = 1234 } } } If you were using rlm_passwd you could do something like: modules { passwd macvlan { # this file should contain: m:a:c:a:d:r,vlan filename = ${confdir}/macvlan.txt format = "*Calling-Station-Id:=Tunnel-Private-Group-Id" delimiter = "," } } authorize { mac2vlan if (notfound) { update reply { Tunnel-Private-Group-Id = 1234 } } } ...and so on.
My sql module (we use an sql backend return notfound. I tried to add the following at the end of the authorize section. On 15/09/2010 16:30, Phil Mayers wrote:
if (notfound) { update reply { Tunnel-Private-Group-Id = 1234 } }
But the radius log says : ? Evaluating (notfound) FALSE ... Failed to authenticate the user What am i misunderstanding ? -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group
We use a sql backend. Just after my sql module (in the authorise section) i added the following bloc.
if (notfound) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-ID := 42
} } When a user is unknown, the sql module returns notfound and this block is evaluated as TRUE. But the return value is not the VLAN as expected : ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound
Regards, -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group
On 15/09/10 16:13, Fabien COMBERNOUS wrote:
We use a sql backend. Just after my sql module (in the authorise section) i added the following bloc.
if (notfound) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-ID := 42
} } When a user is unknown, the sql module returns notfound and this block is evaluated as TRUE.
Yes.
But the return value is not the VLAN as expected :
What do you mean by "return value" here?
? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound
You've trimmed the debugging output so we can't help you. Please post the full debugging output. Have you tested this? With radclient/radtest? It should work, from what I can see.
On 15/09/2010 17:29, Phil Mayers wrote:
Please post the full debugging output.
+- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.2.2.230 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++- entering group redundant_sql {...} [sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42 [sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42' rlm_sql (sql1): Reserving sql socket id: 1 [sql1] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' [sql1] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY prior rlm_sql (sql1): Released sql socket id: 1 [sql1] User 08-00-0f-44-c7-42 not found +++[sql1] returns notfound ++- group redundant_sql returns notfound ++? if (notfound) ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "08-00-0f-44-c7-42" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 08-00-0f-44-c7-42 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds
Have you tested this? With radclient/radtest? It should work, from what I can see.
no. I didn't tested. Thank you for your help. -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group
On 15/09/10 16:49, Fabien COMBERNOUS wrote:
On 15/09/2010 17:29, Phil Mayers wrote:
Please post the full debugging output.
Sigh. This is not the full debugging output. You're making it hard to help you.
+- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP'
This is not macauth. This is CHAP. You can't authenticate unknown CHAP users, because you need their password (which you don't have if they are unknown)
++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.2.2.230 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++- entering group redundant_sql {...} [sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42 [sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42' rlm_sql (sql1): Reserving sql socket id: 1 [sql1] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' [sql1] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY prior rlm_sql (sql1): Released sql socket id: 1 [sql1] User 08-00-0f-44-c7-42 not found +++[sql1] returns notfound ++- group redundant_sql returns notfound ++? if (notfound) ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
See?
++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "08-00-0f-44-c7-42" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 08-00-0f-44-c7-42 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated
This filter will remove the VLAN, because auth failed (and it wouldn't work anyway)
participants (2)
-
Fabien COMBERNOUS -
Phil Mayers