Matching Airespace-Wlan-Id in users files or radgroupcheck database
I'm trying to get FreeRadius working with a Cisco WLC. I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs. I can't seem to deny access using this attribute. Is there a trick to this? Thanks, -adam
Adam Wien wrote:
I'm trying to get FreeRadius working with a Cisco WLC.
I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
I can't seem to deny access using this attribute.
"I tried stuff and it didn't work".
Is there a trick to this?
Describe what you did (text copied from the configuration files), and what happened (text copied from debug output) Alan DeKok.
Here's my database setup. mysql> select * from radcheck where username='adam@cpanel.net'; +------+-----------------+--------------------+----+----------+ | id | username | attribute | op | value | +------+-----------------+--------------------+----+----------+ | 1072 | adam@cpanel.net | Cleartext-Password | := | BLANK | +------+-----------------+--------------------+----+----------+ 1 row in set (0.00 sec) mysql> mysql> select * from radgroupcheck; +------+-----------+-------------------+----+-------+ | id | groupname | attribute | op | value | +------+-----------+-------------------+----+-------+ | 1072 | Sysadmin | Airespace-Wlan-Id | == | 9 | +------+-----------+-------------------+----+-------+ 1 row in set (0.02 sec) mysql> mysql> select * from radusergroup; +-----------------+-----------+----------+ | username | groupname | priority | +-----------------+-----------+----------+ | adam@cpanel.net | Sysadmin | 1 | +-----------------+-----------+----------+ 1 row in set (0.02 sec) mysql> Here's my radiiusd -X output rad_recv: Access-Request packet from host 208.74.121.102 port 24716, id=18, length=201 User-Name = "adam@cpanel.net" Calling-Station-Id = "f8-1e-df-f4-c3-36" Called-Station-Id = "00-26-cb-a0-cf-a0:SecWifiTesting0" NAS-Port = 1 NAS-IP-Address = 172.31.2.250 NAS-Identifier = "WLC1.3131" Airespace-Wlan-Id = 8 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "200" EAP-Message = 0x02010014016164616d406370616e656c2e6e6574 Message-Authenticator = 0x194b1cc6aba2fdf6fe796d58e57f5e04 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> adam@cpanel.net rlm_sql (sql): sql_set_user escaped user --> 'adam@cpanel.net' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'adam@cpanel.net' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'adam@cpanel.net' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'adam@cpanel.net' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Sysadmin' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 18 to 208.74.121.102 port 24716 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a1490ae6a168516e9c153b1a670f7e8 Finished request 2. Going to the next request I set the 'Airespace-Wlan-Id == 9' and I'm connecting to 'Airespace-Wlan-Id == 8' and it's still allowing me to connect. On Feb 17, 2010, at 12:56 AM, Alan DeKok wrote:
Adam Wien wrote:
I'm trying to get FreeRadius working with a Cisco WLC.
I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
I can't seem to deny access using this attribute.
"I tried stuff and it didn't work".
Is there a trick to this?
Describe what you did (text copied from the configuration files), and what happened (text copied from debug output)
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Wien wrote:
Here's my database setup.
Please read doc/rlm_sql.
mysql> select * from radcheck where username='adam@cpanel.net'; +------+-----------------+--------------------+----+----------+ | id | username | attribute | op | value | +------+-----------------+--------------------+----+----------+ | 1072 | adam@cpanel.net | Cleartext-Password | := | BLANK | +------+-----------------+--------------------+----+----------+
Defines a password...
mysql> select * from radgroupcheck; +------+-----------+-------------------+----+-------+ | id | groupname | attribute | op | value | +------+-----------+-------------------+----+-------+ | 1072 | Sysadmin | Airespace-Wlan-Id | == | 9 | +------+-----------+-------------------+----+-------+
Says "group sysadmin checks if the airespace attribute matches"
mysql> select * from radusergroup; +-----------------+-----------+----------+ | username | groupname | priority | +-----------------+-----------+----------+ | adam@cpanel.net | Sysadmin | 1 | +-----------------+-----------+----------+
Says "user adam... is in group sysadmin". Where did you configure it do *do* something, like reject the user? This configuration does *not* deny users access by matching Airespace-Wlan-Id. That should be clear: there is no "deny" rule! Alan DeKok.
On Feb 17, 2010, at 10:54 AM, Alan DeKok wrote:
Adam Wien wrote:
Here's my database setup.
Please read doc/rlm_sql.
mysql> select * from radcheck where username='adam@cpanel.net'; +------+-----------------+--------------------+----+----------+ | id | username | attribute | op | value | +------+-----------------+--------------------+----+----------+ | 1072 | adam@cpanel.net | Cleartext-Password | := | BLANK | +------+-----------------+--------------------+----+----------+
Defines a password...
mysql> select * from radgroupcheck; +------+-----------+-------------------+----+-------+ | id | groupname | attribute | op | value | +------+-----------+-------------------+----+-------+ | 1072 | Sysadmin | Airespace-Wlan-Id | == | 9 | +------+-----------+-------------------+----+-------+
Says "group sysadmin checks if the airespace attribute matches"
mysql> select * from radusergroup; +-----------------+-----------+----------+ | username | groupname | priority | +-----------------+-----------+----------+ | adam@cpanel.net | Sysadmin | 1 | +-----------------+-----------+----------+
Says "user adam... is in group sysadmin".
Where did you configure it do *do* something, like reject the user?
I guess that's my real question. What database does that belong in? I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a higher ID(although the latter doesn't seem correct).
This configuration does *not* deny users access by matching Airespace-Wlan-Id. That should be clear: there is no "deny" rule!
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Feb 18, 2010 at 12:26 AM, Adam Wien <adam.wien@gmail.com> wrote:
I guess that's my real question. What database does that belong in?
try radcheck first. Make sure it works on per-user basis.
I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a higher ID(although the latter doesn't seem correct).
ID shouldn't really matter. Did you read doc/rlm_sql like Alan mentioned? I think you're missing Fall-Through. -- Fajar
On Feb 17, 2010, at 3:55 PM, Fajar A. Nugraha wrote:
On Thu, Feb 18, 2010 at 12:26 AM, Adam Wien <adam.wien@gmail.com> wrote:
I guess that's my real question. What database does that belong in?
try radcheck first. Make sure it works on per-user basis.
I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a higher ID(although the latter doesn't seem correct).
ID shouldn't really matter. Did you read doc/rlm_sql like Alan mentioned? I think you're missing
I did. I'm actually taking a different approach now which sounds more complicated but is easier. Dynamic VLANs I have this so far in my users file and it's working. adam Cleartext-Password := "testing" Airespace-Wlan-Id = 8, Airespace-Interface-Name = SecWifiTesting0, Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 4 Now I just need to translate that into SQL.
Fall-Through.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Adam Wien wrote:
I have this so far in my users file and it's working.
adam Cleartext-Password := "testing"
radcheck
Airespace-Wlan-Id = 8, Airespace-Interface-Name = SecWifiTesting0, Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 4
radreply (with the user name column)
Now I just need to translate that into SQL.
It should be easy. Read doc/rlm_sql. Alan DeKok.
participants (3)
-
Adam Wien -
Alan DeKok -
Fajar A. Nugraha