I have FreeRADIUS Version 1.1.0 I want to disallow login to access points for every hosts that are not in my network. So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts... DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>" but it is about 2300 chars in one line and my freeradius says: /usr/local/etc/raddb/users[330]: Parse error (check) for entry DEFAULT: Expected end of line or comma Errors reading /usr/local/etc/raddb/users radiusd.conf[1050]: files: Module instantiation failed. radiusd.conf[1796] Unknown module "files". radiusd.conf[1730] Failed to parse authorize section. how long can be regular expression and is there any other way to solve this problem? Norboro
Norbert Grochal wrote:
I have FreeRADIUS Version 1.1.0
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>"
Is there any reason you shouldn't have a separate stanza accepting each valid MAC address, then implicitly reject all other MAC addresses? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
I have FreeRADIUS Version 1.1.0
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>"
Is there any reason you shouldn't have a separate stanza accepting each valid MAC address, then implicitly reject all other MAC addresses?
I accepts users using eap-peap + mysql. Logins are not the Identity but are extracted from eap messages, so I cant use users file for auth (?). In users file there are visible User-Name attrs that I do not use (they are not the same as they from eap-message). My wireless cards have 3 fields: Identity, eap login, eap password. My users can use everything in identity, but must use correct login and password. So users file is kind of "filter". If my host try to access network from 'incorrect' access point there is a REJECT. If accessed ap is 'correct' there is no reject and eap-peap + mysql works for me... Norboro
Norbert Grochal wrote:
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>"
Don't do that. It's ugly. Use rlm_passwd. See "man rlm_passwd". That lets you list all of the MACs in one flat text file, which is a LOT easier to manage by a script than the "users" file. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>"
Don't do that. It's ugly. Use rlm_passwd. See "man rlm_passwd".
That lets you list all of the MACs in one flat text file, which is a LOT easier to manage by a script than the "users" file.
I still haven't idea how to do it, may you show me any example? Is it possible to 'mark' good request and then at the end of users file write DEFAULT Auth-Type := REJECT, REQUEST_NOT_MARKED ?? Norboro
Norbert Grochal wrote:
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts... DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>" Don't do that. It's ugly. Use rlm_passwd. See "man rlm_passwd".
That lets you list all of the MACs in one flat text file, which is a LOT easier to manage by a script than the "users" file.
I still haven't idea how to do it, may you show me any example?
The man page is pretty clear Do something like: modules { passwd mac2ok { filename = /etc/raddb/mac2ok format = "*Calling-Station-Id:~My-Local-String" hashsize = 100 } # other modules } authorize { preprocess mac2ok files # other modules } Make "/etc/raddb/mac2ok" read: 008012323244:ok 002938475473:ok ...then in "users" put: DEFAULT My-Local-String != "ok", Auth-Type := Reject Reply-Message = "calling station id not allowed", Fall-Through = No # Other config items Depending on the version of the server, you might need the following in /etc/raddb/dictionary: ATTRIBUTE My-Local-String 3000 string ...where 3000 can be any number between 3000 and 4000 and My-Local-String is an arbitrary name you can use for a local config attribute.
Is it possible to 'mark' good request and then at the end of users file write
DEFAULT Auth-Type := REJECT, REQUEST_NOT_MARKED
??
Norboro
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do something like:
modules { passwd mac2ok { filename = /etc/raddb/mac2ok format = "*Calling-Station-Id:~My-Local-String" hashsize = 100 }
# other modules }
authorize { preprocess mac2ok files # other modules }
Make "/etc/raddb/mac2ok" read:
008012323244:ok 002938475473:ok
...then in "users" put:
DEFAULT My-Local-String != "ok", Auth-Type := Reject Reply-Message = "calling station id not allowed", Fall-Through = No
# Other config items
Depending on the version of the server, you might need the following in /etc/raddb/dictionary:
ATTRIBUTE My-Local-String 3000 string
OK, It almost works fine, but if there is no mac in my mac2ok file then users file doesn't put REJECT into Auth-Type. I have added that line at the begining of users file: DEFAULT Auth-Type := REJECT, My-Local-String !* "a" and if there is no mac in mac2ok file then user cannot login into network. but if there is mac in mac2ok file (so My-Local-String exist) I have always: rlm_eap_peap: Had sent TLV failure, rejecting. My freeradius version is 1.1.0 If I remove the first line from users file all is ok. Users can login only from specified access points. The first line in users file works fine, if there is no mac in mac2ok file... Can I add at the begining or at the end (?) of mac2ok file something like *:bad and everything will be 'bad' but ok will be overwritten by 'good' ?? Norbert
Norbert Grochal wrote:
OK, It almost works fine, but if there is no mac in my mac2ok file then users file doesn't put REJECT into Auth-Type. I have added that line at the begining of users file:
DEFAULT Auth-Type := REJECT, My-Local-String !* "a"
and if there is no mac in mac2ok file then user cannot login into network.
but if there is mac in mac2ok file (so My-Local-String exist) I have always:
rlm_eap_peap: Had sent TLV failure, rejecting.
Just showing that one line is useless. You need to post the entire debug output of "radiusd -X" so we can see the entire EAP conversation to determine the problem.
My freeradius version is 1.1.0
If I remove the first line from users file all is ok. Users can login only from specified access points.
The first line in users file works fine, if there is no mac in mac2ok file...
I'm sorry, I don't really understand. Could you try re-phrasing the problem. You could maybe try something like this in "users". DEFAULT My-Local-String == "ok" Fall-Through = No DEFAULT Auth-Type := Reject
Can I add at the begining or at the end (?) of mac2ok file something like *:bad and everything will be 'bad' but ok will be overwritten by 'good' ??
No. You would use appropriately-ordered "users" file entries for that kind of logic
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Norbert Grochal Sent: Saturday, 25 November 2006 00:13 To: FreeRadius users mailing list Subject: Re: very long regular expression...
Do something like:
modules { passwd mac2ok { filename = /etc/raddb/mac2ok format = "*Calling-Station-Id:~My-Local-String" hashsize = 100 }
# other modules }
authorize { preprocess mac2ok files # other modules }
Make "/etc/raddb/mac2ok" read:
008012323244:ok 002938475473:ok
...then in "users" put:
DEFAULT My-Local-String != "ok", Auth-Type := Reject Reply-Message = "calling station id not allowed", Fall-Through = No
# Other config items
Depending on the version of the server, you might need the following in /etc/raddb/dictionary:
ATTRIBUTE My-Local-String 3000 string
OK, It almost works fine, but if there is no mac in my mac2ok file then users file doesn't put REJECT into Auth-Type. I have added that line at the begining of users file:
DEFAULT Auth-Type := REJECT, My-Local-String !* "a"
Try: DEFAULT My-Local-String !* "a", Auth-Type := REJECT Reply-Message = "No calling station id provided" If the first part is false, the second part does not get tested, which means Auth-Type doesn't get set. When tests have side effects (like assignment) testing order matters. Also, why not test positive instead of negative: DEFAULT My-Local-String == "ok", Auth-Type := ACCEPT Reply-Message = "%u logged on", Other-Attribute = "somevalue" # other reasons for allowing access DEFAULT foo == "bar" ... # reject all others DEFAULT Auth-Type := REJECT Reply-Message = "Access denied"
Do something like:
modules { passwd mac2ok { filename = /etc/raddb/mac2ok format = "*Calling-Station-Id:~My-Local-String" hashsize = 100 }
# other modules }
authorize { preprocess mac2ok files # other modules }
Make "/etc/raddb/mac2ok" read:
008012323244:ok 002938475473:ok
...then in "users" put:
DEFAULT My-Local-String != "ok", Auth-Type := Reject Reply-Message = "calling station id not allowed", Fall-Through = No
# Other config items
Depending on the version of the server, you might need the following in /etc/raddb/dictionary:
ATTRIBUTE My-Local-String 3000 string
OK, It almost works fine, but if there is no mac in my mac2ok file then users file doesn't put REJECT into Auth-Type. I have added that line at the begining of users file:
DEFAULT Auth-Type := REJECT, My-Local-String !* "a"
OK. I have noticed that one request is 'processed' twice. First time there is calling station it etc and mac2ok put 'good' into request. And then login is encapsulated from eap-message and freeradius process the request again, but there is no My-Local-String etc. So reject from users file cause eap-peap failure. I have added at the end of users file: # for first process of request DEFAULT My-Local-String == "good" Fall-Through = No # for second process of request (login is known from eap-message...) DEFAULT NAS-IP-Address == "127.0.0.1" Fall-Through = No DEFAULT Auth-Type := Reject Thanks!!! Norbert
Ranner, Frank MR wrote:
DEFAULT My-Local-String == "ok", Auth-Type := ACCEPT Reply-Message = "%u logged on", Other-Attribute = "somevalue"
Don't do that. Auth-Type := ACCEPT will break EAP, MS-CHAP, and any other challenge-response or multi-round-trip exchange. Set Fall-Through=No on the reply items to stop processing
participants (5)
-
Alan DeKok -
James Wakefield -
Norbert Grochal -
Phil Mayers -
Ranner, Frank MR