MAC authorisation (but not authentication) via LDAP
Hi. Probly just me not understanding... What I want is for our switches to only allow access to MAC addresses in our LDAP database. I don't want to store passwords on our LDAP host entries. I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value. The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs. Is there a way to make the Authorisation part final and authoritative? As I say, probly just being stoopid. Mart -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf: authenticate { ... Auth-Type LdapMAC { ok } ... } the Auth-Type is set in users file depending on huntgroups: DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-) regards markus +-----------------------------------------------------------------+ | Markus Krause, Mogli-Soft | | Support for Mac OS X, Webmail/Horde, LDAP, RADIUS | | by order of the | | Computing Center of the Max-Planck-Institute of Biochemistry | +--------------------------------+--------------------------------+ | E-Mail: krause@biochem.mpg.de | Tel.: 089 - 89 40 85 99 | | markus.krause@mac.com | Fax.: 089 - 89 40 85 98 | | Skype: markus.krause | iChat: markus.krause@mac.com | +--------------------------------+--------------------------------+ ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values. The correct way to do this is to reject unknown, not blindly accept known. Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid: groupmembership_filter = "(| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) )" Then in "ldap": dn: cn=GoodMacs,dc=example,dc=com objectClass: top objectClass: GroupOfMacadds member: 00:11:22:33:44:55 member: 66:77:88:99:aa:bb Then in the "users" file: DEFAULT Ldap-Group == "GoodMacs" Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "your mac is unknown" There are lots of variations of this scheme.
Zitat von Phil Mayers <p.mayers@imperial.ac.uk>:
Markus Krause wrote:
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
Sorry, but it's an awful suggestion. Don't do it, and certainly don't recommend others do it. There's no need to go setting Auth-Type to random values. no need to say sorry, and i did not meant this as a suggestion but just show how i did it, along with the "warning" that it is not a good solution. and i am really open for any suggestions/corrections!
The correct way to do this is to reject unknown, not blindly accept known. hmm, maybe i should have been more precisely on what i am doing, at least i am not thinking to blindly accept known. let me describe the scenario and what i am doing: we have a radius server which is contacted by a vpn-concentrator, a wlan-router and several switches which have dynamic ports (with vlan based on mac) and 802.1x ports (vlan based on users). depending on the huntgroup (chosen via nas-ip-address) i am setting auth-type and autz-type. i read on several places that this is commonly a very bad idea but i could not think of another way to solve it and it works for me (at least it seems so). again, i am open for any suggestions/corrections! the users for vpn and wlan are authenticated/authorized via ldap user entries (&(uid=..)(objectclass=posixaccount)), some accounts for wlan are also stored in sql (for guests, only valid for a fixed amount of days after first usage). the vlans for users and devices are stored in radiusprofiles. then finally the mac addresses are stored in a way a dhcpd server can understand also, so i do not have redundant entries (easier to maintain), all known mac addreses are therefor accepted, unknown are rejected (i am using an ldap query 'filter = "(dhcpHWAddress=ethernet %{Stripped-User-Name:-%{User-Name}})"' and base 'base_filter = "(|(objectClass=dhcpHost)(objectClass=ipNetwork))"' to verify in the autz section). and here again: any suggestions/corrections are really appreciated!
since now (just in testing, not yet fully in production) this solution does what it should, but there are certainly better ways to do this!
Example - you could modify the ldap group membership query to find groups based on both the username and callingstationid:
groupmembership_filter = "(| (&(objectClass=GroupOfMacaddrs)(member=%{Calling-Station-Id})) (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) )"
Then in "ldap":
dn: cn=GoodMacs,dc=example,dc=com objectClass: top objectClass: GroupOfMacadds member: 00:11:22:33:44:55 member: 66:77:88:99:aa:bb
Then in the "users" file:
DEFAULT Ldap-Group == "GoodMacs" Fall-Through = No
DEFAULT Auth-Type := Reject Reply-Message = "your mac is unknown"
There are lots of variations of this scheme.
i am not sure if your approach could really fullfill my needs (no redundancy, serving different types of "requests") ... but i would really like to know ;-) with best regards markus +-----------------------------------------------------------------+ | Markus Krause, Mogli-Soft | | Support for Mac OS X, Webmail/Horde, LDAP, RADIUS | | by order of the | | Computing Center of the Max-Planck-Institute of Biochemistry | +--------------------------------+--------------------------------+ | E-Mail: krause@biochem.mpg.de | Tel.: 089 - 89 40 85 99 | | markus.krause@mac.com | Fax.: 089 - 89 40 85 98 | | Skype: markus.krause | iChat: markus.krause@mac.com | +--------------------------------+--------------------------------+ ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
i am not sure if your approach could really fullfill my needs (no redundancy, serving different types of "requests") ... but i would really like to know ;-)
Hmm. Without more details it's difficult to say, but what you need does not sound excessively difficult. At most, Autz-Type should suffice. Why are you finding you need to set Auth-Type? The ldap module can be peculiar in this regard - are you authenticating the users by doing simple bind, or are you extracting the passwords from ldap and using rlm_pap and such?
Zitat von Phil Mayers <p.mayers@imperial.ac.uk>:
Markus Krause wrote:
i am not sure if your approach could really fullfill my needs (no redundancy, serving different types of "requests") ... but i would really like to know ;-)
Hmm.
Without more details it's difficult to say, but what you need does not sound excessively difficult. At most, Autz-Type should suffice. Why are you finding you need to set Auth-Type? i thought this is necessary as i use redundant sections. in users i have something like:
DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser some parts of my radiusd.conf: ----- radiusd.conf parts modules { ... ldap LdapUser1 { .... ldapserv1 } ldap LdapUser2 { .... ldapserv2 } ... } authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... } ----- it seems that if the authorization is successfully done by LdapUser1 the Auth-Type is set LdapUser1. if i do not set it to LdapUser in the file users i get the error message "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user". if i set Auth-Type to LdapUser in users it works. it also works without setting this if i do not use redundant settings (just call the module LdapUser).
The ldap module can be peculiar in this regard - are you authenticating the users by doing simple bind, or are you extracting the passwords from ldap and using rlm_pap and such? i am just authenticating by doing simple bind.
if i should post more details please let me know! with best regards markus ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
modules { ... ldap LdapUser1 { .... ldapserv1 }
ldap LdapUser2 { .... ldapserv2 } ... }
authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... }
authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... }
You should be able to replace this last bit with: authenticate { Auth-Type LdapUser1 { LdapUser1 } Auth-Type LdapUser2 { LdapUser2 } } ...and set the "set_auth_type = yes" on each LDAP module. The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase. Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a miniscule chance it will have failed by the time authenticate runs. And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid.
Zitat von Phil Mayers <p.mayers@imperial.ac.uk>:
Markus Krause wrote:
modules { ... ldap LdapUser1 { .... ldapserv1 }
ldap LdapUser2 { .... ldapserv2 } ... }
authorize { ... Autz-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... }
authenticate { ... Auth-Type LdapUser { redundant { LdapUser1 LdapUser2 } } ... }
You should be able to replace this last bit with:
authenticate { Auth-Type LdapUser1 { LdapUser1 } Auth-Type LdapUser2 { LdapUser2 } }
...and set the "set_auth_type = yes" on each LDAP module.
The general idea is that MODULES should set Auth-Type (to themselves) indicating that they will handle the authenticate phase.
Note that the above is still redundant - if the ldap module answered during the authorize phase, there's clearly only a miniscule chance it will have failed by the time authenticate runs.
And in fact, if ldap1 succeeds during authorize but fails during authenticate, arguably passing it to ldap2 is an error - example, the user might have just changed their password so ldap1 fails, but ldap2 is still replicating so thinks the old password is valid. ok, i agree with you, "enough" redundancy can be achieved by this also. (the ldap servers used here are both consumers of the same provider, all with very low load so it seems quite unlikely that they run out of sync, but one never know...)
but what if the Auth-Type is not set, for example in a perl module (btw. how can i set the auth-type? that would solve my problem here!). example: we (will) have a wlan which can be used by all our users known in ldap and we have additional accounts saved in sql, which can be given to guests by our departments and research groups, these accounts are then valid for a fixed (preset) number of days since their first usage. to check this i wrote a small perl script which works. so for authorization i use in radiusd.conf: ----- part of radiusd.conf authorization { Autz-Type WLAN { group { mpi-sta { ok = return } redundant { LdapUser1 LdapUser2 } } } } authentication { Auth-Type WLAN { mpi-sta { notfound = 1 } redundant { LdapUser1 LdapUser2 } } } ---- the Auth-Type is set in users according to the huntgroup of the wlan-switch as the perl skript does not set auth-type (because i did not find any documentation on how to set it) so i had to force auth-type to WLAN, now it works. ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
but what if the Auth-Type is not set, for example in a perl module (btw. how can i set the auth-type? that would solve my problem here!). example: we (will) have a wlan which can be used by all our users known in ldap and we have additional accounts saved in sql, which can be given to guests by our departments and research groups, these accounts are then valid for a fixed (preset) number of days since their first usage. to check this i wrote a small perl script which works. so for authorization i use in radiusd.conf:
I'm obviously not understanding what you're trying to do. Auth-Type is meant solely to be a key that indicates to the server which module to call in the "authenticate" section to execute the authentication *algorithm*. The reason setting Auth-Type is so bad is that it breaks the ability for the server to correctly detect the algorithm and people don't understand why. Disabling an account is not part of the authentication algorithm, and should happen in the authorize section (ideally by setting the Expiration attribute built into FreeRadius, but there are cases where that's not applicable) I assume you're using the "mpi-sta" module to do something like: if not USERNAME in firstseen: firstseen[USERNAME] = now else: if now - firstseen[USERNAME] > VALIDTIME: return reject In which case they'll just get rejected during authorize and the mpi-sta module doesn't need to (and SHOULD NOT) appear in the authenticate section.
----- part of radiusd.conf authorization { Autz-Type WLAN { group { mpi-sta { ok = return } redundant { LdapUser1 LdapUser2 } } } }
authentication { Auth-Type WLAN { mpi-sta { notfound = 1 } redundant { LdapUser1 LdapUser2 } } } ----
the Auth-Type is set in users according to the huntgroup of the wlan-switch as the perl skript does not set auth-type (because i did not find any documentation on how to set it) so i had to force auth-type to WLAN, now it works.
It seems a very complicated way of doing something very simple - I assume I am misunderstanding you.
Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus, the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute. Mart -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Thanks Markus,
the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute.
Mart
Hi Mart, ugh, you are of course right, i forgot on important detail, sorry! (has been quite a time since i set this up and it is getting quite late in the night now ...) directly after the ldap entry in authorize a call a small perl script which checks for "$RAD_REQUEST{'Module-Failure-Message'}", and if it is set then return with "RLM_MODULE_REJECT", so 'notfound' is replaced by 'reject'. i must admit that this actually is a very dirty solution ... i should really overthink it (altough it works ...) regards markus +-----------------------------------------------------------------+ | Markus Krause, Mogli-Soft | | Support for Mac OS X, Webmail/Horde, LDAP, RADIUS | | by order of the | | Computing Center of the Max-Planck-Institute of Biochemistry | +--------------------------------+--------------------------------+ | E-Mail: krause@biochem.mpg.de | Tel.: 089 - 89 40 85 99 | | markus.krause@mac.com | Fax.: 089 - 89 40 85 98 | | Skype: markus.krause | iChat: markus.krause@mac.com | +--------------------------------+--------------------------------+ ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Martin Whinnery wrote:
Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus,
the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute.
Mart
This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'. I think. Anyway, it works. Thanks for all your help. Mart -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
we a trying to add mac authentication to our wireless aps radius request comes in like so. rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119, length=95 Service-Type = Framed-User NAS-Port-Id = "wlan1" User-Name = "00:0B:6B:56:1D:48" User-Password = "" NAS-Identifier = "ballyvaughan_ap_1" NAS-IP-Address = 10.250.100.3 the mac address is in a field in the ldap so i created a second ldap.attrib.map and a new ldap autz-type. the problem is that the user-password that is sent i blank so i added this to the users file. like so. DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password == "", Simultaneous-Use := 1 Fall-Through = 0 great now the user with authorise and authenticate from files. but what i had hoped would happen was if they failure authorisation they would not continue, i can see this is not the default proceedure. how can i make this work this way. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 users: Matched entry DEFAULT at line 4 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 Found Autz-Type ldapMAC Processing the authorize section of radiusd.conf modcall: entering group ldapMAC for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48 radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)' radius_xlat: 'o=clients,dc=radiowave,dc=net' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389 radiustest:/etc/freeradius/config-clients# rlm_ldap: Bind was successful rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapmac1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall: leaving group ldapMAC (returns notfound) for request 0 but when the authentication starts this stilll happens, below was an idea someone had in respect to this issue or a similar one but i have no idea how to deploy this look forward to your replys. auth: type Local auth: user supplied User-Password matches local User-Password Processing the session section of radiusd.conf modcall: entering group session for request 0 modcall: entering group redundant for request 0 modcall[session]: module "sql2" returns noop for request 0 modcall: leaving group redundant (returns noop) for request 0 modcall: leaving group session (returns noop) for request 0 Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0) Sending Access-Accept of id 119 to 10.250.100.3 port 1038 On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
Martin Whinnery wrote:
Markus Krause wrote:
Zitat von Martin Whinnery <martin.whinnery@sbc.ac.uk>:
Hi.
Probly just me not understanding...
What I want is for our switches to only allow access to MAC addresses in our LDAP database.
I don't want to store passwords on our LDAP host entries.
I'm set up to check LDAP during authorisation, and it correctly returns authorised / not authorised depending on whether the appropriate attribute contains the right value.
The trouble comes with authentication - either I set Auth-Type := Accept, in which case and failed authorisation is overridden, or I allow authentication to carry on against LDAP ( or System, or whatever ), in which case it fails always and access is denied, even for authorised MACs.
Is there a way to make the Authorisation part final and authoritative?
As I say, probly just being stoopid.
Mart
don't no if it is a good solution, but i just do this by setting the following in radiusd.conf:
authenticate { ... Auth-Type LdapMAC { ok } ... }
the Auth-Type is set in users file depending on huntgroups:
DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
i assume there are better/smarter sollutions as one can read "don't set Auth-Type" on many places but it works here ;-)
regards markus
Thanks Markus,
the problem seems to be that the authorisation pass returns "notfound", whereas I want it to "reject", as if it found an entry in LDAP without the appropriate attribute.
Mart
This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'.
I think.
Anyway, it works.
Thanks for all your help.
Mart
participants (4)
-
Alan Walters -
Markus Krause -
Martin Whinnery -
Phil Mayers