Storing user MAC address after first auth
Greetings ! I have the following situation here that I'd like to ask for some assistance with, if possible: My client has a RADIUS server installed (running freeRADIUS 2.0.5), and routers working as hotspots that users can connect to. Users can authorize against the RADIUS server using a name/password combination, which is stored in a MySQL database (using the rlm_sql module and the Cleartext-Password attribute in the radcheck table). This part works correctly. Now, my client wants an extra check to be added which would allow each user to login only from a specific MAC address, which can be different for each user, and which is obtained when the user logs in for the first time. Checking the MAC address is easy, as the hotspot is sending the MAC address in the Calling-Station-Id attribute that I could easily store in the radcheck table as well - but the problem is that this MAC address is not known when the name/password pair is being added to the radcheck table, and I am to make it so that when the user is successfully authorized for the first time, there is no MAC check, but the user's current MAC address is remembered on the server, and further logins are only permitted from that MAC address. So, I am thinking that the best solution would be to have the RADIUS server add a new "(username), 'Calling-Station-Id', '=', (user's MAC)" entry to the radcheck table, right after a successful SQL auth step, if such an entry isn't yet in the table. And my question is - is there a way to accomplish this with existing FreeRADIUS modules, or do I need to implement my own module to do this ? Thank you ! / Tomas
On 7/5/09 10:18, Tomas Mecir wrote:
Greetings !
I have the following situation here that I'd like to ask for some assistance with, if possible:
My client has a RADIUS server installed (running freeRADIUS 2.0.5), and routers working as hotspots that users can connect to. Users can authorize against the RADIUS server using a name/password combination, which is stored in a MySQL database (using the rlm_sql module and the Cleartext-Password attribute in the radcheck table). This part works correctly.
Now, my client wants an extra check to be added which would allow each user to login only from a specific MAC address, which can be different for each user, and which is obtained when the user logs in for the first time. Checking the MAC address is easy, as the hotspot is sending the MAC address in the Calling-Station-Id attribute that I could easily store in the radcheck table as well - but the problem is that this MAC address is not known when the name/password pair is being added to the radcheck table, and I am to make it so that when the user is successfully authorized for the first time, there is no MAC check, but the user's current MAC address is remembered on the server, and further logins are only permitted from that MAC address.
So, I am thinking that the best solution would be to have the RADIUS server add a new "(username), 'Calling-Station-Id', '=', (user's MAC)" entry to the radcheck table, right after a successful SQL auth step, if such an entry isn't yet in the table.
And my question is - is there a way to accomplish this with existing FreeRADIUS modules, or do I need to implement my own module to do this ?
You can do it with the policy language. But you'll need to upgrade to the latest version of the server. I've attached an example (so my mail client doesn't wrap it). Make sure you've defined always instances 'noop' and 'updated'. Regards, Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
You can do it with the policy language. But you'll need to upgrade to the latest version of the server.
I've attached an example (so my mail client doesn't wrap it). Make sure you've defined always instances 'noop' and 'updated'.
Sorry take that first ! out, and ignore the duplicate reply. Low coffee day. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
2009/5/7 Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>:
You can do it with the policy language. But you'll need to upgrade to the latest version of the server.
I've attached an example (so my mail client doesn't wrap it). Make sure you've defined always instances 'noop' and 'updated'.
Excellent, thank you, works like a charm ! Didn't even have to upgrade the radius server, it works on the existing 2.0.5 installation with no problems. Many thanks for your help ! / Tomas
On 7/5/09 15:33, Tomas Mecir wrote:
2009/5/7 Arran Cudbard-Bell<A.Cudbard-Bell@sussex.ac.uk>:
You can do it with the policy language. But you'll need to upgrade to the latest version of the server.
I've attached an example (so my mail client doesn't wrap it). Make sure you've defined always instances 'noop' and 'updated'.
Excellent, thank you, works like a charm ! Didn't even have to upgrade the radius server, it works on the existing 2.0.5 installation with no problems.
Many thanks for your help !
Yeah I had a feeling the INSERT statements would still work even though the server complained about them not being valid. The return code for that section of "unlang" code won't be correct until you update the server, but if you don't care then that's fine :) Glad it worked. Regards, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
On 7/5/09 10:18, Tomas Mecir wrote:
Greetings !
I have the following situation here that I'd like to ask for some assistance with, if possible:
My client has a RADIUS server installed (running freeRADIUS 2.0.5), and routers working as hotspots that users can connect to. Users can authorize against the RADIUS server using a name/password combination, which is stored in a MySQL database (using the rlm_sql module and the Cleartext-Password attribute in the radcheck table). This part works correctly.
Now, my client wants an extra check to be added which would allow each user to login only from a specific MAC address, which can be different for each user, and which is obtained when the user logs in for the first time. Checking the MAC address is easy, as the hotspot is sending the MAC address in the Calling-Station-Id attribute that I could easily store in the radcheck table as well - but the problem is that this MAC address is not known when the name/password pair is being added to the radcheck table, and I am to make it so that when the user is successfully authorized for the first time, there is no MAC check, but the user's current MAC address is remembered on the server, and further logins are only permitted from that MAC address.
So, I am thinking that the best solution would be to have the RADIUS server add a new "(username), 'Calling-Station-Id', '=', (user's MAC)" entry to the radcheck table, right after a successful SQL auth step, if such an entry isn't yet in the table.
And my question is - is there a way to accomplish this with existing FreeRADIUS modules, or do I need to implement my own module to do this ?
Nope that's trivial, but you'll need to upgrade to the latest version of FR. As your using MySQL you can use a bit of MySQL specific syntax.
Thank you !
/ Tomas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
participants (2)
-
Arran Cudbard-Bell -
Tomas Mecir