Allowing Access based on Group Membership
After a bit of effort I have managed to get Wireless with WPA encryption working with FreeRadius and an eDirectory LDAP Backend (using Universal password). My last task is to allow Wireless authentication only to members of a given LDAP Group. I seem to be having some issues though. Here is my ldap config in /etc/raddb/radiusd.conf: ldap { server = "ldap.pbu.edu" identity = "cn=admin,o=PBU" password = "password" basedn = "o=PBU" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = yes tls_cacertfile = /etc/raddb/certs/rootder.b64 access_attr = "cn" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword edir_account_policy_check=yes groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 } If I empty out /etc/raddb/users completely, authentication works. If I put the following in users: DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept Fall-Through = No DEFAULT Auth-Type := Reject and start freeradius with "radiusd -X -A" I get: rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'o=PBU' radius_xlat: '(uid=jlee)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=PBU, with filter (uid=jlee) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectCla ss=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=PBU, with filter (&(cn=Wireless)(|(&(objectClas s=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquem ember=cn=jlee,o=PBU)))) rlm_ldap::ldap_groupcmp: User found in group Wireless rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for jlee radius_xlat: '(uid=jlee)' radius_xlat: 'o=PBU' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=PBU, with filter (uid=jlee) rlm_ldap: checking if remote access for jlee is allowed by cn rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jlee authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 1 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: ldap_release_conn: Release Id: 0 modcall[post-auth]: module "ldap" returns ok for request 1 modcall: group post-auth returns ok for request 1 Sending Access-Accept of id 194 to 10.1.1.44:32769 Finished request 1 However, the wireless client never quite seems to finish associating. Any ideas what I'm doing wrong here? What should the users file look like to allow anyone who is a member of the Wireless LDAP group and deny everyone else? Jay Lee -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
"Jay Lee" <jlee@pbu.edu> wrote:
My last task is to allow Wireless authentication only to members of a given LDAP Group.
... i.e. to reject wireless for everyone else.
If I empty out /etc/raddb/users completely, authentication works. If I put the following in users:
DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
Then people in the wireless group don't have their passwords checked.
DEFAULT Auth-Type := Reject
And everyone else gets rejected.
However, the wireless client never quite seems to finish associating. Any ideas what I'm doing wrong here? What should the users file look like to allow anyone who is a member of the Wireless LDAP group and deny everyone else?
DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject That rejects everyone who isn't in wireless. As for the wireless people, their passwords should be checked using the normal process. You shouldn't have to do anything special there. Alan DeKok.
On Wed, February 15, 2006 1:15 pm, Alan DeKok wrote:
"Jay Lee" <jlee@pbu.edu> wrote:
My last task is to allow Wireless authentication only to members of a given LDAP Group. ... i.e. to reject wireless for everyone else.
So the glass is half empty? :-)
If I empty out /etc/raddb/users completely, authentication works. If I put the following in users: DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept Then people in the wireless group don't have their passwords checked.
Yeah, guess that's not what I want, I thought the group check was taking place after the password check.
DEFAULT Auth-Type := Reject And everyone else gets rejected. However, the wireless client never quite seems to finish associating. Any ideas what I'm doing wrong here? What should the users file look like to allow anyone who is a member of the Wireless LDAP group and deny everyone else?
DEFAULT LDAP-Group != "Wireless", Auth-Type := Reject
That rejects everyone who isn't in wireless. As for the wireless people, their passwords should be checked using the normal process. You shouldn't have to do anything special there.
That works perfectly, thanks! Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
participants (2)
-
Alan DeKok -
Jay Lee