I have read all the man pages and /docs and am having a difficult time understanding the authorization. I keep wanting to write "if...elseif...else" stuff but I'm pretty sure that doesn't apply to FreeRADIUS config files. In the radiusd.conf there is documentation on how to use checkval to compare against caller-id. That's exactly what I want to do, but I can't figure out how to *use* it. Let's say I have 2 groups: students and faculty. I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:StudentWLAN$/" I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:FacultyWLAN$/" All my users are authenticated against LDAP. If the user enters the correct username/password (as accepted by LDAP), the user should be able to associate to the WLAN, but only to the WLAN of which he/she is allowed. Students can connect to the StudentWLAN; Faculty can connect to the FacultyWLAN. How would I configure the checkval module? Is it even necessary to use the checkval module? How would I conifgure the users file? Is the users file even necessary? Just to show what I've got config'd at the moment... Using the config below, I am able to successfully allow users to join the WLAN using WPA and EAP-PEAP from Windows XP SP2. But again, the user should not be able to join just any ol' LAN. If anyone has any experience with using checkval or doing caller-id type activities, I'd love to read how you did it! P.S. I don't know who to direct compliments to, but the FreeRADIUS code is probably the most beautifully structured source code I have ever read. It is SO easy to read and extremely consistent! It's phenomenal! And no, I can't answer my question myself just cuz I read the code... ;) But it's helped me to get this far!! authorize { # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2 preprocess eap files ldap checkval } authenticate { # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2 Auth-Type MS-CHAP { mschap } eap } modules { mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } ldap { <snip> } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { private_key_password = <snip> private_key_file = /etc/1x/server.pem certificate_file = /etc/1x/server.pem CA_file = /etc/1x/root.pem dh_file = /etc/1x/DH random_file = /etc/1x/random include_length = yes } peap { default_eap_type = mschapv2 } mschapv2 { } } } I have NOTHING in users at this moment.
Let's say I have 2 groups: students and faculty. I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:StudentWLAN$/" I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:FacultyWLAN$/"
You left out your ldap part? Anyway it should look something like this. groupname_attribute = cn groupmembership_filter = "(&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))" Of course you'll have to change that to fit with how your directory is structured. Once you've got that part down, then in the users file you could do something like this. DEFAULT Called-Station-ID =~ "/:StudentWLAN$/", Ldap-Group == "students" DEFAULT Called-Station-ID =~ "/:FacultyWLAN$/", Ldap-Group == "faculty" DEFAULT Auth-Type := Reject That would look to see if Called-Station-ID matches that regex. If so, it would look to see if they are in the Ldap-Group of students. Your groupmembership filter and groupname_attribute should look for a group named cn=students and then see if the DN of the user is in it. If not, it would fall through to the Reject statement. Now, there are other things going on outside of ldap that I don't really know about, so a copy/paste of what I wrote might not work. But, it should help lead you in the right direction. I'd give it a shot running in debug mode (radiusd -X) and then you can see the exact queries that are taking place and what is happening. You can then go back and modify those ldap group statements and the users file to fit what you need. Once you've got it started if you need more help, please post debug output and what you would expect vs what you got and we can probably help sort it out.
Stefan Adams <stefan@borgia.com> wrote:
I have read all the man pages and /docs and am having a difficult time understanding the authorization. I keep wanting to write "if...elseif...else" stuff but I'm pretty sure that doesn't apply to FreeRADIUS config files.
Unfortunately, yes.
How would I configure the checkval module? Is it even necessary to use the checkval module? How would I conifgure the users file? Is the users file even necessary?
I wouldn't configure the checkval module. Just the "users" module, something like: DEFAULT LDAP-Group == faculty, Called-Station-Id != "faculty", Auth-Type := Reject DEFAULT LDAP-Group == students, Called-Station-Id != "students", Auth-Type := Reject
P.S. I don't know who to direct compliments to, but the FreeRADIUS code is probably the most beautifully structured source code I have ever read. It is SO easy to read and extremely consistent! It's phenomenal!
You can thank everyone who contributed so far. :) Alan DeKok.
participants (3)
-
Alan DeKok -
Dusty Doris -
Stefan Adams