Re: Howto Authenticate Undefined Users
Ivan Kalik wrote:
That sounds nice. But he still needs some attributes and the NAS has to think that he is authenticated...
Then you should have a NAS with fascility to place unauthenticated users into a guest VLAN. And you don't need a captive portal.
I explain a little bit more what I like to do ... I have a Cisco LNS which terminates L2TP Tunnels. This cisco makes the Radius request to my freeradius. Normal Users get authenticated normaly, get Static or dynamic ip's and so on. User not in the sql database should get assigned a vrf group and a ip pool for assigning ip's (I know how to do that with Cisco-AVPairs). This vrf has a default route to a linux box doing some magic stuff with iptables and apache (not done jet). Hope that clears up some things. Regards Matthias -- Matthias Cramer / mc322-ripe Senior Network & Security Engineer iWay AG Phone +41 43 500 1111 Josefstrasse 225 Fax +41 44 271 3535 CH-8005 Zürich http://www.iway.ch/ GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
On Wed, Sep 09, 2009 at 05:10:46PM +0200, Matthias Cramer wrote: [..]
Normal Users get authenticated normaly, get Static or dynamic ip's and so on. User not in the sql database should get assigned a vrf group and a ip pool for assigning ip's (I know how to do that with Cisco-AVPairs).
I'm not sure this is the right way of doing it (and I'd love to see the right one) but something like this worked for me: (in authenticate section, assuming you're doing CHAP): Auth-Type CHAP { chap { ok = return reject = 1 } if (reject) { update reply { Filter-Id := "somefilter" Filter-Id += "someotherfilter" ... } ok } } -- szymon roczniak simon@dischaos.com
On Wed, Sep 09, 2009 at 05:10:46PM +0200, Matthias Cramer wrote: [..]
Normal Users get authenticated normaly, get Static or dynamic ip's and so on. User not in the sql database should get assigned a vrf group and a ip pool for assigning ip's (I know how to do that with Cisco-AVPairs).
I'm not sure this is the right way of doing it (and I'd love to see the right one) but something like this worked for me:
(in authenticate section, assuming you're doing CHAP):
Auth-Type CHAP { chap { ok = return reject = 1 }
if (reject) { update reply { Filter-Id := "somefilter" Filter-Id += "someotherfilter" ... } ok } }
That's not going to work. 1. Server will respond with Access-Reject. 2. Attribute filter in Post-Auth-Type Reject will strip these attributes. This will (for PAP and not much else): in authorize after sql put this unlang section: if(notfound) { update control { Auth-Type := "Accept" } update reply { whatever } } But ... breaking radius server in order to send Access-Accept for unknown/bad users is a *very* bad idea. Freeradius is designed to protect you from such users as they can be malicious. If you do this you are opening your network to DoS attack. If you want to let unauthenticated users onto your network - don't break radius server in order to do that. Use the thing that is designed for it - network access server (NAS). If your NAS doesn't support this, use captive portal. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Ivan Kalik -
Matthias Cramer -
Szymon Roczniak