I would like to authenticate WiFi users with EAP and assign an IP address based on their username. I realize this is a two step process: first, the user must be authenticated with EAP. Once this is done, the user will request an IP address via DHCP. But there is no connection between the EAP username, and the client's MAC address which EAP uses. With EAP, the MAC address is the Calling-Station-ID for the Anonymous identity. The tunneled identity has no ID. Is it possible to use the post-auth section to log both username and MAC, so the DHCP module can look up the username from MAC address, and assign the address from the right pool? By default the post-auth module writes two records to the radpostauth table: one, from the anonymous identity with the Calling-Station-ID set to the MAC address, and another, for the tunneled identity, with an empty calling ID. Thanks, Hernan
OK, It's 3 AM but I've found a way to store the inner auth id (username) and the outer request's MAC: post-auth { if (!request:Calling-Station-Id ) { update request { Calling-Station-Id = "%{outer.request:Calling-Station-Id}" } sql } } What this does is: if Calling-Station-Id is missing (at least with my NAS it is), then copy it from the outer request. Then log to SQL database. This also avoids logging anonymous requests (otherwise for each auth request two records are generated). Now I would like to know if this looks like it will work. Thanks, Hernan On Sun, Sep 27, 2015 at 2:15 AM, Hernán Freschi <hjf@hjf.com.ar> wrote:
I would like to authenticate WiFi users with EAP and assign an IP address based on their username. I realize this is a two step process: first, the user must be authenticated with EAP. Once this is done, the user will request an IP address via DHCP. But there is no connection between the EAP username, and the client's MAC address which EAP uses.
With EAP, the MAC address is the Calling-Station-ID for the Anonymous identity. The tunneled identity has no ID.
Is it possible to use the post-auth section to log both username and MAC, so the DHCP module can look up the username from MAC address, and assign the address from the right pool? By default the post-auth module writes two records to the radpostauth table: one, from the anonymous identity with the Calling-Station-ID set to the MAC address, and another, for the tunneled identity, with an empty calling ID.
Thanks, Hernan
On Sep 27, 2015, at 2:00 AM, Hernán Freschi <hjf@hjf.com.ar> wrote:
OK, It's 3 AM but I've found a way to store the inner auth id (username) and the outer request's MAC:
post-auth { if (!request:Calling-Station-Id ) { update request { Calling-Station-Id = "%{outer.request:Calling-Station-Id}" } sql } }
Yes, that will work. Alan DeKok.
On Sep 27, 2015, at 1:15 AM, Hernán Freschi <hjf@hjf.com.ar> wrote:
I would like to authenticate WiFi users with EAP and assign an IP address based on their username. I realize this is a two step process: first, the user must be authenticated with EAP. Once this is done, the user will request an IP address via DHCP. But there is no connection between the EAP username, and the client's MAC address which EAP uses.
With EAP, the MAC address is the Calling-Station-ID for the Anonymous identity. The tunneled identity has no ID.
Sure. Just write the inner ID and the outer Calling-Station-Id to SQL. You may need to create a custom table for this. You should probably also write the login time, too.
Is it possible to use the post-auth section to log both username and MAC, so the DHCP module can look up the username from MAC address, and assign the address from the right pool?
Yes.
By default the post-auth module writes two records to the radpostauth table: one, from the anonymous identity with the Calling-Station-ID set to the MAC address, and another, for the tunneled identity, with an empty calling ID.
You can fix that by editing the configuration files. That's why they're text. Alan DeKok.
On Sun, Sep 27, 2015 at 11:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
By default the post-auth module writes two records to the radpostauth table: one, from the anonymous identity with the Calling-Station-ID set to the MAC address, and another, for the tunneled identity, with an empty calling ID.
You can fix that by editing the configuration files. That's why they're text.
Right now the rule I'm using is " if (!request:Calling-Station-Id ) " which seems to work for my AP, but is there a better attribute i should be matching on? Some sort of "This-Is-An-Internal-Tunnel-EAP-Request==Yes" ? Or better yet: how can I dump the attributes in a request when debugging?
On 27 Sep 2015, at 11:16, Hernán Freschi <hjf@hjf.com.ar> wrote:
On Sun, Sep 27, 2015 at 11:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
By default the post-auth module writes two records to the radpostauth table: one, from the anonymous identity with the Calling-Station-ID set to the MAC address, and another, for the tunneled identity, with an empty calling ID.
You can fix that by editing the configuration files. That's why they're text.
Right now the rule I'm using is " if (!request:Calling-Station-Id ) " which seems to work for my AP, but is there a better attribute i should be matching on? Some sort of "This-Is-An-Internal-Tunnel-EAP-Request==Yes" ?
Or better yet: how can I dump the attributes in a request when debugging?
"%{debug_attr:request:}" In >= v3.0.x It's not possible in v2. Also if you're using v3 you can use the cache module to store various attributes and share them between the two protocols (assuming you're using FreeRADIUS for DHCP). If this is on a local network without you may want to look at use v3.1.x. v3.1.x now works correctly with broadcast DHCP packets with no additional configuration. The previous versions (2.2.x, v3.0.x) required you to specify the src_ipaddr of the server in the listen section, or specify it at runtime using various attributes. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
"%{debug_attr:request:}"
In >= v3.0.x
It's not possible in v2.
Also if you're using v3 you can use the cache module to store various attributes and share them between the two protocols (assuming you're using FreeRADIUS for DHCP).
If this is on a local network without you may want to look at use v3.1.x.
v3.1.x now works correctly with broadcast DHCP packets with no additional configuration. The previous versions (2.2.x, v3.0.x) required you to specify the src_ipaddr of the server in the listen section, or specify it at runtime using various attributes.
I am using 2.2.5 from Debian. There is no oficial package for 3 con debian, not even in unstable. I guess I should build from source.
On 27 Sep 2015, at 12:23, Hernán Freschi <hjf@hjf.com.ar> wrote:
"%{debug_attr:request:}"
In >= v3.0.x
It's not possible in v2.
Also if you're using v3 you can use the cache module to store various attributes and share them between the two protocols (assuming you're using FreeRADIUS for DHCP).
If this is on a local network without you may want to look at use v3.1.x.
v3.1.x now works correctly with broadcast DHCP packets with no additional configuration. The previous versions (2.2.x, v3.0.x) required you to specify the src_ipaddr of the server in the listen section, or specify it at runtime using various attributes.
I am using 2.2.5 from Debian. There is no oficial package for 3 con debian, not even in unstable.
I guess I should build from source.
make deb Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Sep 27, 2015, at 11:16 AM, Hernán Freschi <hjf@hjf.com.ar> wrote:
Right now the rule I'm using is " if (!request:Calling-Station-Id ) " which seems to work for my AP, but is there a better attribute i should be matching on? Some sort of "This-Is-An-Internal-Tunnel-EAP-Request==Yes" ?
If (outer.EAP-Message) { ... Which should work. Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Hernán Freschi