Freeradius-Users Digest, Vol 8, Issue 82
Stefan Adams
stefan at borgia.com
Mon Dec 19 19:44:02 CET 2005
Hey, guys! Thanks for the great replies!! I like what you suggested
better than what I've come up with in the meantime. I think what I
came up with will work, it just seems messy/wrong/inefficient. What
do you think?
modules {
    ldap {
        :
        # Match the user and require the (rewritten) Called-Station-Id,
        # i.e. the SSID, to be listed as a radiusGroupName on the user's object.
        filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Called-Station-ID}))"
        :
    }

    # Strip the 17-byte dash-separated MAC and the following colon,
    # leaving only the SSID in Called-Station-Id.
    attr_rewrite getssid {
        attribute = Called-Station-Id
        searchin = packet
        searchfor = ".................:"
        replacewith = ""
        ignore_case = yes
        new_attribute = no
    }
}

authorize {
    # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
    preprocess
    eap
    getssid
    ldap
}
This cuts off the first 17 bytes and then a colon of the
Called-Station-ID (My AP transmits a dash separated MAC followed by a
colon and then the SSID). Then it uses this rewritten
Called-Station-ID and uses that as a filter in the LDAP search.
Therefore, if the SSID a user tries to connect to is not listed as an
attribute of the user's LDAP object, the user is denied.
Does that make sense?
But I am definitely going to try implementing the suggestions from
Dusty and Alan (below).
Thanks, guys!!
Stefan
> Date: Mon, 19 Dec 2005 11:02:33 -0500 (EST)
> From: Dusty Doris <freeradius at mail.doris.cc>
> Subject: Re: Authorization
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20051219104900.T19542 at mail.doris.name>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> > Let's say I have 2 groups: students and faculty.
> > I want to authorize authenticated members of the LDAP group
> > cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~
> > "/:StudentWLAN$/"
> > I want to authorize authenticated members of the LDAP group
> > cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~
> > "/:FacultyWLAN$/"
>
>
> You left out your ldap part? Anyway it should look something like this.
>
> groupname_attribute = cn
> groupmembership_filter = "(&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))"
>
> Of course you'll have to change that to fit with how your directory is
> structured. Once you've got that part down, then in the users file you
> could do something like this.
>
> DEFAULT Called-Station-ID =~ "/:StudentWLAN$/", Ldap-Group == "students"
>
> DEFAULT Called-Station-ID =~ "/:FacultyWLAN$/", Ldap-Group == "faculty"
>
> DEFAULT Auth-Type := Reject
>
> That would look to see if Called-Station-ID matches that regex. If so, it
> would look to see if they are in the Ldap-Group of students. Your
> groupmembership filter and groupname_attribute should look for a group
> named cn=students and then see if the DN of the user is in it.
>
> If not, it would fall through to the Reject statement. Now, there are
> other things going on outside of ldap that I don't really know about, so a
> copy/paste of what I wrote might not work. But, it should help lead you
> in the right direction.
>
> I'd give it a shot running in debug mode (radiusd -X) and then you can see
> the exact queries that are taking place and what is happening. You can
> then go back and modify those ldap group statements and the users file to
> fit what you need.
>
> Once you've got it started if you need more help, please post debug output
> and what you would expect vs what you got and we can probably help sort it
> out.
>
> ------------------
>
> Message: 6
> Date: Mon, 19 Dec 2005 11:47:24 -0500
> From: "Alan DeKok" <aland at ox.org>
> Subject: Re: Authorization
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20051219164724.55C0717115 at mail.nitros9.org>
>
> Stefan Adams <stefan at borgia.com> wrote:
> > I have read all the man pages and /docs and am having a difficult time
> > understanding the authorization. I keep wanting to write
> > "if...elseif...else" stuff but I'm pretty sure that doesn't apply to
> > FreeRADIUS config files.
>
> Unfortunately, yes.
>
> > How would I configure the checkval module? Is it even necessary to use the
> > checkval module? How would I configure the users file? Is the users file
> > even necessary?
>
> I wouldn't configure the checkval module. Just the "users" module,
> something like:
>
> DEFAULT LDAP-Group == faculty, Called-Station-Id != "faculty", Auth-Type := Reject
>
> DEFAULT LDAP-Group == students, Called-Station-Id != "students", Auth-Type := Reject
>
> > P.S. I don't know who to direct compliments to, but the FreeRADIUS code is
> > probably the most beautifully structured source code I have ever read. It
> > is SO easy to read and extremely consistent! It's phenomenal!
>
> You can thank everyone who contributed so far. :)
>
> Alan DeKok.
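The policy the thread is arguing over (which SSID each LDAP group may use, deny everything else) can be modelled outside FreeRADIUS so the two ways of extracting the SSID and the two styles of users-file rule can be compared on sample input. The script below is an added example, not configuration or code from the thread or from the FreeRADIUS project: the rlm_ldap group lookup is replaced by a constructed dictionary, the user names, group names and MAC addresses are made up, and Alan's two-line sketch is read as "reject a group member on the wrong SSID", which is an interpretation, not his exact rule.

```python
"""Model of the SSID-per-LDAP-group authorization discussed in the thread.

Added example, not FreeRADIUS code: the rlm_ldap group lookup and the
users-file matching are replaced by plain Python so the policy can be
run and checked offline. Usernames, group names and MACs are constructed.
"""
import re
from typing import Dict, Optional, Set

# Constructed stand-in for what rlm_ldap's Ldap-Group check would resolve.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "alice": {"students"},
    "bob": {"faculty"},
    "carol": {"students", "faculty"},
    "dave": set(),            # authenticated, but in neither group
}

# Group -> SSID its members may use: the /:StudentWLAN$/ and /:FacultyWLAN$/
# regexes from the users-file entries, reduced to the SSID itself.
GROUP_SSID: Dict[str, str] = {
    "students": "StudentWLAN",
    "faculty": "FacultyWLAN",
}


def ssid_by_offset(called_station_id: str) -> str:
    """Stefan's attr_rewrite: searchfor = 17 bytes plus ':' replaced with ''.

    Works only while the AP formats the MAC as exactly 17 characters.
    attr_rewrite leaves the attribute untouched when the pattern does not
    match, so another MAC format would feed the whole string to the LDAP
    filter unchanged.
    """
    m = re.match(r"^.{17}:", called_station_id)
    return called_station_id[m.end():] if m else called_station_id


def ssid_by_suffix(called_station_id: str) -> Optional[str]:
    """Suffix match as in Called-Station-ID =~ "/:<SSID>$/": text after the last ':'."""
    _, sep, ssid = called_station_id.rpartition(":")
    return ssid if sep else None


def authorize_positive(user: str, called_station_id: str) -> bool:
    """Dusty's users file: accept on a (group, SSID) match, otherwise fall
    through to DEFAULT Auth-Type := Reject."""
    groups = LDAP_GROUPS.get(user, set())
    ssid = ssid_by_suffix(called_station_id)
    if ssid is None:
        return False
    return any(group in groups and ssid == allowed
               for group, allowed in GROUP_SSID.items())


def authorize_negative(user: str, called_station_id: str) -> bool:
    """Alan's sketch read as 'reject a group member on the wrong SSID'.

    With no closing reject entry a user in neither group is accepted, and a
    user in both groups is rejected on every SSID; the positive form above
    does not have either property.
    """
    groups = LDAP_GROUPS.get(user, set())
    ssid = ssid_by_suffix(called_station_id)
    for group, allowed in GROUP_SSID.items():
        if group in groups and ssid != allowed:
            return False
    return True


if __name__ == "__main__":
    csid = "00-11-22-33-44-55:StudentWLAN"   # constructed Called-Station-Id
    print(ssid_by_offset(csid), ssid_by_suffix(csid))
    for user in LDAP_GROUPS:
        print(user, authorize_positive(user, csid), authorize_negative(user, csid))
```

Running it with the constructed `dave` (no groups) and `carol` (both groups) shows why the trailing `DEFAULT Auth-Type := Reject` in Dusty's version matters: without it, a user who is in no group is let onto any SSID. The suffix match also does not depend on the MAC being 17 bytes, which the fixed-offset rewrite does.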