(Solved) Re: MAC authorisation (but not authentication) via LDAP
Alan Walters
alan at radiowave.ie
Wed Apr 11 09:13:00 CEST 2007
We are trying to add MAC authentication to our wireless APs. The RADIUS request
comes in like so.
rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
length=95
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0B:6B:56:1D:48"
User-Password = ""
NAS-Identifier = "ballyvaughan_ap_1"
NAS-IP-Address = 10.250.100.3
The MAC address is in a field in the LDAP, so I created a second
ldap.attrib.map and a new LDAP Autz-Type. The problem is that the
User-Password that is sent is blank, so I added this to the users file,
like so.
DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password ==
"", Simultaneous-Use := 1
Fall-Through = 0
Great, now the user will authorise and authenticate from files. But what
I had hoped would happen was that if they fail authorisation they would
not continue; I can see this is not the default procedure. How can I
make this work this way?
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
users: Matched entry DEFAULT at line 4
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
Found Autz-Type ldapMAC
Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat: '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat: 'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389
radiustest:/etc/freeradius/config-clients#
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldapmac1" returns notfound for request 0
modcall: leaving group redundant (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0
But when the authentication starts this still happens. Below was an
idea someone had in respect to this issue or a similar one, but I have no
idea how to deploy this. Look forward to your replies.
auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
modcall[session]: module "sql2" returns noop for request 0
modcall: leaving group redundant (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038
On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
> Martin Whinnery wrote:
> > Markus Krause wrote:
> >
> >> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
> >>
> >>
> >>
> >>> Hi.
> >>>
> >>> Probably just me not understanding...
> >>>
> >>> What I want is for our switches to only allow access to MAC addresses in
> >>> our LDAP database.
> >>>
> >>> I don't want to store passwords on our LDAP host entries.
> >>>
> >>> I'm set up to check LDAP during authorisation, and it correctly returns
> >>> authorised / not authorised depending on whether the appropriate
> >>> attribute contains the right value.
> >>>
> >>> The trouble comes with authentication - either I set Auth-Type :=
> >>> Accept, in which case any failed authorisation is overridden, or I allow
> >>> authentication to carry on against LDAP ( or System, or whatever ), in
> >>> which case it fails always and access is denied, even for authorised MACs.
> >>>
> >>> Is there a way to make the Authorisation part final and authoritative?
> >>>
> >>>
> >>> As I say, probly just being stoopid.
> >>>
> >>>
> >>> Mart
> >>>
> >>>
> >>>
> >>>
> >> Don't know if it is a good solution, but I just do this by setting the
> >> following in radiusd.conf:
> >>
> >> authenticate {
> >> ...
> >> Auth-Type LdapMAC {
> >> ok
> >> }
> >> ...
> >> }
> >>
> >> the Auth-Type is set in users file depending on huntgroups:
> >>
> >> DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> >>
> >> I assume there are better/smarter solutions, as one can read "don't
> >> set Auth-Type" in many places, but it works here ;-)
> >>
> >> regards
> >> markus
> >>
> >>
> >>
> > Thanks Markus,
> >
> > The problem seems to be that the authorisation pass returns "notfound",
> > whereas I want it to "reject", as if it found an entry in LDAP without
> > the appropriate attribute.
> >
> > Mart
> >
> >
> This was exactly the problem. What I've done is created an exec module,
> which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning
> non-zero if there's a match. So authorization *fails* rather than
> succeeds with 'not found'.
>
> I think.
>
> Anyway, it works.
>
> Thanks for all your help.
>
> Mart
>
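Martin describes an exec module that inspects MODULE_FAILURE_MESSAGE and exits non-zero when the LDAP lookup reported "not found", so that authorisation fails instead of falling through to the Auth-Type Local / blank-password accept seen in the debug output above. The script below is an added illustration of that idea, not code from the thread or from the FreeRADIUS project. The module name ldapmac_guard, the script path and the radiusd.conf wiring in the comments are assumptions; what is taken from the thread is the environment-variable name and the rule "non-zero exit on a 'not found' message". It also matches the full rlm_ldap "search failed" line from the debug output, which goes slightly beyond the single phrase Martin grepped for.

```shell
#!/bin/sh
# Hypothetical rlm_exec helper (added example, not from the thread).
#
# Assumed wiring in radiusd.conf (module name and path are assumptions):
#
#   exec ldapmac_guard {
#       wait = yes
#       program = "/usr/local/bin/ldapmac_guard.sh"
#       input_pairs = request
#   }
#
# placed in the authorize section directly after the LDAP MAC lookup.
# With wait = yes, rlm_exec exports the request attributes as environment
# variables (Module-Failure-Message becomes MODULE_FAILURE_MESSAGE) and
# treats exit status 0 as "ok" and a non-zero status as a failure, which
# is the behaviour Martin's post relies on.

# mac_lookup_ok MESSAGE
# Returns 0 (shell true) when MESSAGE carries no sign of a failed LDAP
# lookup, and 1 when it contains the rlm_ldap "not found" / "search
# failed" wording shown in the debug output, so the caller can turn a
# "notfound" authorize result into a denial.
mac_lookup_ok() {
    msg="$1"
    case "$msg" in
        *"not found"*|*"search failed"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Under FreeRADIUS the variable is set (possibly empty) whenever the
# attribute is present in the request; its absence means the LDAP pass
# recorded no failure, so the script falls through and exits 0.
if [ -n "${MODULE_FAILURE_MESSAGE+set}" ]; then
    if mac_lookup_ok "$MODULE_FAILURE_MESSAGE"; then
        exit 0          # lookup fine: let authorize continue
    else
        echo "ldapmac_guard: denying, LDAP reported: $MODULE_FAILURE_MESSAGE" >&2
        exit 1          # non-zero: authorize fails instead of accepting
    fi
fi
```

Run directly with no MODULE_FAILURE_MESSAGE in the environment the script exits 0; to try the deny path by hand, export MODULE_FAILURE_MESSAGE="rlm_ldap: object not found or got ambiguous search result" before invoking it and check $? is 1. Note that this only helps when the LDAP module actually records a failure message for the miss; a lookup that returns "notfound" silently would still need Markus's approach of a dedicated Auth-Type or a users entry that does not unconditionally set a blank User-Password.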