(Solved) Re: MAC authorisation (but not authentication) via LDAP

Alan Walters alan at radiowave.ie
Wed Apr 11 09:13:00 CEST 2007


We are trying to add MAC authentication to our wireless APs. The RADIUS request
comes in like so.

rad_recv: Access-Request packet from host 10.250.100.3:1038, id=119,
length=95
        Service-Type = Framed-User
        NAS-Port-Id = "wlan1"
        User-Name = "00:0B:6B:56:1D:48"
        User-Password = ""
        NAS-Identifier = "ballyvaughan_ap_1"
        NAS-IP-Address = 10.250.100.3


The MAC address is in a field in the LDAP, so I created a second
ldap.attrib.map and a new LDAP Autz-Type. The problem is that the
User-Password that is sent is blank, so I added this to the users file,
like so.

DEFAULT Huntgroup-Name == test, Autz-Type := ldapMAC, User-Password ==
"", Simultaneous-Use := 1
       Fall-Through = 0

Great, now the user will authorise and authenticate from files. But what
I had hoped would happen was that if they fail authorisation they would
not continue; I can see this is not the default procedure. How can I
make this work this way?

  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    users: Matched entry DEFAULT at line 4
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  Found Autz-Type ldapMAC
  Processing the authorize section of radiusd.conf
modcall: entering group ldapMAC for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0B:6B:56:1D:48
radius_xlat:  '(rdwaveuserWirelessMac=00:0B:6B:56:1D:48)'
radius_xlat:  'o=clients,dc=radiowave,dc=net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=admin,dc=radiowave,dc=net/xxxxxxx to 127.0.0.1:389
radiustest:/etc/freeradius/config-clients#
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=clients,dc=radiowave,dc=net, with
filter (rdwaveuserWirelessMac=00:0B:6B:56:1D:48)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldapmac1" returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
modcall: leaving group ldapMAC (returns notfound) for request 0


But when the authentication starts, this still happens. Below was an
idea someone had in respect of this issue or a similar one, but I have no
idea how to deploy it. I look forward to your replies.

auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant  for request 0
  modcall[session]: module "sql2" returns noop for request 0
modcall: leaving group redundant  (returns noop) for request 0
modcall: leaving group session (returns noop) for request 0
Login OK: [00:0B:6B:56:1D:48/] (from client ballyvaughan port 0)
Sending Access-Accept of id 119 to 10.250.100.3 port 1038


On Sun, 2007-02-25 at 20:05 +0000, Martin Whinnery wrote:
> Martin Whinnery wrote:
> > Markus Krause wrote:
> >   
> >> Zitat von Martin Whinnery <martin.whinnery at sbc.ac.uk>:
> >>
> >>   
> >>     
> >>> Hi.
> >>>
> >>> Probably just me not understanding...
> >>>
> >>> What I want is for our switches to only allow access to MAC addresses in
> >>> our LDAP database.
> >>>
> >>> I don't want to store passwords on our LDAP host entries.
> >>>
> >>> I'm set up to check LDAP during authorisation, and it correctly returns
> >>> authorised / not authorised depending on whether the appropriate
> >>> attribute contains the right value.
> >>>
> >>> The trouble comes with authentication - either I set Auth-Type :=
> >>> Accept, in which case any failed authorisation is overridden, or I allow
> >>> authentication to carry on against LDAP ( or System, or whatever ), in
> >>> which case it fails always and access is denied, even for authorised MACs.
> >>>
> >>> Is there a way to make the Authorisation part final and authoritative?
> >>>
> >>>
> >>> As I say, probably just being stoopid.
> >>>
> >>>
> >>> Mart
> >>>
> >>>
> >>>     
> >>>       
> >> Don't know if it is a good solution, but I just do this by setting the
> >> following in radiusd.conf:
> >>
> >> authenticate {
> >>      ...
> >>      Auth-Type LdapMAC {
> >>         ok
> >>      }
> >>      ...
> >> }
> >>
> >> The Auth-Type is set in the users file depending on huntgroups:
> >>
> >> DEFAULT  Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
> >>
> >> I assume there are better/smarter solutions, as one can read "don't
> >> set Auth-Type" in many places, but it works here ;-)
> >>
> >> regards
> >>    markus
> >>
> >>   
> >>     
> > Thanks Markus,
> >
> > the problem seems to be that the authorisation pass returns "notfound", 
> > whereas I want it to "reject", as if it found an entry in LDAP without 
> > the appropriate attribute.
> >
> > Mart
> >
> >   
> This was exactly the problem. What I've done is created an exec module, 
> which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning 
> non-zero if there's a match. So authorization *fails* rather than 
> succeeds with 'not found'.
> 
> I think.
> 
> Anyway, it works.
> 
> Thanks for all your help.
> 
> Mart
> 


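As an added example (not code from the thread), here is a POSIX shell script in the spirit of Martin's exec-module fix: it denies the request when the accumulated Module-Failure-Message shows the LDAP MAC lookup came back "not found", and additionally refuses any User-Name that is not in the colon-separated MAC form the APs send. It assumes the script is run by an rlm_exec instance with wait = yes and input_pairs = request, so that request attributes reach it as environment variables (Module-Failure-Message becoming MODULE_FAILURE_MESSAGE, as Martin describes); the sample failure message is constructed from the debug output above.

```shell
#!/bin/sh
# mac_authz_check.sh (hypothetical name): exit 0 = let the request continue,
# non-zero = the exec module fails, so the request is rejected instead of
# falling through to Auth-Type Local with the empty User-Password.

# Deny (return 1) when the failure message recorded by earlier modules shows
# the LDAP search for the MAC returned "not found"; allow (return 0) otherwise.
mac_authz_check() {
    case "$1" in
        *"not found"*) return 1 ;;
    esac
    return 0
}

# Accept only User-Names shaped like 00:0B:6B:56:1D:48 (the form the APs
# send); anything else must not ride the empty-password DEFAULT entry.
is_mac_user_name() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Combined decision: $1 = User-Name, $2 = Module-Failure-Message (may be empty).
authorize_mac() {
    is_mac_user_name "$1" || return 1
    mac_authz_check "$2"
}

# Entry point when launched by rlm_exec. USER_NAME and NAS_IP_ADDRESS are
# present in every Access-Request shown above; when the script is sourced
# outside rlm_exec it only defines the functions and ends with status 0.
if [ -n "${USER_NAME:-}" ] && [ -n "${NAS_IP_ADDRESS:-}" ]; then
    authorize_mac "$USER_NAME" "${MODULE_FAILURE_MESSAGE:-}"
    exit $?
fi
```

List the exec instance in authorize after the ldapMAC group so the failure message from the LDAP search is already in the request when the script runs.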
