Reject authentication attempts based on "cli" value?
tnt at kalik.co.yu
tnt at kalik.co.yu
Thu Mar 15 22:39:30 CET 2007
That will be Calling-Station-ID attribute:
DEFAULT Calling-Station-ID =~ ^192.168.100 , Auth-Type := Reject
Reply-Message = "Let them know what's going on."
you probably don't need to escape the dots with backslashes. Not sure if
you need " before and after regexp.
Ivan Kalik
Kalik Informatika ISP
Dana 15/3/2007, "Sam Schultz" <segfault90 at hushmail.com> piše:
>I'm not sure what that "cli" value is. Have you checked the radius
>attributes page to see if it is standard? If you have any way to
>pull that information to the radius server external of freeradius,
>I suppose you could use the exec module. I doubt it would be
>efficient at all, though.
>
>Looks like your best bet is to pour through your radius debugging
>logs, and see if you can find a radius attribute that has what you
>need in it. If you do happen to find one, my previous suggestion
>would be easy enough to modify to accommodate.
>
>On Thu, 15 Mar 2007 13:09:06 -0500 "Capelle, Mark (PCMC-GB)"
><Mark.Capelle at pcmc.com> wrote:
>>Actually, I don't think this will help since the wireless
>>controller IP
>>that freeradius "sees" is *not* in the 192.168.100.* range. This
>>controller uses LWAPP, so the IP ranges that the wireless networks
>>use
>>are totally contained within the wireless infrastructure, which
>>means
>>that the NAS IP is actually the LAN IP address of the controller.
>>
>>Again, it appears the only way for my to determine that the client
>>request is coming from the wrong subnet is via the "cli" value.
>>If
>>Cisco would just fix the guest wireless implementation to only
>>look at
>>the internal database or give you an option to specify this, all
>>would
>>be well. But... since they don't, I have to figure out how to
>>break
>>RADIUS for one subnet and yet allow it to function for the rest.
>>
>>-----Original Message-----
>>From: Sam Schultz [mailto:segfault90 at hushmail.com]
>>Sent: Thursday, March 15, 2007 12:46 PM
>>To: freeradius-users at lists.freeradius.org; Capelle, Mark (PCMC-GB)
>>Subject: Re: Reject authentication attempts based on "cli" value?
>>
>>An entry like this in your 'users' file should work:
>>
>>DEFAULT NASIPAddress =~ "192.168.100.*"
>> Auth-Type := Reject
>>
>>I'm not sure '*' is the appropriate regular expression character
>>for freeradius, but you should be able to verify that pretty
>>quickly
>>from the documentation. Operator information itself can be found
>>on:
>>
>>http://wiki.freeradius.org/Operators
>>
>>On Thu, 15 Mar 2007 11:23:23 -0500 markcapelle at pcmc.com wrote:
>>>It is a Cisco WLAN 4402. For reference, here is a log entry from
>>
>>>a user
>>>connecting from the Guest network:
>>>
>>> Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from
>>>client
>>>PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
>>>
>>>And here is a log entry from someone connecting via 802.1x on
>>>another
>>>network:
>>>
>>> Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser]
>>
>>>(from
>>>client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)
>>>
>>>As you can see the only way I have to differentiate these two
>>auth
>>>attempts
>>>is via the "cli" value. 192.168.100.x is the subnet range of my
>>>Guest
>>>network. I want all auth attempts from 192.168.100.x to be
>>>rejected.
>>>
>>>Hope someone can help me out with this.
>>>
>>>Thanks.
>>>
>>>>Date: Thu, 15 Mar 2007 10:55:55 -0400
>>>>From: "King, Michael" <MKing at bridgew.edu>
>>>>Subject: RE:
>>>>To: "FreeRadius users mailing list"
>>>> <freeradius-users at lists.freeradius.org>
>>>>Message-ID:
>>>>
>>><6641F169E241EA40B29DE7BFAD24674DA7A43B at EXCH2.campus.bridgew.edu>
>>>>Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>>What manufacturer makes the NAS (the wireless controller?)
>>>>
>>>>I would look to the Called-Station field. Usually (Based on
>>>Cisco AP's)
>>>this is the MAC of the AP, followed by the SSID they connected
>>to.
>>>>
>>>>> -----Original Message-----
>>>>> From:
>>>>> freeradius-users-bounces+mking=bridgew.edu at lists.freeradius.or
>>>>> g
>>>>> [mailto:freeradius-users-bounces+mking=bridgew.edu at lists.freer
>>>>> adius.org] On Behalf Of markcapelle at pcmc.com
>>>>> Sent: Thursday, March 15, 2007 10:48 AM
>>>>> To: freeradius-users at lists.freeradius.org
>>>>> Subject:
>>>>>
>>>>> I have a situation where I have a wireless controller that
>>>services
>>>>> multiple wireless networks (vlans).? When the controller
>>>contacts the
>>>>> RADIUS server with an authentication request, it does so with
>>>the IP
>>>>> address of the controller as the client address.? The problem
>>>is I
>>>>> have a guest network that has lower security than my other
>>>wireless
>>>>> networks.? The guest network has it's own user/password
>>>database
>>>>> stored in the controller, but the way authentication occurs is
>>
>>>that it
>>>>> checks RADIUS for the user first and assumes it will fail,
>>then
>>>will
>>>>> use the internal database.? The issue with this is that if one
>>
>>>of my
>>>>> users jumps on the guest network, they are authenticated which
>>
>>>is not
>>>>> what I want to happen.? Looking at the logs, I noticed that
>>all
>>>the
>>>>> guest network users have the IP address of the client in the
>>>"cli"
>>>>> field.? My guest network is a totally different VLAN and IP
>>>subnet.
>>>>>
>>>>> Is there a way to key off of the "cli" field and then make it
>>>so that
>>>>> all requests from clients with a specific subnet in this field
>>
>>>are not
>>>>> authenticated?? This would stop my internal users from
>>>connecting, but
>>>>> allow the correct users (those in the internal DB) to still
>>get
>>>>> connected.
>>>>>
>>>>> Thanks.
>>>>> CONFIDENTIALITY NOTICE: This e-mail may contain trade
>>secrets
>>>or
>>>>> privileged, undisclosed or otherwise confidential information.
>>
>>>If you
>>>>> have received this e-mail in error, you are hereby notified
>>>that any
>>>>> review, copying or distribution of this message in whole or in
>>
>>>part is
>>>>> strictly prohibited.
>>>>> Please inform the sender immediately and destroy the original
>>>>> transmittal. Thank you for your cooperation.
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>>>>>
>>> CONFIDENTIALITY NOTICE: This e-mail may contain trade secrets
>>or
>>>privileged, undisclosed or otherwise confidential information. If
>>
>>>you have
>>>received this e-mail in error, you are hereby notified that any
>>>review,
>>>copying or distribution of this message in whole or in part is
>>>strictly
>>>prohibited. Please inform the sender immediately and destroy the
>>>original
>>>transmittal. Thank you for your cooperation.
>>>
>>>-
>>>List info/subscribe/unsubscribe? See
>>>http://www.freeradius.org/list/users.html
>>
>>--
>>Click here for free information on nursing jobs, up to $150/hour
>>http://tagline.hushmail.com/fc/CAaCXv1Rz1rlcvSEadQx6HQWGb8Bu3X2/
>
>--
>Click for free info on online masters degrees and make $150K/ year
>http://tagline.hushmail.com/fc/CAaCXv1S74n6Yp0DOeHM036F5MyaEXtW/
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list