Matching Airespace-Wlan-Id in users files or radgroupcheck database
Adam Wien
adam.wien at gmail.com
Wed Feb 17 17:40:01 CET 2010
Here's my database setup.
mysql> select * from radcheck where username='adam at cpanel.net';
+------+-------------------+--------------------+----+----------+
| id   | username          | attribute          | op | value    |
+------+-------------------+--------------------+----+----------+
| 1072 | adam at cpanel.net | Cleartext-Password | := | BLANK    |
+------+-------------------+--------------------+----+----------+
1 row in set (0.00 sec)
mysql>
mysql> select * from radgroupcheck;
+------+-----------+-------------------+----+-------+
| id   | groupname | attribute         | op | value |
+------+-----------+-------------------+----+-------+
| 1072 | Sysadmin  | Airespace-Wlan-Id | == | 9     |
+------+-----------+-------------------+----+-------+
1 row in set (0.02 sec)
mysql>
mysql> select * from radusergroup;
+-------------------+-----------+----------+
| username          | groupname | priority |
+-------------------+-----------+----------+
| adam at cpanel.net | Sysadmin  |        1 |
+-------------------+-----------+----------+
1 row in set (0.02 sec)
mysql>
Here's my radiusd -X output
rad_recv: Access-Request packet from host 208.74.121.102 port 24716, id=18, length=201
        User-Name = "adam at cpanel.net"
        Calling-Station-Id = "f8-1e-df-f4-c3-36"
        Called-Station-Id = "00-26-cb-a0-cf-a0:SecWifiTesting0"
        NAS-Port = 1
        NAS-IP-Address = 172.31.2.250
        NAS-Identifier = "WLC1.3131"
        Airespace-Wlan-Id = 8
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "200"
        EAP-Message = 0x02010014016164616d406370616e656c2e6e6574
        Message-Authenticator = 0x194b1cc6aba2fdf6fe796d58e57f5e04
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_eap: EAP packet type response id 1 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
expand: %{User-Name} -> adam at cpanel.net
rlm_sql (sql): sql_set_user escaped user --> 'adam at cpanel.net'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'adam at cpanel.net' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'adam at cpanel.net' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'adam at cpanel.net' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Sysadmin' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 18 to 208.74.121.102 port 24716
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6a1490ae6a168516e9c153b1a670f7e8
Finished request 2.
Going to the next request
I set the 'Airespace-Wlan-Id == 9' and I'm connecting to 'Airespace-Wlan-Id == 8' and it's still allowing me to connect.
On Feb 17, 2010, at 12:56 AM, Alan DeKok wrote:
> Adam Wien wrote:
>> I'm trying to get FreeRadius working with a Cisco WLC.
>>
>> I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
>>
>> I can't seem to deny access using this attribute.
>
> "I tried stuff and it didn't work".
>
>> Is there a trick to this?
>
> Describe what you did (text copied from the configuration files), and
> what happened (text copied from debug output)
>
> Alan DeKok.