Authentication check by VLAN
joaocdc at gmail.com
Thu Aug 25 15:31:01 CEST 2011
Hello,
I am using FreeRADIUS to authenticate against multiple databases, some in LDAP
and others in SQL. I am authenticating wireless networks where I have multiple
SSIDs, and each SSID logs its users in against a different database. All of
these databases are on the same RADIUS server, which chooses the database based
on the Realm used by the users, as follows:
authorize {
    ...
    if (Realm == "fpti") {
        ldap_fpti
    }
    if (Realm == "pti") {
        ldap_pti
    }
    if (Realm == "visitantes") {
        sql_visitantes
    }
    ...
}
This model works, but it has a (very serious) problem: RADIUS does not know
from which SSID the client is trying to authenticate; it chooses the
authentication database solely on the basis of the client's Realm. I need to
make RADIUS check the VLAN that is associated with the user's authentication
request. In the radius debug output I can see that an Access-Request packet
carries the following information:
...
rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204,
length=184
User-Name = "joao at fpti"
Calling-Station-Id = "68-a3-c4-85-c5-89"
Called-Station-Id = "00-26-cb-94-65-60:FPTI"
NAS-Port = 29
NAS-IP-Address = 192.168.254.48
NAS-Identifier = "WLC-PTI"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = 0x020500061500
State = 0xfd87ee8cfe82fb655b300470157cca59
Message-Authenticator = 0xb9a2c29a193593e8f1165dc71ab487c1
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
...
In the authorize section, I then tried to check the required VLAN before
letting the request reach the database for authorization, as follows:
authorize {
    ...
    if (Tunnel-Private-Group-Id:0 == 5) {
        # FPTI LDAP database
        if (Realm == "fpti") {
            ldap_fpti
        }
    }
    if (Tunnel-Private-Group-Id:0 == 30) {
        # All PTI residents, via badge number
        if (Realm == "pti") {
            ldap_pti
        }
        # Visitors SQL database
        if (Realm == "visitantes") {
            sql_visitantes
        }
    }
    ...
}
But unfortunately this is not working (as shown in the log below):
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++? if (Tunnel-Private-Group-Id:0 == 5)
? Evaluating (Tunnel-Private-Group-Id:0 == 5) -> FALSE
++? if (Tunnel-Private-Group-Id:0 == 5) -> FALSE
++? if (Tunnel-Private-Group-Id:0 == 30)
? Evaluating (Tunnel-Private-Group-Id:0 == 30) -> FALSE
++? if (Tunnel-Private-Group-Id:0 == 30) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: joao at fpti
[mschap] Told to do MS-CHAPv2 for joao at fpti with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [joao at fpti] (from client controladora-wlan-1 port 0 via TLS tunnel)
Note that all of the conditional "if"s fail.
I should also say that if I try to use Tunnel-Private-Group-Id without the ":0"
at the end, the logs say that the attribute was not found. I mention this
because in several examples I saw on the internet only "Tunnel-Private-Group-Id"
was used (with ":0" at the end).
So my question is: how can I make this check?
Thank you for your attention.
--
João Paulo de Lima Barbosa
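One way to make this check work, added here as an example that is not part of the original post and not taken from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang syntax and reuses the module instance names (ldap_fpti, ldap_pti, sql_visitantes) and VLAN IDs (5 and 30) from the configuration in the post. The point it illustrates is visible in the debug output: the conditions are being evaluated in the inner-tunnel virtual server ("Executing group from file .../inner-tunnel"), whose request list holds only what the supplicant sent inside the TLS tunnel, so the Tunnel-* attributes the controller added to the outer Access-Request are not there and the comparison is always FALSE. They have to be referenced through the outer request; in 2.x that is done with the outer.request list, here via the %{outer.request:...} expansion.

```unlang
# Added example (not the poster's configuration). Assumes FreeRADIUS 2.x unlang.
# File: sites-enabled/inner-tunnel, authorize section.

authorize {
    # ... the existing modules (suffix, eap, files, ...) stay above this block.

    # The Tunnel-* attributes were sent by the WLC in the OUTER Access-Request.
    # Inside the EAP tunnel they are only reachable via the outer request list,
    # so a plain "Tunnel-Private-Group-Id:0 == 5" here is always FALSE.
    #
    # Tunnel-Private-Group-Id is a string attribute (the debug prints "5" in
    # quotes), so it is compared against a quoted string, not a number.
    if ("%{outer.request:Tunnel-Private-Group-Id}" == "5") {
        # FPTI LDAP database
        if (Realm == "fpti") {
            ldap_fpti
        }
    }
    elsif ("%{outer.request:Tunnel-Private-Group-Id}" == "30") {
        # All PTI residents, via badge number
        if (Realm == "pti") {
            ldap_pti
        }
        # Visitors SQL database
        if (Realm == "visitantes") {
            sql_visitantes
        }
    }
    else {
        # A request that arrived on a VLAN we do not expect must not fall
        # through to any database: reject it explicitly instead of letting
        # the Realm alone decide (the exact problem described in the post).
        reject
    }

    # Alternative keyed on the SSID rather than the VLAN: the WLC appends the
    # SSID to Called-Station-Id ("00-26-cb-94-65-60:FPTI" in the debug), so the
    # same selection can be written as a regex match on the outer attribute:
    #
    #   if ("%{outer.request:Called-Station-Id}" =~ /:FPTI$/) { ... }
}
```

If you would rather keep the conditions written against the plain attribute names, FreeRADIUS 2.x also offers copy_request_to_tunnel = yes in the ttls and peap sections of eap.conf, which copies the outer request's attributes into the inner request (when they are not already present) before the inner-tunnel server runs; either approach makes the VLAN visible at the point where the database is chosen.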
More information about the Freeradius-Users mailing list