Special WIFI Router MAC check for the user's first connection. (Tom)

2394263740 2394263740 at qq.com
Thu Sep 1 15:40:54 CEST 2011


Phil,
  
 Thanks a lot for your great help.
  
 I understand the scripts you wrote, but I don't know where I should put them.
  
 Can you please kindly advise which file I should edit?
  
 /usr/local/etc/raddb/sites-available/default?
  
 Where should I put the scripts you wrote previously, and in which context?
  
 Thanks!
  
 Tom
   
  
  ------------------ Original ------------------
  From:  "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
 Date:  Thu, Sep 1, 2011 02:51 AM
 To:  "freeradius-users"<freeradius-users at lists.freeradius.org>; 
 
 Subject:  Freeradius-Users Digest, Vol 76, Issue 108

  


Today's Topics:

   1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
      server (Phil Mayers)
   2. Re: Special WIFI Router MAC check for the user's first
      connection. (Phil Mayers)
   3. Using rlm_passwd as a substitute for hunt groups
      (Jan.Weiss at t-systems.com)
   4. problem with LDAP backend (Frank Bonnet)
   5. Re: problem with chillispot (Alan DeKok)
   6. Re: problem with LDAP backend (Alan DeKok)
   7. Rating usage (Shreya Shah)
   8. Re: problem with chillispot (Goke M Aruna)


----------------------------------------------------------------------

Message: 1
Date: Wed, 31 Aug 2011 14:48:00 +0100
From: Phil Mayers <p.mayers at imperial.ac.uk>
Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
server
To: freeradius-users at lists.freeradius.org
Message-ID: <4E5E3B90.2020109 at imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 30/08/11 21:12, Glenn Machin wrote:
> Phil - thanks for the feedback.
>
> I just ended up proxying out to the IAS server usernames starting with
> "DOMAIN\".

Ok. Obviously that will fail if a user enters their wireless credentials 
without a domain.

>
> I configured the freeradius server to not support mschapv2 but will
> support PEAP/GTC EAP/TLS.
>
>
> It seems to be working fine with the Macs, iPads and Linux systems while
> the windows systems are happy to talk to the IAS server.
>
>
> It still bugs that ntlm_auth would not authenticate to the domain
> controllers the challenge and nt-response.

I repeat: if you send debug info, people may be able to help.

>
>
> I assume no one else is having any issues using ntlm_auth to W2008
> servers? It may be some Windows GPO at our site for all I know.

Exactly which version of windows (2008 or 2008R2?) and at which 
functional level is your domain?

Did you try increasing the debug level for winbind using "smbcontrol" 
and then examining the debug logs after a failed auth?

For what it's worth, we have no problems with Windows 2008R2 domain 
controllers and the "samba3x" package available under RHEL5 (samba 
version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) 
versions after we'd upgraded to 2008R2 and upgraded functional level.


------------------------------

Message: 2
Date: Wed, 31 Aug 2011 14:55:35 +0100
From: Phil Mayers <p.mayers at imperial.ac.uk>
Subject: Re: Special WIFI Router MAC check for the user's first
connection.
To: freeradius-users at lists.freeradius.org
Message-ID: <4E5E3D57.2000903 at imperial.ac.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 31/08/11 12:38, 2394263740 wrote:

> For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
> WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
> After the first connection, user 58 can connect to any WIFI AP in the
> network.
> Can someone give some advice on how to do it?

  1. Create a whitelist of users who can authenticate to any AP using 
files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki

  2. If they are *not* found in the whitelist, check the 
"Called-Station-Id" attribute, which usually contains the MAC address of 
the AP. If your equipment uses a different attribute, check that.

  3. If the AP MAC is the correct one, add the user to the whitelist, 
else reject

For example:

authorize {

  ...
  update control {
    # "1" if the user is already in the whitelist, empty otherwise
    Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
  }
  if (control:Tmp-String-0 == "1") {
    # user is in whitelist
  }
  elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
    # user is connecting to the "whitelist" AP
    # (check the exact format your NAS sends: some append ":SSID",
    # some use ':' or no separator between the octets)
    update control {
      Tmp-String-0 := "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
    }
  }
  else {
    reject
  }
  ...

}

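An added example, not code from Phil or from the FreeRADIUS project: a Python model of the policy above with the whitelist kept in SQLite, so the whole decision can be run offline. Two details a practitioner will want are handled here. Called-Station-Id is canonicalised before it is compared, because NAS equipment writes the AP MAC with '-', ':', '.' or no separators and often appends ":SSID", so an exact string compare silently rejects everyone. And the whitelist row is written in post-auth, only after the password has been verified; an insert in authorize runs before the credentials are checked, so a failed attempt at the enrolment AP would already enrol the name. Parameterised statements stand in for the escaping the %{sql:...} expansion applies to substituted attribute values. The class and function names, the whitelist table layout and every MAC, SSID and username below are assumptions for the illustration.

```python
"""Added example: first-connection AP gate with the whitelist in SQLite.
Names, table layout and all sample values are constructed for illustration."""
import re
import sqlite3

# MAC of the enrolment AP ("AP 26" in the question); constructed value.
ENROL_AP_MAC = "aa-bb-cc-dd-ee-ff"

# Leading MAC in the usual NAS spellings; anything after it (e.g. ":SSID") is ignored.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}")


def normalise_mac(called_station_id):
    """Canonicalise Called-Station-Id to lower-case aa-bb-cc-dd-ee-ff.

    Accepts AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, AABBCCDDEEFF
    and the MAC:SSID form. Returns None when no MAC is present, so a missing
    or malformed attribute can never compare equal to the enrolment AP.
    """
    if not called_station_id:
        return None
    match = _MAC_RE.match(called_station_id)
    if match is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", match.group(0)).lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class FirstApPolicy:
    """Whitelist-or-enrolment-AP decision, mirroring the unlang block."""

    def __init__(self, conn, enrol_ap_mac):
        self.conn = conn
        self.enrol_ap = normalise_mac(enrol_ap_mac)
        conn.execute(
            "CREATE TABLE IF NOT EXISTS whitelist ("
            "username TEXT PRIMARY KEY, enrolled_ap TEXT NOT NULL)"
        )

    def is_whitelisted(self, username):
        # Bound parameter: the username is never spliced into SQL text.
        row = self.conn.execute(
            "SELECT 1 FROM whitelist WHERE username = ?", (username,)
        ).fetchone()
        return row is not None

    def authorize(self, request):
        """authorize-section logic: 'ok' to proceed to authentication, else 'reject'."""
        username = request.get("User-Name")
        if not username:
            return "reject"
        if self.is_whitelisted(username):
            return "ok"  # already enrolled: any AP is fine
        if normalise_mac(request.get("Called-Station-Id")) == self.enrol_ap:
            return "ok"  # first connection, at the enrolment AP
        return "reject"

    def post_auth(self, request, accepted):
        """Enrol only after the credentials were verified. Returns True if a row was added."""
        if not accepted:
            return False
        username = request["User-Name"]
        ap = normalise_mac(request.get("Called-Station-Id"))
        if ap != self.enrol_ap or self.is_whitelisted(username):
            return False
        self.conn.execute(
            "INSERT OR IGNORE INTO whitelist (username, enrolled_ap) VALUES (?, ?)",
            (username, ap),
        )
        self.conn.commit()
        return True


def run_scenario():
    """Constructed walk-through of user 58's first connections.

    Returns one (authorize decision, accepted, newly enrolled) tuple per step.
    """
    conn = sqlite3.connect(":memory:")
    policy = FirstApPolicy(conn, ENROL_AP_MAC)
    steps = [
        # (Called-Station-Id as a NAS might send it, would the password check pass?)
        ("11-22-33-44-55-66:Campus", True),   # some other AP first: rejected before auth
        ("AA:BB:CC:DD:EE:FF:Campus", False),  # enrolment AP, wrong password: not enrolled
        ("AA:BB:CC:DD:EE:FF:Campus", True),   # enrolment AP, good password: enrolled
        ("11-22-33-44-55-66:Campus", True),   # afterwards any AP is accepted
    ]
    log = []
    for called_station_id, password_ok in steps:
        request = {"User-Name": "user58", "Called-Station-Id": called_station_id}
        decision = policy.authorize(request)
        accepted = decision == "ok" and password_ok
        log.append((decision, accepted, policy.post_auth(request, accepted)))
    return log


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Called-Station-Id is asserted by the NAS and is only as trustworthy as the RADIUS client and its shared secret; it tells you which AP the client associated to, not who the user is, which is why the credential check and not the AP match is what triggers enrolment here.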

------------------------------

Message: 3
Date: Wed, 31 Aug 2011 16:11:48 +0200
From: Jan.Weiss at t-systems.com
Subject: Using rlm_passwd as a substitute for hunt groups
To: <freeradius-users at lists.freeradius.org>
Message-ID:
<3DD77603D0726248A46541D5119607CE27DFC71606 at HE111524.emea1.cds.t-internal.com>

Content-Type: text/plain; charset="us-ascii"

>Did you remember to actually define 'My-Device-Group' as an attribute?
>
>-Arran
>
>Arran Cudbard-Bell
>a.cudbardb at freeradius.org
>
>RADIUS - Half the complexity of Diameter


Dictionary:
ATTRIBUTE       My-Device-Group         3000    string


------------------------------

Message: 4
Date: Wed, 31 Aug 2011 17:02:32 +0200
From: Frank Bonnet <f.bonnet at esiee.fr>
Subject: problem with LDAP backend
To: freeradius-users at lists.freeradius.org
Message-ID: <4E5E4D08.5060109 at esiee.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello

Still trying to use freeradius with chillispot, I still have problems.

I'm trying to use mixed authentication

MAC addresses for some video devices in the "users" file
as follows :

00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"
                         Framed-IP-Address = 192.168.182.213,
                         Fall-Through = Yes

LDAP backend for "real" users at the end of the "users" file I have this 
statement

DEFAULT    Auth-Type = LDAP
     Fall-Through = 1

This configuration was working well on a very old Debian machine which 
died suddenly.

When I try to access the chilli portal it asks radius for authentication
but it does not work. See below the debug trace of the radius daemon.
Help greatly appreciated, thank you.


Wed Aug 31 16:52:39 2011 : Debug:   Processing the authorize section of 
radiusd.conf
Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for 
request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "eap" 
returns noop for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 15
Wed Aug 31 16:52:39 2011 : Debug:     users: Matched entry DEFAULT at 
line 398
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "files" 
returns ok for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 15
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user 
authorization for xxxxxxxx
Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  '(uid=xxx)'
Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  'ou=Users,dc=esiee,dc=fr'
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in 
ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access 
for xxxxxxxx is allowed by uid
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in 
directory...
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in 
directory...
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to 
use remote access
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
ldap (rlm_ldap) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "ldap" 
returns ok for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling pap 
(rlm_pap) for request 15
Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" 
password found for the user.  Authentication may fail because of this.
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
pap (rlm_pap) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "pap" 
returns noop for request 15
Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize 
(returns ok) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   rad_check_password:  Found Auth-Type 
LDAP
Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"
Wed Aug 31 16:52:39 2011 : Debug:   Processing the authenticate section 
of radiusd.conf
Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate 
for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: calling 
ldap (rlm_ldap) for request 15
Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate
Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is 
required for authentication. Cannot use "CHAP-Password".
Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: returned 
from ldap (rlm_ldap) for request 15
Wed Aug 31 16:52:39 2011 : Debug:   modcall[authenticate]: module "ldap" 
returns invalid for request 15
Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate 
(returns invalid) for request 15
Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.
Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds
Wed Aug 31 16:52:39 2011 : Debug: Finished request 15
Wed Aug 31 16:52:39 2011 : Debug: Going to the next request
Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---



------------------------------

Message: 5
Date: Wed, 31 Aug 2011 12:27:36 -0400
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: problem with chillispot
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4E5E60F8.8070409 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Goke M Aruna wrote:
> Is it bug on freeradius v2?

  No.

> I got the chillispot working with freeradius 1.7 then and still tested
> same recently but v2 of radius give same error while v1 work
> seamlessly. I compiled this on centos 5.6.

  You mistyped the shared secret.

  Alan DeKok.


------------------------------

Message: 6
Date: Wed, 31 Aug 2011 12:30:45 -0400
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: problem with LDAP backend
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4E5E61B5.2000601 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Frank Bonnet wrote:
> MAC addresses for some video devices in the "users" file
> as follows :
> 
> 00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"

  That's wrong.  See the debug output for reasons why.  See the FAQ for
correct examples.

> LDAP backend for "real" users at the end of the "users" file I have this
> statement
> 
> DEFAULT    Auth-Type = LDAP
>     Fall-Through = 1

  That's not needed.

> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> required for authentication. Cannot use "CHAP-Password".

  That's pretty clear.  The NAS is sending a CHAP request.  You can't do
that with "Auth-Type LDAP"

  Instead, list "ldap" in the "authorize" section.

  Don't set Auth-Type.  It's almost always wrong.

  Alan DeKok.

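An added example of the layout Alan is pointing at, not text from the thread or from the FreeRADIUS FAQ; the MAC, password and address are the placeholders from Frank's post and the module ordering is the stock FreeRADIUS 2.x default virtual server. The device entry carries its password as a check item that rlm_pap and rlm_chap can verify, no Auth-Type is forced anywhere, and the DEFAULT entry and Fall-Through are gone because ldap is simply listed in authorize.

```text
# users file: device with a locally held password.  Cleartext-Password is
# the "known good" password rlm_pap/rlm_chap compare against; no Auth-Type.
00-06-F4-0D-08-66       Cleartext-Password := "xxxxxxxx"
                        Framed-IP-Address = 192.168.182.213

# No "DEFAULT  Auth-Type = LDAP" entry.  Instead the virtual server
# (sites-enabled/default) lists ldap among the authorize modules:
authorize {
    preprocess
    chap
    mschap
    eap
    files       # the device entries above
    ldap        # fetches the directory password for "real" users
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    eap
}
```

The trace in Frank's post shows the NAS sending CHAP-Password. CHAP can only be verified against the cleartext password, so this works for directory users only if rlm_ldap can return userPassword in the clear; a hashed userPassword ({SSHA}, {CRYPT} and so on) is enough for PAP but cannot satisfy a CHAP request, and the only fixes then are a cleartext-capable attribute in the directory or switching the NAS to PAP.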

------------------------------

Message: 7
Date: Wed, 31 Aug 2011 13:23:20 -0400
From: Shreya Shah <shreya.nshah at gmail.com>
Subject: Rating usage
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Is it possible to rate users based on their data usage and reject
authentication to those users exceeding the limit ?

I think I can achieve rating using counter.conf and reading the usage from
radacct but not sure how to reject this user from authenticating when he
exceeds this usage limit ?

Thanks,
Shreya.

------------------------------

Message: 8
Date: Wed, 31 Aug 2011 19:51:20 +0100
From: Goke M Aruna <goksie at gmail.com>
Subject: Re: problem with chillispot
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi Alan,
Mistyped shared-secret? How can I confirm that?

Thank you.

On 8/31/11, Alan DeKok <aland at deployingradius.com> wrote:
> Goke M Aruna wrote:
>> Is it bug on freeradius v2?
>
>   No.
>
>> I got the chillispot working with freeradius 1.7 then and still tested
>> same recently but v2 of radius give same error while v1 work
>> seamlessly. I compiled this on centos 5.6.
>
>   You mistyped the shared secret.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

-- 
Sent from my mobile device


------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 76, Issue 108
*************************************************