Special WIFI Router MAC check for the user's first connection. (Tom)
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Sep 1 15:48:18 CEST 2011
On 1 Sep 2011, at 15:40, 2394263740 wrote:
> Phil,
>
> Thanks a lot for your great help.
>
> I understand the scripts you wrote. But I don't know where I should put it in.
>
> Can you please kindly advise which file I should edit?
>
> /usr/local/etc/raddb/sites-available/default?
Yes, in the authorize section; that's why the script is encapsulated within an authorize {} stanza :)
-Arran
>
>
>
> ------------------ Original ------------------
> From: "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
> Date: Thu, Sep 1, 2011 02:51 AM
> To: "freeradius-users"<freeradius-users at lists.freeradius.org>;
> Subject: Freeradius-Users Digest, Vol 76, Issue 108
>
>
> Today's Topics:
>
> 1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
> server (Phil Mayers)
> 2. Re: Special WIFI Router MAC check for the user's first
> connection. (Phil Mayers)
> 3. Using rlm_passwd as a substitute for hunt groups
> (Jan.Weiss at t-systems.com)
> 4. problem with LDAP backend (Frank Bonnet)
> 5. Re: problem with chillispot (Alan DeKok)
> 6. Re: problem with LDAP backend (Alan DeKok)
> 7. Rating usage (Shreya Shah)
> 8. Re: problem with chillispot (Goke M Aruna)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 31 Aug 2011 14:48:00 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
> server
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E3B90.2020109 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 30/08/11 21:12, Glenn Machin wrote:
> > Phil - thanks for the feedback.
> >
> > I just ended up proxying out to the IAS server usernames starting with
> > "DOMAIN\".
>
> Ok. Obviously that will fail if a user enters their wireless credentials
> without a domain.
>
> >
> > I configured the freeradius server to not support mschapv2 but will
> > support PEAP/GTC EAP/TLS.
> >
> >
> > It seems to be working fine with the Macs, iPads and Linux systems while
> > the windows systems are happy to talk to the IAS server.
> >
> >
> > It still bugs that ntlm_auth would not authenticate to the domain
> > controllers the challenge and nt-response.
>
> I repeat: if you send debug info, people may be able to help.
>
> >
> >
> > I assume no one else is having any issues using ntlm_auth to W2008
> > servers? It may be some Windows GPO at our site for all I know.
>
> Exactly which version of windows (2008 or 2008R2?) and at which
> functional level is your domain?
>
> Did you try increasing the debug level for winbind using "smbcontrol"
> and then examining the debug logs after a failed auth?
>
> For what it's worth, we have no problems with Windows 2008R2 domain
> controllers and the "samba3x" package available under RHEL5 (samba
> version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3)
> versions after we'd upgraded to 2008R2 and upgraded functional level.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 31 Aug 2011 14:55:35 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Special WIFI Router MAC check for the user's first
> connection.
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E3D57.2000903 at imperial.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 31/08/11 12:38, 2394263740 wrote:
>
> > For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
> > WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
> > After the first connection, user 58 can connect to any WIFI AP in the
> > network.
> > Can someone give some advice on how to do it?
>
> 1. Create a whitelist of users who can authenticate to any AP using
> files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
>
> 2. If they are *not* found in the whitelist, check the
> "Called-Station-Id" attribute, which usually contains the MAC address of
> the AP. If your equipment uses a different attribute, check that.
>
> 3. If the AP MAC is the correct one, add the user to the whitelist,
> else reject
>
> For example:
>
> authorize {
>
>     ...
>     update control {
>         Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
>     }
>     if (control:Tmp-String-0 == 1) {
>         # user is in whitelist
>     }
>     elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
>         # user is connecting to the "whitelist" AP
>         update control {
>             Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
>         }
>     }
>     else {
>         reject
>     }
>     ...
>
> }
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Aug 2011 16:11:48 +0200
> From: Jan.Weiss at t-systems.com
> Subject: Using rlm_passwd as a substitute for hunt groups
> To: <freeradius-users at lists.freeradius.org>
> Message-ID:
> <3DD77603D0726248A46541D5119607CE27DFC71606 at HE111524.emea1.cds.t-internal.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> >Did you remember to actually define 'My-Device-Group' as an attribute?
> >
> >-Arran
> >
> >Arran Cudbard-Bell
> >a.cudbardb at freeradius.org
> >
> >RADIUS - Half the complexity of Diameter
>
>
> Dictionary:
> ATTRIBUTE My-Device-Group 3000 string
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 31 Aug 2011 17:02:32 +0200
> From: Frank Bonnet <f.bonnet at esiee.fr>
> Subject: problem with LDAP backend
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E4D08.5060109 at esiee.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hello
>
> Still trying to use freeradius with chillispot I still have problems
>
> I'm trying to use mixed authentication
>
> MAC addresses for some video devices in the "users" file
> as follows :
>
> 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
>         Framed-IP-Address = 192.168.182.213,
>         Fall-Through = Yes
>
> LDAP backend for "real" users at the end of the "users" file I have this
> statement
>
> DEFAULT Auth-Type = LDAP
>         Fall-Through = 1
>
> This configuration was working well on a very old Debian machine which
> died suddenly.
>
> When I try to access the chilli portal it asks radius for authentication
> but it does not work. See below the debug trace of the radius daemon.
> Help greatly appreciated, thank you.
>
>
> Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of
> radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for
> request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module
> "preprocess" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap
> (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from
> eap (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap"
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at
> line 398
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from
> files (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files"
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap
> (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user
> authorization for xxxxxxxx
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)'
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr'
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in
> ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access
> for xxxxxxxx is allowed by uid
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to
> use remote access
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap"
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap
> (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good"
> password found for the user. Authentication may fail because of this.
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from
> pap (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap"
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize
> (returns ok) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type
> LDAP
> Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"
> Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section
> of radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate
> for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate
> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> required for authentication. Cannot use "CHAP-Password".
> Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned
> from ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap"
> returns invalid for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate
> (returns invalid) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.
> Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds
> Wed Aug 31 16:52:39 2011 : Debug: Finished request 15
> Wed Aug 31 16:52:39 2011 : Debug: Going to the next request
> Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 31 Aug 2011 12:27:36 -0400
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4E5E60F8.8070409 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Goke M Aruna wrote:
> > Is it bug on freeradius v2?
>
> No.
>
> > I got the chillispot working with freeradius 1.7 then and still tested
> > the same recently, but v2 of radius gives the same error while v1 works
> > seamlessly. I compiled this on centos 5.6.
>
> You mistyped the shared secret.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 31 Aug 2011 12:30:45 -0400
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: problem with LDAP backend
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4E5E61B5.2000601 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Frank Bonnet wrote:
> > MAC addresses for some video devices in the "users" file
> > as follows :
> >
> > 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
>
> That's wrong. See the debug output for reasons why. See the FAQ for
> correct examples.
>
> > LDAP backend for "real" users at the end of the "users" file I have this
> > statement
> >
> > DEFAULT Auth-Type = LDAP
> > Fall-Through = 1
>
> That's not needed.
>
> > Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> > required for authentication. Cannot use "CHAP-Password".
>
> That's pretty clear. The NAS is sending a CHAP request. You can't do
> that with "Auth-Type LDAP"
>
> Instead, list "ldap" in the "authorize" section.
>
> Don't set Auth-Type. It's almost always wrong.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 31 Aug 2011 13:23:20 -0400
> From: Shreya Shah <shreya.nshah at gmail.com>
> Subject: Rating usage
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Is it possible to rate users based on their data usage and reject
> authentication to those users exceeding the limit ?
>
> I think I can achieve rating using counter.conf and reading the usage from
> radacct but not sure how to reject this user from authenticating when he
> exceeds this usage limit ?
>
> Thanks,
> Shreya.
>
> ------------------------------
>
> Message: 8
> Date: Wed, 31 Aug 2011 19:51:20 +0100
> From: Goke M Aruna <goksie at gmail.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Alan,
> Mistyped shared-secret? How can I confirm that?
>
> Thank you.
>
> On 8/31/11, Alan DeKok <aland at deployingradius.com> wrote:
> > Goke M Aruna wrote:
> >> Is it bug on freeradius v2?
> >
> > No.
> >
> >> I got the chillispot working with freeradius 1.7 then and still tested
> >> the same recently, but v2 of radius gives the same error while v1 works
> >> seamlessly. I compiled this on centos 5.6.
> >
> > You mistyped the shared secret.
> >
> > Alan DeKok.
>
>
>
> ------------------------------
>
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Half the complexity of Diameter
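An added illustration of Phil's three-step logic in message 2 above, not code from the thread: the check is replayed in Python, with an in-memory set standing in for the SQL whitelist table and a constructed value for the MAC of AP 26. It also normalizes Called-Station-Id, because NAS vendors send the AP MAC in different formats (dashes, colons, dotted, sometimes with the SSID appended) and the literal string compare in the unlang snippet only matches one of them.

```python
import re

# Accepts the MAC formats commonly seen in Called-Station-Id: "aa-bb-cc-dd-ee-ff",
# "AA:BB:CC:DD:EE:FF", "aabb.ccdd.eeff", optionally followed by ":<SSID>".
_MAC_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[:.-]?){6})")


def normalize_mac(called_station_id):
    """Return the AP MAC as lower-case 'aa:bb:cc:dd:ee:ff', or None if unrecognised."""
    m = _MAC_RE.match(called_station_id.strip())
    if not m:
        return None
    digits = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request, whitelist, enrolment_ap):
    """Mirror of the quoted unlang: whitelisted users pass; a first-time user passes
    only via the enrolment AP and is then added to the whitelist (the SQL insert);
    anything else is rejected. Returns (decision, reason)."""
    user = request.get("User-Name", "")
    if user in whitelist:
        return "accept", "user already in whitelist"
    ap = normalize_mac(request.get("Called-Station-Id", ""))
    if ap is None:
        return "reject", "Called-Station-Id missing or not an AP MAC"
    if ap == enrolment_ap:
        whitelist.add(user)  # first connection via the right AP: enrol the user
        return "accept", "first connection via enrolment AP; user whitelisted"
    return "reject", "first connection must come from the enrolment AP"


# Constructed sample data: stands in for the SQL whitelist table and the MAC of AP 26.
ENROLMENT_AP = "aa:bb:cc:dd:ee:ff"
SAMPLE_REQUESTS = [
    {"User-Name": "user58", "Called-Station-Id": "AA-BB-CC-DD-EE-FF:CorpWiFi"},
    {"User-Name": "user58", "Called-Station-Id": "11:22:33:44:55:66"},
    {"User-Name": "user59", "Called-Station-Id": "1122.3344.5566"},
    {"User-Name": "user59"},
]


def run_demo():
    """Replay the constructed requests in order and return the decisions."""
    whitelist = {"user12"}  # users already enrolled
    return [authorize(r, whitelist, ENROLMENT_AP)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_demo()):
        print(req.get("User-Name"), req.get("Called-Station-Id"), "->", decision)
```

The second request for user58 is accepted from an arbitrary AP only because the first one enrolled the user; in the real deployment that state lives in the SQL table, so the insert must succeed before the accept is returned.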
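An added illustration of Alan's point in message 6 (not code from the thread): an LDAP bind needs the cleartext User-Password, while a CHAP response can only be verified by recomputing it from a cleartext "known good" password, so an authenticate-time rlm_ldap bind has nothing to work with when the NAS sends CHAP-Password. The directory, user and password are constructed values.

```python
import hashlib

# Constructed stand-in for the directory: a bind can be attempted with a password the
# server was given, but the stored password is never handed back by the bind itself.
DIRECTORY = {"alice": b"correct horse"}


def ldap_bind(user, password):
    """Simulates an LDAP simple bind: succeeds only with the user's real password."""
    return DIRECTORY.get(user) == password


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticate_via_bind(request):
    """'Auth-Type LDAP': all this can do is bind with User-Password."""
    if "User-Password" not in request:
        # The situation in the debug trace: CHAP-Password arrives, there is no cleartext
        # to bind with, and a bind cannot be run against an MD5 digest.
        return "invalid: User-Password required, cannot use CHAP-Password"
    return "ok" if ldap_bind(request["User-Name"], request["User-Password"]) else "reject"


def authenticate_chap(request, known_good_password):
    """What CHAP verification needs: a cleartext known-good password (e.g. fetched by
    ldap in authorize) to recompute the response and compare with what the NAS sent."""
    ident = request["CHAP-Password"][0]         # RFC 2865: first octet is the CHAP ident
    response = request["CHAP-Password"][1:]     # followed by the 16-byte MD5 response
    expected = chap_response(ident, known_good_password, request["CHAP-Challenge"])
    return "ok" if expected == response else "reject"


def build_chap_request(user, password, challenge, ident=1):
    """Constructed NAS-side request: the cleartext password never leaves the NAS."""
    return {"User-Name": user, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}


def demo():
    """The same CHAP request tried both ways, plus a PAP request for comparison."""
    req = build_chap_request("alice", b"correct horse", b"\x01" * 16)
    return {"chap_via_bind": authenticate_via_bind(req),
            "chap_with_known_good": authenticate_chap(req, b"correct horse"),
            "chap_wrong_known_good": authenticate_chap(req, b"wrong"),
            "pap_via_bind": authenticate_via_bind(
                {"User-Name": "alice", "User-Password": b"correct horse"})}
```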