Special WIFI Router MAC check for the user's first connection. (Tom)

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Sep 1 15:48:18 CEST 2011


On 1 Sep 2011, at 15:40, 2394263740 wrote:

> Phil,
>  
> Thanks a lot for your great help.
>  
> I understand the scripts you wrote. But I don't know where I should put it in.
>  
> Can you please kindly advise which file I should edit?
>  
> /usr/local/etc/raddb/sites-available/default?

Yes, in the authorize section; that's why the script is encapsulated within an authorize {} stanza :)

-Arran

> 
>  
>  
> ------------------ Original ------------------
> From:  "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
> Date:  Thu, Sep 1, 2011 02:51 AM
> To:  "freeradius-users"<freeradius-users at lists.freeradius.org>;
> Subject:  Freeradius-Users Digest, Vol 76, Issue 108
>  
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
>       server (Phil Mayers)
>    2. Re: Special WIFI Router MAC check for the user's first
>       connection. (Phil Mayers)
>    3. Using rlm_passwd as a substitute for hunt groups
>       (Jan.Weiss at t-systems.com)
>    4. problem with LDAP backend (Frank Bonnet)
>    5. Re: problem with chillispot (Alan DeKok)
>    6. Re: problem with LDAP backend (Alan DeKok)
>    7. Rating usage (Shreya Shah)
>    8. Re: problem with chillispot (Goke M Aruna)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 31 Aug 2011 14:48:00 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS
> server
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E3B90.2020109 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 30/08/11 21:12, Glenn Machin wrote:
> > Phil - thanks for the feedback.
> >
> > I just ended up proxying out to the IAS server usernames starting with
> > "DOMAIN\".
> 
> Ok. Obviously that will fail if enters their wireless credentials 
> without a domain.
> 
> >
> > I configured the freeradius server to not support mschapv2 but will
> > support PEAP/GTC EAP/TLS.
> >
> >
> > It seems to be working fine with the Macs, iPads and Linux systems while
> > the windows systems are happy to talk to the IAS server.
> >
> >
> > It still bugs that ntlm_auth would not authenticate to the domain
> > controllers the challenge and nt-response.
> 
> I repeat: if you send debug info, people may be able to help.
> 
> >
> >
> > I assume no one else is having any issues using ntlm_auth to W2008
> > servers? It may be some Windows GPO at our site for all I know.
> 
> Exactly which version of windows (2008 or 2008R2?) and at which 
> functional level is your domain?
> 
> Did you try increasing the debug level for winbind using "smbcontrol" 
> and then examining the debug logs after a failed auth?
> 
> For what it's worth, we have no problems with Windows 2008R2 domain 
> controllers and the "samba3x" package available under RHEL5 (samba 
> version 3.5.4-0.70.el5). We did have problems with earlier (Samba 3.3) 
> versions after we'd upgraded to 2008R2 and upgraded functional level.
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 31 Aug 2011 14:55:35 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Special WIFI Router MAC check for the user's first
> connection.
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E3D57.2000903 at imperial.ac.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> On 31/08/11 12:38, 2394263740 wrote:
> 
> > For example, WIFI AP 26, has the MAC address MAC26. I need ensure one
> > WIFI user, say user 58, must connect to WIFI AP 26 for the first time.
> > After the first connection, user 58 can connect to any WIFI AP in the
> > network.
> > Can someone give some advice on how to do it?
> 
>   1. Create a whitelist of users who can authenticate to any AP using 
> files, rlm_passwd or ideally SQL - see the FreeRADIUS wiki
> 
>   2. If they are *not* found in the whitelist, check the 
> "Called-Station-Id" attribute, which usually contains the MAC address of 
> the AP. If your equipment uses a different attribute, check that.
> 
>   3. If the AP MAC is the correct one, add the user to the whitelist, 
> else reject
> 
> For example:
> 
> authorize {
> 
>   ...
>   update control {
>     Tmp-String-0 := "%{sql:select 1 from whitelist where username='%{User-Name}'}"
>   }
>   if (control:Tmp-String-0 == 1) {
>     # user is in whitelist
>   }
>   elsif (Called-Station-Id == "aa-bb-cc-dd-ee-ff") {
>     # user is connecting to the "whitelist" AP
>     update control {
>       Tmp-String-0 = "%{sql:insert into whitelist (username) values ('%{User-Name}')}"
>     }
>   }
>   else {
>     reject
>   }
>   ...
> 
> }
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 31 Aug 2011 16:11:48 +0200
> From: Jan.Weiss at t-systems.com
> Subject: Using rlm_passwd as a substitute for hunt groups
> To: <freeradius-users at lists.freeradius.org>
> Message-ID:
> <3DD77603D0726248A46541D5119607CE27DFC71606 at HE111524.emea1.cds.t-internal.com>
> 
> Content-Type: text/plain; charset="us-ascii"
> 
> >Did you remember to actually define 'My-Device-Group' as an attribute?
> >
> >-Arran
> >
> >Arran Cudbard-Bell
> >a.cudbardb at freeradius.org
> >
> >RADIUS - Half the complexity of Diameter
> 
> 
> Dictionary:
> ATTRIBUTE       My-Device-Group         3000    string
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 31 Aug 2011 17:02:32 +0200
> From: Frank Bonnet <f.bonnet at esiee.fr>
> Subject: problem with LDAP backend
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4E5E4D08.5060109 at esiee.fr>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hello
> 
> Still trying to use freeradius with chillispot I still have problems
> 
> I'm trying to use mixed authentication
> 
> MAC addresses for some video devices in the "users" file
> as follows :
> 
> 00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"
>                          Framed-IP-Address = 192.168.182.213,
>                          Fall-Through = Yes
> 
> LDAP backend for "real" users at the end of the "users" file I have this 
> statement
> 
> DEFAULT    Auth-Type = LDAP
>      Fall-Through = 1
> 
> This configuration were working well on a very old debian machine which 
> died suddenly
> 
> When I try to access the chilli portal it asks radius for authentication
> but it does not work. See below the debug trace of radius daemon.
> Help greatly appreciated, thank you.
> 
> 
> Wed Aug 31 16:52:39 2011 : Debug:   Processing the authorize section of 
> radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for 
> request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling 
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
> preprocess (rlm_preprocess) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module 
> "preprocess" returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   rlm_eap: No EAP-Message, not doing EAP
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
> eap (rlm_eap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "eap" 
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling files 
> (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:     users: Matched entry DEFAULT at 
> line 398
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
> files (rlm_files) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling ldap 
> (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user 
> authorization for xxxxxxxx
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  '(uid=xxx)'
> Wed Aug 31 16:52:39 2011 : Debug: radius_xlat:  'ou=Users,dc=esiee,dc=fr'
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in 
> ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira)
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access 
> for xxxxxxxx is allowed by uid
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in 
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in 
> directory...
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to 
> use remote access
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "ldap" 
> returns ok for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" 
> password found for the user.  Authentication may fail because of this.
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authorize]: returned from 
> pap (rlm_pap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize 
> (returns ok) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   rad_check_password:  Found Auth-Type 
> LDAP
> Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP"
> Wed Aug 31 16:52:39 2011 : Debug:   Processing the authenticate section 
> of radiusd.conf
> Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate 
> for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: calling 
> ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate
> Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is 
> required for authentication. Cannot use "CHAP-Password".
> Wed Aug 31 16:52:39 2011 : Debug:   modsingle[authenticate]: returned 
> from ldap (rlm_ldap) for request 15
> Wed Aug 31 16:52:39 2011 : Debug:   modcall[authenticate]: module "ldap" 
> returns invalid for request 15
> Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate 
> (returns invalid) for request 15
> Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user.
> Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds
> Wed Aug 31 16:52:39 2011 : Debug: Finished request 15
> Wed Aug 31 16:52:39 2011 : Debug: Going to the next request
> Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Wed, 31 Aug 2011 12:27:36 -0400
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4E5E60F8.8070409 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Goke M Aruna wrote:
> > Is it bug on freeradius v2?
> 
>   No.
> 
> > I got the chillispot working with freeradius 1.7 then and still tested
> > same recently but v2 of radius give same error while v1 work
> > seamlessly. I compiled this on centos 5.6.
> 
>   You mistyped the shared secret.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Wed, 31 Aug 2011 12:30:45 -0400
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: problem with LDAP backend
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4E5E61B5.2000601 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Frank Bonnet wrote:
> > MAC addresses for some video devices in the "users" file
> > as follows :
> > 
> > 00-06-F4-0D-08-66       Auth-Type := Local, User-Password == "xxxxxxxx"
> 
>   That's wrong.  See the debug output for reasons why.  See the FAQ for
> correct examples.
> 
> > LDAP backend for "real" users at the end of the "users" file I have this
> > statement
> > 
> > DEFAULT    Auth-Type = LDAP
> >     Fall-Through = 1
> 
>   That's not needed.
> 
> > Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is
> > required for authentication. Cannot use "CHAP-Password".
> 
>   That's pretty clear.  The NAS is sending a CHAP request.  You can't do
> that with "Auth-Type LDAP"
> 
>   Instead, list "ldap" in the "authorize" section.
> 
>   Don't set Auth-Type.  It's almost always wrong.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Wed, 31 Aug 2011 13:23:20 -0400
> From: Shreya Shah <shreya.nshah at gmail.com>
> Subject: Rating usage
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <CANN_Z9KOKD0HfM+s_wVmZTyobN=8qcLxbfdQBBrX+KBPUBo-2w at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Is it possible to rate users based on their data usage and reject
> authentication to those users exceeding the limit ?
> 
> I think I can achieve rating using counter.conf and reading the usage from
> radacct but not sure how to reject this user from authenticating when he
> exceeds this usage limit ?
> 
> Thanks,
> Shreya.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20110831/ad586a05/attachment.html>
> 
> ------------------------------
> 
> Message: 8
> Date: Wed, 31 Aug 2011 19:51:20 +0100
> From: Goke M Aruna <goksie at gmail.com>
> Subject: Re: problem with chillispot
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID:
> <CAE=DitpQoroJHxQA7u+BtCuXhEh0_1V-TahmuW1ntgiO9_e69Q at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi Allan,
> Mistyped shared-secret? How can I confirm that?
> 
> Thank you.
> 
> On 8/31/11, Alan DeKok <aland at deployingradius.com> wrote:
> > Goke M Aruna wrote:
> >> Is it bug on freeradius v2?
> >
> >   No.
> >
> >> I got the chillispot working with freeradius 1.7 then and still tested
> >> same recently but v2 of radius give same error while v1 work
> >> seamlessly. I compiled this on centos 5.6.
> >
> >   You mistyped the shared secret.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> -- 
> Sent from my mobile device
> 
> 
> ------------------------------
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
> End of Freeradius-Users Digest, Vol 76, Issue 108
> *************************************************
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
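The policy Phil Mayers sketches in message 2 of the quoted digest (look the user up in a whitelist; if absent, allow only when Called-Station-Id is the enrolment AP, and enrol them; otherwise reject), modelled below in Python as an added example that is neither FreeRADIUS code nor anything from the thread. It goes beyond the unlang snippet in two ways that a practitioner would want: Called-Station-Id is normalised before comparison (NAS equipment sends it with various separators, case, and often an appended ":SSID"), and the whitelist insert is done only after authentication succeeds, since the authorize section runs before the password is checked and an insert there would enrol a user who merely attempted a login on the right AP. The AP MAC, the user name, the sqlite table and the `password_ok` flag that stands in for the authenticate section are all constructed for this example.

```python
"""Model of the "first connection must be on AP X" policy.

Added example, not FreeRADIUS code: it mimics what the unlang in the
thread does (whitelist lookup, Called-Station-Id check, reject), but
commits the whitelist entry only after authentication succeeds.
"""
import re
import sqlite3

# Placeholder enrolment-AP MAC, the same constructed value used in the thread.
ENROLMENT_AP_MAC = "aa-bb-cc-dd-ee-ff"

# Six hex pairs with optional '-', ':' or '.' separators; anchored at the
# start only, so an appended ':SSID' (common on wireless NAS) is ignored.
_MAC_RE = re.compile(r"^" + r"[-:.]?".join([r"([0-9a-fA-F]{2})"] * 6))


def normalize_mac(called_station_id):
    """Return the AP MAC as lowercase 'aa-bb-cc-dd-ee-ff', or None if the
    attribute does not start with a MAC address."""
    m = _MAC_RE.match(called_station_id.strip())
    if not m:
        return None
    return "-".join(g.lower() for g in m.groups())


def new_db():
    """In-memory stand-in for the SQL whitelist table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (username TEXT PRIMARY KEY)")
    return db


def is_whitelisted(db, username):
    # Parameterized query: the User-Name is client-supplied input.
    row = db.execute("SELECT 1 FROM whitelist WHERE username = ?",
                     (username,)).fetchone()
    return row is not None


def authorize(db, username, called_station_id):
    """Mirror of the authorize-section decision. Returns:
    'ok'     - user already whitelisted, any AP allowed
    'enrol'  - not whitelisted but connecting via the enrolment AP
    'reject' - not whitelisted and on some other AP"""
    if is_whitelisted(db, username):
        return "ok"
    if normalize_mac(called_station_id) == ENROLMENT_AP_MAC:
        return "enrol"
    return "reject"


def post_auth(db, username, decision):
    """Run only after a successful authentication: this is where the
    whitelist insert belongs, so a failed password attempt on the
    enrolment AP does not enrol the user."""
    if decision == "enrol":
        db.execute("INSERT OR IGNORE INTO whitelist (username) VALUES (?)",
                   (username,))
        db.commit()


def simulate(db, username, called_station_id, password_ok):
    """Whole flow for one Access-Request. `password_ok` stands in for the
    authenticate section (PAP/EAP), which this model does not run."""
    decision = authorize(db, username, called_station_id)
    if decision == "reject":
        return "Access-Reject"
    if not password_ok:
        return "Access-Reject"
    post_auth(db, username, decision)
    return "Access-Accept"


if __name__ == "__main__":
    db = new_db()
    # Constructed requests: first via the enrolment AP, then elsewhere.
    print(simulate(db, "user58", "AA-BB-CC-DD-EE-FF:Corp", True))  # Access-Accept
    print(simulate(db, "user58", "11-22-33-44-55-66", True))       # Access-Accept
```

In the real server the `authorize` part maps onto the unlang shown in the thread and the `post_auth` part onto a `post-auth {}` section that performs the insert; keeping the insert out of `authorize` is the design choice worth carrying over, as is using the sql module's escaping (or a parameterized store) for anything built from `User-Name`.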
