Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept

Michael Gorven michael at gorven.za.net
Tue Jun 12 22:32:30 CEST 2012


Hi

I have set up WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu
10.04.4 with an OpenLDAP backend, and can successfully authenticate
using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and
using eapol_test). I am now trying to restrict access to specific SSIDs
based on the LDAP groups which users belong to.

From what I can gather, I need to add appropriate rules to
/etc/freeradius/users which match the SSID/group combinations, and
reject everything else. The problem I'm having is with the default
reject, not the SSID/group matching.

My first attempt was this:

DEFAULT Ldap-Group == "employees"
DEFAULT Auth-Type := Reject

But this immediately rejects the Access-Request in the outer tunnel,
because the "anonymous" user is not in the "employees" group. I then
modified it to this so that it only matches inner tunnel requests:

DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."

The inner tunnel Access-Request is now sent and members of the
"employees" group are accepted, but non-members are not actually
rejected. I see the users entry being matched, and the Reply-Message is
even set, but the server responds with Access-Accept and eapol_test
reports SUCCESS.

Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not
a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01
via TLS tunnel)
Info:   WARNING: Empty section.  Using default return values.
...
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may
access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may
access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may
access this SSID."
        User-Name = "mgorven"

eapol_test receives an Access-Accept with the Reply-Message set.

RADIUS message: code=2 (Access-Accept) identifier=11 length=233
   Attribute 18 (Reply-Message) length=64
      Value: 'User does not belong to any groups which may access this
SSID.'
   Attribute 1 (User-Name) length=9
      Value: 'mgorven'
...
SUCCESS

Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting
copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and
TTLS sections, but this didn't make a difference. How do I actually
reject an inner tunnel request?

Michael

-- 
http://michael.gorven.za.net
PGP Key ID 1E016BE8
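The users file entries from the post, as an added example that is not part of the mailing-list thread or the FreeRADIUS project: a small parser that splits each entry into its first-line check items and its indented reply items, which is the distinction the server applies, plus a lint that flags Auth-Type placed among the reply items. USERS_AS_POSTED, USERS_CORRECTED and the function names are hypothetical; the corrected variant moves Auth-Type := Reject onto the first line, and that this is where it takes effect is this example's assumption about the fix, not something the post states.

```python
import re

# Constructed samples (not from the poster's server): the second entry as
# posted, with Auth-Type after the comma on the indented line, beside a
# variant that moves Auth-Type onto the first line. That it belongs on the
# first line is this example's assumption about the fix.
USERS_AS_POSTED = '''\
DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."
'''
USERS_CORRECTED = '''\
DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
'''

# attribute, operator, value; a quoted value may contain spaces and commas
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^\s,]+)')

def parse_items(text):
    """Return (attribute, operator, value) triples from one item list."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Split users-file text into entries of check items and reply items.

    The first line of an entry holds the name and the check items; the
    indented lines that follow hold the reply items.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                     # continuation: reply items
            entries[-1]["reply"] += parse_items(line)
        else:                                     # new entry: check items
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries

def rejects(entry):
    """True only when Auth-Type := Reject is among the entry's check items."""
    return ("Auth-Type", ":=", "Reject") in entry["check"]

def lint(text):
    """1-based numbers of entries whose reply items carry Auth-Type."""
    return [n for n, e in enumerate(parse_users(text), 1)
            if any(a == "Auth-Type" for a, _, _ in e["reply"])]
```

Run lint() over a users file before reloading the server: an entry that sets Reply-Message but never rejects, as in the debug output above, is exactly what it reports.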

