Authorize mac addresses with dbm only
Christoph Litauer
litauer at uni-koblenz.de
Tue Mar 6 16:07:19 CET 2012
Dear freeradius users,
maybe you can help me with a - probably simple - problem in authorizing wlan users. I am using freeradius 1.1.7 (on SLES 10sp4).
My working configuration is able to authorize users with the modules dbm and ldap. Dbm is used for MAC authentication, ldap for 802.1X authentication. For some reason I need to reduce the number of requests our ldap server(s) get. The actual configuration checks a MAC address against dbm first and then against ldap. I want MAC addresses checked exclusively against dbm.
I can detect mac-authentication requests using the following hint:
    DEFAULT Colubris-AVPair == "ssid=tsunami"
            Hint = "DBM"
Also I inserted a new DEFAULT entry in users:
    DEFAULT Hint == DBM
            Fall-Through = 0
Sending the following Radius-Request:
    User-Name = 001e52c90573
    User-Password = 001e52c90573
    Colubris-AVPair = "ssid=tsunami"
results in the attached debug output. As you can see, rlm_dbm is used first (with success) but after that, rlm_ldap is used, too. Is it possible to configure radius so that mac-address authorizations are checked against dbm only (whether successful or not)?
--
Kind regards
Christoph
rad_recv: Access-Request packet from host 141.26.71.252:42454, id=114, length=72
User-Name = "001e52c90573"
User-Password = "001e52c90573"
Colubris-AVPair = "ssid=tsunami"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
hints: Matched DEFAULT at 36
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "001e52c90573", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "001e52c90573"
rlm_realm: Proxying request from user 001e52c90573 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 3
users: Matched entry DEFAULT at line 149
users: Matched entry DEFAULT at line 160
modcall[authorize]: module "files" returns ok for request 3
rlm_dbm: try open database file: /etc/raddb/wlan
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add 001e52c90573 to user list
sm_parse_user: start parsing: user: 001e52c90573
parse buffer: <<Auth-Type := Local, User-Password == "001e52c90573">>
rlm_dbm: recod parsed
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Service-Type = Login-User>>
rlm_dbm: recod parsed
rlm_dbm: Reply found
Remove 001e52c90573 from user list
modcall[authorize]: module "dbm" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001e52c90573
radius_xlat: '(uid=001e52c90573)'
radius_xlat: 'dc=uni-koblenz,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uni-koblenz,dc=de, with filter (uid=001e52c90573)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [001e52c90573] (from client test port 0)
_________________________________________
Christoph Litauer
Uni Koblenz, Computing Centre, Office A 022
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311
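
A check for the behaviour described in the post above, as an added example that is not part of the original message or of FreeRADIUS: it reads debug output in the format shown and reports which MAC-auth requests still reached the ldap module in the authorize section. It assumes a MAC-auth request is one whose User-Name is 12 hex digits, as in the post; the function names and the second sample request ("alice") are constructed for illustration.

```python
import re

# Sample input: request 3 is abridged from the debug output in the post;
# request 4 is constructed to show a non-MAC (802.1X-style) user.
SAMPLE = '''rad_recv: Access-Request packet from host 141.26.71.252:42454, id=114, length=72
User-Name = "001e52c90573"
modcall: entering group authorize for request 3
modcall[authorize]: module "files" returns ok for request 3
modcall[authorize]: module "dbm" returns ok for request 3
modcall[authorize]: module "ldap" returns notfound for request 3
rad_recv: Access-Request packet from host 141.26.71.252:42454, id=115, length=60
User-Name = "alice"
modcall: entering group authorize for request 4
modcall[authorize]: module "dbm" returns notfound for request 4
modcall[authorize]: module "ldap" returns ok for request 4
'''

MAC_RE = re.compile(r'^[0-9a-f]{12}$', re.I)  # assumption: MAC sent as 12 hex digits
USER_RE = re.compile(r'^\s*User-Name = "([^"]*)"')
ENTER_RE = re.compile(r'^modcall: entering group authorize for request (\d+)')
MOD_RE = re.compile(r'^modcall\[authorize\]: module "([^"]+)" returns (\w+) for request (\d+)')

def authorize_chains(log):
    """Map request number -> {"user": name, "modules": [(module, rcode), ...]}."""
    requests, user = {}, None
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            user = None  # a new packet starts; its User-Name follows
        elif user is None and (m := USER_RE.match(line)):
            user = m.group(1)
        elif m := ENTER_RE.match(line):
            # The request number only appears here, after the attributes.
            requests[int(m.group(1))] = {"user": user, "modules": []}
        elif m := MOD_RE.match(line):
            req = requests.setdefault(int(m.group(3)), {"user": user, "modules": []})
            req["modules"].append((m.group(1), m.group(2)))
    return requests

def mac_requests_reaching_ldap(log):
    """Return request numbers with a MAC-like User-Name that called ldap."""
    hits = []
    for number, req in sorted(authorize_chains(log).items()):
        called = [name for name, _ in req["modules"]]
        if req["user"] and MAC_RE.match(req["user"]) and "ldap" in called:
            hits.append(number)
    return hits

if __name__ == "__main__":
    print(mac_requests_reaching_ldap(SAMPLE))
```

Run against a capture taken after a configuration change, an empty result means no MAC-auth request was passed on to ldap.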