how to set User-Profile by Called-Station-SSID via LDAP? (was split Called-Station-Id)

Zeus Panchenko zeus at ibs.dn.ua
Fri Feb 7 01:15:15 CET 2014



>>>>> Brian Julin <BJulin at clarku.edu> writes:
> ...I do not see why radiusCheckItem would report that it is using the
> operator ":=" instead of "==".  This might be usual behavior but that

it was my mistake, it was the wrong piece of the debug info, sorry

now I can successfully split the original Called-Station-Id into
Called-Station-Id and Called-Station-SSID, but now I wonder how to use
them to assign User-Profile according to Called-Station-SSID ... and
whether it is possible at all ...

so, I changed:

1. [ quotation start raddb/policy.conf ]-------------------------
rewrite.called_station_id {
...
         # SSID component?
         if ("%{8}") {
                 update request {
                        Called-Station-Id := "%{Called-Station-Id}"
                        Called-Station-SSID := "%{8}"
                 }
         }
         updated
...
}
---[ quotation end   ]-------------------------------------------


2. [ quotation start raddb/dictionary ]--------------------------
...
 #ATTRIBUTE     My-Local-String         3000    string
 #ATTRIBUTE     My-Local-IPAddr         3001    ipaddr
 #ATTRIBUTE     My-Local-Integer        3002    integer

# The SSID the supplicant/user device connected to
ATTRIBUTE      Called-Station-SSID        3010                string
---[ quotation end   ]-------------------------------------------


3. [ quotation start raddb/sites-available/default ]-------------
authorize {
...
 rewrite.called_station_id

 if ("%{Called-Station-SSID}" == "REJECTME") {
    reject
 }
...
}

preacct {
...
 rewrite.called_station_id
}
---[ quotation end   ]-------------------------------------------


and in the debug I have this:

---[ quotation start ]-------------------------------------------
Thu Feb  6 15:39:32 2014 : Info: ++policy rewrite.called_station_id {
Thu Feb  6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
Thu Feb  6 15:39:32 2014 : Info: ?? Evaluating (Called-Station-Id) -> TRUE
Thu Feb  6 15:39:32 2014 : Info:        expand: policy.mac-addr -> policy.mac-addr
Thu Feb  6 15:39:32 2014 : Info:        expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
Thu Feb  6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Feb  6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Feb  6 15:39:32 2014 : Info: +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
Thu Feb  6 15:39:32 2014 : Info: ++++update request {
Thu Feb  6 15:39:32 2014 : Info:        expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 92-F6-52-5B-AC-CF
Thu Feb  6 15:39:32 2014 : Info:        expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 92-f6-52-5b-ac-cf
Thu Feb  6 15:39:32 2014 : Info: ++++} # update request = noop
Thu Feb  6 15:39:32 2014 : Info: ++++? if ("%{8}")
Thu Feb  6 15:39:32 2014 : Info:        expand: %{8} -> USER_SSID
Thu Feb  6 15:39:32 2014 : Info: ? Evaluating ("%{8}") -> TRUE
Thu Feb  6 15:39:32 2014 : Info: ++++? if ("%{8}") -> TRUE
Thu Feb  6 15:39:32 2014 : Info: ++++if ("%{8}") {
Thu Feb  6 15:39:32 2014 : Info: +++++update request {
Thu Feb  6 15:39:32 2014 : Info:        expand: %{Called-Station-Id} -> 92-f6-52-5b-ac-cf
Thu Feb  6 15:39:32 2014 : Info:        expand: %{8} -> USER_SSID
Thu Feb  6 15:39:32 2014 : Info: +++++} # update request = noop
Thu Feb  6 15:39:32 2014 : Info: ++++} # if ("%{8}") = noop
Thu Feb  6 15:39:32 2014 : Info: ++++[updated] = updated
Thu Feb  6 15:39:32 2014 : Info: +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
Thu Feb  6 15:39:32 2014 : Info: +++ ... skipping else for request 0: Preceding "if" was taken
Thu Feb  6 15:39:32 2014 : Info: ++} # policy rewrite.called_station_id = updated
Thu Feb  6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME")
Thu Feb  6 15:39:32 2014 : Info:        expand: %{Called-Station-SSID} -> USER_SSID
Thu Feb  6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-SSID}" == "REJECTME") -> FALSE
Thu Feb  6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME") -> FALSE
---[ quotation end   ]-------------------------------------------


so, how can I use the Called-Station-SSID value to assign a User-Profile
to a user coming with a particular Called-Station-SSID?

can I do that via the LDAP attribute radiusCheckItem at all?

group object:

---[ quotation start ]-------------------------------------------
dn: cn=students,ou=profiles,ou=radius,dc=es
cn: students
objectclass: radiusprofile
objectclass: person
radiuscheckitem: Called-Station-SSID == "USER_SSID"
radiusreplymessage: "Good day student"
radiussessiontimeout: 900
radiustunnelmediumtype: 6
radiustunnelprivategroupid: 22
radiustunneltype: 13
sn: students
---[ quotation end   ]-------------------------------------------

what I hoped for here is: when the incoming user's Called-Station-SSID
is "USER_SSID", then the profile "students" is applied; if
Called-Station-SSID differs, then this profile is not applied

but while processing the user data, radiusd assigns this profile and
shows no activity at all upon this AVP ...

---[ quotation start ]-------------------------------------------
...
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] performing search in ou=users,ou=radius,dc=es, with filter (&(radiusGroupName=students)(cn=student1))
Thu Feb  6 15:39:32 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group students
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Feb  6 15:39:32 2014 : Info: [files] users: Matched entry DEFAULT at line 11
Thu Feb  6 15:39:32 2014 : Info: [files]        expand: %{User-Name}, you are comming as student. -> student1, you are comming as student.
Thu Feb  6 15:39:32 2014 : Info: ++[files] = ok
...
Sending Access-Challenge of id 76 to 10.241.16.254 port 49990
        Tunnel-Private-Group-Id:0 = "22"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Reply-Message = "Good day student"
        Session-Timeout = 900
        EAP-Message = 0x016200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x238f100423ed1d9a6b43b9eba1333de2
        User-Name = "student1"
        NAS-Identifier = "es-student.wrt"
        Called-Station-Id = "92-F6-52-5B-AC-CF:USER_SSID"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "DC-85-DE-25-92-98"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Framed-MTU = 1400
...
Thu Feb  6 15:39:32 2014 : Info: [ldap] performing user authorization for student1
Thu Feb  6 15:39:32 2014 : Info: [ldap]         expand: %{Stripped-User-Name} -> 
Thu Feb  6 15:39:32 2014 : Info: [ldap]         ... expanding second conditional
Thu Feb  6 15:39:32 2014 : Info: [ldap]         expand: %{User-Name} -> student1
Thu Feb  6 15:39:32 2014 : Info: [ldap]         expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=student1)
Thu Feb  6 15:39:32 2014 : Info: [ldap]         expand: ou=users,ou=radius,dc=es -> ou=users,ou=radius,dc=es
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] performing search in ou=users,ou=radius,dc=es, with filter (cn=student1)
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] performing search in cn=students,ou=profiles,ou=radius,dc=es, with filter (objectclass=radiusprofile)
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] extracted attribute Called-Station-SSID from generic item Called-Station-SSID == "USER_SSID"
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "22"
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] radiusReplyMessage -> Reply-Message = "Good day student"
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] radiusSessionTimeout -> Session-Timeout = 900
Thu Feb  6 15:39:32 2014 : Info: [ldap] looking for check items in directory...
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] userPassword -> Cleartext-Password == "student1"
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] userPassword -> Password-With-Header == "student1"
Thu Feb  6 15:39:32 2014 : Info: [ldap] looking for reply items in directory...
Thu Feb  6 15:39:32 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Thu Feb  6 15:39:32 2014 : Info: ++[ldap] = ok
---[ quotation end   ]-------------------------------------------

why does "[ldap] looking for check items in directory..." not contain
anything concerning Called-Station-SSID?

what do I need to say to make radiusd know about this condition?

-- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
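The split that the rewrite.called_station_id policy performs, and the SSID-based decisions the post wants to make on its result, as an added stand-alone example (this is not code from the post or from FreeRADIUS; it only mirrors the unlang logic in Python so the behaviour can be checked offline). The regex is the one the debug output shows being expanded from %{config:policy.mac-addr}; the SSID_PROFILES table, the select_profile() return values and all sample Called-Station-Id values are constructed assumptions for the example:

```python
import re

# The MAC-address regex that FreeRADIUS expands from %{config:policy.mac-addr}
# in rewrite.called_station_id; copied from the "expand:" line of the debug
# output in the post.  Groups 1-6 are the octets; the optional ":SSID" suffix
# is group 7 and the SSID itself is group 8 (the %{8} the policy tests).
MAC_ADDR = (
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
)
CALLED_STATION_RE = re.compile(r"^" + MAC_ADDR + r"(:(.+))?$", re.IGNORECASE)

# Constructed SSID -> profile-DN table (an assumption for this example; the
# post only shows the "students" profile DN).
SSID_PROFILES = {
    "USER_SSID": "cn=students,ou=profiles,ou=radius,dc=es",
}


def rewrite_called_station_id(request):
    """Mirror the unlang policy: normalise the MAC part of Called-Station-Id
    to lower-case, dash-separated form and copy any SSID suffix into
    Called-Station-SSID.  Returns a new attribute dict; a missing attribute or
    a value that does not look like a MAC address is left untouched."""
    req = dict(request)
    csid = req.get("Called-Station-Id")
    if csid is None:
        return req
    m = CALLED_STATION_RE.match(csid)
    if m is None:
        return req
    req["Called-Station-Id"] = "-".join(m.group(i) for i in range(1, 7)).lower()
    if m.group(8):
        req["Called-Station-SSID"] = m.group(8)
    return req


def select_profile(request):
    """Apply the SSID-based decisions after the rewrite (constructed logic).
    Returns ("reject", None) for the REJECTME SSID (the check in the
    authorize section), ("ok", dn) for a known SSID, and ("noop", None)
    otherwise, so an unknown or missing SSID never silently gets a profile."""
    req = rewrite_called_station_id(request)
    ssid = req.get("Called-Station-SSID")
    if ssid == "REJECTME":
        return "reject", None
    dn = SSID_PROFILES.get(ssid)  # exact, case-sensitive match on the SSID
    if dn is None:
        return "noop", None
    return "ok", dn


if __name__ == "__main__":
    # Constructed sample values in the formats the regex accepts.
    for csid in ("92-F6-52-5B-AC-CF:USER_SSID", "92:F6:52:5B:AC:CF",
                 "92F6525BACCF:Guest:WiFi", "92-F6-52-5B-AC-CF:REJECTME"):
        print(csid, "->", select_profile({"Called-Station-Id": csid}))
```

Two points worth keeping in mind when reading the result: the SSID is whatever follows the first ":" after the MAC, so an SSID that itself contains ":" is kept whole (the trailing group is `.+`), and the whole of Called-Station-Id, SSID included, is supplied by the NAS, so a profile chosen from it is only as trustworthy as the NAS that sent it; the match is exact and case-sensitive, which is why "user_ssid" does not select the "USER_SSID" profile here.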

