how to set User-Profile by Called-Station-SSID via LDAP? (was split Called-Station-Id)
Zeus Panchenko
zeus at ibs.dn.ua
Fri Feb 7 01:15:15 CET 2014
>>>>> Brian Julin <BJulin at clarku.edu> writes:
> ...I do not see why radiusCheckItem would report that it is using the
> operator ":=" instead of "==". This might be usual behavior but that
That was my mistake, it was the wrong piece of the debug info, sorry.
Now I can successfully split the original Called-Station-Id into
Called-Station-Id and Called-Station-SSID, but now I wonder how to use
them to assign User-Profile according to Called-Station-SSID ... and is
it possible at all ...
so, I changed:
1. [ quotation start raddb/policy.conf ]-------------------------
rewrite.called_station_id {
...
# SSID component?
if ("%{8}") {
update request {
Called-Station-Id := "%{Called-Station-Id}"
Called-Station-SSID := "%{8}"
}
}
updated
...
}
---[ quotation end ]-------------------------------------------
2. [ quotation start raddb/dictionary ]--------------------------
...
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer
# The SSID the supplicant/user device connected to
ATTRIBUTE Called-Station-SSID 3010 string
---[ quotation end ]-------------------------------------------
3. [ quotation start raddb/sites-available/default ]-------------
authorize {
...
rewrite.called_station_id
if ("%{Called-Station-SSID}" == "REJECTME") {
reject
}
...
}
preacct {
...
rewrite.called_station_id
}
---[ quotation end ]-------------------------------------------
and in the debug I have this:
---[ quotation start ]-------------------------------------------
Thu Feb 6 15:39:32 2014 : Info: ++policy rewrite.called_station_id {
Thu Feb 6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
Thu Feb 6 15:39:32 2014 : Info: ?? Evaluating (Called-Station-Id) -> TRUE
Thu Feb 6 15:39:32 2014 : Info: expand: policy.mac-addr -> policy.mac-addr
Thu Feb 6 15:39:32 2014 : Info: expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Feb 6 15:39:32 2014 : Info: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Thu Feb 6 15:39:32 2014 : Info: +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
Thu Feb 6 15:39:32 2014 : Info: ++++update request {
Thu Feb 6 15:39:32 2014 : Info: expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 92-F6-52-5B-AC-CF
Thu Feb 6 15:39:32 2014 : Info: expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 92-f6-52-5b-ac-cf
Thu Feb 6 15:39:32 2014 : Info: ++++} # update request = noop
Thu Feb 6 15:39:32 2014 : Info: ++++? if ("%{8}")
Thu Feb 6 15:39:32 2014 : Info: expand: %{8} -> USER_SSID
Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{8}") -> TRUE
Thu Feb 6 15:39:32 2014 : Info: ++++? if ("%{8}") -> TRUE
Thu Feb 6 15:39:32 2014 : Info: ++++if ("%{8}") {
Thu Feb 6 15:39:32 2014 : Info: +++++update request {
Thu Feb 6 15:39:32 2014 : Info: expand: %{Called-Station-Id} -> 92-f6-52-5b-ac-cf
Thu Feb 6 15:39:32 2014 : Info: expand: %{8} -> USER_SSID
Thu Feb 6 15:39:32 2014 : Info: +++++} # update request = noop
Thu Feb 6 15:39:32 2014 : Info: ++++} # if ("%{8}") = noop
Thu Feb 6 15:39:32 2014 : Info: ++++[updated] = updated
Thu Feb 6 15:39:32 2014 : Info: +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
Thu Feb 6 15:39:32 2014 : Info: +++ ... skipping else for request 0: Preceding "if" was taken
Thu Feb 6 15:39:32 2014 : Info: ++} # policy rewrite.called_station_id = updated
Thu Feb 6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME")
Thu Feb 6 15:39:32 2014 : Info: expand: %{Called-Station-SSID} -> USER_SSID
Thu Feb 6 15:39:32 2014 : Info: ? Evaluating ("%{Called-Station-SSID}" == "REJECTME") -> FALSE
Thu Feb 6 15:39:32 2014 : Info: ++? if ("%{Called-Station-SSID}" == "REJECTME") -> FALSE
---[ quotation end ]-------------------------------------------
So, how can I use the Called-Station-SSID value to assign User-Profile to
a user coming with a definite Called-Station-SSID?
Can I do that via the ldap attribute radiusCheckItem at all?
group object:
---[ quotation start ]-------------------------------------------
dn: cn=students,ou=profiles,ou=radius,dc=es
cn: students
objectclass: radiusprofile
objectclass: person
radiuscheckitem: Called-Station-SSID == "USER_SSID"
radiusreplymessage: "Good day student"
radiussessiontimeout: 900
radiustunnelmediumtype: 6
radiustunnelprivategroupid: 22
radiustunneltype: 13
sn: students
---[ quotation end ]-------------------------------------------
What I hoped for here is: when the coming user's Called-Station-SSID is
"USER_SSID" then the profile "students" is applied; if
Called-Station-SSID differs, then this profile is not applied.
But while processing user data, radiusd assigns this profile and shows no
activity upon this AVP ...
---[ quotation start ]-------------------------------------------
...
Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in ou=users,ou=radius,dc=es, with filter (&(radiusGroupName=students)(cn=student1))
Thu Feb 6 15:39:32 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group students
Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Feb 6 15:39:32 2014 : Info: [files] users: Matched entry DEFAULT at line 11
Thu Feb 6 15:39:32 2014 : Info: [files] expand: %{User-Name}, you are comming as student. -> student1, you are comming as student.
Thu Feb 6 15:39:32 2014 : Info: ++[files] = ok
...
Sending Access-Challenge of id 76 to 10.241.16.254 port 49990
Tunnel-Private-Group-Id:0 = "22"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = "Good day student"
Session-Timeout = 900
EAP-Message = 0x016200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x238f100423ed1d9a6b43b9eba1333de2
User-Name = "student1"
NAS-Identifier = "es-student.wrt"
Called-Station-Id = "92-F6-52-5B-AC-CF:USER_SSID"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = "DC-85-DE-25-92-98"
Connect-Info = "CONNECT 54Mbps 802.11g"
Framed-MTU = 1400
...
Thu Feb 6 15:39:32 2014 : Info: [ldap] performing user authorization for student1
Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
Thu Feb 6 15:39:32 2014 : Info: [ldap] ... expanding second conditional
Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: %{User-Name} -> student1
Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=student1)
Thu Feb 6 15:39:32 2014 : Info: [ldap] expand: ou=users,ou=radius,dc=es -> ou=users,ou=radius,dc=es
Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in ou=users,ou=radius,dc=es, with filter (cn=student1)
Thu Feb 6 15:39:32 2014 : Debug: [ldap] performing search in cn=students,ou=profiles,ou=radius,dc=es, with filter (objectclass=radiusprofile)
Thu Feb 6 15:39:32 2014 : Debug: [ldap] extracted attribute Called-Station-SSID from generic item Called-Station-SSID == "USER_SSID"
Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "22"
Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusReplyMessage -> Reply-Message = "Good day student"
Thu Feb 6 15:39:32 2014 : Debug: [ldap] radiusSessionTimeout -> Session-Timeout = 900
Thu Feb 6 15:39:32 2014 : Info: [ldap] looking for check items in directory...
Thu Feb 6 15:39:32 2014 : Debug: [ldap] userPassword -> Cleartext-Password == "student1"
Thu Feb 6 15:39:32 2014 : Debug: [ldap] userPassword -> Password-With-Header == "student1"
Thu Feb 6 15:39:32 2014 : Info: [ldap] looking for reply items in directory...
Thu Feb 6 15:39:32 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Thu Feb 6 15:39:32 2014 : Info: ++[ldap] = ok
---[ quotation end ]-------------------------------------------
Why does "[ldap] looking for check items in directory..." not contain
anything concerning Called-Station-SSID?
What do I need to say to radiusd for it to know about this condition?
--
Zeus V. Panchenko jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
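As an added illustration (not part of the original post and not FreeRADIUS's own code), the following Python models the two steps the post is about: the rewrite.called_station_id split, using the regex that the "expand:" debug line shows, and the evaluation of a radiusCheckItem such as `Called-Station-SSID == "USER_SSID"` against the rewritten request, so that a profile's reply items are only used when its check items hold. The request and profile values are constructed from the post; the check-item grammar handled here (only the `==` operator) is an assumption.

```python
import re

# Regex reconstructed from the "expand:" debug line: six hex pairs with an
# optional non-hex separator each (policy.mac-addr), then an optional ":SSID".
MAC_ADDR = r"([0-9a-f]{2})[^0-9a-f]?" * 5 + r"([0-9a-f]{2})"
CALLED_STATION_RE = re.compile(r"^" + MAC_ADDR + r"(:(.+))?$", re.IGNORECASE)

# Assumed check-item grammar: Attribute == "value" (quotes optional).
CHECK_ITEM_RE = re.compile(r'^\s*([\w-]+)\s*==\s*"?([^"]*)"?\s*$')


def rewrite_called_station_id(request):
    """Model of the unlang policy: normalise the MAC part of Called-Station-Id
    and copy an SSID suffix into Called-Station-SSID. Returns the policy's
    return code, "updated" or "noop"."""
    value = request.get("Called-Station-Id")
    m = CALLED_STATION_RE.match(value) if value is not None else None
    if not m:
        return "noop"
    # %{1}..%{6} are the hex pairs; %{8} is the SSID captured after the colon.
    request["Called-Station-Id"] = "-".join(m.group(i) for i in range(1, 7)).lower()
    if m.group(8):
        request["Called-Station-SSID"] = m.group(8)
    return "updated"


def check_item_matches(check_item, request):
    """True only when the request carries the attribute with the expected value;
    an absent attribute never satisfies an == check."""
    m = CHECK_ITEM_RE.match(check_item)
    if not m:
        raise ValueError("unsupported check item: %r" % check_item)
    attr, expected = m.groups()
    return request.get(attr) == expected


def profile_applies(profile, request):
    """Every radiusCheckItem of the profile must hold for its reply items to apply."""
    return all(check_item_matches(ci, request) for ci in profile.get("radiuscheckitem", []))


# Constructed sample data taken from the post: the "students" profile object.
STUDENTS_PROFILE = {
    "cn": "students",
    "radiuscheckitem": ['Called-Station-SSID == "USER_SSID"'],
    "radiustunnelprivategroupid": "22",
}

if __name__ == "__main__":
    req = {"User-Name": "student1", "Called-Station-Id": "92-F6-52-5B-AC-CF:USER_SSID"}
    print(rewrite_called_station_id(req), req)
    print("students applies:", profile_applies(STUDENTS_PROFILE, req))
```

The rewrite must have run on the request before the check item is evaluated, otherwise Called-Station-SSID is absent and the profile never matches.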