Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

Alan DeKok aland at deployingradius.com
Fri Dec 11 01:34:51 CET 2015


On Dec 10, 2015, at 1:50 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> My Freeradius 3.0.10 setup currently accepts eap-mschapv2 requests by
> checking credentials against LM/NT password checksums obtained from a
> LDAP.

  Ok... just to be clear, they're hashes, and not checksums.  And the LM hashes have been deprecated (and broken) for a decade.  The LDAP server probably stores just NT hashes.

> The only freeradius client is an IPSec server which forwards EAP
> protocol to the radius (strongswan 5.2.1 with eap-radius method)

  OK.

> The LDAP module is configured to let the user connect when the
> dialupAccess is set to true.
> But it let any users connect to any network my VPN server is offering access to.

  And... what does the debug output say?

  It will tell you *why* the user was allowed in.

> What is the best method to filter users depending on which NAS-Port-Id
> they are using ?

  You can check for the value of the NAS-Port-Id attribute.

  What do you want to do?  Do you have an example?

> It will allow me to authorize several users to access any networks
> they need to access without putting any network configuration in the
> LDAP.

  Typically you control access by NAS IP address, not NAS Port-Id.

  As always, run the server in debug mode to see what the server is receiving.  Then, write rules to match those attributes, and go from there.

  Alan DeKok.
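One way to write the per-port rules Alan describes, as an added example that is neither his nor the FreeRADIUS project's own configuration. It assumes the IPsec server sends the connection name in NAS-Port-Id (the names "vpn-office" and "vpn-lab", the group DNs and the base DN are constructed), that the `ldap` module already performs the dialupAccess check, and that its `group` section is configured so `LDAP-Group` comparisons resolve against the directory.

```unlang
# sites-enabled/default, "authorize" section (FreeRADIUS 3.0.x unlang).
# Verify the attribute names and values the server actually receives with
# "radiusd -X" before relying on them.
authorize {
	# ... preprocess, eap, etc. as shipped ...

	ldap    # reads the user entry and enforces dialupAccess

	# Map each IPsec connection (NAS-Port-Id) to the LDAP group whose
	# members may reach that network.  Membership is resolved by the
	# ldap module's "group" configuration.  Unknown port ids are
	# refused, so a new connection on the VPN gateway grants nothing
	# until a rule for it is added here.
	switch &NAS-Port-Id {
		case "vpn-office" {
			if (!(LDAP-Group == "cn=vpn-office,ou=groups,dc=example,dc=com")) {
				update reply {
					&Reply-Message := "Not authorized for the office network"
				}
				reject
			}
		}

		case "vpn-lab" {
			if (!(LDAP-Group == "cn=vpn-lab,ou=groups,dc=example,dc=com")) {
				update reply {
					&Reply-Message := "Not authorized for the lab network"
				}
				reject
			}
		}

		case {
			# Default deny: no rule for this NAS-Port-Id
			reject
		}
	}

	# ... pap, mschap, etc. as shipped ...
}
```

Because there is a single NAS here, NAS-IP-Address cannot distinguish the networks, which is why the rule keys on NAS-Port-Id; with several gateways you would add an outer check on &NAS-IP-Address in the same way.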
