Access-Accept / Access-Reject based on LDAP Group & SSID

Ben Humpert ben at an3k.de
Fri Mar 20 22:05:37 CET 2015


2015-03-20 16:05 GMT+01:00 Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>
> It's not really clear what you're trying to do...

# Guest, Groups, example.com
dn: cn=Guest,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: radiusprofile
cn: Guest
gidNumber: 17068
memberUid: guest
radiusCalledStationId: 00-11-22-33-44-55
radiusCalledStationSsid: guest
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 1
radiusTunnelType: VLAN

# Developers, Groups, example.com
dn: cn=Developers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: radiusprofile
cn: Developers
gidNumber: 1421
memberUid: marc
memberUid: tim
memberUid: johnny
radiusCalledStationId: 00-11-22-33-44-55
radiusCalledStationId: 22-33-44-55-66-77
radiusCalledStationSsid: developers
radiusCalledStationSsid: employees
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 43
radiusTunnelType: VLAN

# tim, Users, example.com
dn: uid=tim,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusprofile
gidNumber: 0
givenName: Tim
sn: Buktu
displayName: Buktu, Tim
uid: tim
homeDirectory: /dev/null
loginShell: /bin/false
cn: TimBuktu
uidNumber: 18459
radiusCalledStationId: 44-55-66-77-88-99
radiusCalledStationSsid: management
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 24
radiusTunnelType: VLAN
dialupAccess: Yes

# johnny, Users, example.com
dn: uid=johnny,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusprofile
gidNumber: 0
givenName: John
sn: Doe
displayName: Doe, John
uid: johnny
homeDirectory: /dev/null
loginShell: /bin/false
cn: JohnDoe
uidNumber: 4552
dialupAccess: Yes

When a user connects to a wifi access point, the NAS sends
Called-Station-Id = 00-11-22-33-44-55:SSID in the Access-Request
packet. RADIUS converts it (based on rewrite.called_station_id) to
Called-Station-Id = 00-11-22-33-44-55 and to Called-Station-Ssid =
SSID. After doing the basics (checking if the user exists, if the password
matches, if the attribute dialupAccess is set),
RADIUS should check if the user's group has a radiusCalledStationId
attribute matching the Called-Station-Id. If not, it should check if
the user itself has a matching attribute. If not, Access-Reject. In
case a match is found and Called-Station-Ssid is set, RADIUS should now
check if the user's group has a matching radiusCalledStationSsid
attribute. If not, it should check if the user itself has a matching
attribute. If not, Access-Reject. In case a match is found, RADIUS
should finally check the user's group for other attributes (e.g.
radiusTunnelType, etc.) and apply them as long as the user itself
doesn't have these attributes set too. In that case the user's
attributes take precedence.

So user tim will always get into VLAN 24 (user attributes take precedence)
and can get authorized through NASes with the MAC address
00-11-22-33-44-55, 22-33-44-55-66-77 or 44-55-66-77-88-99 (user and
group attributes merged) and is allowed to connect to SSID developers,
employees or management (user and group attributes merged).

User johnny always gets into VLAN 43 and can get authorized through
NASes with the MAC address 00-11-22-33-44-55 or 22-33-44-55-66-77 and
is allowed to connect to SSID developers or employees.


Normally I don't have a problem understanding the documentation and
how software works, but in this case I don't know where to put what
kind of code. Should I do everything with unlang in the authorize
section of sites-enabled/default (+ policy.conf), or post-auth, or
modify modules/ldap, or the users file ...
I guess it's because with freeradius everything is already configured
and enabled and I'm flooded with information I don't need (yet). It's
very nice and appreciated since you guys already did the configuring
job (eap, peap, mschap, etc.), but in my case it's just confusing me.
I'm used to starting with minimal configurations and slowly adding the stuff
I need step by step.


If anybody is willing to help me but upgrading to 2.2.6 or even 3.0.7
is necessary, I for sure will upgrade first and will greatly appreciate
any help offered. I'm definitely not asking for the whole
configuration, but an example of how to get RADIUS to e.g. check for
radiusCalledStationId first in Group and then in Users and merge both
would greatly help.


Best regards,

Ben
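The decision procedure Ben describes (group attributes checked before the user's own, reject on a missing Called-Station-Id or SSID match, reply attributes merged with the user entry taking precedence) is small enough to model outside FreeRADIUS before committing it to unlang. The following is an added example, not code from the post or from FreeRADIUS: a plain-Python simulation over a constructed, abridged copy of the posted LDIF (non-RADIUS attributes and the Guest group omitted). The password check is left out because the post treats it as already done, and the split of `MAC:SSID` is a stand-in for what `rewrite.called_station_id` does on the server.

```python
"""Simulation of the group-then-user authorization described in the post.
Added example, not FreeRADIUS code. LDIF below is a constructed, abridged
copy of the entries in the post; the password check is omitted."""

# Constructed sample directory (abridged from the post).
LDIF = """\
dn: cn=Developers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: radiusprofile
cn: Developers
memberUid: tim
memberUid: johnny
radiusCalledStationId: 00-11-22-33-44-55
radiusCalledStationId: 22-33-44-55-66-77
radiusCalledStationSsid: developers
radiusCalledStationSsid: employees
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 43
radiusTunnelType: VLAN

dn: uid=tim,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: radiusprofile
uid: tim
radiusCalledStationId: 44-55-66-77-88-99
radiusCalledStationSsid: management
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 24
radiusTunnelType: VLAN
dialupAccess: Yes

dn: uid=johnny,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: radiusprofile
uid: johnny
dialupAccess: Yes
"""

# Reply attributes taken from the group, then overridden by the user entry.
REPLY_ATTRS = ("radiusTunnelType", "radiusTunnelMediumType",
               "radiusTunnelPrivateGroupId")


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_called_station_id(value):
    """'MAC:SSID' from the NAS -> (MAC, SSID or None); stands in for the rewrite."""
    mac, _, ssid = value.partition(":")
    return mac, (ssid or None)


def _any_has(entries, attr, wanted):
    """True if any entry, checked in list order, carries attr with value wanted."""
    return any(wanted in e.get(attr, []) for e in entries)


def authorize(entries, username, called_station_id):
    """Return ('Access-Accept', reply_attrs) or ('Access-Reject', {})."""
    users = {e["uid"][0]: e for e in entries if "posixAccount" in e["objectClass"]}
    user = users.get(username)
    if user is None or user.get("dialupAccess", [""])[0].lower() != "yes":
        return "Access-Reject", {}       # the "basics" from the post
    groups = [e for e in entries if "posixGroup" in e["objectClass"]
              and username in e.get("memberUid", [])]
    chain = groups + [user]              # groups first, then the user entry
    mac, ssid = split_called_station_id(called_station_id)
    if not _any_has(chain, "radiusCalledStationId", mac):
        return "Access-Reject", {}
    if ssid is not None and not _any_has(chain, "radiusCalledStationSsid", ssid):
        return "Access-Reject", {}
    reply = {}
    for entry in chain:                  # user is last, so its values win
        for attr in REPLY_ATTRS:
            if attr in entry:
                reply[attr] = entry[attr][0]
    return "Access-Accept", reply


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for user, csid in [("tim", "44-55-66-77-88-99:management"),
                       ("tim", "00-11-22-33-44-55:guest"),
                       ("johnny", "22-33-44-55-66-77:employees")]:
        print(user, csid, *authorize(ENTRIES, user, csid))
```

Running it shows the two-stage check in action: tim on the Developers NAS with SSID guest is rejected even though the MAC matched, because neither his group nor his own entry lists that SSID, while on any accepted path he lands in VLAN 24 because his own radiusTunnelPrivateGroupId overrides the group's 43.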


More information about the Freeradius-Users mailing list