Evaluate Ldap-Group and SSID for WiFi authorization

Adam Cage adamcage27 at gmail.com
Fri Aug 25 18:13:05 CEST 2017


Dear all, I've tried to understand how the outer condition is used. I think it has to
be used only in the inner-tunnel file, in order to evaluate the outer
session. In my case I now have:

*default file:*

if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") {
        update reply {
                Reply-Message = "Hello %{User-Name}: access accept"
        }
        ok
}
else {
        reject
}

*inner-tunnel file:*

if (LDAP-Group == "GROUP1" && outer:NAS-Identifier == "WLC01") {
        update reply {
                Reply-Message = "Hello %{User-Name}: access accept"
        }
        ok
}
else {
        reject
}

But I fail again, obtaining this error, even though the attribute is
present:

*? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*

Could you please explain this to me in more detail? Maybe I don't understand
the use of the default and inner-tunnel files, or the freeradius service in this
case. Here is the debug output for "freeradius -X". Special thanks.

Ready to process requests.

rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228,
length=393
        User-Name = "adam"
        Calling-Station-Id = "54:27:1e:0c:0b:fc"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
        NAS-IP-Address = 10.10.1.100
        NAS-Identifier = "WLC01"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message =
0x02050090198000000086160301004610000042410432792b036bc1709157e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b
        State = 0x1dbde0c41fb8f982d90bece46c6e4509
        Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 228 to 10.10.1.100 port 32769
        EAP-Message =
0x01060041190014030100010116030100306d19383a9faaa50c050b9d84368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1dbde0c41ebbf982d90bece46c6e4509
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229,
length=255
        User-Name = "adam"
        Calling-Station-Id = "54:27:1e:0c:0b:fc"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
        NAS-IP-Address = 10.10.1.100
        NAS-Identifier = "WLC01"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = 0x020600061900
        State = 0x1dbde0c41ebbf982d90bece46c6e4509
        Message-Authenticator = 0x03765dcebe56926425508b7d393479fc
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 229 to 10.10.1.100 port 32769
        EAP-Message =
0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872edd5639901eb0181643885baa89c9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1dbde0c419baf982d90bece46c6e4509
Finished request 5.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230,
length=292
        User-Name = "adam"
        Calling-Station-Id = "54:27:1e:0c:0b:fc"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
        NAS-IP-Address = 10.10.1.100
        NAS-Identifier = "WLC01"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message =
0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6783f14fc951694bfcf523340d15e
        State = 0x1dbde0c419baf982d90bece46c6e4509
        Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - adam
[peap] Got inner identity 'adam'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0207000f0165616c6d6f6e61636964
server  {
[peap] Setting User-Name to adam
Sending tunneled request
        EAP-Message = 0x0207000f0165616c6d6f6e61636964
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "adam"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for adam
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> adam
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=adam)
[ldap]  expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro
Pagos,DC=g-bapro,DC=net
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter
(sAMAccountName=adam)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
++? if (LDAP-Group == "GROUP1" &&  outer:NAS-Identifier == "WLC01")
  [ldap] Entering ldap_groupcmp()
        expand: OU=My Company,DC=company,DC=net -> OU=My
Company,DC=company,DC=net
        expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) ->
(|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG.
Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy
Company\2cDC\3dcompany\2cDC\3dnet)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in OU=My Company,DC=company,DC=net, with filter
(&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam
Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy
Company\2cDC\3dcompany\2cDC\3dnet))))
rlm_ldap::ldap_groupcmp: User found in group GROUP1
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE
*? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*
*++? if (LDAP-Group == "GROUP1" &&  outer:NAS-Identifier == "WLC01") ->
FALSE*
++else else {
+++[reject] = reject
++} # else else = reject
+} # group authorize = reject
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> adam
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 230 to 10.10.1.100 port 32769
        EAP-Message =
0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d15113f987e1111157885061c0ca49f7e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1dbde0c418b5f982d90bece46c6e4509
Finished request 6.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231,
length=292
        User-Name = "adam"
        Calling-Station-Id = "54:27:1e:0c:0b:fc"
        Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
        NAS-Port = 13
        Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
        NAS-IP-Address = 10.10.1.100
        NAS-Identifier = "WLC01"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message =
0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe3c35fa6307e630725297878cfb69
        State = 0x1dbde0c418b5f982d90bece46c6e4509
        Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> adam
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 231 to 10.10.1.100 port 32769
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000


2017-08-25 11:37 GMT-03:00 Alan DeKok <aland at deployingradius.com>:

> On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> >
> > Dear Alan and Mattheu....I really appreciate your help.
> >
> > Following Alan's unlang clause, I've defined in default and inner-tunnel
> > files:
> >
> > if (LDAP-Group == "GROUP1" &&  outer:Called-Station-Id =~ /:Free$/) {
>
>   <sigh>
>
>   I think you're not really paying attention.  You don't understand how
> the server works, which is fine.  The worse bit is you're not trying to
> understand how the server works.
>
>   You're either not following instructions, or you're doing more than
> suggested without thinking about what's going on.
>
>   Read "man unlang" to see what "outer" refers to.  Then, think of the
> difference between the "default" server, and the "inner-tunnel" server.
> Which one is likely to allow "outer", and which one isn't likely to allow
> "outer"?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
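As an added example, not taken from the original post or from the FreeRADIUS project's own configuration: the inner-tunnel check written with the `outer.request:` list prefix, which is the form `man unlang` documents for reading the outer request's attributes from inside the tunnelled server. Inside `inner-tunnel` the plain `request:` list holds only the tunnelled attributes (in the debug above: `EAP-Message`, `FreeRADIUS-Proxied-To`, `User-Name`), so `NAS-Identifier` and `Called-Station-Id` are not found there. The group name `GROUP1`, the `WLC01` identifier and the `:Free` SSID suffix come from the thread; placing the check in the `authorize` section of `inner-tunnel` and the reply text are assumptions.

```unlang
# inner-tunnel server, authorize section (added example, not the poster's config).
# The controller's attributes live in the OUTER request; from inside the
# tunnel they are reached through the outer.request: list, not request:.
if (LDAP-Group == "GROUP1" && outer.request:NAS-Identifier == "WLC01" && outer.request:Called-Station-Id =~ /:Free$/) {
        # group membership, controller and SSID all matched
        update reply {
                Reply-Message = "Hello %{User-Name}: access accept"
        }
        ok
}
else {
        # any one of the three conditions failed: refuse the tunnelled session
        reject
}
```

Two practitioner notes. First, `NAS-Identifier` and `Called-Station-Id` are whatever the controller puts in the packet; the RADIUS shared secret in `clients.conf` is what authenticates the controller's source address, so a check that must be trustworthy should be tied to the client entry (or `NAS-IP-Address`) rather than to a self-declared string alone. Second, an alternative to `outer.request:` is `copy_request_to_tunnel = yes` in the `peap` block of `eap.conf`, which copies the outer attributes into the inner request so that the plain `NAS-Identifier` form works there; either approach is fine, but the debug line `? Evaluating (...) -> FALSE` is the place to confirm which list the condition actually read.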

