Evaluate Ldap-Group and SSID for WiFi authorization

Tom Yard tomyyard at gmail.com
Fri Aug 25 21:48:51 CEST 2017


Hi, I am not sure but have you tried to use:

outer.request:Called-Station-Id
in place of outer:Called-Station-Id

People: do these clauses work in Freeradius 2.2.x or does Adam have to use
Freeradius 3.X?



2017-08-25 13:13 GMT-03:00 Adam Cage <adamcage27 at gmail.com>:

> Dear, I've tried to understand the outer condition uses. I think it has to
> be used only in the inner-tunnel file, in order to evaluate the outer
> session. In my case I have now:
>
> *default file:*
>
> if (LDAP-Group == "GROUP1" && NAS-Identifier == "WLC01") {
>         update reply {
>                 Reply-Message = "Hello %{User-Name}: access accept"
>         }
>         ok
> }
> else {
>         reject
> }
> }
>
> *inner-tunnel file:*
>
> if (LDAP-Group == "GROUP1" && *outer*:NAS-Identifier == "WLC01") {
>         update reply {
>                 Reply-Message = "Hello %{User-Name}: access accept"
>         }
>         ok
> }
> else {
>         reject
> }
> }
>
> But I fail again, obtaining this error even though this attribute is
> present:
>
> *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*
>
> Please can you explain it to me in more detail? Maybe I don't understand
> the use of the default and inner-tunnel files, or the freeradius service in
> this case. Here is the debug output for "freeradius -X". Special thanks.
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=228,
> length=393
>         User-Name = "adam"
>         Calling-Station-Id = "54:27:1e:0c:0b:fc"
>         Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
>         NAS-Port = 13
>         Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
>         NAS-IP-Address = 10.10.1.100
>         NAS-Identifier = "WLC01"
>         Airespace-Wlan-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "5"
>         EAP-Message =
> 0x02050090198000000086160301004610000042410432792b036bc17091
> 57e9445300659df8e6cf018b852670087cb1872e45d8761d642753670fff
> 9f0f4b2ace10852d4bcab684b4d631b0b3fb4d3471a3e4512f3914030100
> 010116030100300552e45342d366c067ee5176b2c0e9082d5eb83c62dc7d
> 9de87f6b25f0c47b3172a486bfad09e4925648e1208251f27b
>         State = 0x1dbde0c41fb8f982d90bece46c6e4509
>         Message-Authenticator = 0x8a2a7ce59d3a714c2798ff5a6d0b272d
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 5 length 144
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 134
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> [peap]     TLS_accept: unknown state
> [peap]     TLS_accept: unknown state
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap]     TLS_accept: unknown state
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: unknown state
> [peap]     TLS_accept: unknown state
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 228 to 10.10.1.100 port 32769
>         EAP-Message =
> 0x01060041190014030100010116030100306d19383a9faaa50c050b9d84
> 368783de27c6c838e42614994a241d335fa33d920410bc9c618e3a65c753c7d35f0e8ecb
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x1dbde0c41ebbf982d90bece46c6e4509
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=229,
> length=255
>         User-Name = "adam"
>         Calling-Station-Id = "54:27:1e:0c:0b:fc"
>         Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
>         NAS-Port = 13
>         Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
>         NAS-IP-Address = 10.10.1.100
>         NAS-Identifier = "WLC01"
>         Airespace-Wlan-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "5"
>         EAP-Message = 0x020600061900
>         State = 0x1dbde0c41ebbf982d90bece46c6e4509
>         Message-Authenticator = 0x03765dcebe56926425508b7d393479fc
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 6 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 229 to 10.10.1.100 port 32769
>         EAP-Message =
> 0x0107002b190017030100204c55bea2a6991c719a753f19dc13e87d872e
> dd5639901eb0181643885baa89c9
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x1dbde0c419baf982d90bece46c6e4509
> Finished request 5.
> Going to the next request
> Waking up in 3.7 seconds.
> rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=230,
> length=292
>         User-Name = "adam"
>         Calling-Station-Id = "54:27:1e:0c:0b:fc"
>         Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
>         NAS-Port = 13
>         Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
>         NAS-IP-Address = 10.10.1.100
>         NAS-Identifier = "WLC01"
>         Airespace-Wlan-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "5"
>         EAP-Message =
> 0x0207002b19001703010020033da24f215ff6770592352ee0baf65289e6
> 783f14fc951694bfcf523340d15e
>         State = 0x1dbde0c419baf982d90bece46c6e4509
>         Message-Authenticator = 0x25023a51868485812fdf968ca7c2ac85
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 7 length 43
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - adam
> [peap] Got inner identity 'adam'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
>         EAP-Message = 0x0207000f0165616c6d6f6e61636964
> server  {
> [peap] Setting User-Name to adam
> Sending tunneled request
>         EAP-Message = 0x0207000f0165616c6d6f6e61636964
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "adam"
> server inner-tunnel {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> +group authorize {
> ++[chap] = noop
> ++[mschap] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++update control {
> ++} # update control = noop
> [eap] EAP packet type response id 7 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> [ldap] performing user authorization for adam
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} -> adam
> [ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (sAMAccountName=adam)
> [ldap]  expand: OU=Bapro Pagos,DC=g-bapro,DC=net -> OU=Bapro
> Pagos,DC=g-bapro,DC=net
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in OU=Bapro Pagos,DC=g-bapro,DC=net, with filter
> (sAMAccountName=adam)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the
> user is configured correctly?
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> ++? if (LDAP-Group == "GROUP1" &&  outer:NAS-Identifier == "WLC01")
>   [ldap] Entering ldap_groupcmp()
>         expand: OU=My Company,DC=company,DC=net -> OU=My
> Company,DC=company,DC=net
>         expand: (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
> ->
> (|(&(objectClass=group)(member=CN\3dAdam Cage\2cOU\3dInfra\2cOU\3dG.
> Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy
> Company\2cDC\3dcompany\2cDC\3dnet)))
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in OU=My Company,DC=company,DC=net, with filter
> (&(cn=GROUP1)(|(&(objectClass=group)(member=CN\3dAdam
> Cage\2cOU\3dInfra\2cOU\3dG. Infra\2cOU\3dTech\2cOU\3dUsers\2cOU\3dMy
> Company\2cDC\3dcompany\2cDC\3dnet))))
> rlm_ldap::ldap_groupcmp: User found in group GROUP1
>   [ldap] ldap_release_conn: Release Id: 0
> ? Evaluating (LDAP-Group == "GROUP1" ) -> TRUE
> *? Evaluating (outer:NAS-Identifier == "WLC01") -> FALSE*
> *++? if (LDAP-Group == "GROUP1" &&  outer:NAS-Identifier == "WLC01") ->
> FALSE*
> ++else else {
> +++[reject] = reject
> ++} # else else = reject
> +} # group authorize = reject
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> adam
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 230 to 10.10.1.100 port 32769
>         EAP-Message =
> 0x0108002b190017030100200110bb6389cea250a4fc8af36ccb735d1511
> 3f987e1111157885061c0ca49f7e
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x1dbde0c418b5f982d90bece46c6e4509
> Finished request 6.
> Going to the next request
> Waking up in 3.7 seconds.
> rad_recv: Access-Request packet from host 10.10.1.100 port 32769, id=231,
> length=292
>         User-Name = "adam"
>         Calling-Station-Id = "54:27:1e:0c:0b:fc"
>         Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
>         NAS-Port = 13
>         Cisco-AVPair = "audit-session-id=ac1f0c62000001c459a0487f"
>         NAS-IP-Address = 10.10.1.100
>         NAS-Identifier = "WLC01"
>         Airespace-Wlan-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-802.11
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "5"
>         EAP-Message =
> 0x0208002b190017030100209e06e7779f2ee5fa88ec212fd2bfefd507fe
> 3c35fa6307e630725297878cfb69
>         State = 0x1dbde0c418b5f982d90bece46c6e4509
>         Message-Authenticator = 0xfd7de78469c2187df23354803c7deef3
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "adam", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state send tlv failure
> [peap] Received EAP-TLV response.
> [peap]  The users session was previously rejected: returning reject
> (again.)
> [peap]  *** This means you need to read the PREVIOUS messages in the debug
> output
> [peap]  *** to find out the reason why the user was rejected.
> [peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
> you.
> [peap]  *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject]     expand: %{User-Name} -> adam
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 231 to 10.10.1.100 port 32769
>         EAP-Message = 0x04080004
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>
> 2017-08-25 11:37 GMT-03:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Aug 25, 2017, at 9:36 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> > >
> > > Dear Alan and Mattheu....I really appreciate your help.
> > >
> > > Following Alan's unlang clause, I've defined in default and
> inner-tunnel
> > > files:
> > >
> > > if (LDAP-Group == "GROUP1" &&  outer:Called-Station-Id =~ /:Free$/) {
> >
> >   <sigh>
> >
> >   I think you're not really paying attention.  You don't understand how
> > the server works, which is fine.  The worse bit is you're not trying to
> > understand how the server works.
> >
> >   You're either not following instructions, or you're doing more than
> > suggested without thinking about what's going on.
> >
> >   Read "man unlang" to see what "outer" refers to.  Then, think of the
> > difference between the "default" server, and the "inner-tunnel" server.
> > Which one is likely to allow "outer", and which one isn't likely to allow
> > "outer"?
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> >
>
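As an added example (not code from this thread or from the FreeRADIUS project), here is how the inner-tunnel condition reads with Tom's suggested outer.request: list reference. The group name, the NAS-Identifier value and the SSID suffix are taken from Adam's messages; that the server build in use accepts the outer.request: syntax is an assumption, as is placing the block at the end of the inner-tunnel authorize section and the file path, which is copied from the debug output. The outer lists only exist inside the inner-tunnel server, which is the point of Alan's hint: the copy of the condition in the default server cannot reference them and should test NAS-Identifier and Called-Station-Id of its own request directly.

```unlang
# Added example, not the stock configuration: tail of the "authorize"
# section of /etc/freeradius/sites-enabled/inner-tunnel (path taken from
# the debug output above). The module order mirrors what the debug output
# shows running before the condition. The ldap module must run before the
# LDAP-Group check, because the group lookup uses control:Ldap-UserDn,
# which the ldap lookup sets.
authorize {
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap

        # "outer.request" is the outer Access-Request that the "default"
        # server received from the controller, as seen from the tunnel.
        # These lists exist only in inner-tunnel; the bare "outer:" form
        # evaluated to FALSE in the debug output.
        if (LDAP-Group == "GROUP1" && outer.request:NAS-Identifier == "WLC01" && outer.request:Called-Station-Id =~ /:Free$/) {
                update reply {
                        Reply-Message = "Hello %{User-Name}: access accept"
                }
                ok
        }
        else {
                # No match: refuse the tunneled authentication. PEAP then
                # reports the failure to the client and the outer session
                # is rejected, exactly as in the debug output.
                reject
        }
}
```

NAS-Identifier and Called-Station-Id are values the controller itself puts into the request, so this condition restricts which SSID on which controller a group may use; it does not authenticate the controller, which is the job of the shared secret in clients.conf. Keeping the check in inner-tunnel also means it runs on the inner identity, the one that is actually authenticated, rather than on the outer User-Name of the PEAP request.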

