Trying to Authorize Users based on AD Groups and SSIDs

Misbah Hussaini misbhauddin at gmail.com
Fri Feb 17 06:41:50 CET 2017


Voila! Got it to work. Here is what was wrong.

Windows machines pass the username in the EAP-MSCHAP packet response in
Domain\Username format, which does not go well with our LDAP filters, as
there is no attribute (as far as I know) in AD which holds the domain\username
value for an object, and you cannot remove the domain part from the EAP
packets, as this will make EAP auth fail. As mentioned here
http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057116.html
(go through the whole thread for complete understanding), we have to remove
the domain part from the username field for LDAP lookups (not from the EAP
packets) so as to make LDAP lookups work, and this is done by configuring a
domain realm in proxy.conf, configuring ntdomain in the virtual servers, and
ntdomain_hack in the mschap mod. Below are the config details.

mods-enabled/eap
    set copy_request_to_tunnel = yes

raddb/proxy.conf
    # add an empty stanza for your domain
    realm domain {
    }

mods-enabled/mschap
    set with_ntdomain_hack = yes

sites-enabled/default
    authorize {
        # These 2 lines will remove the domain name when passing the
        # username attribute for ldap lookups
        preprocess
        ntdomain
        ...
        ..
    }

sites-enabled/inner-tunnel
    authorize {
        # These 3 lines will remove the domain name (or realm suffix) when
        # passing the username attribute for ldap lookups
        preprocess
        suffix
        ntdomain
        if (!State) {
            if ((outer.Called-Station-SSID == "XYZ") && (LDAP-Group != "ABC")) {
                reject
            }
        }
        .....
        ....
    }

Do let me know if there is a more diligent way of doing the same.

Regards
Misbah
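As an added illustration (not from this thread and not FreeRADIUS code), the Python below emulates what the config above achieves: it splits the NT domain or realm suffix the way the ntdomain/suffix modules populate Stripped-User-Name, builds the sAMAccountName filter from the thread with RFC 4515 escaping of the user-supplied value, and applies the SSID/LDAP-Group policy from the inner tunnel. The sample user names, the SSID "XYZ" and the group "ABC" are constructed values.

```python
import re

# Constructed sample identities, modelled on the thread: a Windows supplicant
# sends DOMAIN\user in the EAP-MSCHAPv2 identity, other supplicants may send
# user@realm or a bare user name.
SAMPLE_USER_NAMES = ["CORP\\jdoe", "jdoe@corp.example", "jdoe"]


def strip_realm(user_name):
    """Emulate the ntdomain and suffix realm modules: return
    (Stripped-User-Name, Realm), or (None, None) when no realm is present."""
    if "\\" in user_name:                       # ntdomain: DOMAIN\user
        realm, _, user = user_name.partition("\\")
        return user, realm
    if "@" in user_name:                        # suffix: user@realm
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return None, None


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so a crafted user name cannot alter the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def sam_account_filter(user_name):
    """Build the filter from the thread, i.e.
    (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}):
    prefer Stripped-User-Name and fall back to the raw User-Name."""
    stripped, _ = strip_realm(user_name)
    lookup = stripped if stripped is not None else user_name
    return "(sAMAccountName=%s)" % ldap_escape(lookup)


def authorize(outer_ssid, ldap_groups, state_present=False,
              restricted_ssid="XYZ", required_group="ABC"):
    """Mirror the inner-tunnel unlang: on the first EAP round (no State
    attribute) reject when the client is on the restricted SSID but the user
    is not a member of the required AD group; otherwise let authorize continue."""
    if state_present:
        return "continue"   # if (!State) skips the check on later rounds
    if outer_ssid == restricted_ssid and required_group not in ldap_groups:
        return "reject"
    return "continue"


if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        print(name, "->", sam_account_filter(name))
    print(authorize("XYZ", ["Staff"]), authorize("XYZ", ["ABC"]))
```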

On 17 February 2017 at 00:23, Misbah Hussaini <misbhauddin at gmail.com> wrote:

> I think I found the reason why the ldap group check is not working.
>
> My ldap config has the filter set to sAMAccountName as shown below but the
> EAP packet is passing username as DOMAIN\USERNAME which is incorrect format
> for sAMAccountName.
>
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> Now, the question is how do I remove the domain\ from the username field,
> as I read elsewhere changing the username will cause EAP auth to fail.
>
> Pointers are welcome... Quest continues..
>
> Regards
> Misbah
>
> On 16 February 2017 at 21:45, Misbah Hussaini <misbhauddin at gmail.com>
> wrote:
>
>> Thanks for the pointer, changing the condition to below worked, but I'm
>> unable to figure out how to do ldap-group lookups inside the inner tunnel
>> config. I have tried to do the ldap lookup inside the default config by
>> removing the if condition from inner tunnel and adding it to default, but
>> still it fails.
>>
>> if (outer.Called-Station-SSID != "SSID02362") {
>>     reject
>> }
>>
>>
>> On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin at quarantainenet.nl>
>> wrote:
>>
>>> On 16-02-17 14:12, Misbah Hussaini wrote:
>>> > Dear Alan,
>>> >
>>> >> The "if" condition doesn't match.  Why?  Go read the debug output.
>>> >> Run tests on each "if" check.  *Understand* how the server works.
>>> >
>>> > I changed the if condition to below but still the if condition is not
>>> > matching, I can confirm from logs that Called-Station-SSID is set to
>>> > SSID02362, what's wrong in the if condition?
>>> >
>>> >  if (!State) {
>>> >                 if ((Called-Station-SSID == "SSID02362") ) {
>>> >                         reject
>>> >                 }
>>> >         }
>>> >
>>> > Here is the processing of the rewrite statement from debug; the full debug
>>> > can be found here -> http://pastebin.com/SuS2t9Er
>>>
>>> You're changing the Called-Station-SSID in the outer tunnel (line 1848),
>>> then send a tunneled request (line 1911) with only a few attributes. The
>>> check is performed in the inner tunnel, and can't find the
>>> Called-Station-SSID.
>>>
>>> Possible solutions:
>>> - Perform the check in the outer tunnel
>>> - Write to/Read from session-state:Called-Station-SSID
>>> - Use outer:request:Called-Station-SSID (or whatever the exact syntax
>>>   was) to use the outer request.
>>>
>>> --
>>> Herwin Weststrate
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>