Freeradius-Users Digest, Vol 178, Issue 5
Ted Hyde (RSI)
thyde at rndstudio.com
Mon Feb 3 19:41:53 CET 2020
Greets - is there a way in unlang to test against attributes created
after a 'files' module? Not sure if I'm asking that correctly, so
here's what I'm trying to do:
SSID: test1 -- EAP-TLS only with cert loaded on supplicant, no further
auth (my usual setup)
SSID: test2 -- EAP-TTLS with mac auth and user-name/pwd auth to
restrict unauthorized Apple clients (like watches)
SSID: test3 -- EAP-TTLS with only user-name/pwd for a guest access
portal.
Clients associating with test1 only associate with test1 (since they
are the only ones with a cert pre-installed and choose eap-tls mode to
make it work, thus no user/pwd/mac filtering needed), usernames from
'test2' shall be permitted to ONLY associate with test2, and usernames
for test3 shall be permitted to ONLY associate with test3. IF a client
attempts associating with test2 and has a valid username/pwd in
eap-ttls mode, then its mac is checked against a separate file
(auth_macs) for final permission.
I've been testing this out with manually-typed entries in nested
if/switch statements with success, however I would "like" to be able to
set my own VSA in the users file (or authorize file, since this is FR3)
and be able to test against it inside of my default virtual-server:
>>>>>>> e.g. "files/authorize" (assuming "My-Allowed-SSID" is in the
dictionary correctly):

    myusername      Cleartext-Password := "mypassword"
                    My-Allowed-SSID = "test2"
>>>>>>>>> and in "mods-enabled/files" appending:

    files authorized_macs {
            key = "%{Calling-Station-ID}"
            usersfile = ${confdir}/authorized_macs
    }
>>>>>>>>> in "${confdir}/authorized_macs":

    50-F0-D3-10-B5-CA
            Reply-Message = "Device authorized"
>>>>>>>>> and in "sites-enabled/default":

    if (Eap-Message) {
            ...
            if (Cisco-AVPair[0] == "ssid=test2") {
                    authorized_macs
                    if (ok) {
                            <<< some method of calling files and testing if
                            User-Name matches Password and returning value of My-Allowed-SSID, and
                            testing against = test2 >>>
                            if (<<<ok and My-Allowed-SSID == "test2">>>) {
                                    eap
                            }
                    }
            }
            ...
    }
I will eventually roll this over to a postgres db, but want to "make it
work in the simple mode first". So far I have not been able to figure
out how I would reference an attribute after calling a lookup from
"files" or similar; the docs I am reading (network... and
wiki.free....) point to module responses being mostly enumerated
responses, not something that can contain dynamic responses and later
parsed...
Realizing this is a hugely complex question, and certainly not the only
way to go about getting to the goal, this is also
half-learn-more-about-FR than just a task for the office.
Is there a way of having a separate "users" file (or files/authorize)
that is queried after eap but does double-duty of the authorized_macs
and username/pwd? The pwd for an account that has a restricted mac
filter will be one-to-one (one mac, one u/p, one SSID combination).
Regards,
Ted.
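One way to wire up the layout described in the post, added here as an editor's example (not the poster's config and not taken from the FreeRADIUS docs): the MAC allow-list is checked in the outer "default" server, while the per-user SSID restriction is checked in the EAP-TTLS "inner-tunnel" server, where the users file has just been read and the outer request is reachable through the "outer.request" list. It assumes My-Allowed-SSID is defined in a local dictionary, the stock "default"/"inner-tunnel" server names, PAP as the inner authentication, and that the files module returns "noop" when no entry matches the key.

```unlang
# mods-enabled/files: a second "files" instance keyed on the client MAC
# instead of User-Name, so a match means "this MAC is on the allow-list".
files authorized_macs {
        key = "%{Calling-Station-Id}"
        usersfile = ${confdir}/authorized_macs
}

# ${confdir}/authorized_macs (constructed sample): one entry per permitted MAC
# 50-F0-D3-10-B5-CA
#         Reply-Message = "Device authorized"

# mods-config/files/authorize (the FR3 "users" file). First line = check
# items, following lines = reply items, so My-Allowed-SSID ends up in the
# reply list of the inner request after "files" runs. Constructed entries:
# myusername      Cleartext-Password := "mypassword"
#                 My-Allowed-SSID = "test2"
# guestuser       Cleartext-Password := "guestpass"
#                 My-Allowed-SSID = "test3"

# sites-enabled/default, authorize section, ahead of the usual "eap" call.
# The controller reports the SSID as Cisco-AVPair "ssid=<name>".
authorize {
        ...
        if (&Cisco-AVPair[0] == "ssid=test2") {
                authorized_macs
                if (noop) {             # no entry matched Calling-Station-Id
                        reject
                }
        }
        eap {
                ok = return
        }
        ...
}

# sites-enabled/inner-tunnel, authorize section. The inner request carries
# User-Name and the password; "files" loads the account's check and reply
# items, then the SSID of the outer request is compared with the account's
# My-Allowed-SSID before any password check happens.
authorize {
        ...
        files
        if (!(&reply:My-Allowed-SSID && (&outer.request:Cisco-AVPair[0] == "ssid=%{reply:My-Allowed-SSID}"))) {
                reject                  # unknown account, or wrong SSID for it
        }
        ...
        pap                             # checks the password against control:Cleartext-Password
}
```

Check the exact Calling-Station-Id format your controller sends (separator and case vary between vendors) and write the authorized_macs entries in that form, or the keyed lookup will never match.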