authorized_mac best usage way

cedric delaunay Cedric.Delaunay at insa-rennes.fr
Thu Mar 2 14:43:21 UTC 2023 

hello list.

On my last freeradius upgrade (to Version 3.2.1) I changed config files 
to reach this goal :

    Force the vlan for unknown mac adresses OR eduroam SSID
    use user's one (comming from ldap module) for known mac adresses

      (yes it looks like a small network access control)

That for, I add this unlang command in default site :

authorize {
.....
authorized_macs
if (!ok) {
        update reply {
                         Tunnel-Private-Group-Id := 602
                 }
} else {
         if (Called-Station-Id =~ /.*eduroam.*/i ) {
                 update reply {
                         Tunnel-Private-Group-Id := 602
                 }
         }
}

  and of course in ldap module :

reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivateGroupId'

Not shure why but sometimes, known mac addresses fall in vlan 602.

reading debug log, I see that access-accept request has 2 
Tunnel-Private-Group-Id values.

(917721) Login OK: [anonymous] (from client APs port 0 cli 9C-B6-D0-93-43-9B)
(917721) Sent Access-Accept Id 235 from 10..x.x.x:1812 to 10.y.y.y:34406 length 206
(917721)*Tunnel-Private-Group-Id := "602"*
(917721)   MS-MPPE-Recv-Key = 0x8b027fe2eb7a469ab2511b31ea16e1ea2c6f11b9846db09dce876d4333d99077
(917721)   MS-MPPE-Send-Key = 0xc9b83651e9ff3adefbdf2371f127d2fbdc2b5334f3ed37c0729a1e4b468945ab
(917721)   EAP-Message = 0x03170004
(917721)   Message-Authenticator = 0x00000000000000000000000000000000
(917721)   User-Name = "anonymous"
(917721)   Framed-MTU += 1014
(917721)   Tunnel-Type += VLAN
(917721)   Tunnel-Medium-Type += IEEE-802
(917721)*Tunnel-Private-Group-Id += "1001"*
(917721)   Service-Type += Administrative-User
(917721) Finished request

How can the WAP know which one apply ???

My questions are :

- Is that method a valid one ? If not, how to ?
- should I use an other operator to set Tunnel-Private-Group-Id value ?
- why is the attribute present twice even if := operator is always used 
and wiki says :

*:=* 	Attribute := value 	Always matches as a check item, and replaces 
in the configuration items any attribute of the same name. If no 
attribute of that name appears in the request, then this attribute is 
added.

Thanks for your attention.

Cédric

-- 
*Cédric Delaunay
*
*Service Infrastructure Systèmes et Réseaux / Direction du Système 
d'Information*
*RSSI Suppléant *
Tel. : +33 (0)2 23 23 8568
*INSA Rennes*
20 avenue des Buttes de Coêsmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr <http://www.insa-rennes.fr/>

More information about the Freeradius-Users mailing list