authorized_mac best usage way

Alan DeKok aland at deployingradius.com
Thu Mar 2 15:04:35 UTC 2023


On Mar 2, 2023, at 9:43 AM, cedric delaunay <Cedric.Delaunay at insa-rennes.fr> wrote:
> On my last freeradius upgrade (to Version 3.2.1) I changed config files to reach this goal :
> 
>   Force the vlan for unknown mac adresses OR eduroam SSID
>   use user's one (comming from ldap module) for known mac adresses
> 
>     (yes it looks like a small network access control)
> 
> That for, I add this unlang command in default site :

  Be aware of the differences between the "default" virtual server, and the "inner-tunnel" virtual server.

  The "inner-tunnel" is for authenticating passwords inside of EAP methods (PEAP or TTLS).  But attributes you set there are set for the inner-tunnel.  They don't get sent to the NAS unless you make sure that happens.

  See the comments in "inner-tunnel" for more details.

> authorize {
> .....
> authorized_macs
> if (!ok) {
>        update reply {
>                         Tunnel-Private-Group-Id := 602
>                 }
> } else {
>         if (Called-Station-Id =~ /.*eduroam.*/i ) {
>                 update reply {
>                         Tunnel-Private-Group-Id := 602
>                 }
>         }
> }

  That likely gets run before the "eap" module...

>  and of course in ldap module :
> 
> reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivateGroupId'

  Does the LDAP module get run in the "inner-tunnel" virtual server? 

  And my guess is that you're copying the inner-tunnel reply to the outer reply.  And therefore *adding* another Tunnel-Private-Group-Id.

> Not shure why but sometimes, known mac addresses fall in vlan 602.
> 
> reading debug log, I see that access-accept request has 2 Tunnel-Private-Group-Id values.

  The debug log also shows you *why* it has 2 Tunnel-Private-Group-Id attributes.

> How can the WAP know which one apply ???

  It doesn't.  It picks one.

> My questions are :
> 
> - Is that method a valid one ? If not, how to ?
> - should I use an other operator to set Tunnel-Private-Group-Id value ?
> - why is the attribute present twice

  Because you told it do to that.

> even if := operator is always used and wiki says :

  Because at some point you're not using ":=" for Tunnel-Private-Group-Id, you're using "+=".  Read the debug output and your local configuration.

  The simple solution here is to move the check for authorized MACs from the "authorize" section to the "post-auth" section.  Put it at the *bottom* of the post-auth section:

post-auth {
	...


  authorized_macs
  if (!ok) {
       update reply {
                        Tunnel-Private-Group-Id := 602
                }
  } elsif (!&reply.Tunnel-Private-Group-Id) {
        if (Called-Station-Id =~ /.*eduroam.*/i ) {
                update reply {
                        Tunnel-Private-Group-Id := 602
                }
        }
  }
}

  i.e. for non-authorized MACs, always put them in 602.

  If SOMETHING set Tunnel-Private-Group-Id, then don't change it.

  Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602 for eduroam.

  But... are you really setting Tunnel-Private-Group-Id to something other than 602 for Eduroam users?  I'd do it this way:

post-auth {
	...

  authorized_macs
  if (!ok) {
       update reply {
                        Tunnel-Private-Group-Id := 602
                }
  } elsif (Called-Station-Id =~ /.*eduroam.*/i ) {
                update reply {
                        Tunnel-Private-Group-Id := 602
                }
        }
}

  That's it.  Unauthorized MACs get 602.  Eduroam users get 602.  Everyone else gets a VLAN which was *previously* assigned by something else.

  Alan DeKok.



More information about the Freeradius-Users mailing list