authorized_mac best usage way
Delaunay Cédric
Cedric.Delaunay at insa-rennes.fr
Tue Mar 7 15:12:48 UTC 2023
Hello Alan, thanks for your reply
Even after years, each FreeRADIUS server replacement/upgrade reminds
me how much of a newbie I am at using FreeRADIUS....
On Thursday, 2 March 2023 at 10:04 -0500, Alan DeKok wrote:
> > On Mar 2, 2023, at 9:43 AM, cedric delaunay
> > <Cedric.Delaunay at insa-rennes.fr> wrote:
> > > > On my last FreeRADIUS upgrade (to Version 3.2.1) I changed
> > > > config
> > > > files to reach this goal:
> > > > Force the VLAN for unknown MAC addresses OR the eduroam SSID; use
> > > > the user's one (coming from the ldap module) for known MAC addresses
> > > > (yes, it looks like a small network access control).
> > > > To do that, I added this unlang block in the default site:
> > Be aware of the differences between the "default" virtual server,
> > and the "inner-tunnel" virtual server.
> > The "inner-tunnel" is for authenticating passwords inside of EAP
> > methods (PEAP or TTLS). But attributes you set there are set for
> > the
> > inner-tunnel. They don't get sent to the NAS unless you make sure
> > that happens.
> > See the comments in "inner-tunnel" for more details.
OK, my understanding is:
"setting this attribute depends on the computer (which doesn't care about
the inner tunnel) AND the username (which has to be read in the inner-tunnel)"
> > > > authorize {
> > > >     .....
> > > >     authorized_macs
> > > >     if (!ok) {
> > > >         update reply {
> > > >             Tunnel-Private-Group-Id := 602
> > > >         }
> > > >     }
> > > >     else {
> > > >         if (Called-Station-Id =~ /.eduroam./i ) {
> > > >             update reply {
> > > >                 Tunnel-Private-Group-Id := 602
> > > >             }
> > > >         }
> > > >     }
> > > > }
> > That likely gets run before the "eap" module...
Yes it is; I'm running this block just after preprocess.
> > > > and of course in ldap module :
> > > > reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
> > Does the LDAP module get run in the "inner-tunnel" virtual
> > server?
Yes it is, as my password database is an LDAP server and most users use
an anonymous identity as the external identity.
> > And my guess is that you're copying the inner-tunnel reply to the
> > outer reply. And therefore adding another Tunnel-Private-Group-Id.
Exactly, but I'm not sure I have to. Maybe to have the inner identity and
the error message, if any, in the logs...
inner-tunnel
post-auth {
    ....
    #
    # Instead of "use_tunneled_reply", change this "if (0)" to an
    # "if (1)".
    #
    if (1) {
        #
        # These attributes are for the inner-tunnel only,
        # and MUST NOT be copied to the outer reply.
        #
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }
        #
        # Copy the inner reply attributes to the outer
        # session-state list. The post-auth policy will take
        # care of copying the outer session-state list to the
        # outer reply.
        #
        update {
            &outer.session-state: += &reply:
        }
    }
> > > > Not sure why, but sometimes known MAC addresses fall in VLAN
> > > > 602.
> > > > Reading the debug log, I see that the Access-Accept has 2
> > > > Tunnel-Private-Group-Id values.
> > The debug log also shows you why it has 2 Tunnel-Private-Group-Id
> > attributes.
> > > > How can the WAP know which one to apply???
> > It doesn't. It picks one.
> > > > My questions are:
> > > > * Is that method a valid one? If not, how to?
> > > > * Should I use another operator to set the Tunnel-Private-Group-Id
> > > > value?
> > > > * Why is the attribute present twice,
> > Because you told it to do that.
Yep, unfortunately, sometimes FreeRADIUS and I don't speak the same
language.
> > > > even if the := operator is always used and the wiki says:
> > Because at some point you're not using ":=" for
> > Tunnel-Private-Group-Id, you're using "+=". Read the debug output
> > and your local configuration.
> > The simple solution here is to move the check for authorized MACs
> > from the "authorize" section to the "post-auth" section. Put it at
> > the bottom of the post-auth section:
> > post-auth {
> >     ...
> >     authorized_macs
> >     if (!ok) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     }
> >     elsif (!&reply.Tunnel-Private-Group-Id) {
> >         if (Called-Station-Id =~ /.eduroam./i ) {
> >             update reply {
> >                 Tunnel-Private-Group-Id := 602
> >             }
> >         }
> >     }
> > }
> > i.e. for non-authorized MACs, always put them in 602.
> > If SOMETHING set Tunnel-Private-Group-Id, then don't change it.
> > Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602
> > for eduroam.
OK, I'll try this.
> > But... are you really setting Tunnel-Private-Group-Id to something
> > other than 602 for Eduroam users? I'd do it this way:
Surely not, so I'll try the next solution. I just have to put the linelog
call after this to log the VLAN actually assigned.
> > post-auth {
> >     ...
> >     authorized_macs
> >     if (!ok) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     }
> >     elsif (Called-Station-Id =~ /.eduroam./i ) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     }
> > }
> > That's it. Unauthorized MACs get 602. Eduroam users get 602.
> > Everyone else gets a VLAN which was previously assigned by
> > something else.
> > Alan DeKok.
Let's go and check the debug log.
Thanks a lot Alan
Cédric
--
Cédric Delaunay
Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information
RSSI Suppléant
Tel. : +33 (0)2 23 23 8568
INSA Rennes
20 avenue des Buttes de Coêsmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr
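As an added example (not code from the thread, and not FreeRADIUS's own), the Python below models the three unlang list operators the thread relies on (":=", "+=" and "!* ANY") and replays both configurations end to end: the original, with the VLAN rule in the outer "authorize" section, and Alan's second suggestion with the rule at the bottom of the outer "post-auth". The copy steps (inner-tunnel post-auth appending &reply: to &outer.session-state:, the stock default-site post-auth appending session-state to reply), the Called-Station-Id format "<AP-MAC>:<SSID>", the user VLAN "123" and the MPPE key values are assumptions modelled on the snippets quoted above; check them against your own debug output.

```python
"""Model of the unlang attribute-list operators used in this thread.

Added example, not FreeRADIUS code: it reproduces in plain Python how
':=' (set exactly one instance), '+=' (append) and '!* ANY' (delete all)
act on a RADIUS attribute list, then replays the two configurations from
the thread so the duplicate Tunnel-Private-Group-Id becomes visible.
The request flow is a simplified reconstruction (assumption): the outer
'authorize' runs before 'eap', the inner-tunnel post-auth 'if (1)' block
copies &reply: to &outer.session-state: with '+=', and the default site's
post-auth does 'update { &reply: += &session-state: }'.
"""
import re

TPGI = "Tunnel-Private-Group-Id"
MPPE_KEYS = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")

# An attribute list is an ordered list of (name, value) pairs: RADIUS allows
# the same attribute several times, and the order in the packet is preserved.


def op_set(attrs, name, value):
    """unlang ':=': remove every existing instance, then add exactly one."""
    attrs[:] = [(n, v) for n, v in attrs if n != name]
    attrs.append((name, value))


def op_append(attrs, name, value):
    """unlang '+=': add another instance, never replacing an existing one."""
    attrs.append((name, value))


def op_delete_all(attrs, name):
    """unlang 'Name !* ANY': delete every instance of the attribute."""
    attrs[:] = [(n, v) for n, v in attrs if n != name]


def values(attrs, name):
    """All values of one attribute, in packet order."""
    return [v for n, v in attrs if n == name]


def access_accept(mac_authorized, called_station_id, ldap_vlan, vlan_in_post_auth):
    """Replay one PEAP/TTLS authentication and return the outer reply list.

    mac_authorized    : what 'authorized_macs' returns for the client MAC
    called_station_id : outer Called-Station-Id, typically "<AP-MAC>:<SSID>"
    ldap_vlan         : the user's radiusTunnelPrivateGroupId, or None
    vlan_in_post_auth : False = VLAN rule in outer 'authorize' (original);
                        True  = VLAN rule at the bottom of outer 'post-auth'
    """
    reply, session_state = [], []
    # The thread's regex is /.eduroam./i, which needs a character on BOTH
    # sides of the word. If your NAS sends "<AP-MAC>:eduroam" there is nothing
    # after the SSID and that regex never matches; this model matches the
    # bare SSID name instead (assumption). Verify with the debug log.
    eduroam = re.search(r"eduroam", called_station_id, re.I) is not None

    def vlan_rule(lst):
        # Alan's second version: unauthorised MACs and eduroam both get 602
        # via ':='; everyone else keeps whatever was set earlier.
        if not mac_authorized or eduroam:
            op_set(lst, TPGI, "602")

    if not vlan_in_post_auth:
        vlan_rule(reply)                       # outer authorize, before eap

    # inner-tunnel: ldap sets reply:Tunnel-Private-Group-Id := <user VLAN>;
    # the MPPE keys are constructed inner-only values that must not leak out.
    inner_reply = []
    if ldap_vlan is not None:
        op_set(inner_reply, TPGI, ldap_vlan)
    for key in MPPE_KEYS:
        op_append(inner_reply, key, "<inner-only key material>")

    # inner-tunnel post-auth 'if (1)' block
    for key in MPPE_KEYS:
        op_delete_all(inner_reply, key)        # MS-MPPE-* !* ANY
    for n, v in inner_reply:
        op_append(session_state, n, v)         # &outer.session-state: += &reply:

    # outer post-auth: update { &reply: += &session-state: }
    for n, v in session_state:
        op_append(reply, n, v)
    if vlan_in_post_auth:
        vlan_rule(reply)                       # ':=' now runs AFTER the copy
    return reply


if __name__ == "__main__":
    ap = "AA-BB-CC-DD-EE-FF"
    for where, flag in (("authorize", False), ("post-auth", True)):
        for ssid in ("eduroam", "staff"):
            for known in (True, False):
                got = values(access_accept(known, f"{ap}:{ssid}", "123", flag), TPGI)
                print(f"rule in {where:9} ssid={ssid:7} known_mac={known!s:5} -> {got}")
```

With the rule in "authorize", a known MAC on the eduroam SSID ends up with both "602" (set early with ":=") and "123" (appended later by the two "+=" copies), which is the double attribute the debug log showed; with the rule at the end of "post-auth", the ":=" runs after every copy and the reply carries a single value. Note the last case the model exposes: a known MAC on a non-eduroam SSID whose LDAP entry has no radiusTunnelPrivateGroupId gets no Tunnel-Private-Group-Id at all, so the NAS falls back to its own default VLAN; if that is not acceptable, add a final "if (!&reply:Tunnel-Private-Group-Id)" fallback.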