authorized_mac best usage way

Delaunay Cédric Cedric.Delaunay at insa-rennes.fr
Tue Mar 7 15:12:48 UTC 2023


Hello Alan, thanks for your reply.
Even after years, each FreeRADIUS server replacement/upgrade reminds
me how much of a newbie in FreeRADIUS I still am....
On Thursday, 02 March 2023 at 10:04 -0500, Alan DeKok wrote:
> > On Mar 2, 2023, at 9:43 AM, cedric delaunay
> > <Cedric.Delaunay at insa-rennes.fr> wrote:
> > > > On my last freeradius upgrade (to Version 3.2.1) I changed config
> > > > files to reach this goal:
> > > >   Force the VLAN for unknown MAC addresses OR the eduroam SSID; use
> > > >   the user's one (coming from the ldap module) for known MAC addresses
> > > >   (yes, it looks like a small network access control)
> > > > For that, I added this unlang in the default site:
> >   Be aware of the differences between the "default" virtual server,
> > and the "inner-tunnel" virtual server.
> >   The "inner-tunnel" is for authenticating passwords inside of EAP
> > methods (PEAP or TTLS).  But attributes you set there are set for the
> > inner-tunnel.  They don't get sent to the NAS unless you make sure
> > that happens.
> >   See the comments in "inner-tunnel" for more details.
OK, my understanding is:
"setting this attribute depends on the computer (which doesn't care about
the inner tunnel) AND the username (which has to be read in the inner-tunnel)"
> > > > authorize {
> > > >     .....
> > > >     authorized_macs
> > > >     if (!ok) {
> > > >         update reply {
> > > >             Tunnel-Private-Group-Id := 602
> > > >         }
> > > >     } else {
> > > >         if (Called-Station-Id =~ /.eduroam./i ) {
> > > >             update reply {
> > > >                 Tunnel-Private-Group-Id := 602
> > > >             }
> > > >         }
> > > >     }
> > > > }
> >   That likely gets run before the "eap" module...
Yes, it is. I'm running this script just after preprocess.
> > > > and of course in the ldap module:
> > > > reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
> >   Does the LDAP module get run in the "inner-tunnel" virtual
> > server?
Yes, it is, as my password database is an LDAP server and most users use
an anonymous identity as the external one.
> >   And my guess is that you're copying the inner-tunnel reply to the
> > outer reply.  And therefore adding another Tunnel-Private-Group-Id.
Exactly, but I'm not sure I have to. Maybe to have the inner identity and
the error message, if any, in the logs...

inner-tunnel
post-auth {
    ....
    #
    # Instead of "use_tunneled_reply", change this "if (0)" to an
    # "if (1)".
    #
    if (1) {
        #
        # These attributes are for the inner-tunnel only,
        # and MUST NOT be copied to the outer reply.
        #
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }

        #
        # Copy the inner reply attributes to the outer
        # session-state list. The post-auth policy will take
        # care of copying the outer session-state list to the
        # outer reply.
        #
        update {
            &outer.session-state: += &reply:
        }
    }

> > > > Not sure why, but sometimes known MAC addresses fall into VLAN 602.
> > > > Reading the debug log, I see that the Access-Accept has 2
> > > > Tunnel-Private-Group-Id values.
> >   The debug log also shows you why it has 2 Tunnel-Private-Group-Id
> > attributes.
> > > > How can the WAP know which one to apply ???
> >   It doesn't.  It picks one.
> > > > My questions are :
> > > >  * Is that method a valid one? If not, how to?
> > > >  * Should I use another operator to set the Tunnel-Private-Group-Id
> > > >    value?
> > > >  * Why is the attribute present twice
> >   Because you told it to do that.
Yep, unfortunately, sometimes FreeRADIUS and I don't speak the same
language.
> > > > even if the := operator is always used and the wiki says:
> >   Because at some point you're not using ":=" for
> > Tunnel-Private-Group-Id, you're using "+=".  Read the debug output
> > and your local configuration.
> >   The simple solution here is to move the check for authorized MACs
> > from the "authorize" section to the "post-auth" section.  Put it at
> > the bottom of the post-auth section:
> > post-auth {
> >     ...
> >     authorized_macs
> >     if (!ok) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     } elsif (!&reply.Tunnel-Private-Group-Id) {
> >         if (Called-Station-Id =~ /.eduroam./i ) {
> >             update reply {
> >                 Tunnel-Private-Group-Id := 602
> >             }
> >         }
> >     }
> > }
> >   i.e. for non-authorized MACs, always put them in 602.
> >   If SOMETHING set Tunnel-Private-Group-Id, then don't change it.
> >   Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602
> > for eduroam.
OK, I'll try this.
> >   But... are you really setting Tunnel-Private-Group-Id to something
> > other than 602 for Eduroam users?  I'd do it this way:
Sure not, so I'll try the next solution. I just have to put the linelog
call after this to log the VLAN actually assigned.
> > post-auth {
> >     ...
> >     authorized_macs
> >     if (!ok) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     } elsif (Called-Station-Id =~ /.eduroam./i ) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     }
> > }
> >   That's it.  Unauthorized MACs get 602.  Eduroam users get 602.
> > Everyone else gets a VLAN which was previously assigned by
> > something else.
> >   Alan DeKok.

Let's go and check the debug log.
Thanks a lot Alan
Cédric
-- 
Cédric Delaunay
Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information
RSSI Suppléant
Tel. : +33 (0)2 23 23 8568
INSA Rennes
20 avenue des Buttes de Coêsmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr
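The symptom discussed in this thread, an Access-Accept carrying two Tunnel-Private-Group-Id values because an outer `:=` and the inner-tunnel's `&outer.session-state: += &reply:` both contribute one, is easy to miss when scrolling through `radiusd -X` output by hand. The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python check that walks debug output, groups the attribute lines of each "Sent Access-Accept" packet by request number, and reports any reply where the VLAN attribute appears more than once. The sample log is constructed; its line shapes approximate the 3.x debug format (request number in parentheses, a "Sent ..." line, then one indented `Attr = value` line per reply attribute), so adjust the regular expressions if your build prints something different.

```python
"""Flag Access-Accept replies in FreeRADIUS debug output (radiusd -X)
that carry more than one Tunnel-Private-Group-Id.

Added example, not code from the mailing-list thread or from FreeRADIUS.
The sample below is constructed; the line shapes approximate 3.x debug
output and may need tuning for a real capture.
"""
import re

# Constructed sample: request (6) is the failure case from the thread
# (two Tunnel-Private-Group-Id values), request (7) is a clean reply,
# request (8) is an Access-Reject and must be ignored.
SAMPLE_DEBUG = """\
(6) Sent Access-Accept Id 23 from 192.0.2.1:1812 to 192.0.2.10:50921 length 0
(6)   Tunnel-Type = VLAN
(6)   Tunnel-Medium-Type = IEEE-802
(6)   Tunnel-Private-Group-Id = "602"
(6)   Tunnel-Private-Group-Id = "123"
(6)   User-Name = "anonymous@example.org"
(6) Finished request
(7) Sent Access-Accept Id 24 from 192.0.2.1:1812 to 192.0.2.10:50921 length 0
(7)   Tunnel-Type = VLAN
(7)   Tunnel-Medium-Type = IEEE-802
(7)   Tunnel-Private-Group-Id = "123"
(7) Finished request
(8) Sent Access-Reject Id 25 from 192.0.2.1:1812 to 192.0.2.10:50921 length 0
(8)   Tunnel-Private-Group-Id = "602"
(8)   Tunnel-Private-Group-Id = "602"
(8) Finished request
"""

# "(6) Sent Access-Accept Id 23 from ..." -> request id and packet type
SENT_RE = re.compile(r"^\((\d+)\)\s+Sent\s+(Access-\S+)")
# "(6)   Tunnel-Private-Group-Id = "602"" -> request id, attribute, value
ATTR_RE = re.compile(r"^\((\d+)\)\s{2,}([\w-]+)\s*=\s*(.*)$")


def parse_replies(debug_text):
    """Return {request_id: (packet_type, [(attr, value), ...])} for every
    'Sent ...' packet in the debug output. Only attribute lines that
    carry the same request number as the most recent 'Sent' line are
    attached to it, so interleaved requests do not bleed into each other."""
    replies = {}
    current = None
    for line in debug_text.splitlines():
        m = SENT_RE.match(line)
        if m:
            current = m.group(1)
            replies[current] = (m.group(2), [])
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) == current:
            # Debug output quotes string values; strip the quotes so
            # "602" and 602 compare equal.
            replies[current][1].append((m.group(2), m.group(3).strip('"')))
    return replies


def duplicate_vlan_replies(debug_text, attr="Tunnel-Private-Group-Id"):
    """Return {request_id: [values]} for Access-Accept packets that carry
    the VLAN attribute more than once. Rejects are skipped because only an
    Accept assigns a VLAN on the NAS."""
    findings = {}
    for req, (ptype, attrs) in parse_replies(debug_text).items():
        if ptype != "Access-Accept":
            continue
        values = [v for a, v in attrs if a == attr]
        if len(values) > 1:
            findings[req] = values
    return findings


if __name__ == "__main__":
    for req, values in duplicate_vlan_replies(SAMPLE_DEBUG).items():
        print(f"request ({req}): {len(values)} x Tunnel-Private-Group-Id "
              f"{values}; the NAS will pick one of them")
```

Run it against a saved `radiusd -X` capture by reading the file into the `debug_text` argument; a non-empty result is the signal that two places in the configuration are still writing the attribute, which is exactly the situation Alan's post-auth rearrangement is meant to remove.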