authorized_mac best usage way
Delaunay Cédric
Cedric.Delaunay at insa-rennes.fr
Wed Mar 8 12:19:58 UTC 2023
hello,
Looks like there is something wrong in my config based on your
suggestions.
First I tried, as you suggested, to move the authorized_mac script from default > authorize TO default > post-auth.
Nothing else changed, but now the Calling-Station-ID isn't found in the
authorized mac file...
* module is loaded successfully
# Loading module "authorized_macs" from file /etc/freeradius/mods-enabled/authorized_macs
  files authorized_macs {
  	usersfile = "/etc/freeradius/authorized_macs"
  	key = "%{Calling-Station-ID}"
  }
.....
# Instantiating module "authorized_macs" from file /etc/freeradius/mods-enabled/authorized_macs
  reading pairlist file /etc/freeradius/authorized_macs
* expand is ok
(93) post-auth {
(93) authorized_macs: EXPAND %{Calling-Station-ID}
(93) authorized_macs: --> A0-AF-BD-E8-93-9C
(93) [authorized_macs] = noop
(93) if (!ok) {
(93) if (!ok) -> TRUE
(93) if (!ok) {
(93) update reply {
(93) Tunnel-Private-Group-Id := 602
(93) } # update reply = noop
(93) } # if (!ok) = noop
(93) ... skipping elsif: Preceding "if" was taken
The MAC address is present in the file:
/etc/freeradius# grep "A0-AF-BD-E8-93-9C" authorized_macs
A0-AF-BD-E8-93-9C
The same script in the authorize section works fine:
authorized_macs: EXPAND %{Calling-Station-ID}
(82) authorized_macs: --> A0-AF-BD-E8-93-9C
(82) authorized_macs: users: Matched entry A0-AF-BD-E8-93-9C at line 2691
(82) [authorized_macs] = ok
(82) if (!ok) {
(82) if (!ok) -> FALSE
(82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) {
(82) elsif (Called-Station-Id =~ /.*eduroam.*/i ) -> FALSE
The same script in the inner post-auth fails.
Is something in the post-auth section preventing the MAC search?
Any help would be appreciated.
Cédric
On Thursday, 02 March 2023 at 10:04 -0500, Alan DeKok wrote:
> On Mar 2, 2023, at 9:43 AM, cedric delaunay
> <Cedric.Delaunay at insa-rennes.fr> wrote:
> > On my last freeradius upgrade (to Version 3.2.1) I changed config
> > files to reach this goal :
> >
> > Force the vlan for unknown mac addresses OR eduroam SSID
> > use user's one (coming from ldap module) for known mac addresses
> >
> > (yes it looks like a small network access control)
> >
> > For that, I add this unlang command in default site :
>
> Be aware of the differences between the "default" virtual server,
> and the "inner-tunnel" virtual server.
>
> The "inner-tunnel" is for authenticating passwords inside of EAP
> methods (PEAP or TTLS). But attributes you set there are set for the
> inner-tunnel. They don't get sent to the NAS unless you make sure
> that happens.
>
> See the comments in "inner-tunnel" for more details.
>
> > authorize {
> >     .....
> >     authorized_macs
> >     if (!ok) {
> >         update reply {
> >             Tunnel-Private-Group-Id := 602
> >         }
> >     } else {
> >         if (Called-Station-Id =~ /.*eduroam.*/i ) {
> >             update reply {
> >                 Tunnel-Private-Group-Id := 602
> >             }
> >         }
> >     }
>
> That likely gets run before the "eap" module...
>
> > and of course in ldap module :
> >
> > reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
>
> Does the LDAP module get run in the "inner-tunnel" virtual server?
>
> And my guess is that you're copying the inner-tunnel reply to the
> outer reply. And therefore *adding* another Tunnel-Private-Group-Id.
>
> > Not sure why but sometimes, known mac addresses fall in vlan 602.
> >
> > reading debug log, I see that access-accept request has 2
> > Tunnel-Private-Group-Id values.
>
> The debug log also shows you *why* it has 2 Tunnel-Private-Group-Id
> attributes.
>
> > How can the WAP know which one apply ???
>
> It doesn't. It picks one.
>
> > My questions are :
> >
> > - Is that method a valid one ? If not, how to ?
> > - should I use an other operator to set Tunnel-Private-Group-Id
> > value ?
> > - why is the attribute present twice
>
> Because you told it to do that.
>
> > even if := operator is always used and wiki says :
>
> Because at some point you're not using ":=" for
> Tunnel-Private-Group-Id, you're using "+=". Read the debug output
> and your local configuration.
>
> The simple solution here is to move the check for authorized MACs
> from the "authorize" section to the "post-auth" section. Put it at
> the *bottom* of the post-auth section:
>
> post-auth {
>     ...
>
>     authorized_macs
>     if (!ok) {
>         update reply {
>             Tunnel-Private-Group-Id := 602
>         }
>     } elsif (!&reply.Tunnel-Private-Group-Id) {
>         if (Called-Station-Id =~ /.*eduroam.*/i ) {
>             update reply {
>                 Tunnel-Private-Group-Id := 602
>             }
>         }
>     }
> }
>
> i.e. for non-authorized MACs, always put them in 602.
>
> If SOMETHING set Tunnel-Private-Group-Id, then don't change it.
>
> Otherwise if Tunnel-Private-Group-Id is not set, then set it to 602
> for eduroam.
>
> But... are you really setting Tunnel-Private-Group-Id to something
> other than 602 for Eduroam users? I'd do it this way:
>
> post-auth {
>     ...
>
>     authorized_macs
>     if (!ok) {
>         update reply {
>             Tunnel-Private-Group-Id := 602
>         }
>     } elsif (Called-Station-Id =~ /.*eduroam.*/i ) {
>         update reply {
>             Tunnel-Private-Group-Id := 602
>         }
>     }
> }
>
> That's it. Unauthorized MACs get 602. Eduroam users get 602.
> Everyone else gets a VLAN which was *previously* assigned by
> something else.
>
> Alan DeKok.
>
--
Cédric Delaunay
Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information
RSSI Suppléant (Deputy CISO)
Tel. : +33 (0)2 23 23 8568
INSA Rennes
20 avenue des Buttes de Coësmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr
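Added editor's note, not part of the thread: in FreeRADIUS 3.x the files module reads a separate list for each section it is called from. `usersfile` is consulted only in authorize; a call from post-auth consults `postauth_usersfile`, and when that key is unset the module has no list to search and returns noop, which is consistent with the debug output above (a single pairlist read at instantiation, `ok` in authorize, `noop` in post-auth). The fragment below, using the module name and file path from the thread, shows the definition as posted beside one that also points post-auth at the same MAC list.

```conf
# /etc/freeradius/mods-enabled/authorized_macs -- as posted in the thread.
# Only "usersfile" is set, so the list is loaded for the authorize
# section only; a call from post-auth has nothing to search -> noop.
files authorized_macs {
	usersfile = "/etc/freeradius/authorized_macs"
	key = "%{Calling-Station-ID}"
}

# Same module, with post-auth also pointed at the MAC list.
# The authorized_macs call at the bottom of the default server's
# post-auth section can now return "ok" for a listed Calling-Station-Id,
# so the "if (!ok)" branch is taken only for MACs that are not listed.
files authorized_macs {
	usersfile = "/etc/freeradius/authorized_macs"
	postauth_usersfile = "/etc/freeradius/authorized_macs"
	key = "%{Calling-Station-ID}"
}
```

To verify, restart the server in debug mode and check that the post-auth call for a listed MAC now returns ok instead of noop.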