RE: Authorising Clients by Calling Station ID Not IP
Some of YFi's users sit with the same problem. This looks like a nice solution as an alternative to VPNs. I've created a small write-up to implement it which you may find handy. The tests done on a VM set-up seem to work just fine... production environments may be another monster...

https://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechDynamicClients

Cheers

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authorising-Clients-by-Calling-Station-ID-Not-IP-tp4883866p4986728.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Authorising Clients by Calling Station ID Not IP
You are an asset to the community! I've just read through and it's fantastic - just what I and many others need for sure. Am going to have a play now :)
Re: Authorising Clients by Calling Station ID Not IP
JennyBlunt wrote:
> Cool, thanks. I'll download now and take a look
> J

Hi JennyBlunt,

How did you go with Johan Meiring's solution for authenticating NAS clients based on their MAC address? I am in a similar situation to you with APs on dynamic IPs and am interested to hear if you were successful in achieving this. I look forward to hearing your results!
Re: Authorising Clients by Calling Station ID Not IP
Hi, not had much chance to do much recently. The aim's to take a peek this afternoon. Will report back after.
RE: Authorising Clients by Calling Station ID Not IP
That would be greatly appreciated, thanks!
Re: Authorising Clients by Calling Station ID Not IP
Cool, thanks. I'll download now and take a look

J
Re: Authorising Clients by Calling Station ID Not IP
On 2011/10/24 09:06 PM, Jennyanydots Napoleon Shoehorn wrote:
> OH! I've looked too many lines of code over the last week. I have no idea how to patch but will investigate. Was thinking we might have to use nas-id instead. The ultimate intention was to use the mac address of the nas and a nas specific shared secret.
>
> In your opinion, are there better ways to deal with dynamic clients?
>
> Thanks again

Hi,

I look up my clients using dynamic clients and NAS-Identifier.

You need a module that is not included by default called rlm_raw. You can download a patch here: http://www.sendspace.com/file/f91rqi

The last file won't apply cleanly to 2.1.12, just manually add rlm_raw to the src/modules/stable file. (Look at the patch).

In your freeradius config, you need to instantiate rlm_raw.

/etc/freeradius/radiusd.conf
    instantiate {
        raw
    }

You need a module:

/etc/freeradius/modules/raw
    raw {
    }

My dynamic clients config:

/etc/freeradius/sites-available/my-dynamic-clients
    client dymamic {
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_nas
        lifetime = 86400
    }

    server dynamic_nas {
        authorize {
            if (%{sql: select count(*) from Nas where Identifier='%{raw:NAS-Identifier}'} == 1) {
                update control {
                    FreeRADIUS-Client-IP-Address = %{Packet-Src-IP-Address}
                    FreeRADIUS-Client-Require-MA = no
                    FreeRADIUS-Client-Secret = %{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}' and NasTypeID=1}
                    FreeRADIUS-Client-Shortname = %{Packet-Src-IP-Address}
                    FreeRADIUS-Client-NAS-Type = other
                    FreeRADIUS-Client-Virtual-Server = dynamic_server
                }
                ok
            }
        }
    }

Notes:
- dynamic_server is the specific virtual server that handles the dynamic clients.
- the rlm_raw packet MIGHT contain Calling-Station-Id (or do you mean Called-Station-Id??) as well. You will have to look.

Hope this helps.

Cheers,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
Re: Authorising Clients by Calling Station ID Not IP
Hi,

I don't know why you say you don't get Called-Station-ID *before* the user is authenticated/authorized. It comes as part of the Access-Request from the NAS.

Here is how we use Called-Station-Id in the authorize section of our sites-enabled/default file:

    Huntgroup-Name := %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE UPPER(REPLACE(LEFT(`nasipaddress`,17),':',''))=UPPER(REPLACE(LEFT('%{Called-Station-Id}',17), '-', ''))}
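An added example (my own code, not Johan's patch, this poster's SQL, or anything from FreeRADIUS) that ties this message's Called-Station-Id normalisation to the NAS-Identifier secret lookup in Johan's dynamic-clients config above: it parses a constructed Access-Request, selects the per-NAS secret by NAS-Identifier the way that config does, and shows that the selection is only meaningful once the packet's Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the secret) is checked, which is exactly what FreeRADIUS-Client-Require-MA = no skips. The NAS table, secrets and MAC values are constructed; only the standard library is used.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLED_STATION_ID = 30
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed stand-in for the thread's "Nas" table: Identifier -> RadiusSecret.
NAS_TABLE = {b"hotspot-cafe-01": b"cafe-secret-2011", b"hotspot-hotel-02": b"hotel-secret-2011"}

def normalize_mac(value):
    """Same idea as the SQL UPPER(REPLACE(LEFT(...,17),'-','')) match: 12 upper-case hex digits."""
    return value[:17].upper().replace("-", "").replace(":", "")

def parse_attrs(packet):
    """Return [(type, value)] for the attributes after the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def build_access_request(ident, attrs, secret=None):
    """Constructed Access-Request; with a secret, append a correct Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed for the HMAC
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # fill in the real value
    return pkt

def message_authenticator_ok(packet, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed; False if absent."""
    pos = 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False

def authorize_dynamic_client(packet, require_ma=True):
    """Mirror the thread's lookup: choose the secret by NAS-Identifier, then (optionally) prove it."""
    attrs = dict(parse_attrs(packet))
    secret = NAS_TABLE.get(attrs.get(ATTR_NAS_IDENTIFIER))
    if secret is None:
        return False, "unknown NAS-Identifier"
    if not require_ma:  # what Require-MA = no amounts to: the selected secret is never checked
        return True, "secret selected by NAS-Identifier but not checked"
    if message_authenticator_ok(packet, secret):
        return True, "Message-Authenticator valid"
    return False, "Message-Authenticator missing or wrong for the selected secret"
```

With require_ma left on, a request that names a known NAS-Identifier but was not built with that NAS's secret is rejected; with it off, the same request is accepted, which is the gap a per-NAS secret keyed on a packet attribute leaves open.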
Re: Authorising Clients by Calling Station ID Not IP
Hi,

Thanks for the reply. My hosts are all dynamic so am using dynamic-clients - don't think that affects things though, does it?

If I put the following in my authorize section (to keep things simple), my query has a null value:

    Huntgroup-Name := %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}

The mysql query then looks like this:

    SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress=''

If I use packet-src-ip-address, the query is fine. Replacing with called-station-id renders nothing as well.

Does this have something to do with the dynamic clients??

Jenny
Re: Authorising Clients by Calling Station ID Not IP
If I put in default authorize section, the called-station-id is present. What I just don't understand is why it doesn't work in dynamic hosts and also why default is loaded at all?

The called-station-id is certainly present in the request:

    rad_recv: Access-Request packet from host 94.x.x.x port 29429, id=3, length=141
    server dynamic_client_server {
    } # server dynamic_client_server
    - Added client 94.x.x.x with shared secret testing123
    rad_recv: Access-Request packet from host 94.x.x.x port 29429, id=3, length=141
        User-Name = full
        User-Password = Y\270\306\323
        NAS-Identifier = simulator
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        NAS-IP-Address = 192.168.0.1
        Called-Station-Id = 00-00-00-11-00-10
        Calling-Station-Id = 11-11-11-22-11-21
        Acct-Session-Id = JRadius-851365653dd8b055354910131660a6ad
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

On 24 Oct 2011, at 10:03, Fajar A. Nugraha-2 wrote:

> On Mon, Oct 24, 2011 at 3:47 PM, JennyBlunt [hidden email] wrote:
>> Hi,
>>
>> Huntgroup-Name := %{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}
>>
>> The mysql query then looks like this:
>>
>> SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress=''
>>
>> If I use packet-src-ip-address, the query is fine. Replacing with called-station-id renders nothing as well.
>>
>> Does this have something to do with the dynamic clients??
>
> It shouldn't. What does the debug log show? What attributes were sent by the NAS in access-request packet?
>
> http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address says
>
> Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.
>
> so if your NAS sends neither, it's broken.
>
> --
> Fajar
Re: Authorising Clients by Calling Station ID Not IP
On 10/24/2011 07:02 PM, JennyBlunt wrote:
> If I put in default authorize section, the called-station-id is present. What I just don't understand is why it doesn't work in dynamic hosts and

As per the comments in the sample dynamic-clients:

    # The request that is processed through this section
    # is EMPTY. There are NO attributes. The request is fake,
    # and is NOT the packet that triggered the lookup of
    # the dynamic client.
    #
    # The ONLY piece of useful information is either
    #
    # Packet-Src-IP-Address (IPv4 clients)
    # Packet-Src-IPv6-Address (IPv6 clients)
    #
    # The attributes used to define a dynamic client mirror
    # the configuration items in the client structure.

You'll need to patch the source to make what you want work. This may (or may not) be a generally useful patch; the problem is that, in many cases, a single NAS might have more than 1 Called-Station-Id e.g. multiple BSSIDs for a wireless AP.
Re: Authorising Clients by Calling Station ID Not IP
OH! I've looked too many lines of code over the last week. I have no idea how to patch but will investigate. Was thinking we might have to use nas-id instead. The ultimate intention was to use the mac address of the nas and a nas specific shared secret.

In your opinion, are there better ways to deal with dynamic clients?

Thanks again

On 24 Oct 2011, at 19:52, Phil Mayers wrote:

> On 10/24/2011 07:02 PM, JennyBlunt wrote:
>> If I put in default authorize section, the called-station-id is present. What I just don't understand is why it doesn't work in dynamic hosts and
>
> As per the comments in the sample dynamic-clients:
>
>     # The request that is processed through this section
>     # is EMPTY. There are NO attributes. The request is fake,
>     # and is NOT the packet that triggered the lookup of
>     # the dynamic client.
>     #
>     # The ONLY piece of useful information is either
>     #
>     # Packet-Src-IP-Address (IPv4 clients)
>     # Packet-Src-IPv6-Address (IPv6 clients)
>     #
>     # The attributes used to define a dynamic client mirror
>     # the configuration items in the client structure.
>
> You'll need to patch the source to make what you want work. This may (or may not) be a generally useful patch; the problem is that, in many cases, a single NAS might have more than 1 Called-Station-Id e.g. multiple BSSIDs for a wireless AP.
Re: Authorising Clients by Calling Station ID Not IP
On Tue, Oct 25, 2011 at 2:06 AM, Jennyanydots Napoleon Shoehorn jennyshoeh...@me.com wrote:
> In your opinion, are there better ways to deal with dynamic clients?

Use Packet-Src-IP-Address

--
Fajar
Re: Authorising Clients by Calling Station ID Not IP
On 10/24/2011 08:06 PM, Jennyanydots Napoleon Shoehorn wrote:
> The ultimate intention was to use the mac address of the nas and a nas specific shared secret.

Do you really need a per-NAS secret?

> In your opinion, are there better ways to deal with dynamic clients?

It depends. Can you describe your setup in any detail?

If you've got untrusted clients on IP addresses you don't control and can't know ahead of time, then it's really hard. The best solution is don't do that.

If your NAS and network topology support it, things like VPN tunnels from NAS-radius server with IP assignment might be one option.
Re: Authorising Clients by Calling Station ID Not IP
We started this conversation because we can't use the packet-src-ip address. Hence the requirement for dynamic hosts?

On 24 Oct 2011, at 20:28, Fajar A. Nugraha wrote:

> On Tue, Oct 25, 2011 at 2:06 AM, Jennyanydots Napoleon Shoehorn jennyshoeh...@me.com wrote:
>> In your opinion, are there better ways to deal with dynamic clients?
>
> Use Packet-Src-IP-Address
>
> --
> Fajar
Re: Authorising Clients by Calling Station ID Not IP
Hello Phil

I guess we don't need a per NAS secret but thought it might help block any customers we don't need. We have a load of wifi hotspots on dynamic ips. We know all their nas ids, but not their ip addresses. That's the main reason for it.

I guess the other way would be to use hunt groups or a network id to allow / disallow clients instead of worrying about the nas?

J

On 24 Oct 2011, at 20:42, Phil Mayers wrote:

> On 10/24/2011 08:06 PM, Jennyanydots Napoleon Shoehorn wrote:
>> The ultimate intention was to use the mac address of the nas and a nas specific shared secret.
>
> Do you really need a per-NAS secret?
>
>> In your opinion, are there better ways to deal with dynamic clients?
>
> It depends. Can you describe your setup in any detail?
>
> If you've got untrusted clients on IP addresses you don't control and can't know ahead of time, then it's really hard. The best solution is don't do that.
>
> If your NAS and network topology support it, things like VPN tunnels from NAS-radius server with IP assignment might be one option.
Re: Authorising Clients by Calling Station ID Not IP
Jennyanydots Napoleon Shoehorn wrote:
> We started this conversation because we can't use the packet-src-ip address. Hence the requirement for dynamic hosts?

RADIUS works by using the source IP of the packet. If you want something else, set up SSH or SSL tunnels, and forward the RADIUS packets over that.

Or, make massive changes to the internals of the server. It's designed to use source IP. Using anything else will take a lot of work.

Alan DeKok.
Re: Authorising Clients by Calling Station ID Not IP
On 10/24/2011 08:45 PM, JennyBlunt wrote:
> Hello Phil
>
> I guess we don't need a per NAS secret but thought it might help block any customers we don't need. We have a load of wifi hotspots on dynamic ips. We know all their nas

Ok, that's about the hardest case I'm afraid.

If you have the option of using something like a tunnel (IPSec) to bring the NASes into your network and give them local IPs I would take it.

If not, then an out-of-band solution might work. There's no easy answer here I'm afraid. It will depend on the numbers and vendor of your NAS, the capabilities they have and lots of other factors.

In an ideal world, radius-over-TLS (RadSec) would solve this problem but it's basically guaranteed your NASes don't support it (nothing does yet, and possibly never will for NAS-Server traffic).
Re: Authorising Clients by Calling Station ID Not IP
This is very interesting, really appreciate the replies. Other than using a VPN, how do other wifi providers actually operate securely?

J

On 24 Oct 2011, at 21:04, Phil Mayers wrote:

> On 10/24/2011 08:45 PM, JennyBlunt wrote:
>> Hello Phil
>>
>> I guess we don't need a per NAS secret but thought it might help block any customers we don't need. We have a load of wifi hotspots on dynamic ips. We know all their nas
>
> Ok, that's about the hardest case I'm afraid.
>
> If you have the option of using something like a tunnel (IPSec) to bring the NASes into your network and give them local IPs I would take it.
>
> If not, then an out-of-band solution might work. There's no easy answer here I'm afraid. It will depend on the numbers and vendor of your NAS, the capabilities they have and lots of other factors.
>
> In an ideal world, radius-over-TLS (RadSec) would solve this problem but it's basically guaranteed your NASes don't support it (nothing does yet, and possibly never will for NAS-Server traffic).
Re: Authorising Clients by Calling Station ID Not IP
On 24 Oct 2011, at 23:09, Jennyanydots Napoleon Shoehorn wrote:
> This is very interesting, really appreciate the replies. Other than using a VPN, how do other wifi providers actually operate securely?

They don't :)

It's either VPN or same shared secret. If your equipment is running something like DD-WRT or Open WRT, it should be possible to cross compile FreeRADIUS and setup a RadSec gateway on the Access Point. The code works and PKI administration isn't as bad as everyone thinks it is.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Authorising Clients by Calling Station ID Not IP
Fantastic news ;) !!

We use some ddwrt, openwrt routers, coovap (ubuntu) and higher end Meraki / Ruckus stuff. Might be a pain to configure each.

What about the idea of a common shared secret and then assigning a 'network' or huntgroup to each user. We could then block end users authenticating from a nas with a called-station-id which wasn't in db (or if a network wasn't set). Just an idea?

On 24 Oct 2011, at 22:26, Arran Cudbard-Bell wrote:

> On 24 Oct 2011, at 23:09, Jennyanydots Napoleon Shoehorn wrote:
>> This is very interesting, really appreciate the replies. Other than using a VPN, how do other wifi providers actually operate securely?
>
> They don't :)
>
> It's either VPN or same shared secret. If your equipment is running something like DD-WRT or Open WRT, it should be possible to cross compile FreeRADIUS and setup a RadSec gateway on the Access Point. The code works and PKI administration isn't as bad as everyone thinks it is.
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Authorising Clients by Calling Station ID Not IP
Hi

Can anyone out there help me with this??? I really need to authorize our dynamic clients against a db which includes the called-station-id. I can see called-station-id is only sent after authorization but need to see if this can be changed.

My requirements are:
1. Allow all dynamic clients through
2. Lookup their called-station-id in the db
3. Use the 'hotspot' shared secret which is done per location and stored in the same table as above
4. Allow or disallow access to user

Thanks
Jenny