Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Alan DeKok
Adam Wien wrote:
> I have this so far in my users file and it's working.
> 
> adam	Cleartext-Password := "testing"

  radcheck

> Airespace-Wlan-Id = 8,
> Airespace-Interface-Name = SecWifiTesting0,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 802,
> Tunnel-Private-Group-ID = 4

 radreply (with the user name column)

> Now I just need to translate that into SQL.

  It should be easy.  Read doc/rlm_sql.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
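The translation Alan points at, as an added example that is not part of the thread: the users file entry from Adam's post expressed as rows in the stock FreeRADIUS MySQL schema, with the password in radcheck and each reply attribute in radreply, both keyed by the username column. The username 'adam' and the attribute values are the ones from the post; 'IEEE-802' is the dictionary name for Tunnel-Medium-Type value 6, the name under which the radiusd -X output elsewhere in the thread prints the attribute.

```sql
-- Added example, not from the thread: the users-file entry
--   adam  Cleartext-Password := "testing"
--         Airespace-Wlan-Id = 8, ... Tunnel-Private-Group-ID = 4
-- rewritten for the default FreeRADIUS MySQL schema (radcheck / radreply).

-- Check items (what the user must match or present) go into radcheck.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('adam', 'Cleartext-Password', ':=', 'testing');

-- Reply items (what the server sends back in the Access-Accept) go into
-- radreply, one row per attribute, same username column.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('adam', 'Airespace-Wlan-Id',        '=', '8'),
  ('adam', 'Airespace-Interface-Name', '=', 'SecWifiTesting0'),
  ('adam', 'Tunnel-Type',              '=', 'VLAN'),
  ('adam', 'Tunnel-Medium-Type',       '=', 'IEEE-802'),   -- dictionary name for value 6
  ('adam', 'Tunnel-Private-Group-ID',  '=', '4');

-- Sanity check: what rlm_sql will read back for this user.
SELECT attribute, op, value FROM radcheck WHERE username = 'adam' ORDER BY id;
SELECT attribute, op, value FROM radreply WHERE username = 'adam' ORDER BY id;
```

Note that rows in radreply are reply items only: an Airespace-Wlan-Id row there is sent back to the controller, it does not restrict which WLAN the user may authenticate on. A restriction has to be a check item (radcheck or radgroupcheck with the == operator), which is what the rest of the thread is about.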


Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Adam Wien

On Feb 17, 2010, at 3:55 PM, Fajar A. Nugraha wrote:

> On Thu, Feb 18, 2010 at 12:26 AM, Adam Wien  wrote:
>> I guess that's my real question. What database does that belong in?
> 
> try radcheck first. Make sure it works on per-user basis.
> 
>> 
>> I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a 
>> higher ID (although the latter doesn't seem correct).
> 
> ID shouldn't really matter.
> Did you read doc/rlm_sql like Alan mentioned? I think you're missing

I did. I'm actually taking a different approach now which sounds more 
complicated but is easier. Dynamic VLANs

I have this so far in my users file and it's working.

adam	Cleartext-Password := "testing"
	Airespace-Wlan-Id = 8,
	Airespace-Interface-Name = SecWifiTesting0,
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = 802,
	Tunnel-Private-Group-ID = 4

Now I just need to translate that into SQL.



> Fall-Through.
> 
> -- 
> Fajar




Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Fajar A. Nugraha
On Thu, Feb 18, 2010 at 12:26 AM, Adam Wien  wrote:
> I guess that's my real question. What database does that belong in?

try radcheck first. Make sure it works on per-user basis.

>
> I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a 
> higher ID (although the latter doesn't seem correct).

ID shouldn't really matter.
Did you read doc/rlm_sql like Alan mentioned? I think you're missing
Fall-Through.

-- 
Fajar


Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Adam Wien
On Feb 17, 2010, at 10:54 AM, Alan DeKok wrote:

> Adam Wien wrote:
>> Here's my database setup.
> 
>  Please read doc/rlm_sql.
> 
>> mysql> select * from radcheck where username='a...@cpanel.net';
>> +------+-----------------+--------------------+----+-------+
>> | id   | username        | attribute          | op | value |
>> +------+-----------------+--------------------+----+-------+
>> | 1072 | a...@cpanel.net | Cleartext-Password | := | BLANK |
>> +------+-----------------+--------------------+----+-------+
> 
>  Defines a password...
> 
>> mysql> select * from radgroupcheck;
>> +------+-----------+-------------------+----+-------+
>> | id   | groupname | attribute         | op | value |
>> +------+-----------+-------------------+----+-------+
>> | 1072 | Sysadmin  | Airespace-Wlan-Id | == | 9     |
>> +------+-----------+-------------------+----+-------+
> 
>  Says "group sysadmin checks if the airespace attribute matches"
> 
>> mysql> select * from radusergroup;
>> +-----------------+-----------+----------+
>> | username        | groupname | priority |
>> +-----------------+-----------+----------+
>> | a...@cpanel.net | Sysadmin  |        1 |
>> +-----------------+-----------+----------+
> 
>  Says "user adam... is in group sysadmin".
> 
>  Where did you configure it to *do* something, like reject the user?

I guess that's my real question. What database does that belong in? 

I've tried adding it to 'radgroupreply' and also 'radgroupcheck' with a higher 
ID (although the latter doesn't seem correct).



> 
>  This configuration does *not* deny users access by matching
> Airespace-Wlan-Id.  That should be clear: there is no "deny" rule!
> 
>  Alan DeKok.




Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Alan DeKok
Adam Wien wrote:
> Here's my database setup.

  Please read doc/rlm_sql.

> mysql> select * from radcheck where username='a...@cpanel.net';
> +------+-----------------+--------------------+----+-------+
> | id   | username        | attribute          | op | value |
> +------+-----------------+--------------------+----+-------+
> | 1072 | a...@cpanel.net | Cleartext-Password | := | BLANK |
> +------+-----------------+--------------------+----+-------+

  Defines a password...

> mysql> select * from radgroupcheck;
> +------+-----------+-------------------+----+-------+
> | id   | groupname | attribute         | op | value |
> +------+-----------+-------------------+----+-------+
> | 1072 | Sysadmin  | Airespace-Wlan-Id | == | 9     |
> +------+-----------+-------------------+----+-------+

  Says "group sysadmin checks if the airespace attribute matches"

> mysql> select * from radusergroup;
> +-----------------+-----------+----------+
> | username        | groupname | priority |
> +-----------------+-----------+----------+
> | a...@cpanel.net | Sysadmin  |        1 |
> +-----------------+-----------+----------+

  Says "user adam... is in group sysadmin".

  Where did you configure it to *do* something, like reject the user?

  This configuration does *not* deny users access by matching
Airespace-Wlan-Id.  That should be clear: there is no "deny" rule!

  Alan DeKok.
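One way to add the deny rule Alan says is missing, as an added example that is not from the thread: two groups in the stock FreeRADIUS MySQL schema, the first matching only when the request carries Airespace-Wlan-Id == 8 and handing back the VLAN reply, the second holding Auth-Type := Reject so that any request falling through to it is rejected. rlm_sql walks a user's radusergroup rows in ascending priority, skips groups whose radgroupcheck items do not match the request, and stops at the first group that does match unless that group's reply contains Fall-Through = Yes, which is the behaviour Fajar's Fall-Through remark refers to. The group names 'secwifi' and 'deny-others' are invented for this example; the user's existing radcheck password row from the post stays as it is and is still required.

```sql
-- Added example, not from the thread: allow WLAN ID 8 only, reject the rest.
-- Group names are made up; 'a...@cpanel.net' is the truncated name from the post.

-- Group 1: its check items match only when Airespace-Wlan-Id == 8 is in the
-- Access-Request (the controller sends it, see the radiusd -X output above).
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('secwifi', 'Airespace-Wlan-Id', '==', '8');

-- Reply items returned when group 1 matches: dynamic VLAN 4.
-- No Fall-Through row here, so processing stops after this group matches.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('secwifi', 'Tunnel-Type',             '=', 'VLAN'),
  ('secwifi', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('secwifi', 'Tunnel-Private-Group-ID', '=', '4');

-- Group 2: the only check item is an assignment (:=), which always "matches",
-- so every request that reaches this group gets Auth-Type forced to Reject
-- and the server answers with Access-Reject.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('deny-others', 'Auth-Type', ':=', 'Reject');

-- Membership in priority order: secwifi is tried first; deny-others is only
-- reached when secwifi's check items did not match (wrong WLAN ID).
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('a...@cpanel.net', 'secwifi',     1),
  ('a...@cpanel.net', 'deny-others', 2);

-- What rlm_sql will evaluate, in the order it evaluates it.
SELECT g.priority, g.groupname, c.attribute, c.op, c.value
  FROM radusergroup g JOIN radgroupcheck c ON c.groupname = g.groupname
 WHERE g.username = 'a...@cpanel.net'
 ORDER BY g.priority, c.id;
```

With this in place a request on WLAN ID 8 matches secwifi and receives the tunnel attributes, while a request on any other WLAN ID skips secwifi, lands in deny-others and is rejected, which is the check the original radgroupcheck row (Airespace-Wlan-Id == 9 with no fallback) never enforced. The same pattern works with the users file: an entry carrying Airespace-Wlan-Id == 8 as a check item on its first line, followed by a DEFAULT entry with Auth-Type := Reject.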


Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-17 Thread Adam Wien
Here's my database setup.

mysql> select * from radcheck where username='a...@cpanel.net';
+------+-----------------+--------------------+----+-------+
| id   | username        | attribute          | op | value |
+------+-----------------+--------------------+----+-------+
| 1072 | a...@cpanel.net | Cleartext-Password | := | BLANK |
+------+-----------------+--------------------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck;
+------+-----------+-------------------+----+-------+
| id   | groupname | attribute         | op | value |
+------+-----------+-------------------+----+-------+
| 1072 | Sysadmin  | Airespace-Wlan-Id | == | 9     |
+------+-----------+-------------------+----+-------+
1 row in set (0.02 sec)

mysql> select * from radusergroup;
+-----------------+-----------+----------+
| username        | groupname | priority |
+-----------------+-----------+----------+
| a...@cpanel.net | Sysadmin  |        1 |
+-----------------+-----------+----------+
1 row in set (0.02 sec)

Here's my radiusd -X output

rad_recv: Access-Request packet from host 208.74.121.102 port 24716, id=18, length=201
User-Name = "a...@cpanel.net"
Calling-Station-Id = "f8-1e-df-f4-c3-36"
Called-Station-Id = "00-26-cb-a0-cf-a0:SecWifiTesting0"
NAS-Port = 1
NAS-IP-Address = 172.31.2.250
NAS-Identifier = "WLC1.3131"
Airespace-Wlan-Id = 8
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "200"
EAP-Message = 0x02010014016164616d406370616e656c2e6e6574
Message-Authenticator = 0x194b1cc6aba2fdf6fe796d58e57f5e04
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 1 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
expand: %{User-Name} -> a...@cpanel.net
rlm_sql (sql): sql_set_user escaped user --> 'a...@cpanel.net'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'a...@cpanel.net'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'a...@cpanel.net'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'a...@cpanel.net'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'Sysadmin'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 18 to 208.74.121.102 port 24716
EAP-Message = 0x010200061520
Message-Authenticator = 0x
State = 0x6a1490ae6a168516e9c153b1a670f7e8
Finished request 2.
Going to the next request


I set 'Airespace-Wlan-Id == 9' and I'm connecting to 'Airespace-Wlan-Id == 8' and it's still allowing me to connect.


On Feb 17, 2010, at 12:56 AM, Alan DeKok wrote:

> Adam Wien wrote:
>> I'm trying to get FreeRadius working with a Cisco WLC.
>> 
>> I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
>> 
>> I can't seem to deny access using this attribute.
> 
>  "I tried stuff and it didn't work".
> 
>> Is there a trick to this?
> 
>  Describe what you did (text copied from the configuration files), and
> what happened (text copied from debug output)
> 
>  Alan DeKok.




Re: Matching Airespace-Wlan-Id in users files or radgroupcheck database

2010-02-16 Thread Alan DeKok
Adam Wien wrote:
> I'm trying to get FreeRadius working with a Cisco WLC.
> 
> I would like to match on Airespace-Wlan-Id to permit access to certain SSIDs.
> 
> I can't seem to deny access using this attribute.

  "I tried stuff and it didn't work".

> Is there a trick to this?

  Describe what you did (text copied from the configuration files), and
what happened (text copied from debug output)

  Alan DeKok.