Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Fabrizio Vecchi 
Hi Alan and thanks for the reply.


On 12 October 2013 13:42, Alan DeKok  wrote:


> > So far, I managed to do the dynamic VLAN assignment, but cannot seem to
> > get it to work together with the MAC checking.
>

Get them working independently.  Then, put the pieces together.


I managed to get them to work independently, it's the putting together
phase that I can't quite crack... :)


> > I can get an auth to be refused if the MAC is not listed in the
> > authorized_macs file, but can't quite put the two things together.
> > Perhaps I am a bit confused with regards to where to put the MAC check.
>
>   Put it into "authorize".
>
> If I put the MAC check in the authorize section, then I can allow users to
use only the devices in the authorized_macs file (unless I am missing
something). I would like the users to use any device, but just have a
limited access to the network if the device isn't listed in the
authorized_macs file...


> > For now, I just managed to get the check to work only on the
> > authorization phase in sites-enabled/default, but then the VLAN
> > assignment, which is done in the internal-tunnel, seems to overwrite my
> > changes.
>
>   That can be fixed.
>
> > So I tried to put the MAC check in the post-auth section in the default
> > file, but the MAC check doesn't seem to ever work.
>
>   Because the "users" file works differently there.
>

Can you point me to some part of the docs that explain what is different,
please?


>
> > Here are the relevant config files:
>
>   Which seem to use a reasonable approach.
>
> > As you can see, the device wasn't listed in the file, the authentication
> > went fine, saying that the tunnel that I should get has ID 40, but that
> > wasn't overwritten by the authorized_macs check...
>
>   I think part of the problem is you're juggling a lot.  You also
> mentioned MACs and VLANs... and then halfway through the message "Oh,
> there's an inner-tunnel, too".
>
>   Stop with all of your solutions.  Instead, write down exactly what you
> have.  Write down what you want to happen in plain English.  Write down
> what should happen, and when.  Then, convert it to the configuration.
>
>   Your system is using TTLS.  OK... I'll ignore the question of *why*
> you're authenticating unknown MACs.  That seems weird.
>

What I am trying to achieve is the following:
1. Authenticate the users through LDAP
2. IF the user is using a device listed in the authorized_macs file, then
assign a VLAN which depends on the user's LDAP group.
3. IF the user is using another (their own), allow them to access an
"isolated" VLAN, which doesn't allow the device to talk to our servers.

This will allow my colleagues to connect to the Internet with their
devices, but not to mess around with our servers in case there is malware
installed on them.

Does this make sense?


>   The debug log shows this:
>
> [ttls] Got tunneled reply code 2
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "40"
>
>   Where did that VLAN come from?  Why is it there?  If you don't know,
> that's a huge problem.
>

SO SORRY! I pasted twice the sites-available/default file!

It comes from the post-auth section in the inner-tunnel file.
In inner-tunnel, I check if the user belongs to the dept_tech_corporate_it
group, and if so, I update the outher request by assigning a VLAN with ID
40.

This part of the config works properly, as showed by the following few
lines of debug output:

rlm_ldap::ldap_groupcmp: User found in group cn=dept_tech_corporate_it,ou=
Groups,c=gb,dc=mindcandy,dc=com
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group ==
"cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com") -> TRUE


>
>   Generally, the policies should be arranged like this:
>
> authorize: allow only known kinds of authentication
>decide which authentication method to use
>grab "known good" passwords
>
> authenticate: run authentication methods
>
> post-auth: return attributes for a successfully authenticated user
>
>
>   In your case, I'd say return to a default configuration.  Then, get
> the MAC address filtering working in post-auth.  Once that's working,
> add VLAN assignment.
>

That seems to be an approach similar to the one I am trying to use. I would
like to do the check of the MAC address for last, so that I can associate
the right VLAN to the user. But for some reason this check doesn't seem to
work.

I guess at the end of the day my question boils down to the following:
where should I put the MAC check, so that the user gets assigned to the
right VLAN?
If I put it in the authorize part of sites-enabled/default, the VLAN update
request will get overwritten by the post-auth part of
sites-enabled/inner-tunnel; and if I put it in the post-auth of the file
sites-enabled/default file (which gets executed after inner-tunnel), the
authorized_macs function always returns noop.

If I could get any pointers towards a working soluti

Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi 
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to setup a freeradius based wifi authentication
following the same principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a "public" VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
(...)
rewrite_calling_station_id {
if (Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request {
Calling-Station-Id :=
"%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
}
}
else {
noop
}
}

}


--- modules/files:
(...)
files authorized_macs {
key = "%{tolower:%{Calling-Station-ID}}"
usersfile = ${confdir}/authorized_macs
compat = no
}

---authorized_macs
e8-99-c4-a2-39-36
  Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized
for network access"

--- sites-available/default
authorize {
preprocess
auth_log
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
sql {
fail = 1
}
}
session {
radutmp
sql {
fail = 1
}
}
post-auth {
rewrite_calling_station_id
authorized_macs
if (!ok) {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 36
}
}
sql {
fail = 1
}
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}

--- sites-available/inner-tunnel
authorize {
preprocess
auth_log
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
sql {
fail = 1
}
}
session {
radutmp
sql {
fail = 1
}
}
post-auth {
rewrite_calling_station_id
authorized_macs
if (!ok) {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 36
}
}
sql {
fail = 1
}
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}

And here is an authentication example, with a device not listed in
authorized_macs:
(...)

rad_recv: Access-Request packet from host 192.168.59.202 port 32769,
id=129, length=345
User-Name = "fabrizio.vecchi"
Calling-Station-Id = "60-fa-cd-47-1a-44"
Called-Station-Id = "24-01-c7-28-aa-d0:MindCandyAuth"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=ca3ba8c000dede1c5852"
NAS-IP-Address = 192.168.59.202
NAS-Identifier = "Cisco_6e:1f:4f"
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "36"
EAP-Message =
0x0206005f1580005517030100506509e5008fb8b33c992bdddc007472c4f5d210aa8d535f747241bc99c4cb8785066c7ef4f262c470986626e1d31efc71f0d3b42b80663afc9fdc68715d1ee49c02af509c6b12de0bca5bf5501cba
State = 0xf1f3e6cbf5f5f3adc22ef694ca5dfcba
Message-Authenticator = 0xeff670953d883040f13b8dfc42d39849
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Add

Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi 
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to setup a freeradius based wifi authentication
following the same principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a "public" VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
policy {
forbid_eap {
if (EAP-Message) {
reject
}
}
permit_only_eap {
if (!EAP-Message) {
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
do_not_respond {
update control {
Response-Packet-Type := Do-Not-Respond
}
handled
}
cui_authorize {
update request {
Chargeable-User-Identity:='\\000'
}
}
cui_postauth {
if (FreeRadius-Proxied-To == 127.0.0.1) {
if (outer.request:Chargeable-User-Identity) {
update outer.reply {

Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
else {
if (Chargeable-User-Identity) {
update reply {

Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
}
cui_updatedb {
if (reply:Chargeable-User-Identity) {
cui
}
}
cui_accounting {
if (!Chargeable-User-Identity) {
update control {
Chargable-User-Identity := "%{cui: SELECT cui FROM cui
WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid =
'%{Calling-Station-Id}' AND username = '%{User-Name}'}"
}
}
if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
cui
}
}
rewrite_calling_station_id {
if (Calling-Station-Id =~
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request {
Calling-Station-Id :=
"%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
}
}
else {
noop
}
}

}


--- modules/files:
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
files second_files {
usersfile = ${confdir}/second_users
acctusersfile = ${confdir}/second_acct_users
preproxy_usersfile = ${confdir}/second_preproxy_users
}
files authorized_macs {
key = "%{tolower:%{Calling-Station-ID}}"
usersfile = ${confdir}/authorized_macs
compat = no
}

---authorized_macs
e8-99-c4-a2-39-36
  Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized
for network access"

--- sites-available/default
authorize {
preprocess
auth_log
suffix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
sql {
fail = 1
}
}
session {
radutmp
sql {
fail = 1
}
}
post-auth {
rewrite_calling_station_id
authorized_macs
if (!ok) {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 36
}
}
sql {
fail = 1
}
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}

--- sites-available/inner-tunnel
authorize {
preprocess
auth_log
suffix
eap {
ok = r