Authorising Clients by Calling Station ID Not IP

Authorising Clients by Calling Station ID Not IP

JennyBlunt
Currently, we have quite a few chilli based hotspots that all have static IP addresses. So far this has worked out fine with our freeradius installation but we now have a few sites using dynamic IP addresses.

I'd like to know whether we can use the calling station id of each device to authenticate?

Ideally we would create a new location, enter the name and station id (mac address) of the remote access controller and also add to a network.

Can anyone tell me if this is possible and, if so, how?

Thanks

Jenny

--- EDIT ---

I've figured out I can amend the dynamic clients file and modify the sql query. I've tried this:

1. Added a new column to nas table - nasID
2. Altered the dynamic clients code to look up the Called-Station-ID from the table and authorize if it's there.

My code looked like this:

authorize {
    update control {
        #  Echo the IP address of the client.
        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

        # require_message_authenticator
        FreeRADIUS-Client-Require-MA = no

        # secret
        FreeRADIUS-Client-Secret = "testing123"

        # shortname
        FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"

        # nastype
        FreeRADIUS-Client-NAS-Type = "other"

        FreeRADIUS-Client-Virtual-Server = "something"

        Called-Station-Id = "%{Called-Station-ID}"
    }

#   if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {

    if ("%{sql: SELECT nasname FROM nas WHERE nasId = '%{Called-Station-ID}'}") {
        update control {
            #  Echo the IP.
            FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

            Called-Station-Id = "%{sql: SELECT nasID FROM nas WHERE nasname = Called-Station-Id}"

            FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

            FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

            FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

            FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
        }
    }

    ok
}


The server loads OK but I get an error in the sql query - looks like it's not getting the called station ID out properly.

Can anyone tell me how to call this in the dynamic clients file?

Thanks again

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
After playing, I've got the sql sorted but my Called-Station-ID is always blank.

Have also included preprocess in the auth section of dynamic hosts. My query looks like this:

if ("%{sql: SELECT CalledStationId FROM nas WHERE CalledStationId = '%{Called-Station-ID}'}") {

But in my mysql query log, I can see this:

SELECT CalledStationId FROM nas WHERE CalledStationId = ''"

I read one post here that said this was a bug in version 2.1.10 but I'm running 2.1.12.

How is it possible to get the called station id before the user logs in?

Thanks



Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
Hi

Can anyone out there help me with this?

I really need to authorize our dynamic clients against a db which includes the called-station-id.

I can see called-station-id is only sent after authorization but need to see if this can be changed.

My requirements are:

1. Allow all dynamic clients through
2. Lookup their called-station-id in the db
3. Use the 'hotspot' shared secret which is done per location and stored in the same table as above
4. Allow or disallow access to user

Thanks

Jenny

Re: Authorising Clients by Calling Station ID Not IP

shiv
Hi,
I don't know why you say you don't get Called-Station-Id *before* the user is authenticated/authorized. It comes as part of the Access-Request from the NAS.
Here is how we use Called-Station-Id in the authorize section of our sites-enabled/default file:

Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE UPPER(REPLACE(LEFT(`nasipaddress`,17),':',''))=UPPER(REPLACE(LEFT('%{Called-Station-Id}',17), '-', ''))}"





Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
Hi,

Thanks for the reply.

My hosts are all dynamic so am using dynamic-clients - don't think that affects things though does it?

If I put the following in my authorize section (to keep things simple), my query has a null value:

Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}"

The mysql query then looks like this:

SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress=''

If I use packet-src-ip-address, the query is fine.

Replacing with called-station-id renders nothing as well.

Does this have something to do with the dynamic clients??

Jenny

Re: Authorising Clients by Calling Station ID Not IP

Fajar A. Nugraha-2
On Mon, Oct 24, 2011 at 3:47 PM, JennyBlunt <[hidden email]> wrote:

> Hi,
> Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE
> nasipaddress='%{NAS-IP-Address}'}"
>
> The mysql query then looks like this:
>
> SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress=''
>
> If I use packet-src-ip-address, the query is fine.
>
> Replacing with called-station-id renders nothing as well.
>
> Does this have something to do with the dynamic clients??

It shouldn't.

What does the debug log show? What attributes were sent by the NAS in
access-request packet?

http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address says "Either
NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request
packet."

so if your NAS sends neither, it's broken.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
If I put it in the default authorize section, the called-station-id is present.

What I just don't understand is why it doesn't work in dynamic hosts and also why default is loaded at all?

The called-station-id is certainly present in the request:

rad_recv: Access-Request packet from host 94.x.x.x port 29429, id=3, length=141
server dynamic_client_server {
} # server dynamic_client_server
- Added client 94.x.x.x with shared secret testing123
rad_recv: Access-Request packet from host 94.x.x.x port 29429, id=3, length=141
User-Name = "full"
User-Password = "Y\270\306\323"
NAS-Identifier = "simulator"
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
NAS-IP-Address = 192.168.0.1
Called-Station-Id = "00-00-00-11-00-10"
Calling-Station-Id = "11-11-11-22-11-21"
Acct-Session-Id = "JRadius-851365653dd8b055354910131660a6ad"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


Re: Authorising Clients by Calling Station ID Not IP

Phil Mayers
On 10/24/2011 07:02 PM, JennyBlunt wrote:
> If I put in default authorize section, the called-station-id is present.
>
> What I just don't understand is why it doesn't work in dynamic hosts and

As per the comments in the "sample" dynamic-clients:

#  The request that is processed through this section
#  is EMPTY.  There are NO attributes.  The request is fake,
#  and is NOT the packet that triggered the lookup of
#  the dynamic client.
#
#  The ONLY piece of useful information is either
#
#       Packet-Src-IP-Address (IPv4 clients)
#       Packet-Src-IPv6-Address (IPv6 clients)
#
#  The attributes used to define a dynamic client mirror
#  the configuration items in the "client" structure.

You'll need to patch the source to make what you want work. This may (or
may not) be a generally useful patch; the problem is that, in many
cases, a single NAS might have >1 Called-Station-Id e.g. multiple BSSIDs
for a wireless AP.

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
Oh! I've looked at too many lines of code over the last week.

I have no idea how to patch but will investigate. Was thinking we might have to use nas-id instead.

The ultimate intention was to use the mac address of the nas and a nas specific shared secret. 

In your opinion, are there better ways to deal with dynamic clients?

Thanks again



Re: Authorising Clients by Calling Station ID Not IP

Fajar A. Nugraha-2
On Tue, Oct 25, 2011 at 2:06 AM, Jennyanydots Napoleon Shoehorn
<[hidden email]> wrote:
> In your opinion, are there better ways to deal with dynamic clients?

Use Packet-Src-IP-Address

--
Fajar

Re: Authorising Clients by Calling Station ID Not IP

Phil Mayers
In reply to this post by JennyBlunt
On 10/24/2011 08:06 PM, Jennyanydots Napoleon Shoehorn wrote:

> The ultimate intention was to use the mac address of the nas and a nas
> specific shared secret.

Do you really need a per-NAS secret?

>
> In your opinion, are there better ways to deal with dynamic clients?

"It depends". Can you describe your setup in any detail?

If you've got untrusted clients on IP addresses you don't control and
can't know ahead of time, then it's really hard. The best solution is
"don't do that".

If your NAS and network topology support it, things like VPN tunnels
from NAS->radius server with IP assignment might be one option.

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
In reply to this post by Fajar A. Nugraha-2
We started this conversation because we can't use the packet-src-ip address. Hence the requirement for dynamic hosts?


Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
In reply to this post by Phil Mayers
Hello Phil

I guess we don't need a per-NAS secret but thought it might help block any customers we don't need.

We have a load of wifi hotspots on dynamic IPs. We know all their NAS IDs, but not their IP addresses. That's the main reason for it. I guess the other way would be to use huntgroups or a network ID to allow / disallow clients instead of worrying about the NAS?

J


Re: Authorising Clients by Calling Station ID Not IP

Alan DeKok-2
In reply to this post by JennyBlunt
Jennyanydots Napoleon Shoehorn wrote:
> We started this conversation because we can't use the packet-src-ip
> address. Hence the requirement for dynamic hosts?

  RADIUS works by using the source IP of the packet.

  If you want something else, set up SSH or SSL tunnels, and forward the
RADIUS packets over that.

  Or, make massive changes to the internals of the server.  It's
designed to use source IP.  Using anything else will take a lot of work.

  Alan DeKok.

Re: Authorising Clients by Calling Station ID Not IP

Phil Mayers
In reply to this post by JennyBlunt
On 10/24/2011 08:45 PM, JennyBlunt wrote:
> Hello Phil
>
> I guess we don't need a per NAS secret but thought it might help block
> any customers we don't need.
>
> We have a load of wifi hotspots on dynamic ips. We know all their nas

Ok, that's about the hardest case I'm afraid.

If you have the option of using something like a tunnel (IPSec) to bring
the NASes into your network and give them local IPs I would take it.

If not, then an out-of-band solution might work.

There's no easy answer here I'm afraid. It will depend on the numbers
and vendor of your NAS, the capabilities they have and lots of other
factors.

In an ideal world, radius-over-TLS (RadSec) would solve this problem but
it's basically guaranteed your NASes don't support it (nothing does yet,
and possibly never will for NAS->Server traffic).

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
This is very interesting, really appreciate the replies.

Other than using a VPN, how do other wifi providers actually operate securely?

J


Re: Authorising Clients by Calling Station ID Not IP

arr2036

On 24 Oct 2011, at 23:09, Jennyanydots Napoleon Shoehorn wrote:

This is very interesting, really appreciate the replies.

Other than using a VPN, how do other wifi providers actually operate securely?

They don't :)

It's either VPN or same shared secret. If your equipment is running something like DD-WRT or OpenWrt, it should be possible to cross compile FreeRADIUS and set up a RadSec gateway on the Access Point.

The code works and PKI administration isn't as bad as everyone thinks it is.

-Arran

Arran Cudbard-Bell
[hidden email]

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !



Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
Fantastic news ;) !!

We use some ddwrt, openwrt routers, coovap (ubuntu) and higher end Meraki / Ruckus stuff. Might be a pain to configure each.

What about the idea of a common shared secret and then assigning a 'network' or huntgroup to each user. We could then block end users authenticating from a nas with a called-station-id which wasn't in db (or if a network wasn't set). 

Just an idea?



Re: Authorising Clients by Calling Station ID Not IP

Johan Meiring
In reply to this post by JennyBlunt
On 2011/10/24 09:06 PM, Jennyanydots Napoleon Shoehorn wrote:

> OH! I've looked too many lines of code over the last week.
>
> I have no idea how to patch but will investigate. Was thinking we might have
> to use nas-id instead.
>
> The ultimate intention was to use the mac address of the nas and a nas
> specific shared secret.
>
> In your opinion, are there better ways to deal with dynamic clients?
>
> Thanks again
>


Hi,

I look up my clients using "dynamic clients" and Nas-Identifier.

You need a module that is not included by default called rlm_raw.
You can download a patch here:  http://www.sendspace.com/file/f91rqi

The last file won't apply cleanly to 2.1.12, just manually add rlm_raw to the "src/modules/stable" file.  (Look at the patch).

In your freeradius config, you need to "instantiate" rlm_raw.

/etc/freeradius/radiusd.conf
instantiate {
        raw
}

You need a module:
/etc/freeradius/modules/raw
raw {
}

My dynamic clients config:
/etc/freeradius/sites-available/my-dynamic-clients
client dynamic {
  ipaddr = 0.0.0.0
  netmask = 0
  dynamic_clients = dynamic_nas
  lifetime = 86400
}

server dynamic_nas {
  authorize {
    if ("%{sql: select count(*) from Nas where Identifier='%{raw:NAS-Identifier}'}" == "1") {
      update control {
        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
        FreeRADIUS-Client-Require-MA = no
        FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}' and NasTypeID=1}"
        FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
        FreeRADIUS-Client-NAS-Type = "other"
        FreeRADIUS-Client-Virtual-Server = "dynamic_server"
      }
      ok
    }
  }
}


Notes:
- "dynamic_server" is the specific virtual server that handles the dynamic clients.
- the rlm_raw packet MIGHT contain Calling-Station-Id (or do you mean Called-Station-Id??) as well.  You will have to look.


Hope this helps.

Cheers,





--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

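Added example (not FreeRADIUS, rlm_raw or Johan's code) modelling the lookup above in Python: it builds an Access-Request carrying NAS-Identifier and a Message-Authenticator (RFC 2869 section 5.14), selects the shared secret by NAS-Identifier the way the unlang above does, and then checks the Message-Authenticator with that secret, which is the proof of secret possession a sender is free to omit when `FreeRADIUS-Client-Require-MA = no`. The NAS table, secrets and identifiers are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLED_STATION_ID = 1, 30
ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 32, 80

# Constructed stand-in for the thread's "Nas" table: Identifier -> RadiusSecret.
NAS_TABLE = {
    b"hotspot-cafe-01": b"cafe-secret-9f3",
    b"hotspot-hotel-07": b"hotel-secret-21a",
}

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(payload: bytes) -> dict[int, bytes]:
    """Map type -> value (first occurrence) over the bytes after the 20-byte header."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(attr_type, payload[pos + 2:pos + length])
        pos += length
    return attrs

def build_access_request(secret: bytes, nas_id: bytes, ident: int = 1) -> bytes:
    """Access-Request with Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    authenticator = os.urandom(16)            # random Request Authenticator
    attrs = (encode_attr(ATTR_USER_NAME, b"guest")
             + encode_attr(ATTR_NAS_IDENTIFIER, nas_id)
             + encode_attr(ATTR_CALLED_STATION_ID, b"00-00-00-11-00-10"))
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident,
                         20 + len(attrs) + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def select_secret(packet: bytes) -> bytes | None:
    """The thread's NAS-Identifier lookup; nothing is verified yet, so this only picks a candidate."""
    nas_id = parse_attrs(packet[20:]).get(ATTR_NAS_IDENTIFIER)
    return NAS_TABLE.get(nas_id) if nas_id is not None else None

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the candidate secret: this is what proves the
    sender holds it, and what a sender may omit when Require-MA = no."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += max(length, 2)
    return False                               # no Message-Authenticator present

def accept_dynamic_client(packet: bytes) -> bool:
    """Admit the NAS only if the secret chosen by NAS-Identifier also verifies."""
    secret = select_secret(packet)
    return secret is not None and verify_message_authenticator(packet, secret)
```

A packet that names a known NAS-Identifier but was built with a different secret still selects the stored secret and is then rejected by the HMAC check, as is any packet whose attributes were altered in transit.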

Re: Authorising Clients by Calling Station ID Not IP

JennyBlunt
Cool, thanks I'll download now and take a look

J