Freeradius 2.2.5 Access by SSID


Freeradius 2.2.5 Access by SSID

Alejandro Cabrera Obed
Dear, I have a Debian server with Freeradius 2.2.5+dfsg-0.2, authenticating
against an Active Directory server. I use PEAP / MSCHAPv2 and NTLM
authentication.

I have no MySQL server installed, all my config is in /etc/freeradius/*
files.

Everything works OK at the moment, but now I need to authenticate users by
different SSIDs, as below:

SSID1 --> User-A and User-B
SSID2 --> User-C and User-D

Is this implementation possible in my current scenario? In the affirmative
case, what is the best way to do that?

Thanks in advance!!!

Alejandro
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.2.5 Access by SSID

Alejandro Cabrera Obed
Hi, I want to add that in Freeradius debug mode, I can see lines like this
coming from the WiFi clients:

Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"

For each SSID, I need to match a different AD group with the corresponding
users.

Regards!!!

2017-08-08 12:43 GMT-03:00 Alejandro Cabrera Obed <[hidden email]>:

> Dear, I have a Debian server with Freeradius 2.2.5+dfsg-0.2,
> authenticating against an Active Directory server. I use PEAP / MSCHAPv2
> and NTLM authentication.
>
> I have no MySQL server installed, all my config is in /etc/freeradius/*
> files.
>
> Everything work OK at the moment, but now I need to authenticate users by
> different SSID's, as below:
>
> SSID1 --> User-A and User-B
> SSID2 --> User-C and User-D
>
> Is this implementation possible in my current scenario? In the
> affirmartive case, what is the best way to do that?
>
> Thanks in advance!!!
>
> Alejandro
>



--
 //  Alejandro   //

Re: Freeradius 2.2.5 Access by SSID

Matthew Newton-3
On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:

> Hi, I want to add that in Freeradius debug mode, I can see lines like
> this coming from the WiFi clients:
>
> Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
> Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
>
> For each SSID, I need to match a different AD group with the
> corresponding users.

In version 3 you can add the "rewrite_called_station_id" policy to
sites-enabled/default, and that will split out the SSID into the
Called-Station-SSID attribute for you. Add it before the call to
'files' so the attribute is there ready for that to use.

You can do it in version 2 as well, but that's obsolete and I can't
remember if the policy is already there. I don't think it is. So you'd
have to write the unlang yourself, or copy the policy over from v3.

Then you can update your users file to compare the SSID as well, e.g.
something like

bob Called-Station-SSID != 'SSID1', Auth-Type := Reject

Or if you are already using the users file (sounds like you are) then
you might want to add a second instantiation of the files module with a
different file other than 'users' so the SSID check is completely
separate.

You could do it directly in unlang if there are a small number of
users. Anything that compares the User-Name to Called-Station-SSID will
work.

--
Matthew


Re: Freeradius 2.2.5 Access by SSID

Alejandro Cabrera Obed
Dear Matthew, thanks for your response. Maybe I have to update from
Freeradius 2.x to 3.x, in order to have more benefits like the one I want.

After reading your explanation, I understand I have to edit the users file
with a line like "bob     Called-Station-SSID != 'SSID1', Auth-Type :=
Reject" for each user that has to access the WiFi service...so if I
have 500 users, I will have a lot of work because I have to replicate all
the AD users in the Freeradius "users" file. These 500 users are in our
Active Directory service that Freeradius authenticates to.

So is there any manner to validate user / SSID against the AD in place of
the "users" local file????

Thanking in advance !!!

Alejandro

2017-08-08 13:33 GMT-03:00 Matthew Newton <[hidden email]>:

> On Tue, 2017-08-08 at 13:23 -0300, Alejandro Cabrera Obed wrote:
> > Hi, I want to add that in Freerdaius debug mode, I can see lines like
> > this
> > coming from the WiFi clients:
> >
> > Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
> > Called-Station-Id = "44:ad:82:0e:2d:40:SSID2"
> >
> > For each SSID, I need to match a different AD group with the
> > corresponding
> > users.
>
> In version 3 you can add the "rewrite_called_station_id" policy to
> sites-enabled/default, and that will split out the SSID into the
> Called-Station-SSID attribute for you. Add it before the call to
> 'files' so the attribute is there ready for that to use.
>
> You can do it in version 2 as well, but that's obsolete and I can't
> remember if the policy is already there. I don't think it is. So you'd
> have to write the unlang yourself, or copy the policy over from v3.
>
> Then you can update your users file to compare the SSID as well, e.g.
> something like
>
> bob     Called-Station-SSID != 'SSID1', Auth-Type := Reject
>
> Or if you are already using the users file (sounds like you are) then
> you might want to add a second instantiation of the files module with a
> different file other than 'users' so the SSID check is completely
> separate.
>
> You could do it directly in unlang if there are a small number of
> users. Anything that compares the User-Name to Called-Station-SSID will
> work.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html




--
 //  Alejandro   //

Re: Freeradius 2.2.5 Access by SSID

Matthew Newton-3
On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
> Dear Matthew, thanks for your response. Maybe I have to update from
> Freeradius 2.x to 3.x, in order to have more benefits like the one I
> want.

You don't need to for what you want to do, but you should do so in the
long run. There isn't much interest here in version 2 any more, it's
end of life. Version 4 is in the works, and version 3 has been out for
nearly four years now.

> After reading your explanation, I understand I have to edit the users
> file with a line like "bob     Called-Station-SSID != 'SSID1', Auth-Type :=
> Reject" for each user that has to access the WiFi service...so if I
> have 500 users, I will have a lot of work because I have to replicate
> all the AD users in the Freeradius "users" file. These 500 users are in
> our Active Directory service that Freeradius authenticates to.

OK, I missed the bit where you said AD...

> So is there any manner to validate user / SSID against the AD in
> place of the "users" local file????

Configure the ldap module to do group lookups against AD. If you add
people into AD groups, let's say one per SSID, then you could look up
the group based on the SSID they are trying to join.

See the LDAP documentation on how to use the Ldap-Group virtual
attribute, e.g.

http://wiki.freeradius.org/modules/Rlm_ldap#group-support

Then compare this to the SSID. Depending on how many SSIDs you have you
might want to do a files lookup to get the group name from the SSID, or
just hardcode it in unlang. Along the lines of

if (Called-Station-SSID == "SSID1" && !(Ldap-Group == "group-ssid-one")) {
  reject
}

etc.

--
Matthew


Re: Freeradius 2.2.5 Access by SSID

Alejandro Cabrera Obed
Matthew, thanks a lot for your support.

According to your response, I see I have to configure the
/etc/freeradius/modules/ldap file with my AD parameters (IP, port,
user/pass for query, etc).

After that, please can you clarify these points?

1) Do I have to add a new attribute in the AD for each user, with a SSID
field in order to check it through LDAP lookup ?

2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and
!(Ldap-Group == "group-ssid-one")) {reject}" sentence ?

3) What do I have to fill in the Ldap-group attribute in my users file, if I
want to check the SSID attribute and then compare it with the SSID coming
in "Called-id-station"???

Regards!!!

2017-08-09 11:01 GMT-03:00 Matthew Newton <[hidden email]>:

> On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
> > Dear Matthew, thanks for yor response. Maybe I have to update from
> > Freeradius 2.x to 3.x, in order to have more benefits like the one I
> > want.
>
> You don't need to for what you want to do, but you should do so in the
> long run. There isn't much interest here in version 2 any more, it's
> end of life. Version 4 is in the works, and version 3 has been out for
> nearly four years now.
>
> > After reading your explanation, I understand I have to edit the users
> > file
> > with a line like "bob     Called-Station-SSID != 'SSID1', Auth-Type
> > :=
> > Reject" for each user that have to access to the WiFi service...so If
> > I
> > have 500 users, I will have a lot of work because I have to replicate
> > all
> > the AD users in the Freeradius "users" file. These 500 users are in
> > our
> > Active Directory service that Freeradius authenticate to.
>
> OK, I missed the bit where you said AD...
>
> > So is there any manner to validate user / SSID against the AD in
> > place of
> > the "users" local file????
>
> Configure the ldap module to do group lookups against AD. If you add
> people into AD groups, let's say one per SSID, then you could look up
> the group based on the SSID they are trying to join.
>
> See the LDAP documentation on how to use the Ldap-Group virtual
> attribute, e.g.
>
> http://wiki.freeradius.org/modules/Rlm_ldap#group-support
>
> Then compare this to the SSID. Depending on how many SSIDs you have you
> might want to do a files lookup to get the group name from the SSID, or
> just hardcode it in unlang. Along the lines of
>
> if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid-
> one")) {
>   reject
> }
>
> etc.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>



--
 //  Alejandro   //

Re: Freeradius 2.2.5 Access by SSID

Matthew Newton-2
On Wed, Aug 09, 2017 at 12:57:16PM -0300, Alejandro Cabrera Obed wrote:
> According to your response, I see I have to configure the
> /etc/freeradius/modules/ldap file with my AD parameters (IP, port,
> user/pass for query, etc).

Yes. And the group settings so it knows how to query groups
correctly.

> 1) Do I have to add a new attribute in the AD for each user, with a SSID
> field in order to check it through LDAP lookup ?

No, you can add the users to an AD group. Then you check the user
is in that group, for a certain condition.

So if you add user 'bob' to group 'sales', and configure the
group settings in ldap correctly, you can do something like

if (Ldap-group == 'sales') {
 ...
}

Ldap-group is a "magic" attribute which will trigger an ldap
lookup behind the scenes. The mods-enabled/ldap config has the
settings to tell the ldap module to look up the User-Name
attribute, hence it will look up 'bob' (User-Name) in 'sales'
(from the if statement).

> 2) Which file do I have to add "if (Called-Station-SSID == "SSID1" and
> !(Ldap-Group == "group-ssid-one")) {reject}" sentence ?

sites-enabled/default (or sometimes sites-enabled/inner-tunnel, depending
on what you're doing), likely in the authorize section, or the
post-auth section.

> 3) What do I have to fill in the Ldap-group attribute in my users file, if I
> want to check the SSID attribute and then compare it with the SSID coming
> in "Called-id-station"???

I wouldn't do it in your users file. Use unlang in the
sites-enabled/ file as described above. The wiki page does give
examples of this.

--
Matthew
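The pieces Matthew describes across his replies (the rewrite_called_station_id policy, the ldap module group settings, and the unlang SSID-to-group gate) assembled into one worked configuration. This is an added example for this thread, not code taken from it or from the FreeRADIUS distribution. It uses FreeRADIUS 3.x syntax; the AD server name, bind DN, bind password, and the group names wifi-ssid1 and wifi-ssid2 are placeholders, and the gate sits in the inner-tunnel post-auth section because with PEAP the real User-Name is only visible in the inner request.

```unlang
# Added example, FreeRADIUS 3.x syntax. Placeholders: server, identity,
# password, base_dn, and the AD groups "wifi-ssid1" / "wifi-ssid2".

# --- mods-available/ldap: user and group lookups against AD -----------------
ldap {
	server = 'dc1.example.local'                            # placeholder
	identity = 'CN=radius,OU=Service,DC=example,DC=local'  # placeholder
	password = 'CHANGE-ME'                                  # placeholder
	base_dn = 'DC=example,DC=local'                         # placeholder

	user {
		base_dn = "${..base_dn}"
		# AD logon name; Stripped-User-Name is set when a realm was stripped.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		name_attribute = cn
		# AD records membership on the user object as memberOf = <group DN>,
		# which is what makes "Ldap-Group == 'name'" resolve correctly.
		membership_attribute = 'memberOf'
	}
}

# --- sites-enabled/default, authorize: expose the SSID ----------------------
authorize {
	# ... existing entries ...

	# Stock policy from policy.d/canonicalization. Turns
	#   Called-Station-Id = "44:05:d9:0e:dd:40:SSID1"
	# into a normalised MAC plus Called-Station-SSID = "SSID1".
	# Must run before anything that wants to read Called-Station-SSID.
	rewrite_called_station_id

	# ... eap, files, ldap, etc. ...
}

# --- sites-enabled/inner-tunnel, post-auth: per-SSID group gate --------------
# Runs only after the inner MSCHAPv2 exchange succeeded against AD, so the
# Ldap-Group lookup is done for a user who has already proven their password.
# Called-Station-SSID was set on the outer request, hence &outer.request:.
post-auth {
	if (&outer.request:Called-Station-SSID == "SSID1") {
		if (!(&Ldap-Group == "wifi-ssid1")) {       # assumed AD group
			reject
		}
	}
	elsif (&outer.request:Called-Station-SSID == "SSID2") {
		if (!(&Ldap-Group == "wifi-ssid2")) {       # assumed AD group
			reject
		}
	}
	else {
		# Fail closed: an SSID not on the list, or a Called-Station-Id
		# that carried no SSID suffix, grants nothing.
		reject
	}

	# ... existing post-auth entries ...
}
```

Run the server with radiusd -X and connect a test client to confirm that Called-Station-SSID appears in the outer request after rewrite_called_station_id, and that the inner post-auth log shows the rlm_ldap group lookup before the accept or reject. If the SSID list grows, the hardcoded elsif chain can be replaced by the files lookup Matthew mentions (SSID to group name) while the final else keeps the default-deny behaviour.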