Hi, I have set up WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 with an OpenLDAP backend, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which users belong to.
From what I can gather, I need to add appropriate rules to /etc/freeradius/users which match the SSID/group combinations and reject everything else. The problem I'm having is with the default reject, not the SSID/group matching. My first attempt was this:

    DEFAULT Ldap-Group == "employees"

    DEFAULT Auth-Type := Reject

But this immediately rejects the Access-Request in the outer tunnel, because the "anonymous" user is not in the "employees" group. I then modified it to this so that it only matches inner tunnel requests:

    DEFAULT Ldap-Group == "employees"

    DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
            Auth-Type := Reject,
            Reply-Message = "User does not belong to any groups which may access this SSID."

The inner tunnel Access-Request is now sent and members of the "employees" group are accepted, but non-members are not actually rejected. I see the users entry being matched, and the Reply-Message is even set, but the server responds with Access-Accept and eapol_test reports SUCCESS.

Debug:

    rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
    Info: [files] users: Matched entry DEFAULT at line 209
    Info: ++[files] returns ok
    ...
    Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
    Info: WARNING: Empty section.  Using default return values.
    ...
    Info: [peap] Got tunneled reply code 2
            Auth-Type := Reject
            Reply-Message = "User does not belong to any groups which may access this SSID."
    ...
    Info: [peap] Got tunneled reply RADIUS code 2
            Auth-Type := Reject
            Reply-Message = "User does not belong to any groups which may access this SSID."
    ...
    Info: [peap] Tunneled authentication was successful.
    Info: [peap] SUCCESS
    Info: [peap] Saving tunneled attributes for later
    ...
    Sending Access-Accept of id 11 to 172.16.2.44 port 60746
            Reply-Message = "User does not belong to any groups which may access this SSID."
            User-Name = "mgorven"

eapol_test receives an Access-Accept with the Reply-Message set:

    RADIUS message: code=2 (Access-Accept) identifier=11 length=233
       Attribute 18 (Reply-Message) length=64
          Value: 'User does not belong to any groups which may access this SSID.'
       Attribute 1 (User-Name) length=9
          Value: 'mgorven'
    ...
    SUCCESS

Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and TTLS sections, but this didn't make a difference.

How do I actually reject an inner tunnel request?

Michael
-- 
http://michael.gorven.za.net
PGP Key ID 1E016BE8
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
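For reference, the layout of a users-file entry that rejects via a check item, as an added example that is not from the original post: in /etc/freeradius/users the first line of an entry carries the name (or DEFAULT) plus the check items, and the indented continuation lines carry reply items, so an Auth-Type placed on a continuation line is treated as a reply attribute (which is what the "Auth-Type := Reject" inside the tunneled reply in the debug output above reflects). The group name, the proxied-to address and the message text are taken from the post; how the SSID itself is matched is not covered here.

```text
# /etc/freeradius/users (added example, not from the original post)
#
# Entries are tried in order.  Everything after the name on the first line
# is a check item; indented continuation lines are reply items.  Auth-Type
# is a check item, so it must be on the first line to take effect.

# Inner-tunnel request from a member of "employees": this entry matches and,
# since Fall-Through defaults to No, processing of the file stops here.
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Ldap-Group == "employees"

# Any other inner-tunnel request: Auth-Type := Reject as a check item causes
# an Access-Reject; the Reply-Message reply item is returned with it.  This
# mirrors the "Auth-Type := Reject / Reply-Message" pattern in the stock
# users file shipped with FreeRADIUS.
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
```

Running the server with `freeradius -X` and repeating the eapol_test run shows whether the second entry now yields "Got tunneled reply code 3" (Access-Reject) instead of code 2.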