Problems to do an SSID based authentication

2009-11-16 Thread Peter Carlstedt

Hello everyone!

I am trying to do SSID-based authentication per user.
What I mean is that I try, in the users.conf file, to check which SSID the
user is trying to use to log in, and if it is wrong it shall reject
that user.

The problem is that I don't succeed with this, so I thought it does not hurt to
ask the ones who know.
My users.conf file looks like this:

#lameuser        Auth-Type := Reject
#                Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#                Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve        Cleartext-Password := "testing"
#        Service-Type = Framed-User,
#        Framed-Protocol = PPP,
#        Framed-IP-Address = 172.16.3.33,
#        Framed-IP-Netmask = 255.255.255.0,
#        Framed-Routing = Broadcast-Listen,
#        Framed-Filter-Id = "std.ppp",
#        Framed-MTU = 1500,
#        Framed-Compression = Van-Jacobsen-TCP-IP

Peter        Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
#        Tunnel-Type = VLAN,
#        Tunnel-Medium-Type = IEEE-802,
#        Tunnel-Private-Group-Id = 2


Jens        Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3
#        Tunnel-Type = VLAN,
#        Tunnel-Medium-Type = IEEE-802,
#        Tunnel-Private-Group-Id = 3
#        NAS-Port-Id == wlan1

Mattias        user-password := kaffe
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"        Cleartext-Password := "hello"
#                Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg        Cleartext-Password := "ge55ged"
#        Service-Type = Callback-Login-User,
#        Login-IP-Host = 0.0.0.0,
#        Callback-Number = "9,5551212",
#        Login-Service = Telnet,
#        Login-TCP-Port = Telnet

#
# Another complete entry. After the user dialbk has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host timeshare1.
#
#dialbk        Cleartext-Password := "callme"
#        Service-Type = Callback-Login-User,
#        Login-IP-Host = timeshare1,
#        Login-Service = PortMaster,
#        Callback-Number = "9,1-800-555-1212"

#
# user swilson will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting Fall-Through, other attributes will be added from
# the following DEFAULT entries
#
#swilson        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#                Framed-IP-Address = 192.168.1.65,
#                Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT        Suffix == ".shell"
#                Service-Type = Login-User,
#                Login-Service = Telnet,
#                Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the + behind the IP address means that this is the base
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#                Framed-IP-Address = 192.168.1.32+,
#                Fall-Through = Yes

#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "delft"
#                Framed-IP-Address = 192.168.2.32+,
#                Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT        Service-Type == Framed-User
#                Framed-IP-Address = 255.255.255.254,
#                Framed-MTU = 576,
#                Service-Type = Framed-User,
#                Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
# by the terminal server in which case there may not be a P suffix.
# The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT        Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT        Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT        Hint == "SLIP"
        Framed-Protocol = SLIP

#
# Last default: rlogin to our main 

Re: Problems to do an SSID based authentication

2009-11-16 Thread Alan Buxey
Hi,

> I am trying to do SSID-based authentication per user.
> What I mean is that I try, in the users.conf file, to check which SSID the
> user is trying to use to log in, and if it is wrong it shall reject
> that user.
>
> The problem is that I don't succeed with this, so I thought it does not hurt to
> ask the ones who know.
> My users.conf file looks like this:
>
> Peter        Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
> Jens        Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3

so Peter can only connect from 04-0B-6B-33-62-35:raket  and 
Jens can only get on from 02-0B-6B-33-62-35:3 ?

okay - where is your log from 'radiusd -X' ?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RE: Problems to do an SSID based authentication

2009-11-16 Thread Peter Carlstedt

Hi Alan!
The logs from my radiusd -X are the following:

rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = Jens
Acct-Session-Id = 82200128
Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
Calling-Station-Id = 00-26-BB-14-50-CF
Called-Station-Id = 02-0B-6B-33-62-35:3
EAP-Message = 0x02020009014a656e73
Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry Jens at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.118.10 port 42531
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0xb5e02fd1b5e336db4711a92c3e7dc829
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.118.10 port 46429, id=98, length=316
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = Jens
State = 0xb5e02fd1b5e336db4711a92c3e7dc829
Acct-Session-Id = 82200128
Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
Calling-Station-Id = 00-26-BB-14-50-CF
Called-Station-Id = 02-0B-6B-33-62-35:3
EAP-Message = 0x02030071198000671603010062015e03014b01325d9b7522753ffde3bdcb960b88f167535ca9ec96ffa88e3f5577fc7b4c18002f00350005000ac013c014c009c00a0032003800130004011d00090007046a656e73000a0006000400170018000b00020100
Message-Authenticator = 0xbb5e04e25bd1a69911623d1fa6fc555e
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 113
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 103
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] (other): before/accept initialization 
[peap] TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0062], ClientHello  
[peap] TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap] TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap] TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap] TLS_accept: SSLv3 write server done A 
[peap] TLS_accept: SSLv3 flush data 
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.118.10 port 46429
EAP-Message

RE: RE: Problems to do an SSID based authentication

2009-11-16 Thread tnt
>> My users.conf file looks like this:
>
>> Peter        Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
>> Jens        Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3
>
> The logs from my radiusd -X are the following:
>
> rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
> Service-Type = Framed-User
> Framed-MTU = 1400
> User-Name = Jens
> Acct-Session-Id = 82200128
> Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
> Calling-Station-Id = 00-26-BB-14-50-CF
> Called-Station-Id = 02-0B-6B-33-62-35:3
> EAP-Message = 0x02020009014a656e73
> Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
> NAS-Identifier = MikroTik
> NAS-IP-Address = 192.168.118.10
> +- entering group authorize {...}
...
> Sending tunneled request
> EAP-Message = 0x02080009014a656e73
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = Jens
> server inner-tunnel {
...

You haven't got the SSID in the inner-tunnel request. Enable
copy_request_to_tunnel in the peap section of eap.conf.


Ivan Kalik
Kalik Informatika ISP

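Ivan's diagnosis, as an added example that is not from the thread: a small Python model of how the users file matches its check items against the outer Access-Request versus the PEAP inner-tunnel request. The entries and attribute values are the ones posted above; the matching rules are a simplification of rlm_files written here for illustration, not FreeRADIUS's own code.

```python
import re

# Users-file entries as posted in the thread (name, then check items).
USERS = """
Peter   Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
Jens    Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3
"""

# One check item: Attribute op value, optionally followed by a comma.
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==)\s*("[^"]*"|[^,]+),?')

def parse_users(text):
    """Return [(name, {'==' items}, {':=' items})] for each entry line."""
    entries = []
    for line in text.splitlines():
        # Skip blanks, comments and indented reply-item lines (not modelled here).
        if not line.strip() or line[0] in '# \t':
            continue
        name, rest = line.split(None, 1)
        compare, control = {}, {}
        for attr, op, val in ITEM.findall(rest):
            (compare if op == '==' else control)[attr] = val.strip().strip('"')
        entries.append((name, compare, control))
    return entries

def authorize(entries, request):
    """Simplified rlm_files: first entry whose name and every '==' item match
    the request wins, and its ':=' items become control items. None = no match."""
    for name, compare, control in entries:
        if name != request.get('User-Name'):
            continue
        if all(request.get(attr) == val for attr, val in compare.items()):
            return dict(control)
    return None

def inner_tunnel_request(outer, copy_request_to_tunnel):
    """PEAP inner request: only the tunnelled identity (plus the proxied-to marker
    seen in the log) unless eap.conf copies the outer attributes into the tunnel."""
    inner = {'User-Name': outer['User-Name'], 'FreeRADIUS-Proxied-To': '127.0.0.1'}
    if copy_request_to_tunnel:
        inner.update(outer)
    return inner

# Constructed outer request; attribute values come from the radiusd -X output.
OUTER = {'User-Name': 'Jens',
         'Called-Station-Id': '02-0B-6B-33-62-35:3',   # AP MAC:SSID
         'Calling-Station-Id': '00-26-BB-14-50-CF'}

if __name__ == '__main__':
    ent = parse_users(USERS)
    print('outer request           ->', authorize(ent, OUTER))
    print('inner, no copy          ->', authorize(ent, inner_tunnel_request(OUTER, False)))
    print('inner, copy_request=yes ->', authorize(ent, inner_tunnel_request(OUTER, True)))
```

Without the copy, the inner request has no Called-Station-Id, so Jens's entry never matches inside the tunnel and no Cleartext-Password is set for the inner authentication; with it, the same entry matches there too, and a user on the wrong SSID still gets no entry at all.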


RE: RE: Problems to do an SSID based authentication(t...@kalik.net)

2009-11-16 Thread Peter Carlstedt

Hi Ivan!

It worked! Woho! ^^ Thank you very much for your help =), and of course Alan too =)

Now I will probably get a ton more problems on my walk towards a good setup. =)

Best regards/ Peter Carlstedt 