Problems to do an SSID based authentication
Hello everyone! I am trying to do an SSID based authentication per user. What I mean is that I try in the users.conf file to check for which SSID the user is trying to use to log in, and if it is wrong it shall do a reject for that user. The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know. My users.conf file looks like this:

#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Cleartext-Password := "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

Peter	Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
#	Tunnel-Type = VLAN,
#	Tunnel-Medium-Type = IEEE-802,
#	Tunnel-Private-Group-Id = 2

Jens	Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3
#	Tunnel-Type = VLAN,
#	Tunnel-Medium-Type = IEEE-802,
#	Tunnel-Private-Group-Id = 3
#	NAS-Port-Id == wlan1

Mattias	user-password := kaffe
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 1

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Cleartext-Password := "hello"
#		Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg	Cleartext-Password := "ge55ged"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = 0.0.0.0,
#	Callback-Number = "9,5551212",
#	Login-Service = Telnet,
#	Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk	Cleartext-Password := "callme"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = timeshare1,
#	Login-Service = PortMaster,
#	Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT	Suffix == ".shell"
#		Service-Type = Login-User,
#		Login-Service = Telnet,
#		Login-IP-Host = your.shell.machine

#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.32+,
#		Fall-Through = Yes

#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
#		Framed-IP-Address = 192.168.2.32+,
#		Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT	Service-Type == Framed-User
#	Framed-IP-Address = 255.255.255.254,
#	Framed-MTU = 576,
#	Service-Type = Framed-User,
#	Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

#
# Last default: rlogin to our main
Re: Problems to do an SSID based authentication
Hi,

> I am trying to do an SSID based authentication per user. What I mean is that I try in the users.conf file to check for which SSID the user is trying to use to log in, and if it is wrong it shall do a reject for that user. The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know. My users.conf file looks like this:
>
> Peter	Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
>
> Jens	Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3

so Peter can only connect from 04-0B-6B-33-62-35:raket and Jens can only get on from 02-0B-6B-33-62-35:3 ?

okay - where is your log from 'radiusd -X' ?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: RE: Problems to do an SSID based authentication
> Message: 3
> Date: Mon, 16 Nov 2009 10:03:22 +
> From: Alan Buxey a.l.m.bu...@lboro.ac.uk
> Subject: Re: Problems to do an SSID based authentication
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 20091116100322.gb5...@lboro.ac.uk
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > I am trying to do an SSID based authentication per user. What I mean is that I try in the users.conf file to check for which SSID the user is trying to use to log in, and if it is wrong it shall do a reject for that user. The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know. My users.conf file looks like this:
> >
> > Peter	Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
> >
> > Jens	Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3
>
> so Peter can only connect from 04-0B-6B-33-62-35:raket and Jens can only get on from 02-0B-6B-33-62-35:3 ?
>
> okay - where is your log from 'radiusd -X' ?
>
> alan

Hi Alan!

The logs from my radius -X are the following:

rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
	Service-Type = Framed-User
	Framed-MTU = 1400
	User-Name = Jens
	Acct-Session-Id = 82200128
	Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
	Calling-Station-Id = 00-26-BB-14-50-CF
	Called-Station-Id = 02-0B-6B-33-62-35:3
	EAP-Message = 0x02020009014a656e73
	Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry Jens at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.118.10 port 42531
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x
	State = 0xb5e02fd1b5e336db4711a92c3e7dc829
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.118.10 port 46429, id=98, length=316
	Service-Type = Framed-User
	Framed-MTU = 1400
	User-Name = Jens
	State = 0xb5e02fd1b5e336db4711a92c3e7dc829
	Acct-Session-Id = 82200128
	Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
	Calling-Station-Id = 00-26-BB-14-50-CF
	Called-Station-Id = 02-0B-6B-33-62-35:3
	EAP-Message = 0x02030071198000671603010062015e03014b01325d9b7522753ffde3bdcb960b88f167535ca9ec96ffa88e3f5577fc7b4c18002f00350005000ac013c014c009c00a0032003800130004011d00090007046a656e73000a0006000400170018000b00020100
	Message-Authenticator = 0xbb5e04e25bd1a69911623d1fa6fc555e
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 113
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 103
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0062], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.118.10 port 46429
	EAP-Message
RE: RE: Problems to do an SSID based authentication
> My users.conf file looks like this:
>
> Peter	Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
>
> Jens	Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3
>
> The logs from my radius -X are the following:
>
> rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
> 	Service-Type = Framed-User
> 	Framed-MTU = 1400
> 	User-Name = Jens
> 	Acct-Session-Id = 82200128
> 	Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
> 	Calling-Station-Id = 00-26-BB-14-50-CF
> 	Called-Station-Id = 02-0B-6B-33-62-35:3
> 	EAP-Message = 0x02020009014a656e73
> 	Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
> 	NAS-Identifier = MikroTik
> 	NAS-IP-Address = 192.168.118.10
> +- entering group authorize {...}

...

> Sending tunneled request
> 	EAP-Message = 0x02080009014a656e73
> 	FreeRADIUS-Proxied-To = 127.0.0.1
> 	User-Name = Jens
> server inner-tunnel {

...

You haven't got ssid in inner-tunnel request. Enable copy_request_to_tunnel in peap section of eap.conf.

Ivan Kalik
Kalik Informatika ISP
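The fix Ivan describes, written out as an added example (not configuration from the thread or from the FreeRADIUS project): the peap section of eap.conf with copy_request_to_tunnel enabled, so the outer request's Called-Station-Id is present when the inner-tunnel server evaluates the users file, next to users entries that pin each account to an SSID. The MAC:SSID values are the ones from the post; the DEFAULT reject entry, the Mattias entry with a regex on the SSID suffix, and use_tunneled_reply are assumptions that go beyond what the thread shows.

```conf
# eap.conf: make outer-request attributes available inside the PEAP tunnel
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		# Without this the inner-tunnel request carries only the
		# tunnelled EAP-Message, User-Name and FreeRADIUS-Proxied-To,
		# so a Called-Station-Id check item can never match there.
		copy_request_to_tunnel = yes
		# Assumption: needed if reply items set in the inner tunnel
		# (e.g. the Tunnel-* VLAN attributes) must reach the NAS in
		# the outer Access-Accept.
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}

# users: this NAS sends Called-Station-Id as "<AP MAC>:<SSID>"
Peter	Cleartext-Password := "kaffe", Called-Station-Id == "04-0B-6B-33-62-35:raket"

Jens	Cleartext-Password := "kaffe", Called-Station-Id == "02-0B-6B-33-62-35:3"

# Assumption: match on the SSID alone, whichever AP the client associated to
Mattias	Cleartext-Password := "kaffe", Called-Station-Id =~ ":raket$"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 1

# Assumption: no entry above matched (unknown user or wrong SSID), so reject.
# The named entries have no Fall-Through, so this is reached only on a miss.
DEFAULT	Auth-Type := Reject
	Reply-Message = "Account not permitted on this SSID"
```

The default outer server and the inner-tunnel server both run the files module against the same users file, so these entries are evaluated twice: on the outer EAP identity request, which already carries Called-Station-Id, and on the inner request, which carries it only once copy_request_to_tunnel is on.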
RE: RE: Problems to do an SSID based authentication (t...@kalik.net)
Hi Ivan!

It worked! Woho! ^^ Thank you very much for your help =), of course Alan too =)

Now I will probably get a ton of more problems in my walk towards a good setup. =)

Best regards/
Peter Carlstedt

> Message: 3
> Date: Tue, 17 Nov 2009 00:01:08 - (UTC)
> From: t...@kalik.net
> Subject: RE: RE: Problems to do an SSID based authentication
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 62479.87.194.16.13.1258416068.squir...@www.kalik.net
> Content-Type: text/plain;charset=iso-8859-1
>
> > My users.conf file looks like this:
> >
> > Peter	Cleartext-Password := kaffe , Called-Station-Id == 04-0B-6B-33-62-35:raket
> >
> > Jens	Cleartext-Password := kaffe , Called-Station-Id == 02-0B-6B-33-62-35:3
> >
> > The logs from my radius -X are the following:
> >
> > rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
> > 	Service-Type = Framed-User
> > 	Framed-MTU = 1400
> > 	User-Name = Jens
> > 	Acct-Session-Id = 82200128
> > 	Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
> > 	Calling-Station-Id = 00-26-BB-14-50-CF
> > 	Called-Station-Id = 02-0B-6B-33-62-35:3
> > 	EAP-Message = 0x02020009014a656e73
> > 	Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
> > 	NAS-Identifier = MikroTik
> > 	NAS-IP-Address = 192.168.118.10
> > +- entering group authorize {...}
>
> ...
>
> > Sending tunneled request
> > 	EAP-Message = 0x02080009014a656e73
> > 	FreeRADIUS-Proxied-To = 127.0.0.1
> > 	User-Name = Jens
> > server inner-tunnel {
>
> ...
>
> You haven't got ssid in inner-tunnel request. Enable copy_request_to_tunnel in peap section of eap.conf.
>
> Ivan Kalik
> Kalik Informatika ISP