user/group access with 2 SSIDs with Radius / Ldap
Hello
My network:
AP Wifi (NWA1123-ACv2) => freeRadius => openldap
I have configured 2 Wifi SSIDs, "wifi1" & "wifi2".
I have created 2 groups in the LDAP and I would like only users of the "wifiX" group to be able to access the "wifiX" SSID.
I was expecting to use the "NAS identifier" parameter sent from the AP to Radius to filter.
It works only partially:
If I put the following filter in freeRadius:
(&(uid=%{User-Name})(|(memberOf=cn=wifi1,ou=group,dc=mydomain,dc=net)(memberOf=cn=wifi2,ou=group,dc=mydomain,dc=net)))
=> the authentication "works" but of course all users from wifi1 or wifi2 can access both SSIDs.
If I put the following filter in freeRadius:
(&(uid=%{User-Name})(memberOf=cn=%{NAS-Identifier},ou=group,dc=mydomain,dc=net))
=> the authentication does not work.
If I have a look at the LDAP log with debug I can see that 2 requests are performed by the radius:
- the first one has "SRCH base="dc=mydomain,dc=net" scope=2 deref=0 filter="(&(uid=user1)(memberOf=cn=wifi1,ou=group,dc=mydomain,dc=net))"
- the second one has "SRCH base="dc=mydomain,dc=net" scope=2 deref=0 filter="(&(uid=user1)(?memberOf=cn=,ou=group,dc=mydomain,dc=net))"
So it seems that the second request did not have the "NAS identifier" I have put in the AP Wifi conf.
And second possibility, why are there 2 searches? I have another "NAS" using the same Radius/LDAP, and when authentication is done there is only one request...
Any idea of how to solve the problem?
All Replies
Hi Sir,
Let me first clarify your structure like the picture below:
This case can be analyzed into two parts:
1. AP <-> freeRadius
2. freeRadius <-> LDAP Server
Here we'll focus on clarifying the part 1 issue, to see if the AP behaves abnormally, or optimize the setting for you.
So for your requirement, you have to create two security profiles with the same server IP, but with different NAS-Identifiers. Hence when the AP sends the request to the RADIUS server, it will add different attributes.
There are several processes for the AP to negotiate with the RADIUS server; in my local LAB, all the requests sent from the AP include this NAS Identifier. So I think you can capture the packets (filter = radius), and see if the packet format/content is wrong. If there's no issue in the packet, then the issue may not have happened on the AP side.
Another approach we recommend is using the "Called-Station-ID", where you can see this column includes the MAC address of the connected AP and the SSID name. So you can set the rule on the radius server, where the user must belong to the specific group, and the connected SSID must also match the string, then grant the access. (The AP's MAC address can be set as *, + specific string.)
Best Regards,
Richard
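The following is an added example, not code from the thread, from Zyxel or from the FreeRADIUS project. It covers both approaches discussed above: the original poster's per-SSID group check keyed on NAS-Identifier, and the reply's suggestion of deriving the SSID from Called-Station-Id (AP MAC, a colon, then the SSID; the exact format is an assumption). It builds the LDAP filter the server should send, and it handles the failure the poster saw in the log: when the attribute is absent, it rejects instead of emitting a `cn=,ou=group,...` filter. It also escapes User-Name and the SSID per RFC 4515 before interpolating them, since both arrive from the client or NAS. The base DN and group OU come from the thread; the user entries are constructed.

```python
import re
from typing import Dict, Optional, Set

BASE_DN = "dc=mydomain,dc=net"        # from the thread
GROUP_OU = f"ou=group,{BASE_DN}"      # from the thread

# RFC 4515 escaping for values interpolated into an LDAP filter.
# User-Name and Called-Station-Id are client/NAS supplied, never paste them raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a string so it can only ever be a literal value inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Assumed Called-Station-Id shape from an AP: "AA-BB-CC-DD-EE-FF:SSID"
# (MAC with '-' or ':' separators, then ':' and the SSID).
_CALLED_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")


def ssid_from_request(attrs: Dict[str, str]) -> Optional[str]:
    """SSID the client joined: Called-Station-Id first, NAS-Identifier as fallback.

    Returns None when neither attribute yields an SSID, so the caller fails closed.
    """
    m = _CALLED_RE.match(attrs.get("Called-Station-Id", ""))
    if m:
        return m.group(1)
    return attrs.get("NAS-Identifier") or None


def build_filter(attrs: Dict[str, str]) -> Optional[str]:
    """LDAP filter restricting the user to the group named after the SSID.

    None means 'reject': a missing SSID must never turn into 'cn=,ou=group,...'.
    """
    user = attrs.get("User-Name")
    ssid = ssid_from_request(attrs)
    if not user or not ssid:
        return None
    return (f"(&(uid={ldap_escape(user)})"
            f"(memberOf=cn={ldap_escape(ssid)},{GROUP_OU}))")


# Constructed stand-in for the directory: uid -> set of memberOf DNs.
DIRECTORY: Dict[str, Set[str]] = {
    "user1": {f"cn=wifi1,{GROUP_OU}"},
    "user2": {f"cn=wifi2,{GROUP_OU}"},
}


def authorize(attrs: Dict[str, str], directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """Decision the filter encodes: accept only if the user is in the SSID's group."""
    user = attrs.get("User-Name")
    ssid = ssid_from_request(attrs)
    if not user or not ssid:
        return False  # no SSID in the request: reject rather than match anything
    return f"cn={ssid},{GROUP_OU}" in directory.get(user, set())


if __name__ == "__main__":
    # Constructed requests, one per scenario from the thread.
    ok = {"User-Name": "user1", "Called-Station-Id": "00-11-22-33-44-55:wifi1"}
    wrong_ssid = {"User-Name": "user1", "Called-Station-Id": "00-11-22-33-44-55:wifi2"}
    no_ssid = {"User-Name": "user1"}  # the '?memberOf=cn=,' case from the log
    for req in (ok, wrong_ssid, no_ssid):
        print(build_filter(req), "->", "Access-Accept" if authorize(req) else "Access-Reject")
```

In FreeRADIUS terms, `build_filter` is what the `ldap` module's filter expansion should produce, and the `None` branch corresponds to rejecting in the `authorize` section before the LDAP module runs when the SSID attribute is missing.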
Hello
Thanks for the reply.
Were the 2 screenshots performed with a kind of Wireshark?
What was the filtering? Only the "radius" word?
Ok, checked with Wireshark with all traffic between AP and Radius.
Indeed all the packets sent from the AP to the Radius have the Nas-Identifier with the correct value.
That means that the radius server for one reason lost the Nas-Identifier before sending the request to the LDAP...
Any idea of what could be the issue?
Hi Sir,
From our previous supporting experience, we haven't found cases with the same symptom.
As a general recommendation, you can check if your freeRADIUS is at an updated version (to exclude some known issues). If the duplicate case still exists, you can also request their support, or check their online documentation to see if there could be any configuration error on the server side.
https://stackoverflow.com/questions/tagged/freeradius
Best Regards,
Richard