User/group access with 2 SSIDs with RADIUS / LDAP

ewok2 Posts: 3
Hello
My network :
AP Wifi (NWA1123-ACv2) => freeRadius => openldap

I have configured 2 Wi-Fi SSIDs, "wifi1" and "wifi2".
I have created 2 groups in the LDAP, and I would like only users of the "wifiX" group to be able to access the "wifiX" SSID.
I was expecting to use the "NAS-Identifier" parameter sent from the AP to RADIUS to filter.

It works only partially:
If I put the following filter in freeRADIUS:
(&(uid=%{User-Name})(|(memberOf=cn=wifi1,ou=group,dc=mydomain,dc=net)(memberOf=cn=wifi2,ou=group,dc=mydomain,dc=net)))
=> the authentication "works", but of course all users from wifi1 or wifi2 can access both SSIDs.

If I put the following filter in freeRADIUS:
(&(uid=%{User-Name})((memberOf=cn=%{NAS-Identifier},ou=group,dc=mydomain,dc=net)))
=> the authentication does not work.

If I have a look at the LDAP log with debug on, I can see that 2 requests are performed by the RADIUS server:
- the first one has "SRCH base="dc=mydomain,dc=net" scope=2 deref=0 filter="(&(uid=user1)(memberOf=cn=wifi1,ou=group,dc=mydomain,dc=net))"
- the second one has "SRCH base="dc=mydomain,dc=net" scope=2 deref=0 filter="(&(uid=user1)(?memberOf=cn=,ou=group,dc=mydomain,dc=net))"

So it seems that the second request did not have the "NAS-Identifier" I have put in the AP Wi-Fi conf.

And a second question: why are there 2 searches? I have another "NAS" using the same RADIUS/LDAP, and when authentication is done there is only one request....

Any idea of how to solve the problem?

All Replies

  • Zyxel_Richard Posts: 177  Zyxel Employee
    Hi Sir,

    Let me first clarify your structure like the picture below:



    This case can be analyzed in two parts:
    1. AP <-> freeRadius
    2. freeRadius <-> LDAP Server

    Here we'll focus on clarifying the part 1 issue, to see whether the AP behaves abnormally, or to optimize the setting for you.

    So for your requirement, you have to create two security profiles with the same server IP, but with different NAS-Identifiers. Hence when the AP sends the request to the RADIUS server, it will add different attributes.



    There are several steps in the AP's negotiation with the RADIUS server; in my local lab, all the requests sent from the AP include this NAS-Identifier. So I think you can capture the packets (filter = radius), and see whether the packet format/content is wrong. If there's no issue in the packets, then the issue may not be on the AP side.

    Another approach we recommend is using the "Called-Station-Id", where you can see this column includes the MAC address of the connected AP and the SSID name. So you can set the rule on the RADIUS server, where the user must belong to the specific group and the connected SSID must also match the string, then grant the access. (The AP's MAC address can be set as *, + specific string.)

    Best Regards,
    Richard
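The two filter-building approaches discussed above (group name taken from NAS-Identifier, or from the SSID part of Called-Station-Id), worked through as an added example. This is not code from the thread, from Zyxel or from the FreeRADIUS project: it is a stand-alone Python model of what the RADIUS server has to do before it talks to LDAP. The group base DN `ou=group,dc=mydomain,dc=net` is the one from the original post; the function names, the `ap_mac_allowlist` parameter and the sample requests are assumptions. The "MAC:SSID" layout of Called-Station-Id follows RFC 3580 section 3.20. Two points the thread touches on are made explicit: an absent attribute must never expand to `cn=,` (the empty value visible in the poster's second slapd SRCH line, which can never match), and every value taken from the request is escaped per RFC 4515 so a crafted User-Name cannot close the `(uid=...)` term and add its own `memberOf` clause.

```python
"""
Added example (not code from the thread, Zyxel or the FreeRADIUS project):
turn the RADIUS request attributes into the per-SSID LDAP group filter the
original post is after, using either NAS-Identifier or Called-Station-Id.
The group base DN is the one from the thread; everything else is assumed.
"""
import re
from typing import Dict, Optional, Tuple

GROUP_BASE = "ou=group,dc=mydomain,dc=net"  # base DN used in the thread

# Called-Station-Id as most APs send it (RFC 3580, section 3.20):
# "AA-BB-CC-DD-EE-FF:SSID". Octets may be separated by '-' or ':';
# the SSID is whatever follows the ':' after the six octets.
_CALLED_STATION_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    User-Name and the NAS attributes arrive off the wire; without this a
    crafted User-Name could close the (uid=...) term and append its own
    memberOf clause, turning an authorization filter into an injection.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. ')' -> '\29'
        else:
            out.append(ch)
    return "".join(out)


def parse_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Split "MAC:SSID" into (normalised MAC, SSID); None if not in that form."""
    m = _CALLED_STATION_RE.match(value)
    if not m:
        return None
    mac = m.group(1).upper().replace(":", "-")
    return mac, m.group(2)


def build_group_filter(attrs: Dict[str, str],
                       source: str = "NAS-Identifier",
                       ap_mac_allowlist: Optional[set] = None) -> Optional[str]:
    """Return the LDAP filter for this request, or None if it must be rejected.

    source="NAS-Identifier": the group name is the NAS-Identifier configured
      per security profile on the AP (the original poster's approach).
    source="Called-Station-Id": the group name is the SSID carried in
      Called-Station-Id (the alternative suggested in the reply);
      ap_mac_allowlist, if given, is the AP-MAC part of the match,
      None meaning "*" (any AP).
    """
    user = attrs.get("User-Name")
    if not user:
        return None

    if source == "NAS-Identifier":
        ssid = attrs.get("NAS-Identifier")
    elif source == "Called-Station-Id":
        parsed = parse_called_station_id(attrs.get("Called-Station-Id", ""))
        if parsed is None:
            return None
        mac, ssid = parsed
        if ap_mac_allowlist is not None and mac not in ap_mac_allowlist:
            return None
    else:
        raise ValueError("unknown source: %s" % source)

    # An absent attribute must not become "cn=," (the empty expansion seen
    # in the poster's second slapd SRCH line); refuse instead of querying.
    if not ssid:
        return None

    return "(&(uid=%s)(memberOf=cn=%s,%s))" % (
        ldap_filter_escape(user), ldap_filter_escape(ssid), GROUP_BASE)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(build_group_filter({"User-Name": "user1", "NAS-Identifier": "wifi1"}))
    print(build_group_filter({"User-Name": "user1"}))   # no NAS-Identifier -> None
    print(build_group_filter({"User-Name": "user1",
                              "Called-Station-Id": "00-11-22-33-44-55:wifi2"},
                             source="Called-Station-Id"))
```

The first call reproduces the filter from the poster's first slapd log line exactly; the second shows the request being refused rather than sent with an empty group name. In FreeRADIUS itself the `%{...}` expansions inside the ldap module's filter are escaped by the module, so the explicit escaping here is a model of that behaviour rather than something to bolt on; the caveat worth keeping in mind is that both NAS-Identifier and Called-Station-Id are set by the NAS, so this filter is only as trustworthy as the RADIUS client (shared secret) that sent them.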
  • ewok2 Posts: 3
    Hello
    Thanks for the reply.
    Were the 2 screenshots taken with a kind of Wireshark?
    What was the filtering? Only the word "radius"?

  • ewok2 Posts: 3
    OK, checked with Wireshark on all traffic between the AP and RADIUS.
    Indeed all the packets sent from the AP to the RADIUS server have the NAS-Identifier with the correct value.
    That means that the RADIUS server for some reason loses the NAS-Identifier before sending the request to the LDAP....
    Any idea of what could be the issue?

  • Zyxel_Richard Posts: 177  Zyxel Employee
    Hi Sir,

    From our previous support experience, we haven't found cases with the same symptom.

    As a general recommendation, you can check whether your freeRADIUS is at an up-to-date version (to exclude some known issues); if the duplicate-search case still exists, you can also request their support, or check their online documentation to see if there could be any configuration error on the server side.

    https://stackoverflow.com/questions/tagged/freeradius

    Best Regards,
    Richard