Re: [SOLVED]LDAP authentication allowed if User Object does not exist.

02-25-2007
Eric Belcher

Hi,

I solved my own problem and thought someone else might like the
solution.

As I followed the Novell FreeRADIUS integration notes, I had check
items disabled. When I enabled them and modified the ldap.attrmap to suit
just those elements I want to check, the matching process fails if the
user does not exist, thus returning a reject.

This has an added benefit when we use the Client-Calling-ID, which is the
MAC address of the client. As we record these anyway for a matching
802.1x certificate, we can now make certain that our students don't pass
around the certificates, as a mismatching MAC address and certificate
will now also fail.

Regards
Eric.

Eric Belcher
Manager - Technology Services
Anglican Church Grammar School
Oaklands Parade, East Brisbane
Eric.Belcher@acgs.qld.edu.au
Phone 617 3896 2186
Fax 617 3891 5976


>>> "Eric Belcher" <Eric.Belcher@acgs.qld.edu.au> 22/02/2007 4:39 pm >>>

Hi,

I'm using freeradius on a SUSE 10 server. I'm using it to authenticate
WPA2 wireless clients to Novell eDirectory. There is a twofold process.
Being a school, security is quite an issue.

Each student is issued with a certificate that is used to authenticate
him to the radius server. The certificate name is his MAC address. A
corresponding NDS account exists for this MAC address.

So, if the student installs his certificate and has an account in NDS,
he is authenticated and the wireless access point allows an IP address
to be obtained and the student has access. Using the NDS account I can
limit the student's access by changing the parameters of his MAC account,
i.e. allowed times. THIS IS ALL WORKING WELL.

However, I have found a flaw I can't seem to find an answer for. I'm
hoping someone can help.

If the NDS account does not exist, as long as the SSL certificate is
not revoked and is in the Freeradius database, the student will gain
access. The radius server does a lookup, can't find the account and
just continues on. I need the radius server to reject access, i.e. a
missing attribute causing a rejection if the account can't be found.

Can anyone tell me how I can do this?
Thanks
Eric Belcher


Eric Belcher
Manager - Technology Services
Anglican Church Grammar School
Oaklands Parade, East Brisbane
Eric.Belcher@acgs.qld.edu.au
Phone 617 3896 2186
Fax 617 3891 5976


Disclaimer
This email is intended for the use of the named individual or entity
and may contain confidential and privileged information. Any
dissemination distribution or copying by anyone other than the intended
recipient of this email is strictly prohibited. If this email has been
received in error, please send an email in response, or telephone us
immediately on +61 7 38962200, and destroy the original message. Any
views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of the
Corporation of the Synod of the Diocese of Brisbane or Churchie.



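As an added illustration (not code from the thread or from FreeRADIUS itself), a small Python model of the check-item matching Eric describes: it parses `checkItem` lines in the ldap.attrmap format, then compares the request's Calling-Station-Id with the user's directory entry, rejecting when the user object is missing or the MAC does not match the one recorded for the certificate. The directory contents are constructed, and the MAC normalisation is an assumption of this example (access points send Calling-Station-Id in several formats).

```python
"""Added example modelling FreeRADIUS-style LDAP check items; not from
the thread or the FreeRADIUS project."""
import re
from typing import Dict, Optional, Tuple

# Constructed ldap.attrmap excerpt in the FreeRADIUS 1.x line format
# "checkItem <RADIUS attribute> <LDAP attribute>"; the integration
# notes Eric followed leave such lines commented out, i.e. disabled.
ATTRMAP = """
#checkItem  Auth-Type           radiusAuthType
checkItem   Calling-Station-Id  radiusCallingStationId
replyItem   Session-Timeout     radiusSessionTimeout
"""

def parse_check_items(text: str) -> Dict[str, str]:
    """Return {RADIUS attribute: LDAP attribute} for active checkItem lines."""
    items = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "checkItem":
            items[parts[1]] = parts[2]
    return items

CHECKS = parse_check_items(ATTRMAP)

def norm_mac(value: str) -> str:
    """Assumption: compare on bare hex digits, so 00-11-22-33-44-55,
    00:11:22:33:44:55 and 0011.2233.4455 all match one stored value."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

# Constructed directory: the certificate name (the MAC) is the account name.
DIRECTORY = {
    "00-11-22-33-44-55": {"radiusCallingStationId": "00:11:22:33:44:55"},
    "66-77-88-99-aa-bb": {},  # account exists but carries no check attribute
}

def evaluate(request: Dict[str, str], entry: Optional[Dict[str, str]],
             checks: Dict[str, str]) -> Tuple[str, str]:
    """A missing user object is a reject (the outcome the post reports);
    a check attribute present on the entry must equal the request value."""
    if entry is None:
        return "reject", "no user object for this identity"
    for radius_attr, ldap_attr in checks.items():
        if ldap_attr not in entry:
            continue  # a check item is only enforced when the entry has it
        want, got = entry[ldap_attr], request.get(radius_attr, "")
        if radius_attr == "Calling-Station-Id":
            want, got = norm_mac(want), norm_mac(got)
        if want != got:
            return "reject", f"{radius_attr} mismatch"
    return "ok", "check items satisfied"

def authorize(identity: str, request: Dict[str, str]) -> Tuple[str, str]:
    """Look the certificate identity up in the directory, then apply checks."""
    return evaluate(request, DIRECTORY.get(identity), CHECKS)
```

The last directory entry shows the caveat: an account that exists but lacks the mapped attribute passes the check, so every MAC account needs the attribute populated for the certificate-to-MAC binding to be enforced.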