Friday, July 25, 2014

Freeradius Access By SSID

I use the Meraki products for wireless and they were supposed to be the super-advanced-easy-interface-with-custom-configuration-no-issue APs with cloud manager, MDM, 600 horse power, 4wd, etc, etc.

If you need to set up a wireless network with a few SSIDs and all your users have the same access, then it works. If you also want to have your users limited to one device, it works too. But if you need certain users to have limited access and certain users to have regular access, then good luck. The only option available on the Meraki system is to assign policies per device. Therefore, if you have devices that multiple users use, then you are out of luck.

I had an SSID set and then I configured a Freeradius server and everyone authenticated using the Radius server that connected to a MySQL database and pulled user info.

Since I work in a school, I wanted to have different access for Staff and different access for Students. The Meraki support team told me that it is not possible to assign policies on a per username basis even if you have Active Directory, LDAP or Radius.

So, after a lot of searching I figured out a way to do it through the Freeradius server. It turned out to be pretty simple in the end.

First in the policy.conf file you add the following:

rewrite_called_station_to_ssid {
        if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-$
                update request {
                        Called-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
                        Called-Station-SSID := "%{7}"
                }
        }
        else {
                noop
        }
}

When the client sends an authorization request to the RADIUS server, the packet carries the attribute Called-Station-Id, whose value is the MAC address of the AP, then ":" and then the SSID that the user is trying to authenticate to. View here the complete instructions. The policy above splits that value in two: the MAC address of the AP stays in Called-Station-Id and the SSID is saved in Called-Station-SSID.

Then in the dictionary file (it should be in the freeradius directory), add

ATTRIBUTE        Called-Station-SSID        3010                string

Then open up the file sites-enabled/default. In that file there are sections delimited with {}. Find the authorize section and add

rewrite_called_station_to_ssid

after preprocess. The name has to match the policy defined in policy.conf above.

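Next add a table in your database with 2 columns: groupname and groupssid (the query below expects the table to be named radgroupssid). Then add this to the file sites-enabled/default in the post_auth section:

# The closing quote goes before "> 0" so that the row count is compared as a number;
# a quoted string on its own is only tested for being non-empty.
if ("%{sql:SELECT COUNT(*) FROM radusergroup,radgroupssid WHERE radusergroup.groupname = radgroupssid.groupname AND radusergroup.username = '%{User-Name}' AND radusergroup.groupname = 'Staff' AND radgroupssid.groupssid = '%{Called-Station-SSID}'}" > 0) {
        ok
}
else {
        reject
}
sql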

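This assumes that you have FreeRADIUS configured with MySQL, that your users belong to groups, and that your controller sends the attribute Called-Station-Id as mentioned above. Access to SSIDs that are not listed in your database is rejected. Because the query also filters on groupname = 'Staff', only members of Staff can match as written; change or drop that clause to cover other groups.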
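To test the group-to-SSID mapping offline before touching the RADIUS server, here is an added example (not code from the original post) that mirrors the two steps above in Python with an in-memory SQLite database. The regex, the sample MAC address, SSIDs and users are all constructed for the example, the tables are cut down to the columns the check reads, and the check is generalized to any group rather than only Staff.

```python
import re
import sqlite3

# Regex written for this example (the page's own pattern is cut off):
# six hex octets with optional -, : or . separators, then ":" and the SSID.
CALLED_STATION = re.compile(
    r"^([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?"
    r"([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})(?::(.*))?$",
    re.IGNORECASE,
)

def split_called_station(value):
    """Return (ap_mac, ssid); ssid is None if the AP sent no SSID part."""
    m = CALLED_STATION.match(value)
    if not m:
        return None, None
    return "".join(m.groups()[:6]).lower(), m.group(7) or None

def build_db():
    """Constructed sample data, cut down to the columns the check reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radusergroup (username TEXT, groupname TEXT);
        CREATE TABLE radgroupssid (groupname TEXT, groupssid TEXT);
        INSERT INTO radusergroup VALUES ('alice', 'Staff'), ('bob', 'Students');
        INSERT INTO radgroupssid VALUES ('Staff', 'School-Staff'),
                                        ('Students', 'School-Students');
    """)
    return db

def post_auth(db, username, called_station_id):
    """Mirror the post_auth check: ok only if a group of the user maps to the SSID."""
    _, ssid = split_called_station(called_station_id)
    if ssid is None:
        return "reject"  # malformed value or no SSID: deny by default
    (count,) = db.execute(
        "SELECT COUNT(*) FROM radusergroup u JOIN radgroupssid s "
        "ON u.groupname = s.groupname "
        "WHERE u.username = ? AND s.groupssid = ?",
        (username, ssid),
    ).fetchone()
    return "ok" if count > 0 else "reject"

if __name__ == "__main__":
    db = build_db()
    for user, ssid in [("alice", "School-Staff"), ("bob", "School-Staff")]:
        print(user, ssid, post_auth(db, user, "00-18-0A-12-34-56:" + ssid))
```

The username and SSID both come from the client side of the exchange, so the query binds them as parameters instead of pasting them into the SQL text.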

Thursday, April 4, 2013

Dovecot, Amavis-new, Auto subscribe

I have followed the excellent tutorial located here http://workaround.org/ispmail/squeeze/content-scanning-amavis and I have set up an email server on Debian. Everything was up and running with a few differences (I have my users in a different server but wanted the mail stored on the localhost).

The only issue I had was when an email client was connecting, and a spam email came to dovecot, the sieve would work as in the tutorial but the headers would not be added to the message itself. After a lot of searching I figured out that if the folder did not exist, then dovecot would just deliver the email to the inbox. So to create the default folders for every user just edit /etc/dovecot/dovecot.conf and add the following:


Now to figure out how to install Horde Groupware 5 on this server...

Wednesday, June 20, 2012

FreeNAS, OpenFiler or Ubuntu Server

Lately, I have been thinking that I will digitize everything in the house and I researched for a while on what to do and what to use.

First, the media front. I read the Roku, Boxee Box, etc. reviews, but they were not for me. So I decided to go with XBMC. I am very familiar with Ubuntu and most plugins are Ubuntu native in XBMC but unfortunately the new version of Ubuntu comes with Unity. I went against my hatred for the new layout and stupid desktop environment and since I could not be bothered to remove Unity for another environment...what the hell, I said I'll try it.

The hardware was pretty simple:

I installed Ubuntu 11.10 with OpenSSH server, then XBMC. As soon as XBMC was up and running, I installed the extra repositories. Addons installed include Pandora for XBMC, Swiss Army Knife, mythtv for XBMC. Then I installed MythTV and configured the TVTuner Card. Very buggy and does not work properly.

So now I am ripping my DVD collection, arranging my pictures and fixing my music files. Now comes the time to figure out what to do for disk space. I looked at Synology, Promise, QNap which are the more respectable names in NAS boxes. Then I remembered that I installed and configured FreeNAS a long time ago so I started reading about FreeNAS and OpenFiler. A lot of people recommend the former over the latter and that reminded me why I had chosen it as well so long ago.

The decision was made and I dug some hardware I had in the closet, bought some hard drives and started building. The hardware is a bit ridiculous but it used to belong to a former gaming rig.
  • Asus A8N32-SLI Deluxe Motherboard
  • AMD FX-55
  • I could not use the 8800GTX (too much power) so I just got a $20 video card
  • 1 80 GB drive I found lying around and 3x2TB
  • 4 GB of RAM
I read a lot about the ZFS file system and I was intrigued so I installed FreeNAS and I created a RAIDZ array. I could not change the configuration and it kept crashing all the time so I removed it and installed OpenFiler. Even worse...

So I saw that ZFS is natively supported in Ubuntu. I installed Ubuntu 11.10 server, added the ZFS repository, installed ZFS, created a RAIDZ array and everything was good to go. Then I wanted a time machine backup for my laptop and I came across a huge article on how to install netatalk (TODO). That did not work. All you have to do is sudo apt-get install netatalk and add 2 configuration lines. After that was done, I installed and configured SAMBA.

Time Machine backup, Windows Backup, reliable NAS storage for any OS. Now why would people not choose this?
[Update]
Eventually I had to remove Unity and use Xfce because the video was very choppy and there was a line in the middle of the TV. 
