Friday, January 29, 2016

Goodbye Java plugin - You will not be missed

Wonderful news:

Friday, July 25, 2014

Freeradius Access By SSID

I use the Meraki products for wireless and they were supposed to be the super-advanced-easy-interface-with-custom-configuration-no-issue APs with cloud manager, MDM, 600 horse power, 4wd, etc, etc.

If you need to setup a wireless network with a few SSIDs and all your users have the same access, then it works. If you also want to have your users limited to one device, it works too. But if you need certain users to have limited access and certain users to have regular access then good luck. The only option available on the Meraki system is to assign policies per device. Therefore, if you have devices that multiple users use, then you are out of luck.

I had an SSID set and then I configured a Freeradius server and everyone authenticated using the Radius server that connected to a MySQL database and pulled user info.

Since I work in a school, I wanted to have different access for Staff and different access for Students. The Meraki support team told me that it is not possible to assign policies on a per username basis even if you have Active Directory, LDAP or Radius.

So, after a lot of searching I figured out a way to do it through the Freeradius server. It turned out to be pretty simple in the end.

First in the policy.conf file you add the following:

rewrite_called_station_to_ssid {
                if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-$
                        update request {
                                Called-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
                                Called-Station-SSID := "%{7}"
                else {
When the client sends an authorization request to the radius server, the packet has the attribute of Called-Station-Id and the value of the mac address of the AP then ":" and then the SSID that the user is trying to authenticate to. View here the complete instructions. So what that does is to split the value into the mac address of the AP and the SSID in two. The SSID is saved in the Called-Station-SSID.

Then in the dictionary file (it should be in the freeradius directory), add
ATTRIBUTE        Called-Station-SSID        3010                string
Then open up the file sites-enabled/default. In that file there are sections separated with {}. Find the section authorize and add
after the preprocess.

Next add a table in your database with 2 columns; groupname and groupssid. Then add this to the file sites-enabled/default in the post_auth section:

if("%{sql:SELECT COUNT(*) FROM radusergroup,radgroupssid WHERE radusergroup.groupname = radgroupssid.groupname and radusergroup.username= '%{User-Name}' AND radusergroup.groupname='Staff' and radgroupssid.ssid= '%{Called-Station-SSID}'} >0"){
        else {

This assumes that you have freeradius configured with MySQL and your users belong in groups and that your controller sends the attribute Called-Station-Id as mentioned above. This will not allow access to SSIDs that you do not have listed in your database.

Thursday, April 4, 2013

Dovecot, Amavis-new, Auto subscribe

I have followed the excellent tutorial located here and I have setup an email server on Debian. Everything was up and running with a few differences (I have my users in a different server but wanted the mail stored on the localhost).

The only issue I had was when an email client was connecting, and a spam email came to dovecot, the sieve would work as in the tutorial but the headers would not be added to the message itself. After a lot of searching I figured out that if the folder did not exist, then dovecot would just deliver the email to the inbox.  So to create the default folders for every user just edit /etc/dovecot/dovecot.conf and add the following:

Now to figure out how to install Horde Groupware 5 on this server...

My Blog List