Description Ingo Jürgensmann 2023-05-12 16:58:40 CEST

Created attachment 11064 [details]
patch-alike file for sites-available/default - will not work out of the box

Currently UCS RADIUS supports the authentication and VLAN-assignment for user objects. So, if someone wants to do such things as MAC Authentication Bypass (MAB) with a computer object and assign a VLAN-ID on this, the current approach will not work - unless another user object is being created with the MAC address as username/uid. 

This will lead to double data in many cases: one time for the computer object and another time for the user object. Maintaining this will be difficult if it is not automated. 

However, changing the RADIUS config in such way that a MAC address can be used (and therefor a computer object) will solve the issue. 
To just authenticate a MAC address a simple addition to the filter in mods-available/ldap should be sufficient: 

----------------------------------------------------------------------
 #              filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
-               filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
-
+#              filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
+                filter = "(|(uid=%{mschap:User-Name:-%{User-Name}})(macAddress=%{mschap:User-Name:-%{User-Name}}))"

                #  Filter to find group objects a user is a member of.
                #  That is, group objects with attributes that
                #  identify members (the inverse of membership_attribute).
-#              membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
+               membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
----------------------------------------------------------------------

The issue is that assigning a VLAN-ID is more challenging. The current config uses the uid and memberUid attributed to match the groups containing the VLAN-IDs with the requesting user. 
With a MAC another step is necessary, because the memberUid of the group lists the machine name ("<uid>$"), but the provided "user" is the MAC address. So, another lookup must be done to get the uid from the provided MAC address and use this for looking up the group and VLAN-ID: 

----------------------------------------------------------------------
--- default     2023-05-12 16:17:27.040000000 +0200
+++ ../server-available_default 2023-05-12 16:15:54.616000000 +0200
@@ -761,18 +761,45 @@
			 User-Name := "%{1}$"    # The uid attribute in the ldap object is filled with the host name and a trailing dollar sign.
		 }
	 }
+
+    if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(macAddress=%{User-Name})}") {
+        # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
+        # In case there are assignments for several groups the first vlan-id is automatically taken.
+        update request {
+            User-Name := "%{ldap:ldap:///dc=domain,dc=net?uid?sub?(macAddress=%{User-Name})}"    # The uid attribute in the ldap object is filled with the host name and a trailing dollar sign.
+        }
+        if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(macAddress=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}") {
+            update reply {
+                Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
+                Tunnel-Type := VLAN
+                Tunnel-Medium-Type := IEEE-802
+                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{User-Name}))(univentionObjectType=groups/group)(univentionVlanId=*))}"
+            }
+        }
+        # If we can't find a matching VLAN ID for the user or machine client in LDAP, we return the default VLAN ID, if configured.
+        # If no default vlan-id is configured in ucr we do not return any vlan information
+        elsif ("1") {
+            update reply {
+                Reply-Message := "DEBUG: Not found, assigning default VLAN-ID"
+                Tunnel-Type := VLAN
+                Tunnel-Medium-Type := IEEE-802
+                Tunnel-Private-Group-Id := "1"
+            }
+        }
+    }
+
	 # Check if the user or machine exists and do post-auth actions
	 # else do nothing in post-auth
	 # This way we also make sure that we do not change the VLAN ID again if the non-EAP-auth (MAC address auth) succeeded before (see above)
-    if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(uid=%{User-Name})}") {
+    if ("%{ldap:ldap:///dc=domain,dc=net?uid?sub?(|(uid=%{User-Name})(macAddress=%{User-Name}))}") {
		 # For known users as well for known machines we take the vlan-id from the group the user/machine is member of.
		 # In case there are assignments for several groups the first vlan-id is automatically taken.
-        if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}") {
+        if ("%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(macAddress=%{User-Name}))(univentionObjectType=groups/group)(univentionVlanId=*))}") {
			 update reply {
				 Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
				 Tunnel-Type := VLAN
				 Tunnel-Medium-Type := IEEE-802
-                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*))}"
+                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*))}"
			 }
		 }
		 # If we can't find a matching VLAN ID for the user or machine client in LDAP, we return the default VLAN ID, if configured.
----------------------------------------------------------------------
 
Please note that the above is a diff from /etc/freeradius/3.0/sites-available/default and NOT from the template!
Anyway, it shows what maybe needs to be done/changed. I'd recommend to use a more elaborated approach with nested if/elif or case statements inside of the RADIUS config. 

Please also note that this works when the MAC address is transmitted from the client in a certain format (":" as separator). On a Cisco 2690 switch with IOS 15.x this can be achieved by configuring "mab request format attribute 1 groupsize 2 separator :". 

Using MAB and VLAN-IDs are sometimes requested in customer projects. One customer already did chose another solution because UCS couldn't provide a simple solution for this task. In another project the customer asked, if this is possible. 


PS: 
The resulting RADIUS debug is like this: 

(0)           Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
(0)           Tunnel-Type := VLAN
(0)           Tunnel-Medium-Type := IEEE-802
rlm_ldap (ldap): Reserved connection (6)
(0)           Performing search in "dc=domain,dc=net" with filter "(&(|(memberUid=arrakis$)(memberUid=))(univentionObjectType=groups/group)(univentionVlanId=*))", scope "sub"
(0)           Waiting for search result...
rlm_ldap (ldap): Released connection (6)
(0)           EXPAND %{ldap:ldap:///dc=domain,dc=net?univentionVlanId?sub?(&(|(memberUid=%{User-Name})(memberUid=%{1}))(univentionObjectType=groups/group)(univentionVlanId=*))}
(0)              --> 300
(0)           Tunnel-Private-Group-Id := 300

Or as transmitted to the client/switch: 

(0) Login OK: [arrakis$] (from client c2960 port 50001 cli 28-CD-4C-FF-FD-BD)
(0) Sent Access-Accept Id 10 from 192.168.254.5:1812 to 172.19.21.10:1645 length 0
(0)   Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
(0)   Tunnel-Type := VLAN
(0)   Tunnel-Medium-Type := IEEE-802
(0)   Tunnel-Private-Group-Id := "300"