MVP

Limiting automatic mac account creation?

I'm currently using AD to push different users into different roles. This I got working (yay).

As a next step I'd like to limit the number of mac-addresses any 1 user can register.

I use the following expression to accomplish that:

return
    // only act for a real user login, not for a device that is already a MAC account
    empty($user['mac_auth'])
    && NwaDynamicLoad('NwaCreateUser')
    && NwaDynamicLoad('NwaNormalizeMacAddress')
    && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
    && (
        // local account (has an id): pair the new MAC account with it
        (!empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'role_id'              => 8,
            'visitor_name'         => $user['username'],
            'sponsor_name'         => $user['username'],
            'mac_auth_pair'        => $user['id'],
            'modify_expire_time'   => '12h',
            'auto_update_account'  => 1)))
        // AD user (no local id): record who created it in sponsor_name
        || (empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'role_id'              => 8,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'visitor_name'         => $user['displayname'],
            'sponsor_name'         => $user['userprincipalname'],
            'mac_auth_pair'        => $user['id'],
            'modify_expire_time'   => '24h',
            'do_expire'            => 4,
            'auto_update_account'  => 1)))
    )
    // the result is always false: creating the account is the side effect
    && 0;

I'm setting the sponsor_name to AD's userprincipalname to identify who actually created the MAC account.

The amigopodTechNoteAutoMACAuthAccount.pdf doc then explains how to add a bit to limit the number of MAC accounts that can be created by a single user. So I changed the above role to:

return
    (
        ($MAX_MAC_ACCOUNTS = 1)
        // count this user's live MAC accounts; reject once the limit is reached
        && (NwaRadiusLocalServer()->GetUserCount(array(
                'sponsor_name' => strtolower(GetAttr('User-Name')),
                'delete_time'  => 0,
                'mac_auth'     => 1)
            ) >= $MAX_MAC_ACCOUNTS)
        ? (AccessReject() && 0) : 1
    )
    && empty($user['mac_auth'])
    && NwaDynamicLoad('NwaCreateUser')
    && NwaDynamicLoad('NwaNormalizeMacAddress')
    && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
    && (
        (!empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'role_id'              => 8,
            'visitor_name'         => $user['username'],
            'sponsor_name'         => $user['username'],
            'mac_auth_pair'        => $user['id'],
            'modify_expire_time'   => '12h',
            'auto_update_account'  => 1)))
        || (empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'role_id'              => 8,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'visitor_name'         => $user['displayname'],
            'sponsor_name'         => $user['userprincipalname'],
            'mac_auth_pair'        => $user['id'],
            'modify_expire_time'   => '24h',
            'do_expire'            => 4,
            'auto_update_account'  => 1)))
    )
    && 0;

The example in the doc used "'sponsor_name' => strtolower(GetAttr('User-Name')),"  which I honestly do not understand. Ok, it retrieves the user-name variable, changes it to lowercase .. but then what? Does this change the sponsor_name to this value? What does the => do?

Since I'm using AD and already filling sponsor_name with the userprincipalname, I'm guessing the above code won't work? Simply replacing User-Name with userprincipalname didn't do much either.

My problem? The limit is simply ignored. Any ideas?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP

Re: Limiting automatic mac account creation?

Guess I was trying to do it a bit harder than required.

Below is the code that actually works. You may want to replace "studnr" with "sponsor_name" (or add a field studnr), as studnr is a field I added since it's more logical for my situation.

Unfortunately, the user still has no idea why his logon is failing. A redirect to a simple explanation might be better. Probably possible to code this, but as I don't have a clue how...

return
    (
        ($MAX_MAC_ACCOUNTS = 1)
        // studnr is a custom field holding the lowercased creator name
        && (NwaRadiusLocalServer()->GetUserCount(array(
                'studnr'      => strtolower(GetAttr('User-Name')),
                'delete_time' => 0,
                'mac_auth'    => 1)
            ) >= $MAX_MAC_ACCOUNTS)
        ? (AccessReject() && 0) : 1
    )
    && empty($user['mac_auth'])
    && NwaDynamicLoad('NwaCreateUser')
    && NwaDynamicLoad('NwaNormalizeMacAddress')
    && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
    && (
        (!empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'role_id'              => 8,
            'visitor_name'         => $user['username'],
            // stored lowercased so the lookup above matches it
            'studnr'               => strtolower($user['username']),
            'mac_auth_pair'        => $user['id'],
            'modify_expire_time'   => '12h',
            'auto_update_account'  => 1)))
        || (empty($user['id']) && NwaCreateUser(array(
            'creator_accept_terms' => 1,
            'role_id'              => 8,
            'mac'                  => $mac,
            'mac_auth'             => 1,
            'visitor_name'         => $user['username'],
            'studnr'               => strtolower(GetAttr('User-Name')),
            'modify_expire_time'   => '24h',
            'do_expire'            => 4,
            'auto_update_account'  => 1)))
    )
    && 0;

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba Employee

Re: Limiting automatic mac account creation?

Glad you figured it out. The purpose of strtolower is to lowercase the username received from the RADIUS request and lowercase the matching parameter in Amigopod's database. It is quite common for a samaccountname to be stored with uppercase characters such as "UserX1". The GetUserCount function is case sensitive, so if you searched for what most end users would enter for their username, "userx1", the function wouldn't give any results. By lowercasing both the input username and the AD/local username, you make the function case insensitive.

Unfortunately, it is not possible to redirect a failed attempt to a page explaining why. That will hopefully change when the controller supports RADIUS reply message responses and can feed those back to an "explanation" page.

You may want to consider not sending back AccessReject() if the user already has two devices registered.  The use case for this would be to only cache two MAC addresses for a user but still let the user on the network if they've reached their cached limit.

Change

? (AccessReject() && 0) : 1)

to:

? 0 : 1)
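
The decision logic of the role expressions above, modelled in Python as an added example (not Amigopod code; `normalize_mac`, `count_mac_accounts` and `evaluate` are stand-ins for NwaNormalizeMacAddress, GetUserCount and the expression itself, and the account table is constructed). It reproduces the case mismatch that made the limit look ignored in the first post and the `? 0 : 1` variant suggested here.

```python
import re

MAX_MAC_ACCOUNTS = 1  # the limit the thread's expression sets


def normalize_mac(calling_station_id):
    """Stand-in for NwaNormalizeMacAddress (assumed behaviour):
    12 lowercase hex digits with any separators stripped."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits.lower()


def count_mac_accounts(accounts, sponsor):
    """Stand-in for GetUserCount(sponsor_name=..., delete_time=0, mac_auth=1).
    As the thread notes for the real call, the match is case sensitive."""
    return sum(1 for a in accounts
               if a["mac_auth"] == 1 and a["delete_time"] == 0
               and a["sponsor_name"] == sponsor)


def evaluate(accounts, user_name, calling_station_id,
             lowercase_stored=True, reject_over_limit=True):
    """One RADIUS request through the role expression's decision logic.
    Returns 'reject', 'accept-uncached' or 'accept-cached'; on the last it
    appends the new MAC account to `accounts` (a constructed stand-in table)."""
    lookup = user_name.lower()  # strtolower(GetAttr('User-Name'))
    if count_mac_accounts(accounts, lookup) >= MAX_MAC_ACCOUNTS:
        # Thread's version: AccessReject(). Aruba's '? 0 : 1' variant:
        # let the user on, just cache no further device.
        return "reject" if reject_over_limit else "accept-uncached"
    mac = normalize_mac(calling_station_id)
    accounts.append({
        "username": mac,
        "mac_auth": 1,
        "delete_time": 0,
        # Storing the raw AD name ("UserX1") is what makes the limit look
        # ignored: the lowercased lookup never matches it.
        "sponsor_name": lookup if lowercase_stored else user_name,
    })
    return "accept-cached"


def demo(lowercase_stored):
    """The same AD user registers two devices; returns both decisions."""
    db = []  # constructed: empty account table
    first = evaluate(db, "UserX1", "AA-BB-CC-DD-EE-01", lowercase_stored)
    second = evaluate(db, "UserX1", "aa:bb:cc:dd:ee:02", lowercase_stored)
    return first, second
```

`demo(True)` enforces the limit on the second device, while `demo(False)` shows the mixed-case sponsor slipping past the lowercased lookup.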

MVP

Re: Limiting automatic mac account creation?

A few more questions..

1) I am using SMS receipts to have a 'sort of' authentication for the self-registered accounts. When I edit something such as the duration of an account, however, SMSs are also being sent.

Is it possible to choose when SMSs are sent? For example: only on account creation or when an account password is changed? I cannot seem to find a setting for this.

2) I'm using mac_auth_pair to link the mac-device that is created to the account that created it. I allow up to 3 devices to be created however. Any way to link all 3 devices to the account? Currently only the last device added seems to be linked.

3) My customer indicated he'd rather have the self-registration boxes immediately on the web login page we're serving all clients, instead of having to click through to the guest_register page.

I found the following function in the manual, which seems to be intended for exactly my problem but I cannot get it to include the guest_register.php file. It keeps complaining about being unable to read the resource.

Anyone know what the exact syntax would be to include this guest_register.php file?

{include file="public/included_file.html"}

Koen (ACMX #351 | ACDX #547 | ACCP)
