proxy DEFAULT realm bug-o-feature?

Stefan Winter stefan.winter at restena.lu
Tue Oct 17 21:20:17 CEST 2006


Hello!

Let me be the first to say: what a brain-dead scenario. Not your fault, of 
course - it's just an incredibly dumb device.
In any case, assigning a string to an IPADDR field will very probably not 
work, period. How about

> My RADIUS server is a third party POS that relies on NAS-IP-Address to
> match up the origin of the RADIUS request with the Realm it belongs
> to.  

using a different RADIUS server that doesn't rely on stupid things? If that's 
not an option, read on.

> This presents an obvious problem when one device needs to be used 
> from multiple Realms.  To further complicate the issue, the
> originating device has no way to convey the Realm outside of the
> User-Name field.  I am using FreeRADIUS as a proxy between the device
> that has control over User-Name and RADIUS server that decides what
> Realm to use based on NAS-IP-Address.  The configuration on the device
> allows me to put:
> some_user1@10.0.0.1
> and
> some_user1@10.0.0.2

Let's assume a device shall belong to realms 10.0.0.1 and 10.0.0.2. Then you 
could do in the users file:

DEFAULT	User-Name =~ ".*@10.0.0.1"
		NAS-IP-Address := 10.0.0.1

DEFAULT	User-Name =~ ".*@10.0.0.2"
		NAS-IP-Address := 10.0.0.2

and proxy to DEFAULT Realm. That way you can leave proxy.conf untouched in the 
future, having only one DEFAULT realm entry there. Still, you would need to 
have a separate entry for each NAS+Realm combination in the users file.

> FreeRADIUS receives this request, strips off the Realm, and substitutes
> the Realm (10.0.0.x) into the NAS-IP-Address field. 

Which doesn't work, unfortunately.

> When RADIUS server receives the request, it is able to properly handle it in
> the appropriate Realm by finding the realm with the correct IP address.
>
> The above example has two Realms.  In reality I have 40+ and growing.
> I can solve it by copying and pasting:
> realm 10.0.0.1 { ... }
> realm 10.0.0.2 { ... }
> ...
> realm 10.0.0.40 { ... }
> 40 times and update in the future when I need more.  Instead, I tried
> to be "smarter" by using the default realm, that way I need to only
> have a single realm statement in config and it will work "forever".

See above, you can have your DEFAULT realm. But that isn't really smarter, the 
manual c&p work just goes elsewhere.

> When I did this, I find that the suffix module is actually returning
> the string DEFAULT instead of actual Realm name, so the real Realm
> name is lost and can not be used in the preproxy_user rules (in my
> case to put it into the NAS-IP-Address field.)

The reason for that is that the part after the @ in User-Name doesn't match 
any configured realm in proxy.conf. So it's caught by the DEFAULT realm.

> I hope the explanation above makes sense.  Thanks in advance for your
> help (and a great RADIUS proxy server: it works (seemingly) flawlessly
> as long as DEFAULT is not used.)

One final thing: if you dare to write a shell or perl program you could make 
it really clever even without the users file... write a shell script to be 
executed with Exec-Program-Wait whose input parameter is User-Name and output 
is NAS-IP-Address. All your shell code has to do is take the realm part and 
write it to stdout as
NAS-IP-Address = yourrealmgoeshere
In this case, FreeRADIUS would (hopefully) parse this string-based output and 
convert it into the IP address you are looking for.
The more I think of this, this is probably the most beautiful solution. Just 
be aware that executing a script at every authentication uses more processor 
resources, so if you are running a *heavy* duty system, it might be a 
bottleneck.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
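
One way to write the Exec-Program-Wait helper sketched in the reply above, as an added example that is not part of the original thread: a POSIX sh script that takes the User-Name as its first argument and only emits NAS-IP-Address when the realm part is a well-formed IPv4 address, since that part of User-Name is chosen by the client and would otherwise land unchecked in an IPADDR attribute. How FreeRADIUS hands the attribute to the script and parses its stdout is assumed here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: the User-Name -> NAS-IP-Address
# mapper sketched above for Exec-Program-Wait. Assumes FreeRADIUS passes the
# User-Name as $1 and parses "Attribute = value" lines from stdout.

# Print the realm part of a User-Name (text after the last '@'); fail if none.
realm_of() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   return 1 ;;
    esac
}

# Accept only a dotted quad with four octets in 0..255 and no leading zeros,
# so client-chosen text never reaches an IPADDR attribute.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in 0?*) return 1 ;; esac
        [ "${#oct}" -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
}

# Map a User-Name to the attribute line FreeRADIUS parses, or return non-zero
# so the request is rejected rather than proxied with a bogus NAS-IP-Address.
map_user() {
    realm=$(realm_of "$1") || return 1
    is_ipv4 "$realm" || return 1
    printf 'NAS-IP-Address = %s\n' "$realm"
}

# When invoked by Exec-Program-Wait, act on the first argument.
if [ -n "$1" ]; then
    map_user "$1"
fi
```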




