Autz-Type Config Clarification

Phil Mayers p.mayers at imperial.ac.uk
Mon Aug 21 13:40:42 CEST 2006


Nathan L. Cable wrote:
> I'm setting up a Radius environment which covers several physical sites.
> Usernames and passwords come from an Active Directory server via ntlm_auth.
> Each site has a group in the NT domain.  So, it would be nice to have
> multiple auth-types for each area.

You don't want and probably shouldn't use multiple auth-types. You want, 
as per your subject line, multiple Autz-Types. The behaviour of the 
mschap module can be controlled by setting variables based on Autz-Type 
then using them later on.

> 
> For clarification, I've tested my server without the Autz-type arguments
> (ie, only using the one mschap instance), and everything works fine.
> Everything also works great if I declare multiple instances of mschap, and
> just have the radius server search through them in order - however, this
> seems to be a rather inefficient way of doing things.

It's also not guaranteed to work I think.

> 
> The debug output of radiusd indicates that my modules are being loaded, but
> when the client authenticates, it's not done so against an auth-type.
> 
> Any thoughts as to why this is not working?
> 
> Here are the relevant portions of my config files:
> 
> # radiusd.conf:
> 
> .
> .
> .
> modules {
>     .
>     .
>     .
>     mschap group1 {
>         authtype = group1
>         ...some config stuff...
>         }
>     mschap group2 {
>         authtype = group2
>         ...some config stuff...
>         }
> }
> .
> .
> .
> authorize {
>     preprocess
>     files
>     Autz-Type group1 {
>         group1
>     }
>     Autz-Type group2 {
>         group2
>     }
>     eap
> }
> 
> authenticate {
>     Auth-Type group1 {
>         group1
>     }
>     Auth-Type group2 {
>         group2
>     }
>     eap
> }
> .
> .
> .
> 
> # users
> DEFAULT Called-Station-Id == "00-11-22-33-44-55-66",Autz-Type := group1
> DEFAULT Autz-Type = group2

What precisely are you trying to do here?

You may be better off using the "ldap" module against the AD to pull the 
groups into the radius server and make decisions there, which is 
*separate* from the running of the authentication algorithm.

Failing that, you could do this:

DEFAULT	Called-Station-Id == "00-11-22-33-44-55"
	Tmp-String-1 = "group1"

DEFAULT
	Tmp-String-1 = "group2"

...then have:

modules {
  mschap {
   ntlm_auth = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users} --other-options"
  }
}

authorize {
  preprocess
  files
  mschap
  eap
}
authenticate {
   Auth-Type MSCHAP {
     mschap
   }
}

If you are on an older version of the server you may need to define the 
Tmp-String-1 attribute like so in "dictionary":

ATTRIBUTE	Tmp-String-1	3000	string
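A fuller version of the users-file plus mschap approach sketched above, as an added example rather than Phil's or Nathan's own configuration. The site MAC prefixes, the group names, the ntlm_auth path and the catch-all group "radius-no-site" are all assumptions; the ntlm_auth arguments other than --require-membership-of are the ones the stock mschap configuration uses. Because a continuation line in "users" holds reply items, the value lands in the reply list, which is why the module reads it back as %{reply:Tmp-String-1}; being an internal attribute numbered above 255 it is never encoded into the Access-Accept sent to the NAS.

```conf
# users  (MAC prefixes and group names are made up for this example)
#
# Choose the AD group each NAS requires.  "=~" is a regex match, so one
# entry covers every access point whose Called-Station-Id starts with
# the site's MAC prefix.  First matching entry wins (no Fall-Through).
DEFAULT	Called-Station-Id =~ "^00-11-22"
	Tmp-String-1 = "site1-wifi"

DEFAULT	Called-Station-Id =~ "^00-33-44"
	Tmp-String-1 = "site2-wifi"

# Unknown NAS: require a group that has no members, so an unlisted or
# mistyped access point cannot authenticate anyone.  Deliberately not
# "Domain Users", which every AD account belongs to.
DEFAULT
	Tmp-String-1 = "radius-no-site"

# radiusd.conf
modules {
  mschap {
    with_ntdomain_hack = yes
    # ntlm_auth accepts either a group name winbind can resolve or a
    # SID (S-1-5-21-...) after --require-membership-of.  The fallback
    # after ":-" has no spaces, so it survives argument splitting
    # whatever the server version does with quoting.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response} --require-membership-of=%{reply:Tmp-String-1:-radius-no-site}"
  }
}

authorize {
  preprocess
  files      # sets Tmp-String-1 before mschap looks at the request
  mschap     # sets Auth-Type := MSCHAP when MS-CHAP attributes are present
  eap
}

authenticate {
  Auth-Type MSCHAP {
    mschap
  }
  eap
}
```

With this layout there is exactly one mschap instance and no per-site Auth-Type; the only thing that varies per site is the group handed to ntlm_auth, and a request from an access point that matches no entry fails closed instead of falling back to a group everyone is in.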

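The alternative Phil mentions, letting the ldap module resolve AD group membership so the site decision is made in "users" and kept separate from the password check, as an added example and not configuration from the original thread. The DC hostname, bind DN and password, base DN, MAC prefixes and group names are assumptions; the ldap module option names (server, identity, password, basedn, filter, groupname_attribute, groupmembership_attribute) are the ones rlm_ldap uses, and sAMAccountName/memberOf are the Active Directory attributes that hold the login name and group list.

```conf
# radiusd.conf  (DC hostname, bind DN and base DN are made up)
modules {
  ldap {
    server = "dc1.example.local"
    identity = "CN=radius-bind,CN=Users,DC=example,DC=local"
    password = "bind-password-here"
    basedn = "DC=example,DC=local"
    # AD keeps the login name in sAMAccountName and the user's groups in memberOf
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_attribute = memberOf
  }
  mschap {
    with_ntdomain_hack = yes
    # Plain ntlm_auth: the group decision is no longer made here
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
  }
}

authorize {
  preprocess
  files
  mschap
  eap
}

authenticate {
  Auth-Type MSCHAP {
    mschap
  }
  eap
}

# users
# Ldap-Group is a check item the ldap module registers; it looks the user
# up in AD when the entry is evaluated.  The first matching entry wins, so
# a user at an access point whose site group they are not in reaches the
# final entry and is rejected before any password check runs.
DEFAULT	Called-Station-Id =~ "^00-11-22", Ldap-Group == "site1-wifi"

DEFAULT	Called-Station-Id =~ "^00-33-44", Ldap-Group == "site2-wifi"

DEFAULT	Auth-Type := Reject
	Reply-Message = "Not authorised at this site"
```

The trade-off against the ntlm_auth approach is an extra LDAP query per request in exchange for a group check that is visible in the users file and in debug output, and that rejects before MS-CHAP is even attempted.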


More information about the Freeradius-Users mailing list