Re: add realm to user based on NAS-IP



Alexander Papenburg wrote:
Hi Arran, hi Alexander and hi Freeradius-List,

I ran into problems regarding the Proxy-To-Realm thing... :(

My Setup:

10.0.0.1 A cisco Router
10.0.1.20 My Terminal
192.168.0.1 Radius (Home Server)
192.168.0.2 Radius (Proxy)


At first a successful login with username abc@realm:

--snip1--
        User-Name = "abc@realm"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Looking up realm "realm" for User-Name = "abc@realm"
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Found realm "realm"
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Proxying request from user abc to realm realm
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Adding Realm = "realm"
Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Preparing to proxy authentication request to realm "realm"
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "suffix" returns updated for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "files" returns notfound for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 0
Tue Apr 10 19:41:10 2007 : Debug:  proxy: creating 688187c3:1812
Tue Apr 10 19:41:10 2007 : Debug:  proxy: allocating 688187c3:1812 0
Sending Access-Request of id 0 to 192.168.0.1 port 1812
        User-Name = "abc@realm"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=0, length=24
Tue Apr 10 19:41:10 2007 : Debug:  proxy: de-allocating 688187c3:1812 0
Tue Apr 10 19:41:10 2007 : Debug: rl_next:  returning NULL
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 got semaphore
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 handling request 0, (1 handled so far)
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Processing the post-proxy section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group post-proxy for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall[post-proxy]: module "eap" returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group post-proxy (returns noop) for request 0
Tue Apr 10 19:41:10 2007 : Debug: authorize: Skipping authorize in post-proxy stage
Tue Apr 10 19:41:10 2007 : Debug:   rad_check_password:  Found Auth-Type
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 86 to 10.0.0.1 port 1645
Tue Apr 10 19:41:10 2007 : Debug: Finished request 0
Tue Apr 10 19:41:10 2007 : Debug: Going to the next request
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 waiting to be assigned a request
Tue Apr 10 19:41:10 2007 : Debug: Waking up in 31 seconds...
--snip1--


Now trying Alexander's (Klepikov) hint with the following in "hints"

 >DEFAULT Suffix !~ "@."
 >        Realm = "%{NAS-IP-Address:-unknown}"


--snip2--
        User-Name = "abc"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:42:41 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:42:41 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:42:41 2007 : Debug:   hints: Matched DEFAULT at 77
Tue Apr 10 19:42:41 2007 : Debug: radius_xlat:  '10.0.0.1'
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:42:41 2007 : Debug: rlm_realm: Request already proxied. Ignoring.
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:42:41 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "files" returns notfound for request 0
Tue Apr 10 19:42:41 2007 : Debug: modcall: leaving group authorize (returns ok) for request 0
Tue Apr 10 19:42:41 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Apr 10 19:42:41 2007 : Debug: auth: Failed to validate the user.
Tue Apr 10 19:42:41 2007 : Debug: Delaying request 0 for 1 seconds
Tue Apr 10 19:42:41 2007 : Debug: Finished request 0
Tue Apr 10 19:42:41 2007 : Debug: Going to the next request
Tue Apr 10 19:42:41 2007 : Debug: Thread 1 waiting to be assigned a request
--snip2--

At last trying Arran's hint with the following in "users"
 >DEFAULT
 >        NAS-IP-Address == 10.0.1.20, Proxy-To-Realm = "realm",
 >        User-Name = "%{User-Name}@realm"

--snip3--
        User-Name = "abc"
        Reply-Message = "Password: "
        User-Password = "testtest"
        NAS-Port = 2
        NAS-Port-Id = "tty2"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.0.1.20"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:44:45 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:44:45 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:44:45 2007 : Debug: rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
Tue Apr 10 19:44:45 2007 : Debug:     rlm_realm: No such realm "NULL"
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:44:45 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:44:45 2007 : Debug: users: Matched entry DEFAULT at line 215
Tue Apr 10 19:44:45 2007 : Debug: radius_xlat:  'abc@realm'
Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "files" returns ok for request 0
Tue Apr 10 19:44:45 2007 : Debug: modcall: leaving group authorize (returns ok) for request 0
Tue Apr 10 19:44:45 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Apr 10 19:44:45 2007 : Debug: auth: Failed to validate the user.
Tue Apr 10 19:44:45 2007 : Debug: Delaying request 0 for 1 seconds
Tue Apr 10 19:44:45 2007 : Debug: Finished request 0
Tue Apr 10 19:44:45 2007 : Debug: Going to the next request
Tue Apr 10 19:44:45 2007 : Debug: Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.0.0.1:1645, id=89, length=93
Sending Access-Reject of id 89 to 10.0.0.1 port 1645
--snip3--


Where is my mistake? The FreeRADIUS package is the latest in the Debian stable (4.0) branch (freeradius_1.1.3-3_i386).


Regards Alex

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hmmm, I don't think Alexander's will work, as you still need something to actually trigger the proxying process. Or at least I thought you did? And that can be an rlm_realm instance or a Proxy-To-Realm check item...
Just setting the Realm attribute isn't enough.

With mine the entry in users should be

DEFAULT NAS-IP-Address == 10.0.1.20, Proxy-To-Realm = "realm"
	User-Name = "%{User-Name}@realm"

That's NAS-IP-Address and Proxy-To-Realm as check items
and User-Name as a reply item.

You should also comment out any rlm_realm instances in the authorize section.

Such as suffix and ipass.

Now if you want a better way of doing this, that is, proxying a user to a realm based on the NAS-IP-Address,
like:

User with NAS-IP-Address 10.0.1.20 gets proxied to realm 10.0.1.20
and username gets rewritten to user@10.0.1.20.

Then you should be able to use Alexander's hint,
but modify the User-Name instead.


DEFAULT Suffix !~ "@."
	User-Name = "%{User-Name}@%{NAS-IP-Address:-unknown}"

Then use the 'suffix' instance in authorize.

What should happen is: the user request comes in;
if its suffix does not already contain a realm,
then the User-Name in the request packet is rewritten to User@NAS-IP-Address.

Then in the authorize section,

the suffix instance will split the username back into user and NAS-IP-Address,
and proxy to a realm with a name equal to the NAS-IP-Address.

---
Arran
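Added example (mine, not from the thread or from FreeRADIUS): a small Python script that reads radiusd -X output of the kind pasted in the three snips above and reduces each run to the lines that decide routing: the incoming User-Name and NAS-IP-Address, each module's return code, what rlm_realm said, where the request was proxied, and the final Access-Accept or Access-Reject sent back to the NAS. Fed trimmed excerpts of the three snips (embedded below, kept in the archive's fused-line form), it reports that snip1 was proxied to 192.168.0.1:1812 after suffix returned updated, that snip2 was never proxied because rlm_realm logged "Request already proxied. Ignoring." once hints had set Realm, and that snip3 was never proxied because the bare User-Name matched no realm and nothing after that triggered proxying. The regexes assume the FreeRADIUS 1.x debug wording shown above; newer versions phrase these lines differently.

```python
"""Summarise one request from FreeRADIUS 1.x 'radiusd -X' output. Added example
for this thread, not FreeRADIUS code: it keeps only the lines that decide a
request's fate (module rcodes, rlm_realm's decision, proxy target, final reply).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_TS = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : Debug:"  # e.g. "Tue Apr 10 19:41:10 2007 : Debug:"
_PREFIX = re.compile(rf"^{_TS}\s*")
_ATTR = re.compile(r"^([\w-]+) = (.+)$")
_MODULE = re.compile(r'modcall\[([\w-]+)\]: module "([^"]+)" returns (\w+)')
_REALM = re.compile(r"rlm_realm: (.*)")
_PROXY = re.compile(r"Sending Access-Request of id \d+ to (\S+) port (\d+)")
_FINAL = re.compile(r"Sending (Access-Accept|Access-Reject) of id \d+")

@dataclass
class RequestTrace:
    attrs: Dict[str, str] = field(default_factory=dict)  # incoming Access-Request attributes
    modules: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, module, rcode)
    realm_notes: List[str] = field(default_factory=list)  # everything rlm_realm reported
    proxied_to: Optional[str] = None  # "host:port" of the home server, if any
    final: Optional[str] = None  # Access-Accept / Access-Reject sent to the NAS

def split_debug_lines(text: str) -> List[str]:
    """One statement per line, timestamp prefix removed. Mail archives (this
    thread included) fuse several timestamped statements onto one physical
    line; splitting in front of every timestamp undoes that."""
    out = []
    for physical in text.splitlines():
        for part in re.split(rf"(?={_TS})", physical):
            if part.strip():
                out.append(_PREFIX.sub("", part.strip()))
    return out

def parse_trace(text: str) -> RequestTrace:
    trace = RequestTrace()
    in_packet_dump = True  # attribute lines printed before any section runs
    for line in split_debug_lines(text):
        if line.startswith("Processing the "):
            in_packet_dump = False
        if in_packet_dump:
            if m := _ATTR.match(line):
                trace.attrs[m.group(1)] = m.group(2).strip('"')
        elif m := _MODULE.search(line):
            trace.modules.append((m.group(1), m.group(2), m.group(3)))
        elif m := _REALM.search(line):
            trace.realm_notes.append(m.group(1).strip())
        elif m := _PROXY.search(line):
            trace.proxied_to = f"{m.group(1)}:{m.group(2)}"
        elif m := _FINAL.search(line):
            trace.final = m.group(1)
    return trace

def diagnose(trace: RequestTrace) -> str:
    """One-line reading of why the request ended the way it did."""
    if trace.proxied_to:
        return f"proxied to {trace.proxied_to}; home server answered {trace.final}"
    if any(n.startswith("Request already proxied") for n in trace.realm_notes):
        return ("rlm_realm skipped the request because a Realm attribute was "
                "already present; nothing else triggered proxying")
    if any(n.startswith("No such realm") for n in trace.realm_notes):
        return "User-Name carried no known realm suffix; nothing triggered proxying"
    return f"no proxy decision recorded; result {trace.final}"

# Trimmed excerpts of the three runs posted above, kept in the archive's
# fused-line form so split_debug_lines() has something to undo.
SNIP1 = """\
        User-Name = "abc@realm"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of radiusd.conf Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Looking up realm "realm" for User-Name = "abc@realm"
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Found realm "realm"
Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "suffix" returns updated for request 0
Sending Access-Request of id 0 to 192.168.0.1 port 1812
Sending Access-Accept of id 86 to 10.0.0.1 port 1645
"""
SNIP2 = """\
        User-Name = "abc"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:42:41 2007 : Debug: Processing the authorize section of radiusd.conf Tue Apr 10 19:42:41 2007 : Debug:   hints: Matched DEFAULT at 77
Tue Apr 10 19:42:41 2007 : Debug: rlm_realm: Request already proxied. Ignoring. Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Tue Apr 10 19:42:41 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""
SNIP3 = """\
        User-Name = "abc"
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:44:45 2007 : Debug: Processing the authorize section of radiusd.conf Tue Apr 10 19:44:45 2007 : Debug: rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
Tue Apr 10 19:44:45 2007 : Debug:     rlm_realm: No such realm "NULL"
Tue Apr 10 19:44:45 2007 : Debug: users: Matched entry DEFAULT at line 215 Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "files" returns ok for request 0
Tue Apr 10 19:44:45 2007 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sending Access-Reject of id 89 to 10.0.0.1 port 1645
"""

if __name__ == "__main__":
    for name, snip in (("snip1", SNIP1), ("snip2", SNIP2), ("snip3", SNIP3)):
        t = parse_trace(snip)
        print(f"{name}: User-Name={t.attrs.get('User-Name')!r} from NAS {t.attrs.get('NAS-IP-Address')}")
        print(f"  => {diagnose(t)}")
```

Two things the summary makes visible that are worth checking before applying the fix from the reply. First, the snip3 users entry tests NAS-IP-Address == 10.0.1.20, but every request in the three snips carries NAS-IP-Address = 10.0.0.1 (the router; 10.0.1.20 appears only as the terminal's Calling-Station-Id), so even with that comparison moved onto the DEFAULT line as a check item the entry would not match these requests. Second, NAS-IP-Address is whatever the NAS wrote into the packet; the address the server actually authenticated against clients.conf is the packet's source address, which FreeRADIUS exposes as Packet-Src-IP-Address. If the choice of home server must depend on which client really sent the request, key the check item or the realm rewrite on that rather than on NAS-IP-Address.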