Add reply attributes to a proxy radius response

Paul TAVERNIER paul.tavernier at ac-rouen.fr
Mon Nov 3 15:19:29 CET 2008


	Hi all,

	I run FreeRADIUS 2.1, a Cisco ASA and RSA SecurID "OTP" + RSA RADIUS.

	I set my Cisco ASA to authenticate against FreeRADIUS. On this 
FreeRADIUS server, I created a realm "OTP" which proxies the request to an 
RSA RADIUS server (the only one that can query the RSA SecurID OTP database). So when I 
authenticate as myuserlogin@OTP/Passcode with my Cisco VPN client, the 
authentication is successful. No problem. Here's the log:

======(log)
[suffix] Looking up realm "otp" for User-Name = "xxxxxxxxxx@otp"
[suffix] Found realm "otp"
[suffix] Adding Stripped-User-Name = "xxxxxxxxxx"
[suffix] Adding Realm = "otp"
[suffix] Proxying request from user xxxxxxxxxx to realm otp
[suffix] Preparing to proxy authentication request to realm "otp"
++[suffix] returns updated
...
rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4, 
length=85
	Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198
	Proxy-State = 0x313530
======(end of log)



	The second thing I want to do is to "import" the user's "policy group" 
(radiusClass) and his own IP address (radiusFramedIPAddress). Those 
attributes are located in an LDAP directory server. So I decided to add 
the "ldap" module in the authorization section of my FreeRADIUS config 
files. In the logs, I clearly see that FreeRADIUS is doing a great job 
(asking for and receiving my LDAP attrs):

======(log)
[ldap] performing user authorization for xxxxxxxxxx
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xxxxxxxxxx)
	expand: o=gouv,c=fr -> o=gouv,c=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
...
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xxxxxxxxxx)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: radiusClass -> Class = 0x646976696e666f
rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user xxxxxxxxxxx authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
======(end of log)


	My problem is that I finally get 2 successful auths (that is how I 
interpret it, sorry...), and FreeRADIUS "chooses" Auth-Type = Accept 
(the proxied RSA RADIUS response, which doesn't contain the Class and 
Framed-IP-Address I need to push to my Cisco ASA).

	
======(log)
Found Auth-Type = LDAP
Found Auth-Type = Accept
Warning:  Found 2 auth-types on request for user 'xxxxxxxxxxx'
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 150 to 192.168.1.2 port 1025
	Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018
Finished request 0.
======(end of log)

	In other words (sorry for being so long), I would love to authenticate 
against my RSA SecurID OTP boxes and concatenate RADIUS attributes found 
in an LDAP directory...

	Where should I go? The post_proxy module?

	Any help would be greatly appreciated.

	Kind regards,
	Paul

	
-- 
============================
Paul TAVERNIER
Equipe Reseaux-Securite
Division Informatique
Rectorat de ROUEN
	
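One way to get the LDAP reply attributes onto the Access-Accept that leaves for the ASA, as an added example that is not part of Paul's post and not taken from the FreeRADIUS documentation. It assumes FreeRADIUS 2.x unlang, a realm "otp" already defined in proxy.conf, rlm_ldap already mapping radiusClass and radiusFramedIPAddress to Class and Framed-IP-Address in ldap.attrmap (as the posted log shows it does), and that the ASA keys its group policy off the Class attribute. The idea behind it is the behaviour the log is consistent with: when the proxied reply comes back, the server discards the reply list that was built up in authorize and, after post-proxy has run, appends the home server's attributes to a fresh reply. So the LDAP values are parked in the control list, which survives proxying, and copied into the reply in post-proxy. The `!*` delete operator and the `%{control:...}` expansion are assumed to behave as in the 2.x unlang man page.

```unlang
# Added example, not from the original post or the FreeRADIUS project.
# Goes in the virtual server the Cisco ASA talks to (e.g. sites-available/default).
# Assumes: realm "otp" in proxy.conf, ldap module configured with
# radiusClass -> Class and radiusFramedIPAddress -> Framed-IP-Address.

authorize {
	preprocess
	suffix

	# rlm_ldap puts Class / Framed-IP-Address into the reply list.
	# That list does not survive the proxy round trip, so keep copies
	# in the control list, which does.
	ldap
	if (Proxy-To-Realm == "otp") {
		update control {
			Class             := "%{reply:Class}"
			Framed-IP-Address := "%{reply:Framed-IP-Address}"
		}
		# rlm_ldap set Auth-Type = LDAP because it found no password;
		# the proxied Access-Accept will add Auth-Type = Accept, which
		# is what produced the "Found 2 auth-types" warning. Drop the
		# LDAP one so the proxied result is the only Auth-Type left.
		update control {
			Auth-Type !* ANY
		}
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

post-proxy {
	# Runs on the reply from the RSA RADIUS server, before its
	# attributes are merged into the reply sent to the ASA.

	# The RSA server sends its own Class. If only the LDAP policy-group
	# Class should reach the ASA, remove the RSA one here (assumption:
	# the ASA uses Class for group policy; delete this block to send both).
	update proxy-reply {
		Class !* ANY
	}

	# Put the stashed LDAP attributes into the outgoing reply. The checks
	# avoid adding empty attributes for users without an LDAP entry.
	if ("%{control:Framed-IP-Address}" != "") {
		update reply {
			Framed-IP-Address := "%{control:Framed-IP-Address}"
		}
	}
	if ("%{control:Class}" != "") {
		update reply {
			Class := "%{control:Class}"
		}
	}
}
```

Test it with `radiusd -X`: the debug output should show the `update control` in authorize firing before "Proxying request from user ... to realm otp", and the final "Sending Access-Accept" should list both Framed-IP-Address and the LDAP Class, with no "Found 2 auth-types" warning. The same stash-and-replay pattern works for any other LDAP-sourced reply attribute; the control list is the only place where per-request state is guaranteed to be there when post-proxy runs in 2.x.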
More information about the Freeradius-Users mailing list