user group problems, my logic or freeradius limitation

tnt at kalik.net
Tue Nov 4 14:29:27 CET 2008


Sorry, you have a problem with users in multiple groups. What I posted will
have no effect. You should create a different huntgroup - add every NAS
that groups wilab2 and nolab are allowed to connect to. Then remove that
users file entry and add:

DEFAULT   Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2"
                 Fall-Through = yes

DEFAULT   Huntgroup-Name == "nolab", Etc-Group-Name == "nolab"
                 Fall-Through = yes

Ivan Kalik
Kalik Informatika ISP

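The matching behaviour behind this exchange, as an added example that is not part of the original thread and not FreeRADIUS, Ivan's or Walt's code: a small Python model of how a users-file entry is matched against a request that carries several instances of Etc-Group-Name. It parses the users-file text as posted and models the check-item semantics the debug output shows (a `!=` check is satisfied as soon as any instance of the attribute differs, so a negative check on a multi-valued attribute misfires for multi-group users). The semantics in `check_matches()`, the treatment of Huntgroup-Name as a plain request attribute, and the explicit deny entry in the allow-list variant are assumptions made here; the deny entry goes beyond the posted reply, which contains none, and the last variant shows why an allow entry that sets Fall-Through = yes must not be followed by such a deny.

```python
"""Model of how FreeRADIUS 2.x matches a users-file entry against a request
that carries several instances of one attribute (Etc-Group-Name, as added by
the rlm_passwd instance "etc_group" in the thread).  Constructed model for
illustration, not FreeRADIUS code; the check-item semantics are assumptions
stated in check_matches()."""
import re

# Constructed data mirroring the posted group_file and huntgroups files.
GROUP_FILE = {"wilab": ["walt", "walter"],
              "wilab2": ["walter", "walter01"],
              "nolab": ["walter01"]}
HUNTGROUPS = {"ILAB": {"10.11.224.36"}}

# The users file as posted: a negative (!=) check on a multi-valued attribute.
POSTED_USERS = '''
DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
                Fall-Through = no

walt    Cleartext-Password := "walter01"
walter  Cleartext-Password := "walter01"
walter01        Cleartext-Password := "walter01"
'''

# Allow-list form: positive membership check, then an explicit deny.  The
# deny entry is an assumption added here; it is not in the posted reply.
# Passwords are left to the authentication backend (Kerberos in production).
ALLOWLIST_USERS = '''
DEFAULT Huntgroup-Name == "ILAB", Etc-Group-Name == "wilab"
DEFAULT Huntgroup-Name == "ILAB", Auth-Type := Reject
'''

# Same allow list, but the allow entry falls through as in the posted reply:
# members then reach the deny entry as well.
FALLTHROUGH_USERS = '''
DEFAULT Huntgroup-Name == "ILAB", Etc-Group-Name == "wilab"
                Fall-Through = yes
DEFAULT Huntgroup-Name == "ILAB", Auth-Type := Reject
'''

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Parse users-file text into entries.  A line starting in column 0 opens
    an entry (name plus check/config items); indented lines carry reply items,
    of which only Fall-Through matters for matching."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0] not in " \t":
            entries.append({
                "name": line.split()[0],
                "checks": [(a, op, v) for a, op, v in items if op in ("==", "!=")],
                "config": {a: v for a, op, v in items if op == ":="},
                "fall_through": False})
        else:
            for a, _op, v in items:
                if a == "Fall-Through":
                    entries[-1]["fall_through"] = v.lower() == "yes"
    return entries


def build_request(user, nas_ip):
    """Request attributes as (name, value) pairs; duplicates are kept, exactly
    as rlm_passwd adds one Etc-Group-Name per matching group_file line.
    Huntgroup-Name is modelled as a plain attribute filled in from HUNTGROUPS."""
    req = [("User-Name", user), ("NAS-IP-Address", nas_ip)]
    req += [("Huntgroup-Name", hg) for hg, nas in HUNTGROUPS.items() if nas_ip in nas]
    req += [("Etc-Group-Name", g) for g, members in GROUP_FILE.items() if user in members]
    return req


def check_matches(req, attr, op, value):
    """Assumed semantics: a check item is satisfied if ANY instance of attr
    satisfies the comparison, and an absent attribute satisfies neither ==
    nor !=.  This is what the debug output in the thread shows for !=: with
    both wilab2 and wilab present, 'Etc-Group-Name != "wilab"' matched."""
    instances = [v for a, v in req if a == attr]
    if op == "==":
        return value in instances
    return any(v != value for v in instances)          # op == "!="


def evaluate(entries, user, nas_ip):
    """First-match processing: the first entry whose name and check items all
    match applies; later entries are consulted only while Fall-Through = yes.
    Returns (names of matched entries, forced Auth-Type or None)."""
    req = build_request(user, nas_ip)
    matched, config = [], {}
    for e in entries:
        if e["name"] not in ("DEFAULT", user):
            continue
        if not all(check_matches(req, *c) for c in e["checks"]):
            continue
        matched.append(e["name"])
        config.update(e["config"])
        if not e["fall_through"]:
            break
    return matched, config.get("Auth-Type")


if __name__ == "__main__":
    for label, users in (("posted", POSTED_USERS), ("allow-list", ALLOWLIST_USERS),
                         ("allow-list + fall-through", FALLTHROUGH_USERS)):
        entries = parse_users(users)
        for user in ("walt", "walter", "walter01"):
            print(label, user, evaluate(entries, user, "10.11.224.36"))
```

Running the model reproduces the two debug sessions: walt (only wilab) skips the posted DEFAULT entry and reaches his own, while walter (wilab and wilab2) satisfies `Etc-Group-Name != "wilab"` through the wilab2 instance and is rejected. With the positive `==` check the multi-group user is admitted and walter01, who is in neither wilab nor the entry's huntgroup allow list, hits the deny; the same allow entry with Fall-Through = yes lets members fall into the deny as well, which is why a positive allow entry that precedes a deny must stop processing, with passwords coming from the authentication backend rather than from later users-file entries.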

On 4/11/2008, "Reynolds, Walter" <waltr at umich.edu> wrote:

>I am trying to find a good way to limit who is able to log in at specific NASes.  I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS.  So I figured the best way was to use groups.  The users are not account holders on the system, so I could not use the 'Group' option in huntgroups.  I also do not have a database backend, so I wanted to use a local file.
>
>So in looking I saw that I could do the following:
>
>1. modules/etc_group - Define a local file with a group list
>2. Created the group file referenced in etc_group
>3. Added a dictionary item for the attribute
>4. Add the desired NAS to a huntgroup
>5. Set a policy in the users file to be based on the list.
>
>Where I am having a problem is if the user is assigned to more than one group.  As you can see from the first debug output below, if a user is a member of the group alone it works fine.  But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match.
>
>The reason I need users in more than one group is if they are affiliated with more than one department.  Support staff will also need more than one affiliation to be able to troubleshoot connecting on each NAS.
>
>In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file.
>
>So, is this an error in my logic/setup or is this a limitation I have with FreeRADIUS?  Is there some other way to do this?
>
>
>===============
>
>/usr/local/etc/raddb/modules/etc_group
>
>passwd etc_group {
>       filename = /usr/local/etc/raddb/group_file
>       format = "~Etc-Group-Name:*,User-Name"
>       hashsize = 150
>       ignorenislike = yes
>       allowmultiplekeys = yes
>       delimiter = ":"
>}
>
>================
>
>/usr/local/etc/raddb/group_file
>
>wilab:walt,walter
>wilab2:walter,walter01
>nolab:walter01
>
>=================
>
>/usr/local/etc/raddb/dictionary
>
>ATTRIBUTE       Etc-Group-Name          3000    string
>
>=================
>
>/usr/local/etc/raddb/huntgroups
>
>ILAB            NAS-IP-Address == 10.11.224.36
>
>=================
>
>/usr/local/etc/raddb/users  (added line numbers for the debug)
>
>
>    102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
>    103                 Fall-Through = no
>    104
>    105 walt    Cleartext-Password := "walter01"
>    106 walter  Cleartext-Password := "walter01"
>    107 walter01        Cleartext-Password := "walter01"
>
>
>-------------------------------
>
>
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131
>        User-Name = "walt"
>        User-Password = "walter01"
>        NAS-IP-Address = 10.11.224.36
>        Service-Type = Login-User
>        Framed-IP-Address = 192.168.135.25
>        Called-Station-Id = "00:07:E9:D1:8F:C2"
>        NAS-Identifier = "Bluesocket"
>        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
>        NAS-Port-Type = Wireless-802.11
>Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
>Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL
>Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
>Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
>Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
>Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
>Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
>Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
>Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
>Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
>Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
>Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
>Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
>Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
>Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
>Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
>Tue Nov  4 07:09:21 2008 : Info: +- entering group post-auth {...}
>Tue Nov  4 07:09:21 2008 : Info: ++[exec] returns noop
>Sending Access-Accept of id 111 to 10.11.224.36 port 32783
>Tue Nov  4 07:09:21 2008 : Info: Finished request 0.
>
>
>=======================
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
>        User-Name = "walter"
>        User-Password = "walter01"
>        NAS-IP-Address = 10.11.224.36
>        Service-Type = Login-User
>        Framed-IP-Address = 192.168.135.25
>        Called-Station-Id = "00:07:E9:D1:8F:C2"
>        NAS-Identifier = "Bluesocket"
>        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
>        NAS-Port-Type = Wireless-802.11
>Tue Nov  4 07:09:49 2008 : Info: +- entering group authorize {...}
>Tue Nov  4 07:09:49 2008 : Info: ++[preprocess] returns ok
>Tue Nov  4 07:09:49 2008 : Info: ++[chap] returns noop
>Tue Nov  4 07:09:49 2008 : Info: ++[mschap] returns noop
>Tue Nov  4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL
>Tue Nov  4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov  4 07:09:49 2008 : Info: ++[suffix] returns noop
>Tue Nov  4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov  4 07:09:49 2008 : Info: ++[eap] returns noop
>Tue Nov  4 07:09:49 2008 : Info: ++[unix] returns notfound
>Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items
>Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
>Tue Nov  4 07:09:49 2008 : Info: ++[etc_group] returns ok
>Tue Nov  4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102
>Tue Nov  4 07:09:49 2008 : Info: ++[files] returns ok
>Tue Nov  4 07:09:49 2008 : Info: ++[expiration] returns noop
>Tue Nov  4 07:09:49 2008 : Info: ++[logintime] returns noop
>Tue Nov  4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it.
>Tue Nov  4 07:09:49 2008 : Info: ++[pap] returns noop
>Tue Nov  4 07:09:49 2008 : Info: Found Auth-Type = Reject
>Tue Nov  4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
>Tue Nov  4 07:09:49 2008 : Info: Failed to authenticate the user.
>Tue Nov  4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
>Tue Nov  4 07:09:49 2008 : Info: +- entering group REJECT {...}
>Tue Nov  4 07:09:49 2008 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> walter
>Tue Nov  4 07:09:49 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
>Tue Nov  4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
>Tue Nov  4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
>Tue Nov  4 07:09:49 2008 : Debug: Going to the next request
>Tue Nov  4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
>Tue Nov  4 07:09:50 2008 : Info: Sending delayed reject for request 1
>Sending Access-Reject of id 112 to 10.11.224.36 port 32783
>Tue Nov  4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
>Tue Nov  4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39
>Tue Nov  4 07:09:55 2008 : Debug: Ready to process requests.
>
>
>
>
>--
>Walt Reynolds
>Principal Systems Security Development Engineer
>Information Technology Central Services
>University of Michigan
>(734) 615-9438
>
>
>
>



