user group problems, my logic or freeradius limitation

Reynolds, Walter waltr at umich.edu
Tue Nov 4 17:20:41 CET 2008


The first comment you gave mentioned to put the Etc-Group-Name in the huntgroups file.  This unfortunately does not work as it will only accept system groups (and users do not have accounts for this system).

This option does not scale if I am understanding you right.

I would have to add a section for each user for every huntgroup.  If I have 20 administrators and 20 huntgroups I would have to create 400 entries just for them.  With the number of users I would have to deal with this would not scale.

It seems like there should be an easy way to deal with users in more than one group.

>Date: Tue, 04 Nov 2008 14:33:26 +0100
>From: <tnt at kalik.net>
>Subject: Re: user group problems, my logic or freeradius limitation
>
>Sorry, my brain is like sieve today.
>
>Not DEFAULT but user entries (as I said in the text):
>
>walt   password, huntgroup, group
>fall-through
>
>walt   bpassword, huntgroup, group
>
>Ivan Kalik
>Kalik Informatika ISP

>
> Date: Tue, 04 Nov 2008 14:29:27 +0100
> From: <tnt at kalik.net>
> Subject: Re: user group problems, my logic or freeradius limitation
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <TWkceAyP.1225805367.8814670.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Sorry, you have a problem with users in multiple groups. What I posted will
> have no effect. You should create a different huntgroup - add every NAS
> that groups wilab2 and nolab are allowed to connect to. Then remove that
> users file entry and add:
>
> DEFAULT   Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2"
>                  Fall-Through = yes
>
> DEFAULT   Huntgroup-Name == "nolab", Etc-Group-Name == "nolab"
>                  Fall-Through = yes
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 4/11/2008, "Reynolds, Walter" <waltr at umich.edu> writes:
>
> >I am trying to find a good way to limit who is able to login at specific NAS's.  I
> >know I could add all the allowed user names to the Huntgroups file, but this can
> >get tedious as I must do it for each NAS.  So I figured the best way was to use
> >groups.  The users are not account holders on the system, so I could not use
> >the 'Group' option in huntgroups.  I also do not have a database backend so
> >wanted to use a local file.
> >
> >So in looking I saw that I could do the following:
> >
> >1. modules/etc_group - Define a local file with a group list
> >2. Created the group file referenced in etc_group
> >3. Added a dictionary item for the attribute
> >4. Add the desired NAS to a huntgroup
> >5. Set a policy in the users file to be based on the list.
> >
> >Where I am having a problem is if the user is assigned to more than one
> >group.  As you can see from the first debug output from below, if a user is a
> >member of the group alone it works fine.  But the second debug shows that if a
> >user is a member of more than one group, even if one is the right one, it will not
> >work because one of the groups does not match.
> >
> >The reason I need users in more than one group is if they are affiliated with
> >more than one department.  Also will need more than one affiliation for support
> >to be able to troubleshoot connecting on each NAS.
> >
> >In case it matters, the back end authentication is Kerberos on our production
> >service but for this test I just have some local accounts defined in the users file.
> >
> >So, is this an error in my logic/setup or is this a limitation I have with
> >Freeradius?  Is there some other way to do this?
> >
> >
> >===============
> >
> >/usr/local/etc/raddb/modules/etc_group
> >
> >passwd etc_group {
> >       filename = /usr/local/etc/raddb/group_file
> >       format = "~Etc-Group-Name:*,User-Name"
> >       hashsize = 150
> >       ignorenislike = yes
> >       allowmultiplekeys = yes
> >       delimiter = ":"
> >}
> >
> >================
> >
> >/usr/local/etc/raddb/group_file
> >
> >wilab:walt,walter
> >wilab2:walter,walter01
> >nolab:walter01
> >
> >=================
> >
> >/usr/local/etc/raddb/dictionary
> >
> >ATTRIBUTE       Etc-Group-Name          3000    string
> >
> >=================
> >
> >/usr/local/etc/raddb/huntgroups
> >
> >ILAB            NAS-IP-Address == 10.11.224.36
> >
> >=================
> >
> >/usr/local/etc/raddb/users  (added line numbers for the debug)
> >
> >
> >    102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
> >    103                 Fall-Through = no
> >    104
> >    105 walt    Cleartext-Password := "walter01"
> >    106 walter  Cleartext-Password := "walter01"
> >    107 walter01        Cleartext-Password := "walter01"
> >
> >
> >-------------------------------
> >
> >
> >rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131
> >        User-Name = "walt"
> >        User-Password = "walter01"
> >        NAS-IP-Address = 10.11.224.36
> >        Service-Type = Login-User
> >        Framed-IP-Address = 192.168.135.25
> >        Called-Station-Id = "00:07:E9:D1:8F:C2"
> >        NAS-Identifier = "Bluesocket"
> >        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
> >        NAS-Port-Type = Wireless-802.11
> >Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
> >Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
> >Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL
> >Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
> >Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
> >Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
> >Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
> >Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
> >Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
> >Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
> >Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
> >Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
> >Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
> >Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
> >Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
> >Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
> >Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
> >Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
> >Tue Nov  4 07:09:21 2008 : Info: +- entering group post-auth {...}
> >Tue Nov  4 07:09:21 2008 : Info: ++[exec] returns noop
> >Sending Access-Accept of id 111 to 10.11.224.36 port 32783
> >Tue Nov  4 07:09:21 2008 : Info: Finished request 0.
> >
> >
> >=======================
> >rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
> >        User-Name = "walter"
> >        User-Password = "walter01"
> >        NAS-IP-Address = 10.11.224.36
> >        Service-Type = Login-User
> >        Framed-IP-Address = 192.168.135.25
> >        Called-Station-Id = "00:07:E9:D1:8F:C2"
> >        NAS-Identifier = "Bluesocket"
> >        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
> >        NAS-Port-Type = Wireless-802.11
> >Tue Nov  4 07:09:49 2008 : Info: +- entering group authorize {...}
> >Tue Nov  4 07:09:49 2008 : Info: ++[preprocess] returns ok
> >Tue Nov  4 07:09:49 2008 : Info: ++[chap] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: ++[mschap] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL
> >Tue Nov  4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
> >Tue Nov  4 07:09:49 2008 : Info: ++[suffix] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
> >Tue Nov  4 07:09:49 2008 : Info: ++[eap] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: ++[unix] returns notfound
> >Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items
> >Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
> >Tue Nov  4 07:09:49 2008 : Info: ++[etc_group] returns ok
> >Tue Nov  4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102
> >Tue Nov  4 07:09:49 2008 : Info: ++[files] returns ok
> >Tue Nov  4 07:09:49 2008 : Info: ++[expiration] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: ++[logintime] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it.
> >Tue Nov  4 07:09:49 2008 : Info: ++[pap] returns noop
> >Tue Nov  4 07:09:49 2008 : Info: Found Auth-Type = Reject
> >Tue Nov  4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
> >Tue Nov  4 07:09:49 2008 : Info: Failed to authenticate the user.
> >Tue Nov  4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
> >Tue Nov  4 07:09:49 2008 : Info: +- entering group REJECT {...}
> >Tue Nov  4 07:09:49 2008 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> walter
> >Tue Nov  4 07:09:49 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
> >Tue Nov  4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
> >Tue Nov  4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
> >Tue Nov  4 07:09:49 2008 : Debug: Going to the next request
> >Tue Nov  4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
> >Tue Nov  4 07:09:50 2008 : Info: Sending delayed reject for request 1
> >Sending Access-Reject of id 112 to 10.11.224.36 port 32783
> >Tue Nov  4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
> >Tue Nov  4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39
> >Tue Nov  4 07:09:55 2008 : Debug: Ready to process requests.
> >
> >
> >
> >
> >--
> >Walt Reynolds
> >Principal Systems Security Development Engineer
> >Information Technology Central Services
> >University of Michigan
> >(734) 615-9438
> >
> >
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
>
> End of Freeradius-Users Digest, Vol 43, Issue 12
> ************************************************
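The debug output in the quoted thread shows what goes wrong for a user in two groups: etc_group adds one Etc-Group-Name attribute per group, and the check item `Etc-Group-Name != "wilab"` on line 102 is satisfied by the 'wilab2' instance even though a 'wilab' instance is also present, so the DEFAULT reject entry matches. The Python model below is an added example written for this page, not FreeRADIUS code and not something posted in the thread. It assumes the matching rule the debug output implies (a check item is satisfied as soon as any one instance of the attribute satisfies it) and replays the thread's users file against the two requests; a second evaluation mode, "all", is a hypothetical rule added only to show what the line-102 entry would have needed in order to behave as intended.

```python
"""Model of users-file check-item matching when a request carries several
instances of the same attribute (e.g. two Etc-Group-Name values).

Constructed example; not FreeRADIUS source. The "any" mode below is the
behaviour inferred from the thread's debug output. The "all" mode is a
hypothetical rule used only for comparison.
"""

# Request attribute lists as (name, value) pairs, built from the thread's
# group_file and huntgroups: 'walt' is in one group, 'walter' in two.
REQUEST_WALT = [("User-Name", "walt"), ("Huntgroup-Name", "ILAB"),
                ("Etc-Group-Name", "wilab")]
REQUEST_WALTER = [("User-Name", "walter"), ("Huntgroup-Name", "ILAB"),
                  ("Etc-Group-Name", "wilab2"), ("Etc-Group-Name", "wilab")]

# A users-file entry: (key, [(attr, op, value), ...], items set on match,
# fall_through). This mirrors line 102 and the three password lines.
USERS_FILE = [
    ("DEFAULT",
     [("Huntgroup-Name", "==", "ILAB"), ("Etc-Group-Name", "!=", "wilab")],
     {"Auth-Type": "Reject"}, False),
    ("walt", [], {"Cleartext-Password": "walter01"}, False),
    ("walter", [], {"Cleartext-Password": "walter01"}, False),
    ("walter01", [], {"Cleartext-Password": "walter01"}, False),
]


def check_item_ok(attr, op, value, request, mode="any"):
    """Evaluate one check item against every instance of `attr` in the request.

    mode="any": satisfied if any instance passes (inferred from the debug log).
    mode="all": satisfied only if every instance passes (hypothetical).
    """
    instances = [v for a, v in request if a == attr]
    if not instances:
        return False  # attribute absent: the check item cannot be satisfied
    if op == "==":
        results = [v == value for v in instances]
    elif op == "!=":
        results = [v != value for v in instances]
    else:
        raise ValueError("unsupported operator: %s" % op)
    return any(results) if mode == "any" else all(results)


def entry_matches(key, checks, request, mode="any"):
    """An entry matches if its key is DEFAULT or equals User-Name, and every
    check item is satisfied."""
    user = next((v for a, v in request if a == "User-Name"), None)
    if key != "DEFAULT" and key != user:
        return False
    return all(check_item_ok(a, op, v, request, mode) for a, op, v in checks)


def evaluate(users_file, request, mode="any"):
    """Walk the entries in order, stopping at the first match that does not
    fall through. Returns (keys of matched entries, merged items)."""
    matched, items = [], {}
    for key, checks, set_items, fall_through in users_file:
        if entry_matches(key, checks, request, mode):
            matched.append(key)
            items.update(set_items)
            if not fall_through:
                break
    return matched, items


def decision(users_file, request, mode="any"):
    """Reduce the merged items to the outcome seen in the debug output."""
    _, items = evaluate(users_file, request, mode)
    if items.get("Auth-Type") == "Reject":
        return "Reject"
    return "Accept" if "Cleartext-Password" in items else "NoPassword"


if __name__ == "__main__":
    for req in (REQUEST_WALT, REQUEST_WALTER):
        name = req[0][1]
        print(name, "any:", evaluate(USERS_FILE, req), decision(USERS_FILE, req))
        print(name, "all:", evaluate(USERS_FILE, req, "all"),
              decision(USERS_FILE, req, "all"))
```

Under the inferred "any" rule both `Etc-Group-Name == "wilab"` and `Etc-Group-Name != "wilab"` are true for walter, which is why a negated check cannot express "not a member of wilab" for multi-group users, while positive `==` checks of the kind Ivan suggests do match a multi-group user on whichever instance fits.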