Authorization question

Larry Ross lfross at ucdavis.edu
Tue Apr 7 00:27:14 CEST 2009


Hello all :)
So after getting my testing box current with FR 2.1.5 I have my config 97% there, but I am having an interesting situation occur that I am hoping is fairly straightforward.

Overview of config.

User accounts authenticated against Kerberos KDC (Working 100%)
User Account Attributes held in LDAP, LM Hash for PEAP, Blacklist (if you are in there you are denied) (working 100%)  I cannot inject values into LDAP, would like to but cannot...


So all that is left is a little authorization work.

In my passwd module I have the following. (made sense to have the group name appear as if it came from the authenticator... hence the ~)

        passwd noc_group {
                filename = /usr/local/etc/raddb/group
                format = "~Group-Name:*,User-Name"
                hashsize = 50
                ignorenislike = yes
                allowmultiplekeys = yes
                delimiter = ":"
        }

the "Group" file is formatted
NOC:Usernamea,Usernameb etc

Here is where I get a touch lost.  The noc_group section appears to be working, when I look at the debug output it is properly finding the usernames in the list and reports
[noc_group] Added Group-Name: 'NOC' to request_items
++[noc_group] returns ok

Now where to go from here...  Let me start by where I would like to go...  I would like to have a block of vendor specific radius attributes sent back in the access accept (assuming they passed authentication...)  This way when folks log into network devices they are granted the correct level of access (like with our switches... Some people are granted read only access to verify certain aspects, and admins who get read write, so while I am starting with the admin group there will be other groups with different vendor specific attr's I would like to have sent for them.)  I am assuming unlang will be the way to go, however when I attempt to utilize this method I fail (Radius will not start, as currently I am simply trying to append a Reply message when NOC-Group scores a hit).
I have tried this in the post-auth section within default in sites-enabled.

       if (%{request:Group-Name} == "NOC") {
              Reply-Message = 'Noc-Group Match'
       }
I receive "Unknown action 'NOC-Group Match'" and radius does not load (Error Initializing Modules).

So where should I be placing the unlang code, and what parameters does it understand and can pass to and from the daemon?

Thank you

Larry
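Added example, not part of Larry's post: a post-auth block for sites-enabled/default that does what the message describes (send group-specific reply attributes on the Access-Accept once the passwd module has put Group-Name into the request). It assumes the NAS is a Cisco device that understands Cisco-AVPair from dictionary.cisco and that a second group called READONLY exists; both are assumptions, so substitute your own vendor's VSAs and group names.

```unlang
# Added example (not from the original post). Lives in the post-auth
# section of sites-enabled/default. Assumes the noc_group passwd module
# above has already added Group-Name to the request list, and that the
# NAS is a Cisco device (Cisco-AVPair is an assumption; use your
# vendor's VSAs). The group name READONLY is also an assumption.
post-auth {
        # The attribute can be tested directly, no %{...} expansion needed.
        # If the expansion form is used it must be quoted:
        #   if ("%{request:Group-Name}" == "NOC") { ... }
        if (Group-Name == "NOC") {
                # Reply attributes are set inside an "update reply" block.
                # A bare  Reply-Message = '...'  in an if block is parsed as
                # a module/action name, which is the "Unknown action" error.
                update reply {
                        Reply-Message := "NOC group match"
                        Cisco-AVPair := "shell:priv-lvl=15"
                }
        }
        elsif (Group-Name == "READONLY") {
                update reply {
                        Reply-Message := "Read-only group match"
                        Cisco-AVPair := "shell:priv-lvl=1"
                }
        }
        # Any other group: the Access-Accept goes out unchanged.
}
```

Because this sits in post-auth, it only runs for requests that already passed authentication; rejected requests are handled by the Post-Auth-Type REJECT sub-section instead, so nothing here is sent on an Access-Reject. Use ":=" rather than "=" in the update block so the value overrides anything a module already placed in the reply list.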
