Help checking group membership with FreeRadius

Chris Li chrisyw.li at gmail.com
Thu Mar 26 17:50:11 CET 2009


> Date: Mon, 23 Mar 2009 11:22:22 -0400
> From: Josh Hiner <josh at remc1.org>
> Subject: Help checking group membership with FreeRadius
> To: freeradius-users at lists.freeradius.org
> Message-ID: <200903231522.n2NFMNxv077788 at mxdrop218.xs4all.nl>
> Content-Type: text/plain; charset=UTF-8

> Currently we have a radius server that performs authentication off our
> samba domain controller for wireless users. This works great. I would like
> to limit users so they must be a member of the wireless group in order to
> connect. Since the /etc/group file is on a different server I believe I
> cannot use the etc_group module. Also, in order to use that module the user
> must have a valid account on the radius server as well.
>
> Any ideas on checking group membership? I use ntlm_auth in the mschap
> module for authentication in Freeradius ver 2.1.3-1.

I had a similar problem a few days ago.

Run "getent passwd username" to see if you can get a line like:
smith:*:100:3243::/home/smith:/usr/bin/sh

If you do, '3243' is the principal group ID of the user.

My solution:

Use a Perl script 'chkgrpmembership.pl' to check the group membership of
the user. The script sets the 'Group' attribute if the user is found.

1. chkgrpmembership.pl

use strict;
# use ...
# This is very important! Without this the script will not get the filled
# hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to the NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6;  # user not found
use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are

# Function to handle authorize
sub authorize {
    # Look the user up through NSS (winbind) with getent. The user name is
    # passed as a separate argument instead of being interpolated into a
    # shell command line, so a crafted User-Name cannot inject shell syntax.
    open(my $getent, '-|', 'getent', 'passwd', $RAD_REQUEST{'User-Name'})
        or return RLM_MODULE_FAIL;
    my $getentResult = <$getent>;
    close($getent);
    $getentResult = '' unless defined $getentResult;
    chomp $getentResult;
    my @resultArray = split ":", $getentResult;
    my $arraySize = scalar @resultArray;
    # Group ID 11184 = staff
    # Group ID 12705 = student
    if ($arraySize != 0) {
        my $groupID = $resultArray[3];   # primary GID field of the passwd line
        if ($groupID == 11184) {
            $RAD_REPLY{'Group'} = "Staff";
        }
        elsif ($groupID == 12705) {
            $RAD_REPLY{'Group'} = "Student";
        }
        else {
            # We only allow the Staff and Student groups
            return RLM_MODULE_REJECT;
        }
    }
    else {
        # user not found in AD
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}


2. Add the following lines to the modules section of radius.conf

perl {
        module = /etc/freeradius/chkgrpmembership.pl
        func_authorize = authorize
}

3. In the Authorize section, uncomment 'files'. Then add a line
containing 'perl' after it.

In the Authentication section add:

Auth-Type Perl {
        perl
}


4. If you use EAP/TLS, you need to enable use_tunneled_reply in the peap
and/or ttls section of eap.conf.

5. Finally, you can add a line to the 'users' file:

DEFAULT        Group != "wireless", Auth-Type := Reject


(Sorry for starting a new thread, I subscribed to the "digest" version
of the mailing list.)


Chris
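An added example, not the script from the post above: an rlm_perl authorize() that requires membership in one named group (assumed here to be 'wireless', the group the original question asks about) and goes beyond the primary-GID check by also honouring supplementary membership from the group's member list. It resolves entries with getpwnam/getgrnam, which go through NSS (so winbind-backed accounts appear) without spawning a shell; the sample passwd/group entries in offline_check() are constructed.

```perl
# Added example (not from the original post): group-membership check for
# rlm_perl. Primary GID and supplementary membership both count.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

my $REQUIRED_GROUP = 'wireless';   # assumed group name

# Returns 1 if $user belongs to $group, 0 otherwise. $pw and $gr may be
# supplied as pre-resolved getpwnam/getgrnam lists for offline checking.
sub user_in_group {
    my ($user, $group, $pw, $gr) = @_;
    $pw ||= [ getpwnam($user) ];    # (name, passwd, uid, gid, ...)
    $gr ||= [ getgrnam($group) ];   # (name, passwd, gid, "member1 member2")
    return 0 unless @$pw && @$gr;   # unknown user or unknown group
    return 1 if $pw->[3] == $gr->[2];                # primary group matches
    my %members = map { $_ => 1 } split ' ', $gr->[3];
    return $members{$user} ? 1 : 0;                  # supplementary membership
}

sub authorize {
    my $user = defined $RAD_REQUEST{'User-Name'} ? $RAD_REQUEST{'User-Name'} : '';
    $user =~ s/^.*\\//;                                      # drop a DOMAIN\ prefix
    return RLM_MODULE_REJECT unless $user =~ /^[\w.@-]+$/;   # refuse odd names
    return RLM_MODULE_REJECT unless user_in_group($user, $REQUIRED_GROUP);
    $RAD_REPLY{'Group'} = $REQUIRED_GROUP;
    return RLM_MODULE_OK;
}

# Offline check with constructed entries (no NSS lookup); run as
#   perl -e 'require "./chkgrpmembership.pl"; print offline_check(), "\n"'
sub offline_check {
    my $gr    = [ 'wireless', 'x', 5000, 'jones smith' ];
    my $smith = [ 'smith', '*', 100, 3243, '', '', '/home/smith', '/usr/bin/sh' ];
    my $jones = [ 'jones', '*', 101, 5000, '', '', '/home/jones', '/usr/bin/sh' ];
    my $doe   = [ 'doe',   '*', 102, 4000, '', '', '/home/doe',   '/usr/bin/sh' ];
    my @r;
    for my $pw ($smith, $jones, $doe) {
        push @r, user_in_group($pw->[0], 'wireless', $pw, $gr);
    }
    return "@r";   # "1 1 0": smith via member list, jones via primary GID, doe refused
}
1;
```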