update : Re: Authentication on the basis of circuit id and not mac address

Mahima Kumar mahima at ualberta.ca
Mon Mar 10 18:35:39 CET 2014


Hello Alan,
Thanks for your reply.

To be more specific, I can tell you my scenario.
client---switch---alcatel(dhcp relay agent)---freeradius and dhcp server

The dhcp relay agent is generating a circuit id which I can see in the
debug output; it is a hex string beginning with 0x, and the dhcp agent
remote id is also visible as a hex string. Now I am setting the username
format in the alcatel to mac address, and I have no problem
authenticating the client from the radius server on the basis of mac
address, and the dhcp server is giving an ip address to the client. But my goal is
to authenticate my client on the basis of this circuit id which is being
generated by the alcatel dhcp relay agent, and hence provide an ip address to
the client from the dhcp server. As I change the username format to
circuit-id in the alcatel relay agent, the authentication fails, as the
debug output in alcatel shows the username format implies circuit-id.
I am actually implementing the Alcatel Triple Play ESM scenario (alcatel
also has IES and VPLS running on it), but instead of a dslam or any other
relay agent I have to use the alcatel router only as the dhcp relay agent.

Also, I would like to know what changes I have to make in the users file or
dhcp-static file or default file or radcheck, so as to do the client
authentication based on the circuit id being generated. (I tried to make a
few changes but nothing works for me.)

Goal is: authentication of the client from the radius server on the basis of
circuit id, and
assigning an ip address to the client from the dhcp server.


Thanks in advance.


On Mon, Mar 10, 2014 at 10:23 AM, <
freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>    1. Re: Authorise based on Calling Station ID ? (Alan DeKok)
>    2. Re: Authentication on the basis of circuit id and not mac
>       address (Alan DeKok)
>    3. Re: your mail (A.L.M.Buxey at lboro.ac.uk)
>    4. Re: Old school:  FreeRADIUS and NIS (Mark Haney)
>    5. Re: Old school:  FreeRADIUS and NIS (Alan DeKok)
>    6. Re: Old school:  FreeRADIUS and NIS (Phil Mayers)
>    7. Re: Old school:  FreeRADIUS and NIS (Mark Haney)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Mar 2014 08:10:31 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Authorise based on Calling Station ID ?
> Message-ID: <531DABB7.50105 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Darren Ward (darrward) wrote:
> > The mac address was sent by the wifi controller as the
> > calling-station-id but the question is how do I match that field against
> > the user to authorise them?
>
> $ man unlang
>
>   It tells you how to do if/then/else checks.
>
>   Perhaps you have a more specific question?
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Mar 2014 08:33:25 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Authentication on the basis of circuit id and not mac
>         address
> Message-ID: <531DB115.70109 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Mahima Kumar wrote:
> > I have used an Alcatel router as relay agent which gives the circuit id
> > and i can see that in the radius debug output, so the client is getting
> > authenticated on the basis of mac address and is getting the ip address
> > from the Dhcp server , now i want to authenticate the client based on
> > the circuit id provided by the relay agent in between,
>
>   First, does the circuit ID show up in a RADIUS packet?  If so, what
> attribute is it?
>
> > but the radius
> > server doesn't accept username as circuit id, it only authenticates
> > based on mac address of the client(i tried changing the users file), so
> > can anyone please guide me as to what changes i have to make for this to
> > be possible.
>
>   I'm not sure what you're trying to do, so I don't have a good answer
> for you.
>
>   What does debug output say?  What do you think it *should* say?
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Mar 2014 13:54:26 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: your mail
> Message-ID: <20140310135426.GC3021 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > I'd like to install on FreeBSD 9.2
> > FreeRadius2 with MySQL
>
> which bits of http://wiki.freeradius.org/guide/SQL-HOWTO did you
> follow, which bits didn't work?
>
> alan
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Mar 2014 10:03:55 -0400
> From: Mark Haney <mhaney at practichem.com>
> To: <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531DC64B.4010806 at practichem.com>
> Content-Type: text/plain; charset="ISO-8859-1"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 03/07/14 16:00, Alan DeKok wrote:
>
> >> The only thing I've changed in the config files is to add the
> >> DEFAULT Auth-Type = System at the top of the users file.
> >
> > Which I don't recommend you do.
> >
> > Anyways, debug mode shows:
> >
> > ++[unix] returns notfound
> >
> > Which is pretty definitive.
>
> Okay, what would you recommend then?  And the ++[unix] returns notfound is
> definitive of /what/?
>
> Since I'm setting up FreeRADIUS on my NIS master, I don't really need
> NIS integration, the user accounts are all in /etc/passwd (and
> /etc/shadow) so all I need is radiusd to check for local accounts and
> authenticate against them.  This /should/ simplify things, but
> apparently I'm missing something, and something probably relatively
> simple.  Question is, what?
>
>
> - --
> Mark Haney
> Network/Systems Administrator
> Practichem
> W: (919) 714-8428
> Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJTHcZEAAoJEM/YzwEAv6e7VfIH+gLyCl0i8wJg8yrNRh93PUKG
> tuKKRyelWUur6p1Hem/G3LtEBkczbfPw1Mk1mD0McWmrH58lMoFccnFp3KF//QF7
> NNBBrbbtkFLq0gdEUr7vr7ICXDqRKnrSSSh+zjOFZ5DwG4pSjhexqwgRZNw34prg
> ddG6qsnVwktztIBuiXI05iWL1yqoTVveiXJCRcoOFMc1cKABt4tYR0y2/7QGmjT2
> DvfvhD3K+pDtO1HLwPOKay9D47AHSsRyvO64d1zfSVokt/7/FLbUuHtoZ9lXK5uH
> BjteP//mlE017d848wHF5PzmYXIPQhT3ANQ274TB/Q9wPalhx/7KMd+WN6CvHeA=
> =QgVT
> -----END PGP SIGNATURE-----
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Mar 2014 10:21:05 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531DCA51.6070309 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Mark Haney wrote:
> >> ++[unix] returns notfound
> >
> >> Which is pretty definitive.
> >
> > Okay, what would you recommend then?  And the ++[unix] returns notfound is
> > definitive of /what/?
>
>   Uh.... the module looks users up in /etc/passwd.  What could
> "notfound" possibly mean?
>
> > Since I'm setting up FreeRADIUS on my NIS master, I don't really need
> > NIS integration, the user accounts are all in /etc/passwd (and
> > /etc/shadow) so all I need is radiusd to check for local accounts and
> > authenticate against them.  This /should/ simplify things, but
> > apparently I'm missing something, and something probably relatively
> > simple.  Question is, what?
>
>   The user isn't in /etc/passwd.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 10 Mar 2014 14:33:55 +0000
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531DCD53.9080402 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 10/03/14 14:03, Mark Haney wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > On 03/07/14 16:00, Alan DeKok wrote:
> >
> >>> The only thing I've changed in the config files is to add the
> >>> DEFAULT Auth-Type = System at the top of the users file.
> >>
> >> Which I don't recommend you do.
> >>
> >> Anyways, debug mode shows:
> >>
> >> ++[unix] returns notfound
> >>
> >> Which is pretty definitive.
> >
> > Okay, what would you recommend then?  And the ++[unix] returns notfound is
> > definitive of /what/?
>
> rlm_unix has a flow like this:
>
>   r = getpwnam(username)
>   if not r:
>     return NOTFOUND
>   if not r.passwd or len(r.passwd) < 10:
>     s = getspnam(username)
>     if not s:
>       return NOTFOUND
>     passwd = s.passwd
>   else:
>     passwd = r.passwd
>
> So, either FreeRADIUS is getting no reply to getpwnam() or it's getting
> an empty or "x" value for the password hash at that stage, *then*
> calling getspnam() and getting no value.
>
> My NIS is rusty, but IIRC calling the getspnam() routines under NIS
> requires you being root? Most likely this is the problem.
>
> PAM has a suid-root helper for this; FreeRADIUS doesn't. So one possible
> alternative would be to use rlm_pam, and let PAM do the work of getting
> at the shadow data.
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 10 Mar 2014 12:23:29 -0400
> From: Mark Haney <mhaney at practichem.com>
> To: <freeradius-users at lists.freeradius.org>
> Subject: Re: Old school:  FreeRADIUS and NIS
> Message-ID: <531DE701.5090606 at practichem.com>
> Content-Type: text/plain; charset="ISO-8859-1"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> On 03/10/14 10:33, Phil Mayers wrote:
>
> >
> > rlm_unix has a flow like this:
> >
> > r = getpwnam(username)
> > if not r:
> >   return NOTFOUND
> > if not r.passwd or len(r.passwd) < 10:
> >   s = getspnam(username)
> >   if not s:
> >     return NOTFOUND
> >   passwd = s.passwd
> > else:
> >   passwd = r.passwd
> >
> > So, either FreeRADIUS is getting no reply to getpwnam() or it's
> > getting an empty or "x" value for the password hash at that stage,
> > *then* calling getspnam() and getting no value.
> >
> > My NIS is rusty, but IIRC calling the getspnam() routines under
> > NIS requires you being root? Most likely this is the problem.
>
> Let me re-iterate.  Since I've installed FreeRADIUS on my NIS master, I
> no longer care so much about dealing with NIS.  At this stage, it's
> simply a matter of getting FR and rlm_unix to see and access my local
> user/pwd sitting in /etc/passwd and /etc/shadow.  Surely, setting up
> Fr for that is not /that/ complicated.  So, forget about NIS.  That is
> not a problem.
>
> So, now that I have that out of the way, it seems rlm_unix isn't able
> to read /etc/shadow.  I'm assuming the getspnam(username) call is
> trying to read /etc/shadow?  If so, how is the best way to fix this?
> I read somewhere that rlm_unix didn't need to copy the password files
> into a temp file with radwtmp unless there was a specific reason for
> it.  What exactly is that all about?
>
>
> - --
> Mark Haney
> Network/Systems Administrator
> Practichem
> W: (919) 714-8428
> Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJTHeb2AAoJEM/YzwEAv6e7EtsH/1DSyXULTwGN2Y4x/lvq/5cj
> OYj585upGm0gZlNTEBjDYF1eJQw+S26bIhbogiaaWElBhnNE43K0iXnlJMxC3rwJ
> ZRdoT5dQHufyOAFpDrg0GvR4BsnlSUlRzckBDGdFSsEtHHUtH0UU/ajuKo8JgXxZ
> 4smQ1dl9dFY9A9xe7AI7MGMI76QAqTIuTREmEwfPVKl9HSsBHAFr64hzxsUc8TcE
> 5GEizfXQv3XvTLsYuDCPRF2SxZr5ZpLi3Yuu/GLlC6Vl88qpNHgbPVf5rKw1NVMl
> OhYFHSnz+pzgyAKJBg3Np5xoV1cvDYf0wQ3Kv0i1UwP3SF4r9RvdAPNjyyzjZJc=
> =mS2E
> -----END PGP SIGNATURE-----
>
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 107, Issue 38
> *************************************************
>
>


-- 



Regards,

Mahima Kumar
1365962
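The hex strings Mahima describes for the circuit id and remote id are the form in which a DHCP relay agent carries the Relay Agent Information option (option 82, RFC 3046): a list of sub-options, each a one-byte code, a one-byte length and the value, where code 1 is the Agent Circuit ID and code 2 the Agent Remote ID. The decoder below is an added example and is not code from the thread, from FreeRADIUS or from Alcatel; it assumes the hex string is the raw option 82 payload (if the router has already extracted only the circuit-id value, `render_value` alone applies), and the sample payload is constructed, not captured from the router in the thread. Decoding the string is the first step toward Alan's question of what the value is and which attribute carries it; it also makes clear that the circuit id identifies the access port as seen by the relay, so authorizing on it is only as strong as the trust placed in the relay that inserts it and the path from the relay to the RADIUS server.

```python
"""Decode a DHCP Relay Agent Information option (option 82, RFC 3046)
payload, the kind of hex string a relay agent such as the Alcatel
router inserts.

Sub-option layout: one-byte code, one-byte length, then `length` bytes of
value, repeated until the payload is exhausted.  Code 1 is the Agent
Circuit ID, code 2 the Agent Remote ID.
"""
from __future__ import annotations

SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_NAMES = {SUBOPT_CIRCUIT_ID: "circuit-id", SUBOPT_REMOTE_ID: "remote-id"}


def hex_to_bytes(text: str) -> bytes:
    """Accept '0x...' or bare hex, with optional ':' or space separators."""
    cleaned = text.strip()
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(":", "").replace(" ", "")
    if len(cleaned) % 2:
        raise ValueError("hex string has an odd number of digits")
    return bytes.fromhex(cleaned)


def parse_option82(payload: bytes) -> dict[int, bytes]:
    """Split the option payload into {sub-option code: value}.

    Refuses truncated or repeated sub-options instead of guessing, so a
    malformed relay string is reported rather than silently half-decoded.
    """
    subopts: dict[int, bytes] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at offset {pos}")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option {code} declares {length} bytes, only {len(value)} present"
            )
        if code in subopts:
            raise ValueError(f"sub-option {code} repeated")
        subopts[code] = value
        pos += 2 + length
    return subopts


def render_value(value: bytes) -> str:
    """Show printable ASCII as text, anything else as 0x-prefixed hex."""
    if value and all(0x20 <= b < 0x7F for b in value):
        return value.decode("ascii")
    return "0x" + value.hex()


def describe_relay_info(hex_text: str) -> dict[str, str]:
    """Map a relay agent's hex string to named, human-readable sub-options."""
    subopts = parse_option82(hex_to_bytes(hex_text))
    return {
        SUBOPT_NAMES.get(code, f"suboption-{code}"): render_value(val)
        for code, val in subopts.items()
    }


# Constructed sample (not captured from the Alcatel in the thread):
# circuit-id "1/1/2:100" followed by a 6-byte binary remote-id.
SAMPLE_RELAY_INFO = "0x0109312f312f323a3130300206001122334455"

if __name__ == "__main__":
    for name, value in describe_relay_info(SAMPLE_RELAY_INFO).items():
        print(f"{name}: {value}")
```

Run against the relay's own string, the output tells you whether the value is a textual port identifier (the usual case for a circuit id) or binary (typical for a remote id derived from a MAC address), which is what you need before you can write a matching check in the users file or unlang on whatever attribute the debug output shows it in.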

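Phil Mayers's sketch of the rlm_unix flow in the quoted digest explains why "++[unix] returns notfound" can appear for a user who does exist: the passwd entry holds only "x", so the module falls through to the shadow lookup, and an unprivileged process gets nothing back from it. The model below is an added example, not FreeRADIUS's own rlm_unix code; it mirrors his sketch (including the 10-character threshold he gives) over passwd- and shadow-format text instead of the libc calls, uses `shadow_text=None` to stand in for getspnam() failing because the process is not root, and the passwd and shadow lines are constructed, not taken from anyone's system. The reason string it returns is the distinction the bare "notfound" in the debug output hides.

```python
"""Model of the rlm_unix lookup flow sketched by Phil Mayers, run over
passwd/shadow-format text so it can be exercised without root or libc.

Status values mirror the module's debug output ("notfound" / "ok"); the
third tuple element says which branch produced the result.
"""
from __future__ import annotations

from typing import Optional

NOTFOUND = "notfound"
OK = "ok"


def _index(text: str) -> dict[str, list[str]]:
    """Index colon-separated lines by their first field (the user name)."""
    table: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = fields
    return table


def getpwnam(passwd_text: str, user: str) -> Optional[list[str]]:
    """Stand-in for getpwnam(3): the user's passwd fields, or None."""
    return _index(passwd_text).get(user)


def getspnam(shadow_text: Optional[str], user: str) -> Optional[list[str]]:
    """Stand-in for getspnam(3).

    None for shadow_text models the shadow database being unreadable to
    the calling process (not root), which getspnam reports as no entry.
    """
    if shadow_text is None:
        return None
    return _index(shadow_text).get(user)


def lookup_hash(user: str, passwd_text: str, shadow_text: Optional[str]):
    """Return (status, password_hash, reason) following the sketched flow."""
    r = getpwnam(passwd_text, user)
    if r is None:
        return (NOTFOUND, None, "no passwd entry")
    pw_field = r[1]
    # An empty or placeholder ("x") field means the hash lives in shadow.
    if not pw_field or len(pw_field) < 10:
        s = getspnam(shadow_text, user)
        if s is None:
            reason = "shadow unreadable" if shadow_text is None else "no shadow entry"
            return (NOTFOUND, None, reason)
        return (OK, s[1], "hash from shadow")
    return (OK, pw_field, "hash from passwd")


# Constructed sample data (not from any real system).
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1001:1001:Old style:/home/legacy:/bin/sh
"""
SHADOW_TEXT = """\
root:!:16000:0:99999:7:::
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:16000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, shadow in (("alice", SHADOW_TEXT), ("alice", None), ("bob", SHADOW_TEXT)):
        status, _, reason = lookup_hash(user, PASSWD_TEXT, shadow)
        print(f"++[unix] returns {status}  ({user}: {reason})")
```

The second case is Mark's situation as Phil reads it: the account is present, but the process doing the lookup cannot read the shadow hash, so the module reports the same "notfound" as a genuinely missing user. Fixing it means giving the lookup access to the shadow data (the rlm_pam route Phil suggests, which delegates to PAM's privileged helper) rather than editing the users file.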