Multi-tenancy setup

Ilavajuthy Palanisamy ilavajuthy at gmail.com
Thu Nov 6 23:15:17 CET 2014


Hello All,



As suggested in earlier replies, I have modified the SQL query and the
schema. We are trying to use NAS-Identifier to segregate the customers.

However, I am running into an issue when trying to authenticate a user using
PEAP MSCHAP.

When the tunneled request is sent, it does not contain the NAS-Identifier.
Is it possible to send the NAS-Identifier in the tunneled request?

I am using FreeRADIUS version 2.1.12.

Please let me know if there is something wrong with my config.




FreeRADIUS log (I have removed many log output lines to reduce the size of
the mail)

--------------------------------------------------------------------------------------------------------------------


rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=154,
length=226

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message = 0x025a000c0172616474657374

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0xb9bfc73c2e480450d46170ae43dc7721

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 90 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[sql]       expand: %{User-Name} -> radtest

[sql] sql_set_user escaped user --> 'radtest'

rlm_sql (sql): Reserving sql socket id: 3

[sql]       expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}'   AND nasgroup.nasid =
'%{NAS-Identifier}'   AND nasgroup.groupname = radcheck.Groupname   ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = 'radtest'   AND nasgroup.nasid = 'CN3BD321SM'   AND
nasgroup.groupname = radcheck.Groupname   ORDER BY radcheck.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 5

[sql] User found in radcheck table

[sql]       expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op   FROM radreply   WHERE Username = 'radtest'
  ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 5

[sql]       expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 1

rlm_sql (sql): Released sql socket id: 3

++[sql] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type md5

rlm_eap_md5: Issuing Challenge

++[eap] returns handled

Sending Access-Challenge of id 154 to 192.168.1.62 port 32953

                EAP-Message = 0x015b00160410c29fa2a1e7b48d23a6e801c718e9f7a7

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0x005655b7000d519bfcf3bbcabb4eb013

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=77,
length=238

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message = 0x025b00060319

                State = 0x005655b7000d519bfcf3bbcabb4eb013

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0x9815cb4c5cca3bcebc15d622c5f9e0f9

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 91 length 6

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[files] returns noop

[sql]       expand: %{User-Name} -> radtest

[sql] sql_set_user escaped user --> 'radtest'

rlm_sql (sql): Reserving sql socket id: 2

[sql]       expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}'   AND nasgroup.nasid =
'%{NAS-Identifier}'   AND nasgroup.groupname = radcheck.Groupname   ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = 'radtest'   AND nasgroup.nasid = 'CN3BD321SM'   AND
nasgroup.groupname = radcheck.Groupname   ORDER BY radcheck.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 5

[sql] User found in radcheck table

[sql]       expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op   FROM radreply   WHERE Username = 'radtest'
  ORDER BY id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 1 , fields = 5

[sql]       expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 1

rlm_sql (sql): Released sql socket id: 2

++[sql] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP NAK

[eap] EAP-NAK asked for EAP-Type/peap

[eap] processing type tls

[tls] Initiate

[tls] Start returned 1

++[eap] returns handled

Sending Access-Challenge of id 77 to 192.168.1.62 port 32953

                EAP-Message = 0x015c00061920

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0x005655b7010a4c9bfcf3bbcabb4eb013

Finished request 1.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=213,
length=440

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message =
0x025c00d01980000000c616030100c1010000bd0301545bede983c64b84e5579021f2c8c1bba854b49152249d40e262132606fb4d13000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011

                State = 0x005655b7010a4c9bfcf3bbcabb4eb013

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0x1981daace80a8b50b267b588801fa7c6

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 92 length 208

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 198

[peap] Length Included

[peap] eaptls_verify returned 11

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=247,
length=238

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message = 0x025d00061900

                State = 0x005655b7020b4c9bfcf3bbcabb4eb013

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0x3194e87ace606247da24d510ebdbb259

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 93 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake fragment handler

[peap] eaptls_verify returned 1

[peap] eaptls_process returned 13

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 94 length 144

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=3,
length=238

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message = 0x025f00061900

                State = 0x005655b704094c9bfcf3bbcabb4eb013

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0xf14dd2f6c72a4c3ceb5375a80413b223

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 95 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake is finished

[peap] eaptls_verify returned 3

[peap] eaptls_process returned 3

[peap] EAPTLS_SUCCESS

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state TUNNEL ESTABLISHED

++[eap] returns handled

Sending Access-Challenge of id 3 to 192.168.1.62 port 32953

                EAP-Message =
0x0160002b190017030100206f520d286e0a8531cad4f96f3d16ff71290206fbd472476c97983544bf77ce37

                Message-Authenticator = 0x00000000000000000000000000000000

                State = 0x005655b705364c9bfcf3bbcabb4eb013

Finished request 5.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=137,
length=312

                Acct-Session-Id = "eaea9572-00000065"

                NAS-Port = 95

                NAS-Port-Type = Wireless-802.11

                NAS-Identifier = "CN3BD321SM"

                NAS-IP-Address = 192.168.1.62

                Framed-MTU = 1496

                User-Name = "radtest"

                Calling-Station-Id = "F0-25-B7-48-08-2C"

                Called-Station-Id = "A0-D3-C1-AB-71-62"

                Service-Type = Framed-User

                EAP-Message =
0x0260005019001703010020be7393b22523f27ba53a2a90ae5022b7e6ac7a1733cbb1d10ea97dc3871c60001703010020e0e4b12bd1ad0ad1918c19eb36449ea6e0a94e322f9aeacee86bf5db4613e7e1

                State = 0x005655b705364c9bfcf3bbcabb4eb013

                Colubris-AVPair = "ssid=tenant"

                Colubris-AVPair = "phytype=IEEE802dot11 "

                Colubris-Attr-250 = 0x00000000

                Colubris-Attr-249 = 0x00000000

                Message-Authenticator = 0xd3c41c6be1d9c598f08c4b289f092589

# Executing section authorize from file
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 96 length 80

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state WAITING FOR INNER IDENTITY

[peap] Identity - radtest

[peap] Got inner identity 'radtest'

[peap] Setting default EAP type for tunneled EAP session.

[peap] Got tunneled request

                EAP-Message = 0x0260000c0172616474657374

server  {

[peap] Setting User-Name to radtest

Sending tunneled request

                EAP-Message = 0x0260000c0172616474657374

                FreeRADIUS-Proxied-To = 127.0.0.1

                User-Name = "radtest"

server inner-tunnel {

# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "radtest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 96 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[sql]       expand: %{User-Name} -> radtest

[sql] sql_set_user escaped user --> 'radtest'

rlm_sql (sql): Reserving sql socket id: 1

[sql]       expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}'   AND nasgroup.nasid =
'%{NAS-Identifier}'   AND nasgroup.groupname = radcheck.Groupname   ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op   FROM radcheck, nasgroup
WHERE Username = 'radtest'   AND nasgroup.nasid = ''   AND
nasgroup.groupname = radcheck.Groupname   ORDER BY radcheck.id

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 5

[sql]       expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority

rlm_sql_postgresql: Status: PGRES_TUPLES_OK

rlm_sql_postgresql: query affected rows = 0 , fields = 1

rlm_sql (sql): Released sql socket id: 1

[sql] User radtest not found

++[sql] returns notfound

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel

+- entering group authenticate {...}


----------------------------------------------------------------------------------------------------------------------------------------

Database schema changes -

----------------------------------------



A new table has been added called "nasgroup" and the radcheck table has
been modified to include an extra column called groupname -



radiusdb=# select * from nasgroup;
 id | groupname |   nasid
----+-----------+------------
  1 | test      | CN3BD321SM
  3 | temp      | XYZABDG





radiusdb=# select * from radcheck;
 id | username |     attribute      | op |  value  | groupname
----+----------+--------------------+----+---------+-----------
  1 | radtest  | Cleartext-Password | := | radtest | test
  2 | radtest  | Cleartext-Password | := | radtest | temp





dialup.conf

---------------



"authorize_check_query" has been modified but "authorize_reply_query" has
not been changed.



authorize_check_query = "SELECT ${authcheck_table}.id, \
  ${authcheck_table}.UserName, ${authcheck_table}.Attribute, \
  ${authcheck_table}.Value, ${authcheck_table}.Op \
  FROM ${authcheck_table}, nasgroup \
  WHERE Username = '%{SQL-User-Name}' \
  AND nasgroup.nasid = '%{NAS-Identifier}' \
  AND nasgroup.groupname = ${authcheck_table}.Groupname \
  ORDER BY ${authcheck_table}.id"



authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
  FROM radreply \
  WHERE Username = '%{SQL-User-Name}' \
  ORDER BY id"




Thanks,

Ila.



On Mon, Oct 27, 2014 at 4:36 PM, Pshem Kowalczyk <pshem.k at gmail.com> wrote:

> Hi,
>
> One method that I used in the past is to create a virtual server per
> 'tenant' and then use the 'main' server to proxy to the correct virtual
> server based on the attributes in the requests.
>
> kind regards
> Pshem
>
>
> On 28 October 2014 07:09, Ilavajuthy Palanisamy <ilavajuthy at gmail.com>
> wrote:
>
>> Hi All,
>>
>> We are hosting an application in the cloud which is managing multiple
>> customers.
>> Customers will be authenticated using the FreeRadius server.
>> We are planning to use the user authentication through the
>> database(PostgreSQL).
>> I have configured the radcheck table and able to make the user
>> authentication successfully.
>>
>> In order to support multiple customers, what are all the options/design
>> available in FreeRadius.
>>
>> One option we are thinking is to modify the schema to introduce
>> customer-id and modify the sql module to support the new schema. If this is
>> possible, please provide pointers in achieving this.
>>
>> If there are other options available, please provide pointers.
>>
>> Thanks,
>> Ila.
>>
>>
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
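An added configuration example (not from the original post or the FreeRADIUS project) showing one way to get the tenant key into the PEAP inner tunnel on 2.x: enabling copy_request_to_tunnel in the peap section of eap.conf so the outer NAS-Identifier is copied into the inner request, and the check query from the post rewritten with an explicit join; the file paths, the table and column names from the post, and the other peap settings shown are assumptions.

```text
# eap.conf (assumed path /etc/freeradius/eap.conf), peap section only;
# the rest of the eap { } block (tls { } etc.) is unchanged and not shown.
# copy_request_to_tunnel = yes copies the outer Access-Request attributes,
# NAS-Identifier included, into the inner-tunnel request, so the same
# %{NAS-Identifier} xlat expands to "CN3BD321SM" in both the default and
# the inner-tunnel server instead of '' inside the tunnel (as in the log).
eap {
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# dialup.conf: the check query from the post with an explicit JOIN.
# A request whose NAS-Identifier is empty or unknown joins no nasgroup row,
# so the user is "not found" and rejected rather than matched unscoped.
# nasgroup rows with an empty nasid should not exist for the same reason.
authorize_check_query = "SELECT ${authcheck_table}.id, \
  ${authcheck_table}.UserName, ${authcheck_table}.Attribute, \
  ${authcheck_table}.Value, ${authcheck_table}.Op \
  FROM ${authcheck_table} \
  JOIN nasgroup ON nasgroup.groupname = ${authcheck_table}.Groupname \
  WHERE ${authcheck_table}.Username = '%{SQL-User-Name}' \
  AND nasgroup.nasid = '%{NAS-Identifier}' \
  ORDER BY ${authcheck_table}.id"
```

Because both virtual servers share the same sql module instance, keeping a single query that works in both contexts avoids one lookup silently running with an empty tenant key.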