How best to map users to domain name for login

yani at ecoco.co.uk
Thu Aug 24 18:53:08 CEST 2017


On 24/08/17 17:23, Alan DeKok wrote:

> On Aug 24, 2017, at 10:24 AM, yani at ecoco.co.uk wrote:
>> radiusd -v
>> radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 17 2017 at 18:49:55
>    I would suggest using 3.0.15.  It has a lot of fixes over 3.0.4.
>
>> I want to be able to authenticate users to my email service and manage
>> them according to the domain they belong to, so fred at domaina.com is not
>> the same as fred at domainb.com.  But in both cases the first part is the
>> login user name within the domain.
>    That's a pretty common requirement.
Yep
>
>> I have looked at freeradius virtual servers -
>    Virtual servers are largely for separating functionality.  i.e. WiFi rules in one virtual server, DSL rules in another, and VPN rules in a third virtual server.
>
>> and have considered
>> using free radius realms - don't see how either is actually the way forward.  It seems
>> that virtual servers will need a database system creating for every
>> instance (am I actually correct here)
>    No.
Good, suspected I was wrong, but needed confirmation.
>
>> and that realms are really for
>> forwarding requests to other free radius servers - when all i need at
>> the moment is a single server handling multiple domain based login
>> groups.
>    Realms are often used for forwarding, but they don't need to be.
>
>> I understand from the documentation that  I can create a local realm
>> like this
>>
>> realm domaina.com {
>>     type = radius
>>     authhost = LOCAL
>>     accthost = LOCAL
>> }
>    Yes.
>
>> I suspect I'm on the right track here - but haven't figured out how to
>> create users in the database/system  that reflect this
>>
>> Please advise on the most appropriate way of configuring
>> freeradius to achieve logins for multiple internet domains.
>    The bigger question is where are the users stored right now?  What kind of database contains the name / password for each user?  What is the schema used there?
>
>    Once you know that, you just configure FreeRADIUS to query the database.  It should be about 10 minutes work.
>
>    I wouldn't suggest creating users via the default SQL schema.  That's largely for ISP functionality, and will likely not work well for you.
>
>    For enterprises we just recommend that FreeRADIUS look at the existing enterprise DB.
>
>    i.e. you don't mangle your data to make FreeRADIUS happy.  That's a lot of work.  Instead, you configure 1-2 simple queries in FreeRADIUS, so that it pulls the correct information from your existing database.  That's *much* easier.
>
>    Alan DeKok.


Thank you for the quick reply, I'm just a newbie with FreeRADIUS,
trying to understand its modus operandi :)
I have come to the conclusion that I will need to modify the schema and
change the way in which the db is queried after seeing the output below
for a test user in the test domain domaina.com.


I'm using a MySQL back end at the moment, and this system is not live -
still in development. (I've wanted to get RADIUS working for years and
only just found the time.)

I suppose it's really only adding a realm field to the
radius.radcheck db and using that in the subsequent queries, something
like:

EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' and realm = {whatever_realm_is } ORDER BY id

If this is what you mean by mangling the data then I'm still missing
something - i.e. how best to relate users to realms/domains.

Received Access-Request Id 25 from 10.64.4.111:36127 to 10.64.3.44:1812 length 86
     User-Name = 'yani at domaina.com'
     User-Password = 'poppl'
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
     Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
(11) Received Access-Request packet from host 10.64.4.111 port 36127, id=25, length=86
(11)     User-Name = 'yani at domaina.com'
(11)     User-Password = 'poppl'
(11)     NAS-IP-Address = 127.0.1.1
(11)     NAS-Port = 0
(11)     Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11)   authorize {
(11)   filter_username filter_username {
(11)     if (!&User-Name)
(11)     if (!&User-Name)  -> FALSE
(11)     if (&User-Name =~ / /)
(11)     if (&User-Name =~ / /)  -> FALSE
(11)     if (&User-Name =~ /@.*@/ )
(11)     if (&User-Name =~ /@.*@/ )  -> FALSE
(11)     if (&User-Name =~ /\\.\\./ )
(11)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  -> FALSE
(11)     if (&User-Name =~ /\\.$/)
(11)     if (&User-Name =~ /\\.$/)   -> FALSE
(11)     if (&User-Name =~ /@\\./)
(11)     if (&User-Name =~ /@\\./)   -> FALSE
(11)   } # filter_username filter_username = notfound
(11)   [preprocess] = ok
(11)   [chap] = noop
(11)   [mschap] = noop
(11)   [digest] = noop
(11)  suffix : Checking for suffix after "@"
(11)  suffix : Looking up realm "domaina.com" for User-Name = "yani at domaina.com"
(11)  suffix : Found realm "domaina.com"
(11)  suffix : Adding Stripped-User-Name = "yani"
(11)  suffix : Adding Realm = "domaina.com"
(11)  suffix : Authentication realm is LOCAL
(11)   [suffix] = ok
(11)  eap : No EAP-Message, not doing EAP
(11)   [eap] = noop
(11)   [files] = noop
(11)  sql : EXPAND %{User-Name}
(11)  sql :    --> yani at domaina.com
(11)  sql : SQL-User-Name set to 'yani at domaina.com'
rlm_sql (sql): Reserved connection (7)
(11)  sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(11)  sql :    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yani at domaina.com' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yani at domaina.com' ORDER BY id'
(11)  sql : User found in radcheck table
(11)  sql : Check items matched
(11)  sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(11)  sql :    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'yani at domaina.com' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'yani at domaina.com' ORDER BY id'
(11)  sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(11)  sql :    --> SELECT groupname FROM radusergroup WHERE username = 'yani at domaina.com' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'yani at domaina.com' ORDER BY priority'
(11)  sql : User not found in any groups
rlm_sql (sql): Released connection (7)
rlm_sql (sql): 0 of 3 connections in use.  Need more spares
rlm_sql (sql): Opening additional connection (8)
rlm_sql_mysql: Starting connect to MySQL server
(11)   [sql] = ok
(11)   [expiration] = noop
(11)   [logintime] = noop
(11)   [pap] = updated
(11)  } #  authorize = updated
(11) Found Auth-Type = PAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)  Auth-Type PAP {
(11)  pap : Login attempt with password
(11)  pap : User authenticated successfully
(11)   [pap] = ok
(11)  } # Auth-Type PAP = ok
(11) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(11)   post-auth {
(11)  sql : EXPAND .query
(11)  sql :    --> .query
(11)  sql : Using query template 'query'
rlm_sql (sql): Reserved connection (8)
(11)  sql : EXPAND %{User-Name}
(11)  sql :    --> yani at domaina.com
(11)  sql : SQL-User-Name set to 'yani at domaina.com'
(11)  sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(11)  sql :    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yani at domaina.com', 'poppl', 'Access-Accept', '2017-08-24 17:23:57')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yani at domaina.com', 'poppl', 'Access-Accept', '2017-08-24 17:23:57')'
rlm_sql (sql): Released connection (8)
(11)   [sql] = ok
(11)   [exec] = noop
(11)   remove_reply_message_if_eap remove_reply_message_if_eap {
(11)     if (&reply:EAP-Message && &reply:Reply-Message)
(11)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)    else else {
(11)     [noop] = noop
(11)    } # else else = noop
(11)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11)  } #  post-auth = ok
(11) Sending Access-Accept packet to host 10.64.4.111 port 36127, id=25, length=0
Sending Access-Accept Id 25 from 10.64.3.44:1812 to 10.64.4.111:36127
(11) Finished request
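As an added illustration (not code from the thread or from FreeRADIUS), the following Python models what the debug log above shows: the filter_username checks, the suffix module splitting User-Name into Stripped-User-Name and Realm, and the realm-aware radcheck lookup the poster sketches. The realm column, the second local realm domainb.com and the two "fred" rows are constructed for the example, using an in-memory sqlite3 table in place of MySQL.

```python
import re
import sqlite3

# Regexes copied from the filter_username checks in the debug log above.
REJECT_PATTERNS = [r" ", r"@.*@", r"\.\.", r"\.$", r"@\."]
# Realms configured with "authhost = LOCAL"; domainb.com is assumed here.
LOCAL_REALMS = {"domaina.com", "domainb.com"}


def filter_username(user_name):
    """True if User-Name passes the filter_username policy shown in the log."""
    if not user_name or any(re.search(p, user_name) for p in REJECT_PATTERNS):
        return False
    # An "@" must be followed by a dotted domain, else the name is rejected.
    if "@" in user_name and not re.search(r"@(.+)\.(.+)$", user_name):
        return False
    return True


def suffix(user_name):
    """Mimic rlm_realm 'suffix': return (Stripped-User-Name, Realm) or (name, None)."""
    if "@" not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit("@", 1)
    if realm not in LOCAL_REALMS:
        return user_name, None
    return stripped, realm


def make_db():
    """Constructed radcheck table carrying the extra 'realm' column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " realm TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck (username, realm, attribute, op, value)"
                   " VALUES (?, ?, ?, ?, ?)",
                   [("fred", "domaina.com", "Cleartext-Password", ":=", "pwA"),
                    ("fred", "domainb.com", "Cleartext-Password", ":=", "pwB")])
    return db


def lookup_check_items(db, user_name):
    """Realm-aware radcheck query keyed on stripped name and realm (bound params)."""
    if not filter_username(user_name):
        return None
    stripped, realm = suffix(user_name)
    if realm is None:
        return None
    rows = db.execute("SELECT attribute, op, value FROM radcheck"
                      " WHERE username = ? AND realm = ? ORDER BY id",
                      (stripped, realm)).fetchall()
    return rows or None
```

With the realm in the key, fred in domaina.com and fred in domainb.com resolve to different check items, whereas the query in the log keys only on the full SQL-User-Name.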


