<div>> Date: Mon, 23 Mar 2009 11:22:22 -0400</div><div>> From: Josh Hiner <<a href="mailto:josh@remc1.org">josh@remc1.org</a>></div><div>> Subject: Help checking group membership with FreeRadius</div><div>> To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a></div>
<div>> Message-ID: <<a href="mailto:200903231522.n2NFMNxv077788@mxdrop218.xs4all.nl">200903231522.n2NFMNxv077788@mxdrop218.xs4all.nl</a>></div><div>> Content-Type: text/plain; charset=UTF-8</div><div><br></div>
<div>> Currently we have a radius server that performs authentication off our samba domain controller for wireless users. This works great. I would like to limit users so they must be a member of the wireless group in order to connect. Since the /etc/group file is on a different server I believe I cannot use the etc_group module. Also, in order to use that module the user must have a valid account on the radius server as well.</div>
<div><br></div><div>> Any ideas on checking group membership? I use ntlm_auth in the mschap module for authentication in Freeradius ver 2.1.3-1.</div><div><br></div><div>i had a similar problem a few days ago</div><div>
<br></div><div>run "getent passwd username" to see if you can get a line like:</div><div>smith:*:100:3243::/home/smith:/usr/bin/sh</div><div><br></div><div>if you do, '3243' is the principal group ID of the user</div>
<div><br></div><div>my solution:<br></div><div><br></div><div>use a perl script 'chkgrpmembership.pl'. to check the group membership of the user. the script set 'Group' attribute if the user is found.</div>
<div><br></div><div>1. chkgrpmembership.pl</div><div><br></div><div><div>use strict;</div><div># use ...</div><div># This is very important ! Without this script will not get the filled hashesh from main.</div><div>use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);</div>
<div>use Data::Dumper;</div><div><br></div><div># This is hash wich hold original request from radius</div><div>#my %RAD_REQUEST;</div><div># In this hash you add values that will be returned to NAS.</div><div>#my %RAD_REPLY;</div>
<div>#This is for check items</div><div>#my %RAD_CHECK;</div><div><br></div><div>#</div><div># This the remapping of return values</div><div>#</div><div> use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */</div>
<div> use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */</div><div> use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */</div><div> use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */</div>
<div> use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */</div><div> use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */</div>
<div> use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */</div><div> use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */</div><div> use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */</div>
<div> use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */</div><div><br></div></div><div><div># Function to handle authorize</div><div>sub authorize {</div><div> my $getentResult = qx(getent passwd $RAD_REQUEST{'User-Name'});</div>
<div> my @resultArray = split ":", $getentResult;</div><div> my $arraySize = scalar @resultArray;</div><div> # Group ID 11184 = staff</div><div> # Group ID 12705 = student</div>
<div> if ($arraySize != 0) {</div><div> my $groupID = $resultArray[3];</div><div> if ($groupID == 11184) {</div><div> $RAD_REPLY{'Group'} = "Staff";</div>
<div> }</div><div> elsif ($groupID == 12705) {</div><div> $RAD_REPLY{'Group'} = "Student";</div><div> }</div>
<div><br></div><div> else {</div><div> # We only allow Staff and Student group</div><div> return RLM_MODULE_REJECT;</div><div> }</div>
<div> }</div><div> else {</div><div> #user no found in AD</div><div> return RLM_MODULE_REJECT;</div><div> }</div><div> return RLM_MODULE_OK;</div>
<div>}</div><div><br></div></div><div><br></div><div>2.add the following lines to the modules section of radius.conf</div><div>perl {<br> module = /etc/freeradius/chkgrpmembership.pl<br> func_authorize = authorize<br><pre>
</pre><pre> }</pre><pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;">3. In the Authorize section, uncomment 'files'. Then add a line containing 'perl' after it.<br>
<br>In the Authentication section add<br><br>Auth-Type Perl { </span></pre><pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;">perl</span></pre><pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;"> }</span></pre>
<pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;"><br>4. if you use EAP/TLS, you need to enable use_tunneled_reply, in (peap and/or ttls section) eap.conf</span></pre><pre>
<span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;">5. finally, you can a line to 'users' file</span></pre><pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;">DEFAULT Group != "wireless", Auth-Type := Reject</span></pre>
<pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;"><br></span></pre><pre><span class="Apple-style-span" style="font-family: arial; font-size: 13px; white-space: normal;">(Sorry for starting a new thread, i subscribed to the "digest" version of the mailing
list)</span></pre></div><div><br></div><div>Chris</div>