<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hello all :)<o:p></o:p></p>
<p class=MsoNormal>So after getting my testing box current with FR 2.1.5 I have
my config 97% there, but I am having a interesting situation occur that I am
hoping is fairly straight forward.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Overview of config.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>User accounts authenticated against Kerberos KDC (Working
100%)<o:p></o:p></p>
<p class=MsoNormal>User Account Attributes held in LDAP, LM Hash for PEAP,
Blacklist (if you are in there you are denied) (working 100%) I cannot
inject values into LDAP, would like to but cannot...<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So all that is left is a little authorization work. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>In my passwd module I have the following. (made sense to
have the group name appear as if it came from the authenticator... hence the ~)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal> passwd noc_group
{<o:p></o:p></p>
<p class=MsoNormal>
filename = /usr/local/etc/raddb/group<o:p></o:p></p>
<p class=MsoNormal>
format = "~Group-Name:*,User-Name"<o:p></o:p></p>
<p class=MsoNormal>
hashsize = 50<o:p></o:p></p>
<p class=MsoNormal>
ignorenislike = yes<o:p></o:p></p>
<p class=MsoNormal>
allowmultiplekeys = yes<o:p></o:p></p>
<p class=MsoNormal>
delimiter = ":"<o:p></o:p></p>
<p class=MsoNormal> }<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>the "Group" file is formatted<o:p></o:p></p>
<p class=MsoNormal>NOC:Usernamea,Usernameb etc<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here is where I get a touch lost. The noc_group
section appears to be working, when I look at the debug output it is properly
finding the usernames in the list and reports<o:p></o:p></p>
<p class=MsoNormal>[noc_group] Added Group-Name: 'NOC' to request_items<o:p></o:p></p>
<p class=MsoNormal>++[noc_group] returns ok<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Now where to go from here... Let me start by where I
would like to go... I would like to have a block of vendor specific radius
attributes sent back in the access accept (assuming they passed
authentication...) This way when folks log into network devices they are
granted the correct level of access (like with our switches... Some people are
granted read only access to verify certain aspects, and admins who get read
write, so while I am starting with the admin group there will be other groups with
different vendor specific attr's I would like to have sent for them.) I
am assuming unlang will be the way to go however when I attempt to utilize this
method I fail (Radius will not start as currently I am simply trying to append
a Reply message when NOC-Group scores a hit.<o:p></o:p></p>
<p class=MsoNormal>I have tried this in the post-auth section within default in
sites-enabled.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal> if
(%{request:Group-Name} == "NOC") {<o:p></o:p></p>
<p class=MsoNormal>
Reply-Message = 'Noc-Group Match'<o:p></o:p></p>
<p class=MsoNormal> }<o:p></o:p></p>
<p class=MsoNormal>I receive "Unknown action 'NOC-Group Match' and
radius does not load. (Error Initializing Modules)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So where should I be placing the unlang code and what
parameters does it understand and can pass to and from the daemon.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thank you<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Larry <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>