On 24/08/17 17:23, Alan DeKok wrote:
On Aug 24, 2017, at 10:24 AM, yani@ecoco.co.uk wrote:
radiusd -v radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 17 2017 at 18:49:55 I would suggest using 3.0.15. It has a lot of fixes over 3.0.4.
I want to be able to authenticate users to my email service and manage them according to the domain they belong to so fred@domaina.com is not the same as fred@domainb.com. But in both cases the first part is the login user name within the domain. That's a pretty common requirement. Yep
I have looked at freeradius virtual servers - Virtual servers are largely for separating functionality. i.e. WiFi rules in one virtual server, DSL rules in another, and VPN rules in a third virtual server.
and have considered using free radius realms dont see how either are actually the way forward - It seems that virtual servers will need a database system creating for every instance( am i actually correct here) No. good suspected I was wrong, but needed confirmation.
and that realms are really for forwarding requests to other free radius servers - when all i need at the moment is a single server handling multiple domain based login groups. Realms are often used for forwarding, but they don't need to be.
I understand from the documentation that I can create a local realm like this
realm domaina.com { type= radius authhost= LOCAL accthost= LOCAL Yes.
I suspect I'm on the right track here - but haven't figured out how to create users in the database/system that reflect this
Please advise on the most appropriate way of configuring freeradius to achieve logins for multiple internet domains. The bigger question is where are the users stored right now? What kind of database contains the name / password for each user? What is the schema used there?
Once you know that, you just configure FreeRADIUS to query the database. It should be about 10 minutes work.
I wouldn't suggest creating users via the default SQL schema. That's largely for ISP functionality, and will likely not work well for you.
For enterprises we just recommend that FreeRADIUS look at the existing enterprise DB.
i.e. you don't mangle your data to make FreeRADIUS happy. That's a lot of work. Instead, you configure 1-2 simple queries in FreeRADIUS, so that it pulls the correct information from your existing database. That's *much* easier.
Alan DeKok.
Thank you for the quick reply, I'm just a newbie with Freeradius, trying to understand its modus operandi :) I have come to the conclusion that I will need to modify the schema and change the way in which the db is queried after seeing the output below for a test user in the test domain domaina.com . I'm using a mysql back end at the moment. and this system is not live - still in development. ( I've wanted to get radius working for years and only just found the time.) I suppose it's really only adding a realm field to the radius.radcheckdb and using that in the subsequent queries. something like : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' and realm = {whatever_realm_is } ORDER BY id if this is what you mean by mangling the data then I'm still missing something - ie how to best relate users to realms/domains. Received Access-Request Id 25 from 10.64.4.111:36127 to 10.64.3.44:1812 length 86 User-Name = 'yani@domaina.com' User-Password = 'poppl' NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f (11) Received Access-Request packet from host 10.64.4.111 port 36127, id=25, length=86 (11) User-Name = 'yani@domaina.com' (11) User-Password = 'poppl' (11) NAS-IP-Address = 127.0.1.1 (11) NAS-Port = 0 (11) Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) filter_username filter_username { (11) if (!&User-Name) (11) if (!&User-Name) -> FALSE (11) if (&User-Name =~ / /) (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@.*@/ ) (11) if (&User-Name =~ /@.*@/ ) -> FALSE (11) if (&User-Name =~ /\\.\\./ ) (11) if (&User-Name =~ /\\.\\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\\.$/) (11) if (&User-Name =~ /\\.$/) -> FALSE (11) if (&User-Name =~ /@\\./) (11) if (&User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix : Checking for suffix after "@" (11) suffix : Looking up realm "domaina.com" for User-Name = "yani@domaina.com" (11) suffix : Found realm "domaina.com" (11) suffix : Adding Stripped-User-Name = "yani" (11) suffix : Adding Realm = "domaina.com" (11) suffix : Authentication realm is LOCAL (11) [suffix] = ok (11) eap : No EAP-Message, not doing EAP (11) [eap] = noop (11) [files] = noop (11) sql : EXPAND %{User-Name} (11) sql : --> yani@domaina.com (11) sql : SQL-User-Name set to 'yani@domaina.com' rlm_sql (sql): Reserved connection (7) (11) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (11) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yani@domaina.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'yani@domaina.com' ORDER BY id' (11) sql : User found in radcheck table (11) sql : Check items matched (11) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (11) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'yani@domaina.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'yani@domaina.com' ORDER BY id' (11) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (11) sql : --> SELECT groupname FROM radusergroup WHERE username = 'yani@domaina.com' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'yani@domaina.com' ORDER BY priority' (11) sql : User not found in any groups rlm_sql (sql): Released connection (7) rlm_sql (sql): 0 of 3 connections in use. Need more spares rlm_sql (sql): Opening additional connection (8) rlm_sql_mysql: Starting connect to MySQL server (11) [sql] = ok (11) [expiration] = noop (11) [logintime] = noop (11) [pap] = updated (11) } # authorize = updated (11) Found Auth-Type = PAP (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Auth-Type PAP { (11) pap : Login attempt with password (11) pap : User authenticated successfully (11) [pap] = ok (11) } # Auth-Type PAP = ok (11) # Executing section post-auth from file /etc/raddb/sites-enabled/default (11) post-auth { (11) sql : EXPAND .query (11) sql : --> .query (11) sql : Using query template 'query' rlm_sql (sql): Reserved connection (8) (11) sql : EXPAND %{User-Name} (11) sql : --> yani@domaina.com (11) sql : SQL-User-Name set to 'yani@domaina.com' (11) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (11) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yani@domaina.com', 'poppl', 'Access-Accept', '2017-08-24 17:23:57') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'yani@domaina.com', 'poppl', 'Access-Accept', '2017-08-24 17:23:57')' rlm_sql (sql): Released connection (8) (11) [sql] = ok (11) [exec] = noop (11) remove_reply_message_if_eap remove_reply_message_if_eap { (11) if (&reply:EAP-Message && &reply:Reply-Message) (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (11) else else { (11) [noop] = noop (11) } # else else = noop (11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (11) } # post-auth = ok (11) Sending Access-Accept packet to host 10.64.4.111 port 36127, id=25, length=0 Sending Access-Accept Id 25 from 10.64.3.44:1812 to 10.64.4.111:36127 (11) Finished request
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html