Chris Li, thanks a ton for your help. I can get this working for eap TLS but with eap-PEAPv0 I get this error: [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { PEAP: Setting User-Name to ISD\josh Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ISD\\josh" State = 0xa686dd06a78cc76c35334009429a07b1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL [IPASS] No such realm "NULL" ++[IPASS] returns noop [suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh" [ntdomain] Found realm "ISD" [ntdomain] Adding Stripped-User-Name = "josh" [ntdomain] Adding Realm = "ISD" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "josh" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "josh" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 8 to 172.17.10.108 port 1033 EAP-Message = 0x010b00261900170301001b3604d13d0348525fc0da7fb57847a2e3e7c0995ef64dc26d03e5f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x18eefc7e11e5e513bc32a3648b8a8dfe Finished request 9. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1033, id=9, length=223 User-Name = "ISD\\josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:83:b9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-83-B9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020b00261900170301001bf8693c66e10727a640fdd7d4432aba5afcb58462b98042741be971 State = 0x18eefc7e11e5e513bc32a3648b8a8dfe Message-Authenticator = 0x406f661f705976d392674ede06796d3c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL [IPASS] No such realm "NULL" ++[IPASS] returns noop [suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh" [ntdomain] Found realm "ISD" [ntdomain] Adding Stripped-User-Name = "josh" [ntdomain] Adding Realm = "ISD" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 11 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 2 cli 00-0E-35-B6-74-AF) +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 9 to 172.17.10.108 port 1033 User-Name = "josh" MS-MPPE-Recv-Key = 0x9a9849388930a1ee1c9295db2e44143488cf68c70f335118b63ec9b9c8c34572 MS-MPPE-Send-Key = 0x3e38a97b67776c1fefba416dc6256ad27eeb7983a76f666bb1ed10985fe03cd0 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 10. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 255 with timestamp +41 Cleaning up request 1 ID 0 with timestamp +41 Cleaning up request 2 ID 1 with timestamp +41 Cleaning up request 3 ID 2 with timestamp +41 Cleaning up request 4 ID 3 with timestamp +41 Cleaning up request 5 ID 4 with timestamp +41 Cleaning up request 6 ID 5 with timestamp +41 Cleaning up request 7 ID 6 with timestamp +41 Cleaning up request 8 ID 7 with timestamp +41 Cleaning up request 9 ID 8 with timestamp +41 Cleaning up request 10 ID 9 with timestamp +41 Ready to process requests. And I think its right because the eap-username is ISD\josh and the returned user-name from the perl module is ISD\\josh. I did set use_tunneled reply in eap.conf. Any ideas? Thanks! -Josh Chris Li wrote:
Date: Mon, 23 Mar 2009 11:22:22 -0400 From: Josh Hiner <josh@remc1.org <mailto:josh@remc1.org>> Subject: Help checking group membership with FreeRadius To: freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org> Message-ID: <200903231522.n2NFMNxv077788@mxdrop218.xs4all.nl <mailto:200903231522.n2NFMNxv077788@mxdrop218.xs4all.nl>> Content-Type: text/plain; charset=UTF-8
Currently we have a radius server that performs authentication off our samba domain controller for wireless users. This works great. I would like to limit users so they must be a member of the wireless group in order to connect. Since the /etc/group file is on a different server I believe I cannot use the etc_group module. Also, in order to use that module the user must have a valid account on the radius server as well.
Any ideas on checking group membership? I use ntlm_auth in the mschap module for authentication in Freeradius ver 2.1.3-1.
i had a similar problem a few days ago
run "getent passwd username" to see if you can get a line like: smith:*:100:3243::/home/smith:/usr/bin/sh
if you do, '3243' is the principal group ID of the user
my solution:
use a perl script 'chkgrpmembership.pl'. to check the group membership of the user. the script set 'Group' attribute if the user is found.
1. chkgrpmembership.pl
use strict; # use ... # This is very important ! Without this script will not get the filled hashesh from main. use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use Data::Dumper;
# This is hash wich hold original request from radius #my %RAD_REQUEST; # In this hash you add values that will be returned to NAS. #my %RAD_REPLY; #This is for check items #my %RAD_CHECK;
# # This the remapping of return values # use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */ use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */ use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */ use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */ use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */ use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */ use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */
# Function to handle authorize sub authorize { my $getentResult = qx(getent passwd $RAD_REQUEST{'User-Name'}); my @resultArray = split ":", $getentResult; my $arraySize = scalar @resultArray; # Group ID 11184 = staff # Group ID 12705 = student if ($arraySize != 0) { my $groupID = $resultArray[3]; if ($groupID == 11184) { $RAD_REPLY{'Group'} = "Staff"; } elsif ($groupID == 12705) { $RAD_REPLY{'Group'} = "Student"; }
else { # We only allow Staff and Student group return RLM_MODULE_REJECT; } } else { #user no found in AD return RLM_MODULE_REJECT; } return RLM_MODULE_OK; }
2.add the following lines to the modules section of radius.conf perl { module = /etc/freeradius/chkgrpmembership.pl func_authorize = authorize } 3. In the Authorize section, uncomment 'files'. Then add a line containing 'perl' after it.
In the Authentication section add
Auth-Type Perl { perl }
4. if you use EAP/TLS, you need to enable use_tunneled_reply, in (peap and/or ttls section) eap.conf 5. finally, you can a line to 'users' file DEFAULT Group != "wireless", Auth-Type := Reject
(Sorry for starting a new thread, i subscribed to the "digest" version of the mailing list)
Chris ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html