Hi Alexander, I am trying to play with your configuration, basically I have a virtual server call auth as your example, and modified my eap.conf for peap to use auth. what's the config:local.MY.realm? My debug showed [suffix] Looking up realm "foo.edu" for User-Name = "sding@foo.edu"^M [suffix] Found realm "foo.edu"^M [suffix] Adding Stripped-User-Name = "sding"^M [suffix] Adding Realm = "foo.edu"^M [suffix] Authentication realm is LOCAL.^M ++[suffix] returns ok^M ++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" )^M ?? Evaluating (outer.request:EAP-Message) -> TRUE^M expand: local.MY.realm -> local.MY.realm^M WARNING: No such configuration item local.MY.realm^M expand: %{config:local.MY.realm} -> ^M ? Evaluating (Realm != "%{config:local.MY.realm}" ) -> TRUE^M ++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) -> TRUE^M ++- entering if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) {...}^M expand: Realm is '%{Realm}' on Inside -> Realm is 'foo.edu' on Inside^M +++[outer.reply] returns ok^M +++[reject] returns reject^M ++- if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) returns reject^M } # server auth^M Thanks, Schilling On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter <alex@digriz.org.uk> wrote:
schilling <schilling2006@gmail.com> wrote:
Where should I put the perl script? I already have a perl module for another virtual server to use radscript.
I also tried unlang in post-auth, like if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) { update outer.reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } }
I cannot recommend more *not* to do your authorisation in the inner tunnel, and instead to pass it back on out. There are a number of reasons, clarity including, but especially you then can make use of the reject path...
Incase it helps, this is what we (a small-medium university in the UK) do. In our eap block we set (we use TTLS, however it should be the same for PEAP): ---- eap { ...
ttls { ... copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "auth" }
... }
Then we have a 'auth' virtual server: ---- server auth { authorize { if ((outer.request:EAP-Message)) { update outer.request { User-Name := "%{request:User-Name}" } update reply { User-Name := "%{request:User-Name}" } }
validate_username
suffix
if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") { update outer.reply { Reply-Message := "Realm is '%{Realm}' on Inside" } reject }
# if the password is passed to us use it, otherwise yank it from LDAP if ((outer.request:Cleartext-Password)) { update control { Cleartext-Password := "%{outer.request:Cleartext-Password}" } } else { ldap-login
# some accounts are glitched and do not have a UP :( if (ok && !(control:Cleartext-Password)) { update outer.reply { Reply-Message := "No eDirectory UP" } reject } }
pap chap mschap
update reply { Auth-Type := "%{control:Auth-Type}" } }
authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MSCHAP { mschap } } } ----
We are 'blessed' with Novhell, so 'ldap-login' populated Cleartext-Password from eDirectory if present, your approach would be different (the interesting bit is if you set 'request:Cleartext-Password' in your outer layer before calling 'eap', which is a handy hook for a NAGIOS RADIUS hook (letting you test authentication with eapol_test[1] and remove the AD component from the equation.
Once the 'auth' virtual server finishes, you will find in the outer layer for *successful* authentications, 'reply:User-Name' is the inner username whilst for *failure* authentications you want to use 'request:User-Name'.
I did map something to fooEmployeeStatus in ldap.attrmaps Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors parsing post-auth section.
How can I reference User-Name in post-auth section of inner-tunnel?
In your outer post-auth section then I would recommend the following unlang (prime the defaults, and use the attributes to fixup what you want the final result to be): ---- post-auth { ...
# defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised"
Termination-Action := RADIUS-Request
# Cisco only support a max of 65535 Session-Timeout := 64800
Acct-Interim-Interval := 3600 }
if ( User-Name =~ /@/ && (fooEmployeeStatus) ) { update reply { Tunnel-Private-Group-Id := "facstaff" } }
... } ----
If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.h...
Cheers
[1] http://deployingradius.com/scripts/eapol_test/
-- Alexander Clouter .sigmonster says: Never ask the barber if you need a haircut.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html