I built a new lab with Freeradius 1.x, Cisco ASA, RSA-OTP and RSARadius Box. All is working perfectly...because, Freeradius 1.x is parsing TWICE the authorize section (as it is said in the proxy.conf comment, once before the proxy request and one after). So it asks twice my LDAP server the attributes i need (Class+Framed-IP-Address). And with the second call, the Access-Accept contains all the reply attributes i need... Sending Access-Accept of id 226 to 192.168.1.2:1025 Framed-MTU = 576 Service-Type = Framed-User Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP ==> Class = 0x646976696e666f ==> Framed-IP-Address = 1.2.3.4 Finished request 0 Going to the next request So, the thing i'd like to do with Freeradius v2.1 is to insert a "ldap" authorization in the post_proxy section of my config. and when i insert such a directive, it rejects me... /etc/freeradius/sites-enabled/default[470]: "LDAP" modules aren't allowed in 'post-proxy' sections -- they have no such method. /etc/freeradius/sites-enabled/default[456]: Errors parsing post-proxy section. Any idea/tip? Thanks in advance, rgds Paul. Paul TAVERNIER wrote:
Hi all,
I run with Freeradius 2.1, CiscoASA and RSASecurid "OTP"+RSARadius.
I set my CiscoASA to authenticate against freeradius. On this freeradius server, i created a realm "OTP" which proxy the request to a RSARadius (the only one who can ask RSAOTP Securid database). So when i authenticate with myuserlogin@OTP/Passcode with my CiscoVPNclient, the authentication is successful. No pb. Here's the log:
======(log) [suffix] Looking up realm "otp" for User-Name = "xxxxxxxxxx@otp" [suffix] Found realm "otp" [suffix] Adding Stripped-User-Name = "xxxxxxxxxx" [suffix] Adding Realm = "otp" [suffix] Proxying request from user xxxxxxxxxx to realm otp [suffix] Preparing to proxy authentication request to realm "otp" ++[suffix] returns updated ... rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4, length=85 Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198 Proxy-State = 0x313530 ======(end of log)
The second thing i want to do is to "import" the user's "policy group" (radiusClass) and its own IP Address (radiusFramedIPAddress). Those attributes are located in a LDAP directory server. So i decided to add the "ldap" module in the authorization section of my freeradius conf files. In the logs, i clearly see that freeradius is doing a great job (asking and receiving my ldap attrs)
======(log) [ldap] performing user authorization for xxxxxxxxxx WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xxxxxxxxxx) expand: o=gouv,c=fr -> o=gouv,c=fr rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection ... rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xxxxxxxxxx) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... rlm_ldap: radiusClass -> Class = 0x646976696e666f rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user xxxxxxxxxxx authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ======(end of log)
My problem is that that finally i get 2 successful auth (i interpret it like these sorry...), and Freeradius "chooses" Auth-Type=Accept (ProxyRSARadius Response which doesn't contain my class and framedipaddress i need to push to my CiscoASA)
======(log) Found Auth-Type = LDAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'xxxxxxxxxxx' Auth-Type = Accept, accepting the user +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 150 to 192.168.1.2 port 1025 Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018 Finished request 0. ======(end of log)
In other words (sorry for being so long), i would love to authenticate againt my OTP RSASecurid boxes and concatenate Radius attributes found in a LDAP directory...
Where should i go? post_proxy module?
Any help would be greatly appreciated.
Kind regards, Paul