schilling <schilling2006@gmail.com> wrote:
Where should I put the perl script? I already have a perl module for another virtual server to use radscript.
I also tried unlang in post-auth, like if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) { update outer.reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } }
I cannot recommend more *not* to do your authorisation in the inner tunnel, and instead to pass it back on out. There are a number of reasons, clarity including, but especially you then can make use of the reject path... Incase it helps, this is what we (a small-medium university in the UK) do. In our eap block we set (we use TTLS, however it should be the same for PEAP): ---- eap { ... ttls { ... copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "auth" } ... } Then we have a 'auth' virtual server: ---- server auth { authorize { if ((outer.request:EAP-Message)) { update outer.request { User-Name := "%{request:User-Name}" } update reply { User-Name := "%{request:User-Name}" } } validate_username suffix if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") { update outer.reply { Reply-Message := "Realm is '%{Realm}' on Inside" } reject } # if the password is passed to us use it, otherwise yank it from LDAP if ((outer.request:Cleartext-Password)) { update control { Cleartext-Password := "%{outer.request:Cleartext-Password}" } } else { ldap-login # some accounts are glitched and do not have a UP :( if (ok && !(control:Cleartext-Password)) { update outer.reply { Reply-Message := "No eDirectory UP" } reject } } pap chap mschap update reply { Auth-Type := "%{control:Auth-Type}" } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MSCHAP { mschap } } } ---- We are 'blessed' with Novhell, so 'ldap-login' populated Cleartext-Password from eDirectory if present, your approach would be different (the interesting bit is if you set 'request:Cleartext-Password' in your outer layer before calling 'eap', which is a handy hook for a NAGIOS RADIUS hook (letting you test authentication with eapol_test[1] and remove the AD component from the equation. Once the 'auth' virtual server finishes, you will find in the outer layer for *successful* authentications, 'reply:User-Name' is the inner username whilst for *failure* authentications you want to use 'request:User-Name'.
I did map something to fooEmployeeStatus in ldap.attrmaps Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors parsing post-auth section.
How can I reference User-Name in post-auth section of inner-tunnel?
In your outer post-auth section then I would recommend the following unlang (prime the defaults, and use the attributes to fixup what you want the final result to be): ---- post-auth { ... # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request # Cisco only support a max of 65535 Session-Timeout := 64800 Acct-Interim-Interval := 3600 } if ( User-Name =~ /@/ && (fooEmployeeStatus) ) { update reply { Tunnel-Private-Group-Id := "facstaff" } } ... } ---- If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.h... Cheers [1] http://deployingradius.com/scripts/eapol_test/ -- Alexander Clouter .sigmonster says: Never ask the barber if you need a haircut.