Selecting authentication based on NAS-IP-Address or Client IP Address
I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client. For example: If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah") If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda") If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx") I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client. I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites. Any help would be appreciated. Thanks for your help. JerLasVegas
Jeremiah Peterson wrote:
I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
For example:
If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah") If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda") If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")
Most of this can be done via "unlang". It has if/then/else checks, just like you wrote above. You can even update the control items to have "Home-Server-Pool := xxx".
I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client.
You can select the *source* for authentication credentials. You can't select the authentication *method*. The client selects that. (PAP, CHAP, etc.)
I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.
It's pretty simple: if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) { update control { Home-Server-Pool := "xxx" } } You can't edit the reply here, because it's set by the home server. You'll need to set the reply in post-auth. Alan DeKok.
Thanks Alan. I have been researching what you said and have seen from debug that the = code you gave me seems to be accepted by the server when it is = processed. I put the code in the authorize section of the = /etc/freeradius/sites-enabled/default. I get: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=3D9, = length=3D43 User-Name =3D "noo" User-Password =3D "smartcity123" # Executing section authorize from file = /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [IPASS] No '/' in User-Name =3D "noo", looking up realm NULL [IPASS] Found realm "DEFAULT" [IPASS] Adding Stripped-User-Name =3D "noo" [IPASS] Adding Realm =3D "DEFAULT" [IPASS] Proxying request from user noo to realm DEFAULT [IPASS] Preparing to proxy authentication request to realm "DEFAULT" ++[IPASS] returns updated ++? if (Packet-Src-IP-Address =3D=3D 10.10.10.10) expand: %{Packet-Src-IP-Address} -> 10.10.10.10 ? Evaluating (Packet-Src-IP-Address =3D=3D 10.10.10.10) -> TRUE ++? if (Packet-Src-IP-Address =3D=3D 10.10.10.10) -> TRUE ++- entering if (Packet-Src-IP-Address =3D=3D 10.10.10.10) {...} +++[control] returns updated ++- if (Packet-Src-IP-Address =3D=3D 10.10.10.10) returns updated [suffix] Request already proxied. Ignoring. ++[suffix] returns ok WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 122 to 10.200.0.1 port 1812 User-Name =3D "noo" User-Password =3D "test" NAS-IP-Address =3D 10.10.10.10 Proxy-State =3D 0x3130 Proxying request 0 to home server 10.200.0.1 port 1812 Sending Access-Request of id 122 to 10.200.0.1 port 1812 User-Name =3D "noo" User-Password =3D "test" NAS-IP-Address =3D 10.10.10.10 Proxy-State =3D 0x3130 Going to the next request So it looks like it evaluates the unlang correctly, but it doesn't = change the home server pool to the intended pool. Is the unlang supposed to be in the authorize section as I suspect? = (NEWPOOL is the pool I want to choose) Here is some config (the relevant part anyway) root@FreeRADIUS:/etc/freeradius# cat sites-enabled/default authorize { preprocess IPASS if(Packet-Src-IP-Address =3D=3D 10.10.10.10) { update control { Home-Server-Pool =3D NEWPOOL } } suffix } ........................................ root@FreeRADIUS:/etc/freeradius# cat proxy.conf proxy server { default_fallback =3D no } home_server default { type =3D auth+acct ipaddr =3D 10.200.0.1 port =3D 1812 secret =3D gdsa } home_server primary { type =3D auth+acct ipaddr =3D 10.100.0.1 port =3D 1812 secret =3D secret } home_server_pool DEFAULT { home_server =3D default } home_server_pool NEWPOOL { home_server =3D primary } realm DEFAULT { auth_pool =3D DEFAULT } I am still learning and researching. I just can't find enough = documentation out there which is why I turned to the mailing list. = Thanks for your assistance. On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] <ml-node+s1045715n5720262h64@n5.nabble.com> wrote:
Jeremiah Peterson wrote:
I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
For example:
If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah") If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda") If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")
Most of this can be done via "unlang". It has if/then/else checks, just like you wrote above. You can even update the control items to have "Home-Server-Pool := xxx".
I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client.
You can select the *source* for authentication credentials. You can't select the authentication *method*. The client selects that. (PAP, CHAP, etc.)
I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.
It's pretty simple:
if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) { update control { Home-Server-Pool := "xxx" } }
You can't edit the reply here, because it's set by the home server. You'll need to set the reply in post-auth.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Selecting-authentication-based-on-NA... To unsubscribe from FreeRADIUS, click here. NAML
Jeremiah Peterson wrote:
Thanks Alan.
I have been researching what you said and have seen from debug that the code you gave me seems to be accepted by the server when it is processed. I put the code in the authorize section of the /etc/freeradius/sites-enabled/default.
I get:
Well... it helps to read the debug output and think about what you've configured. I'll also note that the debug output shows you've made a *lot* of changes to the default configuration. So... it helps to understand the changes, before you make them. i.e. if you're not going to bother reading the debug output and thinking about it, I'm not going to bother doing that, either. Alan DeKok.
Well then I obviously have missed something in the debug output which should have been completely obvious but has not to this point been. I do appreciate your time and willingness to help. I have made a lot of changes to the default configuration because I am deploying a highly customized solution. I will go over the debug output again and see if I can figure out what I am missing and turn on a higher level of debugging. I was not trying to get a quick and easy solution without reading the debug output and I apologize if I came across that way. Thank you for the reply. Sent from my iPhone On May 21, 2013, at 5:06 PM, "Alan DeKok-2 [via FreeRADIUS]" < ml-node+s1045715n5720330h72@n5.nabble.com> wrote: Jeremiah Peterson wrote:
Thanks Alan.
I have been researching what you said and have seen from debug that the code you gave me seems to be accepted by the server when it is processed. I put the code in the authorize section of the /etc/freeradius/sites-enabled/default.
I get:
Well... it helps to read the debug output and think about what you've configured. I'll also note that the debug output shows you've made a *lot* of changes to the default configuration. So... it helps to understand the changes, before you make them. i.e. if you're not going to bother reading the debug output and thinking about it, I'm not going to bother doing that, either. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ------------------------------ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Selecting-authentication-based-on-NA... To unsubscribe from FreeRADIUS, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740692&code=Z2FtZXJqQGdtYWlsLmNvbXwyNzQwNjkyfC0xMjA3NTI4NDQ3> . NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
participants (2)
-
Alan DeKok -
Jeremiah Peterson