redirecting REJECTed users
I would like to send otherwise REJECTed users to a "suspended" ip pool and pass them. When things get rejected, it seems to abort processing (e.g. if I stick a perl module after pap, it doesn't get called if pap rejects), and it doesn't look like you can make them OK in the Post-Auth-Type REJECT section. Recommendations?
On 12 Feb 2016, at 12:53, Alan Batie <alan@peak.org> wrote:
I would like to send otherwise REJECTed users to a "suspended" ip pool and pass them. When things get rejected, it seems to abort processing (e.g. if I stick a perl module after pap, it doesn't get called if pap rejects), and it doesn't look like you can make them OK in the Post-Auth-Type REJECT section. Recommendations?
Do it in authenticate. You can override the priority/actions of return codes on a module call by module call basis e.g. authenticate { Auth-Type perl { perl { reject = 1 } if (reject) { # do extra things here } } } The NAS probably won't allow assignment unless you send back an accept though. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 2/12/16 1:03 PM, Arran Cudbard-Bell wrote:
authenticate { Auth-Type perl { perl { reject = 1 } if (reject) { # do extra things here } } }
The NAS probably won't allow assignment unless you send back an accept though.
Exactly, however it looks like Auth-Type has to be something in the dictionary from this error: Fri Feb 12 13:35:58 2016 : Auth: (0) Login incorrect (perl: Failed to create pair control:Auth-Type = Unknown-User): This perl module code does what I'm trying to do: sub authorize { if (!defined($RAD_CHECK{'Auth-Type'})) { &radiusd::radlog(L_DBG, "No Auth-Type,setting to Local to default to suspended pool"); $RAD_CHECK{'Auth-Type'} = 'Local'; } return RLM_MODULE_OK; } sub authenticate { # if user found, Auth-Type will be set to PAP if ($RAD_CHECK{'Auth-Type'} eq 'PAP') { # but if they give a bad password, put them in suspended pool if ($RAD_REQUEST{'User-Password'} ne $RAD_CHECK{'Cleartext-Password'}) { &radiusd::radlog(L_ERR, "Invalid password: " . $RAD_REQUEST{'User-Name'} . "/" . $RAD_REQUEST{'User-Password'}); $RAD_CHECK{'Pool-Name'} = "suspended"; } } else { # and if they don't even exist, put them in suspended pool too &radiusd::radlog(L_ERR, "Unknown user: " . $RAD_REQUEST{'User-Name'}); $RAD_CHECK{'Pool-Name'} = "suspended"; } return RLM_MODULE_OK; } with this in the site config: authorize { ... # pap perl } authenticate { Auth-Type PAP { perl } Auth-Type Local { perl } }
On Fri, Feb 12, 2016 at 02:03:14PM -0800, Alan Batie wrote:
On 2/12/16 1:03 PM, Arran Cudbard-Bell wrote:
authenticate { Auth-Type perl { perl { reject = 1 } if (reject) { # do extra things here } } }
The NAS probably won't allow assignment unless you send back an accept though.
Exactly, however it looks like Auth-Type has to be something in the dictionary from this error:
Auth-Type is an internal attribute. It's not sent back to the NAS. It should be 'Accept'. You need to send something else to your NAS to tell it to quarantine the user. For example it if is a switch you might set a different VLAN by sending back a different Tunnel-Private-Group-Id. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 2/12/16 2:12 PM, Matthew Newton wrote:
Auth-Type is an internal attribute. It's not sent back to the NAS. It should be 'Accept'.
You need to send something else to your NAS to tell it to quarantine the user. For example it if is a switch you might set a different VLAN by sending back a different Tunnel-Private-Group-Id.
That's what specifying a different ip pool does - it then gives the user a non-routable ip address (e.g. 10.99.x.x). At the moment, the main goal is keeping some misconfigured/suspended modems from spamming the logfile (they retry at relatively high rates on rejection), but eventually we'll use the mechanism to redirect users to a web site like most wireless hotspots do.
On 12 Feb 2016, at 14:34, Alan Batie <alan@peak.org> wrote:
On 2/12/16 2:12 PM, Matthew Newton wrote:
Auth-Type is an internal attribute. It's not sent back to the NAS. It should be 'Accept'.
You need to send something else to your NAS to tell it to quarantine the user. For example it if is a switch you might set a different VLAN by sending back a different Tunnel-Private-Group-Id.
That's what specifying a different ip pool does - it then gives the user a non-routable ip address (e.g. 10.99.x.x). At the moment, the main goal is keeping some misconfigured/suspended modems from spamming the logfile (they retry at relatively high rates on rejection), but eventually we'll use the mechanism to redirect users to a web site like most wireless hotspots do.
OK, then Matthew is correct. Just do everything in perl.authorize. The sections are mainly there as a basic framework. If your perl module does all the work, of authorization/authentication, and is never going to reject users, you can just do authorize { update control { Auth-Type := Accept } perl } and omit the authenticate section entirely. Sometimes it's better to ignore the standard progression of the server if what you're doing doesn't fit with the traditional AAA model. FreeRADIUS is pretty flexible in what it allows. There's almost always a way to alter the standard behaviour of the server at any given point, you just need to figure out what it is ;) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan Batie -
Arran Cudbard-Bell -
Matthew Newton