How to set User-Profile for roaming (proxied) users
Hi all, First an overview: - I'm running Freeradius 2.2.5 with local users in SQL database - We have roaming users utilizing our network infrastructure, but these users do not exist in our own local database and need to be proxied for authentication/accounting - normal proxying and authentication/accounting is going well. Setup: Roaming user <-> OUR_INFRA+RADIUS <-> ROAMING_RADIUS Since it's an international roaming agreement, I have configured a catch-all REALM which do not match our owns to be send their: realm "~.+$" { pool = ROAMING nostrip } I now want to assign a user-profile for these users so that I can pre-authorize them using our own policies. For example: 1) roaming is only allowed on weekends and weektime during evenings 2) per user, only 1 roaming session is allowed 3) per user volume limiting based on a user-profile for this roaming agreement (User-Profile := "roaming") I've tried both methods below to set this in the authorize section as follows: authorize{ ... sql if (notfound} update control { User-Profile := "roaming" } } realm "~.+$" { pool = ROAMING nostrip update control { User-Profile := "roaming" } } but none are working, i've also tried proxy-request and request as update statements. How can I assign profiles to roaming users who do not exist in our local database for authentication, but are accounted for locally. Thx, Jonathan
Some post-proxy action. I hope this isn't for eduroam! ;) alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Jonathan wrote:
- I'm running Freeradius 2.2.5 with local users in SQL database - We have roaming users utilizing our network infrastructure, but these users do not exist in our own local database and need to be proxied for authentication/accounting - normal proxying and authentication/accounting is going well.
That's all good.
Setup: Roaming user <-> OUR_INFRA+RADIUS <-> ROAMING_RADIUS
Since it's an international roaming agreement, I have configured a catch-all REALM which do not match our owns to be send their:
realm "~.+$" { pool = ROAMING nostrip }
Hmm... why? The DEFAULT realm exists for precisely this purpose. See raddb/proxy.conf.
I now want to assign a user-profile for these users so that I can pre-authorize them using our own policies.
OK. The User-Profile in FreeRADIUS isn't used for much. Maybe LDAP, IIRC.
For example:
1) roaming is only allowed on weekends and weektime during evenings 2) per user, only 1 roaming session is allowed 3) per user volume limiting based on a user-profile for this roaming agreement (User-Profile := "roaming")
I've tried both methods below to set this in the authorize section as follows:
authorize{ ... sql if (notfound} update control { User-Profile := "roaming" } }
What do you expect that to do? All it does is set an attribute. It doesn't do anything *else* with it.
realm "~.+$" { pool = ROAMING nostrip update control { User-Profile := "roaming" } }
That won't work. No documentation says you can put an "update" section into a "realm" configuration.
but none are working, i've also tried proxy-request and request as update statements.
Why?
How can I assign profiles to roaming users who do not exist in our local database for authentication, but are accounted for locally.
You don't assign "profiles", for one. You can't just set "User-Profile = roaming" and expect tons of things to magically start working. You have to configure each thing individually. Then, put them all together. i.e. if you don't use the "User-Profile" attribute for *local* users, setting it for roaming users won't do anything. So for your list above, you've got to check (1), in the "authorize" section, after the "suffix" module: if (realm == DEFAULT && time is weekend or evening) { reject } See "man unlang" for syntax. See the logintime module for how to check dates and time ranges. (2) Set "Simultaneous-Use = 1" for all the roaming users. (3) volume limiting isn't in standard RADIUS. See your NAS documentation for how to configure it. Alan DeKok.
realm "~.+$" { pool = ROAMING nostrip }
Hmm... why? The DEFAULT realm exists for precisely this purpose. See raddb/proxy.conf.
I started with using just the DEFAULT realm, but for some reason, Freeradius then decides not to correctly populate the REALM attribute anymore and just replaces any "@foobar value" with the "DEFAULT" keyword. The regex matchall seems to overcome this limitation
OK. The User-Profile in FreeRADIUS isn't used for much. Maybe LDAP, IIRC.
The user we are referring to in the User-Profile, namely "roaming" is existing in our SQL database and having specific check attributes. I'm just trying roaming users which are not local to our system to inherit specific check attributes for authorization. However, i'm not sure how to do this, I've also tried with setting the SQL-Group, but that isn't supported (setting a virtual attribute is not supported)
authorize{ ... sql if (notfound} update control { User-Profile := "roaming" } }
What do you expect that to do? All it does is set an attribute. It doesn't do anything *else* with it.
I was hoping that it actually would do something :)
realm "~.+$" { pool = ROAMING nostrip update control { User-Profile := "roaming" } }
That won't work. No documentation says you can put an "update" section into a "realm" configuration.
I found out that myself as well, I did this, because it would make it easy to have this: realm "bar" { } realm "foo" { } realm "~.+$" { # match whatever was not matched before as we know this would be roaming users. #We have no idea which realm they will have so from now on, we need a way to know who's roaming and who's not. update "something"... foobar } I didn't feel like matching all our local realms, You cannot match on Realm=LOCAL as if none is there, value will be NULL, and in case of "bar" + "foo" they will be that. Unless there is an easier way of differentiating?
(2) Set "Simultaneous-Use = 1" for all the roaming users.
(3) volume limiting isn't in standard RADIUS. See your NAS documentation for how to configure it.
I'm very well aware of that, but the RADIUS should not authorize the roaming user if he has exceeded his monthly volume profile Regards, Jonathan
Jonathan wrote:
I started with using just the DEFAULT realm, but for some reason, Freeradius then decides not to correctly populate the REALM attribute anymore and just replaces any "@foobar value" with the "DEFAULT" keyword. The regex matchall seems to overcome this limitation
OK.
The user we are referring to in the User-Profile, namely "roaming" is existing in our SQL database and having specific check attributes. I'm just trying roaming users which are not local to our system to inherit specific check attributes for authorization.
Do the SQL qeuries use the User-Profile attribute? Or the radcheck table checks for User-Profile?
What do you expect that to do? All it does is set an attribute. It doesn't do anything *else* with it.
I was hoping that it actually would do something :)
It does. But please be *helpful* with your questions. So far, it's been "I set User-Profile, but it doesn't work". Well... setting User-Profile does nothing more than set User-Profile. If you want something ELSE to happen, you've got to configure that. And it helps to explain WHAT you're trying to do. It's annoying to have to drag information out of people. "Oh, I didn't say... I'm already using User-Profile for a bunch of other stuff" We're not mind readers. We don't know what you've configured on your local system until you explain it.
That won't work. No documentation says you can put an "update" section into a "realm" configuration.
I found out that myself as well, I did this, because it would make it easy to have this:
I have no idea what that means. You're assuming that the server works a particular way (which it doesn't), and then trying to come up with "solutions" or proposals based on those assumptions. Please don't do that. The server behaves as documented. If there's no documentation saying you can do something, then you can't do it.
I didn't feel like matching all our local realms, You cannot match on Realm=LOCAL as if none is there, value will be NULL, and in case of "bar" + "foo" they will be that. Unless there is an easier way of differentiating?
I have no idea what that means.
(3) volume limiting isn't in standard RADIUS. See your NAS documentation for how to configure it.
I'm very well aware of that, but the RADIUS should not authorize the roaming user if he has exceeded his monthly volume profile
So.... write SQL queries to CHECK the total monthly volume for the user. Then, reject the user if the volume is higher than allowed. The pieces are all there, and documented. What is NOT documented is exactly how to configure FreeRADIUS for your specific system. Unfortunately, RADIUS is a *lot* more complicated than DNS or DHCP. So there is a lot more variation, and RADIUS admins have to do a lot more thinking than DNS or DHCP admins. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Jonathan