Hello. We're running freeradius 1.0.5 on SLES9, and are trying to set up FR to work against a cisco vpn concentrator. We're using rlm_passwd as backends, both crypt and mschapv2-hashes.(NT-Password) As we've got different groups in vpn, we need to set the Class -attribute in replies sent back to the NAS. This Class -attribute is based on with password file (rlm_passwd) that had the user in question. Previously I've just hacked this together with Exec-Program-Wait in the users -file and a shell script, but I'm now looking for a cleaner solution. Any help appriciated. -- Lasse
Lasse Karstensen wrote:
We're running freeradius 1.0.5
You should upgrade. http://freeradius.org/security.html
This Class -attribute is based on with password file (rlm_passwd) that had the user in question.
Ok...
Previously I've just hacked this together with Exec-Program-Wait in the users -file and a shell script, but I'm now looking for a cleaner solution.
The passwd module would work well. What's wrong with that? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok:
Lasse Karstensen wrote:
We're running freeradius 1.0.5 You should upgrade. http://freeradius.org/security.html
This is (hopefully) already patched by the SUSE Security team.
This Class -attribute is based on with password file (rlm_passwd) that had the user in question. Ok... Previously I've just hacked this together with Exec-Program-Wait in the users -file and a shell script, but I'm now looking for a cleaner solution. The passwd module would work well. What's wrong with that?
I probably was a bit unclear. radiusd.conf: """ passwd foo_smbpasswd { filename = /etc/raddb/var/foo-smbpasswd.ntlm format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" hashsize = 10000 ignorenislike = no allowmultiplekeys = no } passwd foo_passwd { filename = /etc/raddb/var/foo-passwd.crypt format = "*Stripped-User-Name:Crypt-Password:" hashsize = 10000 ignorenislike = no allowmultiplekeys = no } """ This exists both for foo and bar, ie there are two different sets of password files. Further down: """ authorize { suffix eap mschap files foo_passwd foo_smbpasswd bar_passwd bar_smbpasswd } """ In the users file: """ DEFAULT Exec-Program-Wait = "/usr/local/bin/deduceClass /etc/raddb/var/bar-passwd.crypt", Fall-Through = Yes """ deduceClass has the pseudocode: class=foo if user exists in bar-passwd.crypt: class = bar print "Class = $class" This seems to add the Class attribute to auth-accept packets. So. What I want, is to set the Class attribute to either 'foo' or 'bar', so that our vpn concentrator can differ between the two. -- Lasse
Lasse Karstensen wrote:
class=foo if user exists in bar-passwd.crypt: class = bar print "Class = $class"
See doc/configurable_failover. You can conditionally control which modules get executed, based on whether or not a user was found by another module. authorize { suffix eap mschap files group { foo_passwd { notfound = return } foo_files } ... } Where "foo_files" is a variant of the "files" module, which "users" file entries specifically to add Class for "foo". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Lasse Karstensen