Reply with group attribute
Hello all I'm terribly new to RADIUS, so please excuse my ignorance. What I'm looking for (and can't find in neither man nor wiki nor google) is how to send back the group an authenticated user is in together with the authentication result. I have a VPN gateway that authenticates users against freeradius, using the unix authentication scheme (the users are all real unix users on the freeradius server). All ok, works a charme. Now we have the requirement to apply different security settings to different user groups. The user groups are the unix groups the different users are in on the freeradius server. So I need the radius server to return the user's group information together with the Access-Accept. I'm sorry but for the life of me I can't find any information on how this is done. Could somebody please point me to the right direction? Thanks /markus
Hello all I found some hint on how the VPN gateway expects the group information from the RADIUS server to be presented: --- QUOTE --- To use RADIUS groups, you must define a return attribute on the RADIUS Server, in the RADIUS user profile. This RADIUS attribute is returned to the VPN gateway that contains the group name to which the user belongs. By default the Class attribute is used (IETF RADIUS attribute number 25), though other RADIUS attributes can be used. [...] Modify the RADIUS users to include a “class” RADIUS attribute on the users' Return list that corresponds to the Firewall user group they will be using for their access. [...] --- UNQUOTE --- So, the question is: How do I make freeradius return the users' group as a "class" attribute in the authentication reply? Thanks for any hint. /markus Markus Wernig wrote:
What I'm looking for (and can't find in neither man nor wiki nor google) is how to send back the group an authenticated user is in together with the authentication result.
Hi Ivan, thanks for your help Unfortunately I don't know where to put that line. If I put it into the users file, in the DEFAULT section like this: DEFAULT Auth-Type = System Class := "%{Group}", Fall-Through = 1 ... The reply looks like this (at least in the logfile): Packet-Type = Access-Accept Fri Mar 13 15:54:45 2009 Class := 0x So, afaict, the group attribute doesn't make it into the reply. Where should I put that line? Do I need to echo it? thx again /markus tnt@kalik.net wrote:
So, the question is: How do I make freeradius return the users' group as a "class" attribute in the authentication reply?
Like every other: Class:= whatever. In your case Class := "%{Group}".
Unfortunately I don't know where to put that line. If I put it into the users file, in the DEFAULT section like this:
DEFAULT Auth-Type = System Class := "%{Group}", Fall-Through = 1 ....
Are you using some ancient version?
The reply looks like this (at least in the logfile):
Packet-Type = Access-Accept Fri Mar 13 15:54:45 2009 Class := 0x
It did make it - but it's empty.
So, afaict, the group attribute doesn't make it into the reply. Where should I put that line? Do I need to echo it?
Use unlang afer unix in authorize. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Are you using some ancient version?
I was using 1.1.7 first, but have upgraded to 2.1.0 now. Still the same behaviour.
So, afaict, the group attribute doesn't make it into the reply. Where should I put that line? Do I need to echo it?
Use unlang afer unix in authorize. Sorry, I don't understand that. There is an authorize section in /etc/freeradius/sites-enabled/default. If I change it to unix { Class := "%{Group}" }
I get the following error when starting freeradius: Unknown action '%{Group}' /markus
Use unlang afer unix in authorize. Sorry, I don't understand that.
Reading man pages helps with that: http://freeradius.org/radiusd/man/unlang.html
There is an authorize section in /etc/freeradius/sites-enabled/default.
Yes, that's where it is in 2.x. I had a look at the unix module and it doesn't populate Group attribute (for some years now as it turnes out). You need to use passwd module to populate Group: http://freeradius.org/radiusd/man/rlm_passwd.html Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Yes, that's where it is in 2.x. I had a look at the unix module and it doesn't populate Group attribute (for some years now as it turnes out).
What a pity. I found this in modules/etc_group: "The Group-Name attribute is automatically created by the Unix module, and does checking against /etc/group automatically." This entry was already in the 1.1.7 modules/etc_group
You need to use passwd module to populate Group:
Is this possible on a system using shadow passwords? Thank you /markus
tnt@kalik.net wrote:
Are you using some ancient version?
1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which seems quite a large difference.
Use unlang afer unix in authorize.
What do you mean by "after unix"? So I've put the following in radiusd.conf: authorize { ... unix update "reply" { Class := "%{Group}" } ... } Which gives the ERROR: "Cannot find a configuration entry for module "update"". Clear, update is not a module. But where does such a directive go? thx /markus
Markus Wernig wrote:
1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which seems quite a large difference.
Use unlang afer unix in authorize.
What do you mean by "after unix"?
So I've put the following in radiusd.conf:
authorize { ... unix update "reply" {
This won't work in 1.1.7.
Class := "%{Group}" } ... }
Which gives the ERROR: "Cannot find a configuration entry for module "update"".
Clear, update is not a module. But where does such a directive go?
In a new version of the server. Alan DeKok.
tnt@kalik.net wrote:
Did you read rlm_passwd man page?
Of course So I put filename "/etc/group" { format = "My-Group-Name:::*,User-Name" } into /etc/freeradius/modules/passwd and ATTRIBUTE My-Group-Name 3000 string into /etc/freeradius/dictionary (btw. can't put in "Group-Name" because it seems to be already defined somewhere else, so I suppose I should somehow be able to access it ... ) Could not find a place where to initialise the passwd module. put update reply { Class := %{My-Group-Name}, Class += %{passwd:My-Group-Name}, Class += %{Group} } into post-auth under freeradius -X I still get ... expand: %{My-Group-Name} -> WARNING: Unknown module "passwd" in string expansion "%{passwd:My-Group-Name}" expand: %{passwd:My-Group-Name} -> expand: %{Group} -> ++[reply] returns noop ... Sending Access-Accept ..... Class = 0x Class = 0x Class = 0x /m
Did you read rlm_passwd man page?
Of course
I have posted the link to man unlang as well. It does say which quotes to use to expand the variable, which lists exist ...
update reply { Class := %{My-Group-Name}, Class += %{passwd:My-Group-Name}, Class += %{Group} } into post-auth
It's "%{control:My-Group-Name}". Quotes, list and all. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Did you read rlm_passwd man page?
It's "%{control:My-Group-Name}". Quotes, list and all.
Yes, that did it! Quotes were there, but the "control" list part wasn't. Thank you for your help! ps: It might be just me, but I was far from deducting that from the man page: " ... The "control" list is the list of attributes maintainted internally by the server that controls how the server processes the request. ..." mislead me totally.
Alan DeKok wrote:
Markus Wernig wrote:
Could not find a place where to initialise the passwd module.
You list it in the "authorize" section.
This lead to errors (from memory: no config found for passwd module). I then used the etc_group module from the example, listed _that_ in authorize - and all is well. Thank you very much!
Dear all, I'd appreciate if somebody could please explain me the meaning of certificates. I had a look at certs/README, but some things are still unclear. As far as I know there are 3 types of certificates on FreeRADIUS: * ROOT CA * Server * Client What is the purpose of each of them? I know that ROOT CA is required to allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does ROOT CA do? What is the purpose of server certificate? How is that linked with MSCHAP v2? I remember I could not authenticate xp host with users file without generating certificates first. And lastly Client certificate, would I need to install this on a client PC, what do I get with that? What are the benefits of using certificates? Thanks very much for your help.
hi, its all about being authenticated as a known part. if A knows B as a trusted part and B have issued a certificate for C then A will trust C. the server certificate is issued by the CA ( certificate authority. ) the client needs to have the certificate of the CA ( not the server certificate issued from the CA ) the mschap v2, tls,ttls, are methods of authentication(encryption). the eap-ttls doesnt requires that the client have a certificate on its own.so you need the ca certificate and the server certificate. 2009/3/23 Tomas <tomas.radius@googlemail.com>
Dear all, I'd appreciate if somebody could please explain me the meaning of certificates. I had a look at certs/README, but some things are still unclear. As far as I know there are 3 types of certificates on FreeRADIUS: * ROOT CA * Server * Client
What is the purpose of each of them? I know that ROOT CA is required to allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does ROOT CA do? What is the purpose of server certificate? How is that linked with MSCHAP v2? I remember I could not authenticate xp host with users file without generating certificates first. And lastly Client certificate, would I need to install this on a client PC, what do I get with that?
What are the benefits of using certificates?
Thanks very much for your help.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
an overview you can read is located at http://wildbill.nulldevice.net/presentations/sslpreso/ 2009/3/23 orion <meshkruaj@gmail.com>
hi, its all about being authenticated as a known part. if A knows B as a trusted part and B have issued a certificate for C then A will trust C.
the server certificate is issued by the CA ( certificate authority. )
the client needs to have the certificate of the CA ( not the server certificate issued from the CA )
the mschap v2, tls,ttls, are methods of authentication(encryption).
the eap-ttls doesnt requires that the client have a certificate on its own.so you need the ca certificate and the server certificate.
2009/3/23 Tomas <tomas.radius@googlemail.com>
Dear all,
I'd appreciate if somebody could please explain me the meaning of certificates. I had a look at certs/README, but some things are still unclear. As far as I know there are 3 types of certificates on FreeRADIUS: * ROOT CA * Server * Client
What is the purpose of each of them? I know that ROOT CA is required to allow EAP-TLS, PEAP or EAP-TTLS. Would not having ROOT CA imported on 802.1x supplicant mean that EAP will be just EAP or PEAP etc.? What does ROOT CA do? What is the purpose of server certificate? How is that linked with MSCHAP v2? I remember I could not authenticate xp host with users file without generating certificates first. And lastly Client certificate, would I need to install this on a client PC, what do I get with that?
What are the benefits of using certificates?
Thanks very much for your help.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Markus Wernig wrote:
In a new version of the server.
Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it populate the Group or Group-Name attribute. doh
It doesn't populate the Group attribute. One user may be in 10 or more groups. Maybe 100. That gets difficult to manage. The Group attribute is for comparison. Is the user in group X? Yes? Match. Or... don't match. Alan DeKok.
participants (5)
-
Alan DeKok -
Markus Wernig -
orion -
tnt@kalik.net -
Tomas