verifying "/" exists in User-Password field
I'm running FreeRadius 1.1 on two different ports, allowing slightly different auth methods on each port. On one of the ports, I would like to verify that the password sent contains a slash ("/") before attempting to authenticate the user. Why, you might ask? Well because on that port I'm actually just proxying the authentication requests. So, my users file entries look like: # Cisco NAS doing SSL authentication bob Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept Connect-Info="OFFICE_ACCESS" # Cisco NAS doing username/password authentication, proxied to another server bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS Connect-Info="OFFICE_ACCESS" My huntgroups file contains the "Office" to NAS-IP-Address mappings, and my hints file (which maps the UDP port the NAS connected on to one of the two above auth lines) looks like this: DEFAULT User-Name =~ "^(.*)$" Hint = "Port-%{request:Packet-Dst-Port}" What I need to do is figure out how to ensure that anyone authenticating with Hint==Port-1645 has a "/" in their User-Password attribute. People authenticating with Hint==Port-1812 will always have a User-Password attribute which matches their Username (but because SSL authentication is handled by the NAS, this area is authorization only, so we never check the User-Password attribute). I'm thinking this should be possible, but I'm just not sure the best way to handle it. Any advice is greatly appreciated.
Geoff Silver wrote: # Cisco NAS doing username/password authentication, proxied to another bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS Connect-Info="OFFICE_ACCESS" I take it these are PAP requests? If not, it can't be done. If so, this works for me: user User-Password=~".*/.*", Some-Stuff := whatever
Phil Mayers wrote:
Geoff Silver wrote:
# Cisco NAS doing username/password authentication, proxied to another bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS Connect-Info="OFFICE_ACCESS"
I take it these are PAP requests?
Yep
If not, it can't be done.
If so, this works for me:
user User-Password=~".*/.*", Some-Stuff := whatever
Cool. So is there an easy way to combine that with the dynamic hint I'm already creating, since I'm already applying a hint? If I change my hint to: DEFAULT User-Name =~ "^(.*)$", User-Password =~ ".*/.*" Hint = "Port-%{request:Packet-Dst-Port}" Then connections which use Port-1812 also require a / in the password (which will never appear, because when doing SSL authentication, the password is always the username). I tried to "chain" the hints, but that doesn't appear to work. For instance, DEFAULT User-Name =~ "^(.*)$" Hint = "Port-%{request:Packet-Dst-Port}" DEFAULT Hint = "Port-1645", User-Password =~ ".*/.*" Hint = "HasSlash" Appears to match the first hint, but not the second one (radius_xlat prints 'Port-1645' when running radiusd in debug mode, but the users file tries to match Hint==Port-1645, not Hint==HasSlash - all of which I actually expected to happen). I can kind of make it work by doing the following: DEFAULT User-Password =~ ".*/.*" Hint = "HasSlash" DEFAULT User-Name =~ "^(.*)$" Hint = "Port-%{request:Packet-Dst-Port}" and then *assuming* if the password has a / it must have also come in on UDP port 1645 as well, and if not then let the second rule apply, but that answer feels very unclean to me. All of this would be far easier if I could use the %{request:} macros on the LHS of a hint, of course. -- Geoff Silver http://www.bullrunmountain.org/
Geoff Silver wrote:
If so, this works for me:
user User-Password=~".*/.*", Some-Stuff := whatever
Cool. So is there an easy way to combine that with the dynamic hint I'm already creating, since I'm already applying a hint? If I change my hint to:
DEFAULT User-Name =~ "^(.*)$", User-Password =~ ".*/.*" Hint = "Port-%{request:Packet-Dst-Port}"
Then connections which use Port-1812 also require a / in the password (which will never appear, because when doing SSL authentication, the password is always the username). I tried to "chain" the hints, but
Yes, you can't do that annoyingly - the Fall-Through pseudo-attribute is not checked/honoured, and the hints processing code will ALWAYS break on first match. I don't think you'll be able to do it cleanly in hints. Your following solution was about as good as it will get.
Geoff Silver wrote: # Cisco NAS doing username/password authentication, proxied to another bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS Connect-Info="OFFICE_ACCESS" I take it these are PAP requests? If not, it can't be done. If so, this works for me: user User-Password=~".*/.*", Some-Stuff := whatever
participants (2)
-
Geoff Silver -
Phil Mayers