Defining an Auth-Type based on a realm
Is there a typical way to set an Auth-Type := Kerberos¹ when a user is part of a specific realm? For testing purposes, I am able to add this to the users¹ file: DEFAULT Auth-Type := Kerberos But, will need something based on realm in the future.
Mathew Rowley wrote:
Is there a typical way to set an ‘Auth-Type := Kerberos’ when a user is part of a specific realm? For testing purposes, I am able to add this to the ‘users’ file:
DEFAULT Auth-Type := Kerberos
But, will need something based on realm in the future.
You can do comparisons on the Realm, too. It's just another attribute. Alan DeKok.
My question was more of where that configuration should live. I can see that you can do attribute checks in the users file, but I am not sure the realm is being set to any attribute... I can see in the debug messages: rad_recv: Access-Request packet from host 127.0.0.1 port 53888, id=132, length=95 User-Name = "user@realm" User-Password = "password!" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 ... Tue Oct 12 07:38:54 2010 : Info: [IPASS] No '/' in User-Name = " user@realm", looking up realm NULL Tue Oct 12 07:38:54 2010 : Info: [IPASS] No such realm "NULL" Tue Oct 12 07:38:54 2010 : Info: ++[IPASS] returns noop Tue Oct 12 07:38:54 2010 : Info: [suffix] Looking up realm "realm" for User-Name = " user@realm" Tue Oct 12 07:38:54 2010 : Info: [suffix] No such realm "realm" Tue Oct 12 07:38:54 2010 : Info: ++[suffix] returns noop But I never see an attribute being set to the realm. Do I have to explicitly define that somewhere in order to do a check in the users file? Or, is there a better place to do this check (possibly in an IPASS configuration of suffix configuration)? From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Tue, 12 Oct 2010 01:08:14 -0400 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Defining an Auth-Type based on a realm Mathew Rowley wrote:
Is there a typical way to set an Auth-Type := Kerberos¹ when a user is part of a specific realm? For testing purposes, I am able to add this to the users¹ file:
DEFAULT Auth-Type := Kerberos
But, will need something based on realm in the future.
You can do comparisons on the Realm, too. It's just another attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mathew Rowley wrote:
My question was more of where that configuration should live. I can see that you can do attribute checks in the users file, but I am not sure the realm is being set to any attribute...
Read the debug output. The realm isn't being set because you didn't define one.
Tue Oct 12 07:38:54 2010 : Info: [suffix] Looking up realm "realm" for User-Name = " user@realm" Tue Oct 12 07:38:54 2010 : Info: [suffix] No such realm "realm"
Well.. that should be pretty obvious.
But I never see an attribute being set to the realm. Do I have to explicitly define that somewhere in order to do a check in the users file? Or, is there a better place to do this check (possibly in an IPASS configuration of suffix configuration)?
See raddb/proxy.conf for documentation on configuring realms. Alan DeKok.
Ah, I was misunderstanding the proxy functionality. I thought it was only used for proxying radius requests to other radius servers. I was having a problem with configuring the users file. Why will this set Auth-Type: DEFAULT Realm == "realm", Auth-Type := Kerberos And this will not: DEFAULT Realm == "realm" Auth-Type := Kerberos Looking through the examples in the users file, it seems like it should (assuming the examples work): DEFAULT Hint == "SLIP" Framed-Protocol = SLIP From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Tue, 12 Oct 2010 10:28:35 -0400 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Defining an Auth-Type based on a realm Mathew Rowley wrote:
My question was more of where that configuration should live. I can see that you can do attribute checks in the users file, but I am not sure the realm is being set to any attribute...
Read the debug output. The realm isn't being set because you didn't define one.
Tue Oct 12 07:38:54 2010 : Info: [suffix] Looking up realm "realm" for User-Name = " user@realm" Tue Oct 12 07:38:54 2010 : Info: [suffix] No such realm "realm"
Well.. that should be pretty obvious.
But I never see an attribute being set to the realm. Do I have to explicitly define that somewhere in order to do a check in the users file? Or, is there a better place to do this check (possibly in an IPASS configuration of suffix configuration)?
See raddb/proxy.conf for documentation on configuring realms. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 12/10/10 16:31, Mathew Rowley wrote:
Ah, I was misunderstanding the proxy functionality. I thought it was only used for proxying radius requests to other radius servers.
I was having a problem with configuring the users file. Why will this set Auth-Type:
DEFAULT Realm == "realm", Auth-Type := Kerberos
And this will not:
DEFAULT Realm == "realm" Auth-Type := Kerberos
Looking through the examples in the users file, it seems like it should (assuming the examples work): DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
No. Read the docs for the "users" file (man users). "users" syntax is: key [comparison to request list, assignments to control list] assignments to reply list #1, assignments to reply list #2, etc. Setting "Auth-Type := Kerberos" on the 1st line sets a control item. Setting it on the 2nd or subsequent lines sets it in the reply items, where it's meaningless.
participants (3)
-
Alan DeKok -
Mathew Rowley -
Phil Mayers