More documentation on Auth-Type
http://deployingradius.com/documents/configuration/auth_type.html Many web sites contain all sorts of recommendations about Auth-Type. This one is correct. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, great job putting the new book together. I have a configuration issue that I could use some direction to a solution. I am using rlm_sql for user database lookup, and it works when the user is found, but how do I define a catch all for users not found in the db so that the server knows to reject them... <debug output> Server rejecting request 2 due to failure to be told how to respond. WARNING: You did not configure the server to accept, or reject the user. Double-check Auth-Type. I would assume to put a line in the users file, that sets Auth-Type := Reject would be the answer, but my attempt at doing so matched all users. Thanks Duane Cox ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Thursday, August 03, 2006 1:47 PM Subject: More documentation on Auth-Type
http://deployingradius.com/documents/configuration/auth_type.html
Many web sites contain all sorts of recommendations about Auth-Type. This one is correct.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Duane Cox" <duanec@mail.illicom.net> wrote:
Alan, great job putting the new book together.
And you haven't seen the rest of the content... As an example, I've got 10 pages describing how dictionaries work, and how to create them. At this rate, the book will be 400 pages long.
I am using rlm_sql for user database lookup, and it works when the user is found, but how do I define a catch all for users not found in the db so that the server knows to reject them...
doc/configurable_failover In the "authorize" section, where you have the "sql" module listed, change the 1-line entry of "sql" to: sql { notfound = reject } And you're done.
<debug output> Server rejecting request 2 due to failure to be told how to respond. WARNING: You did not configure the server to accept, or reject the user. Double-check Auth-Type.
That works, too, but generates lots of warning messages. It's better to tell the server explicitely what to do. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Thursday 03 August 2006 14:47, Alan DeKok wrote:
http://deployingradius.com/documents/configuration/auth_type.html
Many web sites contain all sorts of recommendations about Auth-Type. This one is correct.
Alan DeKok.
Looks great! The compatibility matrix is pretty handy as well. One thing I didn't see mentioned on the auth type page is the heavily used "Auth-Type := Local". Was that consciously omitted, or are you still adding content to that page? Kevin Bonner
Kevin Bonner <keb@pa.net> wrote:
Looks great! The compatibility matrix is pretty handy as well.
Thanks. Little touches like that help a lot.
One thing I didn't see mentioned on the auth type page is the heavily used "Auth-Type := Local". Was that consciously omitted, or are you still adding content to that page?
I'm adding content... check back soon! But as for "Auth-Type := Local", I didn't even think to address it, because I never use it, and don't think there's any need for it. What kind of discussion do you think is necessary? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Friday 04 August 2006 17:21, Alan DeKok wrote:
Kevin Bonner <keb@pa.net> wrote:
One thing I didn't see mentioned on the auth type page is the heavily used "Auth-Type := Local". Was that consciously omitted, or are you still adding content to that page?
I'm adding content... check back soon!
But as for "Auth-Type := Local", I didn't even think to address it, because I never use it, and don't think there's any need for it. What kind of discussion do you think is necessary?
Alan DeKok.
It's an auth method that some still have cluttering their users files. Perhaps just a small blurb stating that it was used in legacy versions of FR, but is no longer necessary. Local and System are the only 2 I can recall that I don't see on your page, but have been around for a long time. -Kevin
I've read the docs about auth-type configuration. And agree that without setting auth-type and leave FR to auto detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search for different tree in LDAP for each services. Even Autz-Type also need to be specified but some of the EAP won't work such as EAP-TTLS-PAP. normally EAP sequence works OK but when up to comparing password, it will failed. I've reported my problem a few times in mailing list. Any comments? --haizam ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, August 04, 2006 2:47 AM Subject: More documentation on Auth-Type
http://deployingradius.com/documents/configuration/auth_type.html
Many web sites contain all sorts of recommendations about Auth-Type. This one is correct.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
I've read the docs about auth-type configuration. And agree that without setting auth-type and leave FR to auto detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search for different tree in LDAP
... which isn't authentication. You just described searching an LDAP tree for information. That's using LDAP for what it was designed to do best: database lookups. Once the information is found in LDAP, the RADIUS server can do CHAP, MS-CHAP, etc. for authentication. LDAP servers don't handle those authentication protocols, so you're stuck with using LDAP for DB lookups, and RADIUS for authentication.
normally EAP sequence works OK but when up to comparing password, it will failed. I've reported my problem a few times in mailing list.
I don't recall seeing that, sorry. What was the problem? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Refering to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type & Autz-type specified in radiusd.conf. How can I set in users file to search for which tree? Normally i detect NAS-Identifier, NAS-Port-Type as check item. If I specify Auth-Type & Autz-Type in users file, seems working but when up to EAP.. it's not working.... #################################################### ) users ===== DEFAULT ???? (not to set Auth-Type but need to direct to certain LDAP tree) ii) radiusd.conf ========== ldap adsl { basedn=ou=ADSL, ou=People... } ldap wifi { basedn=ou=wifi, ou=People... } Then .. in authenticate and authorize section :- authorize { eap Autz-Type=ADSL { adsl } Autz-Type=WIFI { wifi } } authenticate { Auth-Type=ADSL { adsl } Auth-Type=WIFI { wifi } eap } iii) eap.conf ... some config... ########################################## ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Monday, August 07, 2006 9:08 AM Subject: Re: More documentation on Auth-Type
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
I've read the docs about auth-type configuration. And agree that without setting auth-type and leave FR to auto detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search for different tree in LDAP
... which isn't authentication. You just described searching an LDAP tree for information. That's using LDAP for what it was designed to do best: database lookups.
Once the information is found in LDAP, the RADIUS server can do CHAP, MS-CHAP, etc. for authentication. LDAP servers don't handle those authentication protocols, so you're stuck with using LDAP for DB lookups, and RADIUS for authentication.
normally EAP sequence works OK but when up to comparing password, it will failed. I've reported my problem a few times in mailing list.
I don't recall seeing that, sorry. What was the problem?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rohaizam Abu Bakar wrote:
Alan,
Refering to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type & Autz-type specified in radiusd.conf. How can I set in users file to search for
Aside from setting Reject/Accept, that (use of >1 module for a given auth method) is probably the single valid use. That use would be better supported using another method than conflating module instance names with algorithm names.
which tree? Normally i detect NAS-Identifier, NAS-Port-Type as check item. If I specify Auth-Type & Autz-Type in users file, seems working but when up to EAP.. it's not working....
That is probably because the EAP "inner" request does not have the NAS-Id and NAS-Port-Type attribute. Set "copy_request_to_tunnel = yes" on the EAP method(s) you're using.
Aside from setting Reject/Accept, that (use of >1 module for a given auth method) is probably the single valid use. That use would be better supported using another method than conflating module instance names with algorithm names.
I'm not quite understand above suggestion/comments..
That is probably because the EAP "inner" request does not have the NAS-Id and NAS-Port-Type attribute. Set "copy_request_to_tunnel = yes" on the EAP method(s) you're using.
I will try that one... thanks.. --haizam
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
Refering to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type & Autz-type specified in radiusd.conf. How can I set in users file to search for which tree?
Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Mon, 7 Aug 2006, Alan DeKok wrote:
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
Refering to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type & Autz-type specified in radiusd.conf. How can I set in users file to search for which tree?
Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.
basedn is already xlated..
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
any docs to help on my problem... ? in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ? thanks.. --haizam ----- Original Message ----- From: "Kostas Kalevras" <kkalev@noc.ntua.gr> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, August 08, 2006 12:28 AM Subject: Re: More documentation on Auth-Type
On Mon, 7 Aug 2006, Alan DeKok wrote:
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
Refering to below config, each services having their own LDAP tree and specified under ldap module with different Auth-Type & Autz-type specified in radiusd.conf. How can I set in users file to search for which tree?
Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.
basedn is already xlated..
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Kostas Kalevras Network Operations Center kkalev@noc.ntua.gr National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rohaizam Abu Bakar wrote:
any docs to help on my problem... ? in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ?
As far as I know, you should be able to do something like: modules { files { usersfile = users } files wireless_files { usersfile = wireless_users } files vpn_files { usersfile = vpn_users } ldap { basedn = "%{reply:Tmp-String-1}" ... } } authorize { files Autz-Type WIRELESS { wireless_files ldap } Autz-Type VPN { vpn_files ldap } } users: DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS DEFAULT Huntgroup-Name == "something", Autz-Type := VPN users_vpn: DEFAULT Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org" users_wireless: DEFAULT Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com" You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in "dictionary" ATTRIBUTE Tmp-String-1 3000 string Alternatively, 1.1.0 and up can do this I think? modules { ldap wireless_ldap { basedn = "ou=wireless,dc=domain,dc=com" set_auth_type = yes } ldap vpn_ldap { basedn = "ou=vpn,dc=example,dc=org" set_auth_type = yes } files { ... } } authorize { preprocess files Autz-Type WIRELESS { wireless_ldap } Autz-Type VPN { vpn_ldap } } authenticate { Auth-Type wireless_ldap { wireless_ldap } Auth-Type vpn_ldap { vpn_ldap } } and in users: DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS Basically, what happens then is: 1. preprocess run 2. files run, autz-type set 3. authorize re-run, autz-type section run 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap" 5. authenticate run, appropriate LDAP module run
For the 2nd option.. already tried almost the same except the auth-type name... Previously tried autz & auth type using the same name... Will try it out as suggested... thx Phil --haizam ----- Original Message ----- From: "Phil Mayers" <p.mayers@imperial.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, August 08, 2006 6:28 PM Subject: Re: More documentation on Auth-Type
Rohaizam Abu Bakar wrote:
any docs to help on my problem... ? in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ?
As far as I know, you should be able to do something like:
modules { files { usersfile = users } files wireless_files { usersfile = wireless_users } files vpn_files { usersfile = vpn_users } ldap { basedn = "%{reply:Tmp-String-1}" ... } }
authorize { files Autz-Type WIRELESS { wireless_files ldap } Autz-Type VPN { vpn_files ldap } }
users:
DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
DEFAULT Huntgroup-Name == "something", Autz-Type := VPN
users_vpn:
DEFAULT Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"
users_wireless:
DEFAULT Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in "dictionary"
ATTRIBUTE Tmp-String-1 3000 string
Alternatively, 1.1.0 and up can do this I think?
modules { ldap wireless_ldap { basedn = "ou=wireless,dc=domain,dc=com" set_auth_type = yes } ldap vpn_ldap { basedn = "ou=vpn,dc=example,dc=org" set_auth_type = yes } files { ... } }
authorize { preprocess files Autz-Type WIRELESS { wireless_ldap } Autz-Type VPN { vpn_ldap } }
authenticate { Auth-Type wireless_ldap { wireless_ldap } Auth-Type vpn_ldap { vpn_ldap } }
and in users:
DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
Basically, what happens then is:
1. preprocess run 2. files run, autz-type set 3. authorize re-run, autz-type section run 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap" 5. authenticate run, appropriate LDAP module run - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Just managed to try ur 2nd suggestion... but giving below error in debug logs.. refer debug logs. ERROR: Unknown value specified for Auth-Type. Cannot perform requested action modules { ldap ldap1 { basedn = "ou=RADIUS......" set_auth_type = yes } ldap ldapdialup1 { basedn = "ou=DIALUP......" set_auth_type = yes } authorize { Autz-Type LDAP { ldap1 } Autz-Type DIALUP { ldapdialup1 } } authenticate { Auth-Type ldap1 { ldap1 } Auth-Type ldapdialup1 { ldapdialup1 } } DEFAULT ldapdialup1-Ldap-Group == "REAL", Autz-Type := DIALUP DEFAULT Autz-Type := LDAP ############################################################# lm_ldap: performing user authorization for bacang radius_xlat: '(uid=bacang)' radius_xlat: 'ou=RADIUS,ou=People,.........' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to :389, authentication 0 rlm_ldap: bind as cn=Sysadmin,ou=Applications,............./xxxxxxxxx to xxxxxxx:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=RADIUS,ou=People,..........., with filter (uid=bacang) rlm_ldap: checking if remote access for bacang is allowed by attrRoaming rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP & op=11 rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11 rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11 rlm_ldap: user bacang authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 0 modcall: group Autz-Type returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [bacang] (from client sysadmin port 0) ----- Original Message ----- From: "Phil Mayers" <p.mayers@imperial.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, August 08, 2006 6:28 PM Subject: Re: More documentation on Auth-Type
Rohaizam Abu Bakar wrote:
any docs to help on my problem... ? in doc/rlm_ldap, there is section about LDAP XLAT.. Is it the one ?
As far as I know, you should be able to do something like:
modules { files { usersfile = users } files wireless_files { usersfile = wireless_users } files vpn_files { usersfile = vpn_users } ldap { basedn = "%{reply:Tmp-String-1}" ... } }
authorize { files Autz-Type WIRELESS { wireless_files ldap } Autz-Type VPN { vpn_files ldap } }
users:
DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
DEFAULT Huntgroup-Name == "something", Autz-Type := VPN
users_vpn:
DEFAULT Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"
users_wireless:
DEFAULT Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in "dictionary"
ATTRIBUTE Tmp-String-1 3000 string
Alternatively, 1.1.0 and up can do this I think?
modules { ldap wireless_ldap { basedn = "ou=wireless,dc=domain,dc=com" set_auth_type = yes } ldap vpn_ldap { basedn = "ou=vpn,dc=example,dc=org" set_auth_type = yes } files { ... } }
authorize { preprocess files Autz-Type WIRELESS { wireless_ldap } Autz-Type VPN { vpn_ldap } }
authenticate { Auth-Type wireless_ldap { wireless_ldap } Auth-Type vpn_ldap { vpn_ldap } }
and in users:
DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
Basically, what happens then is:
1. preprocess run 2. files run, autz-type set 3. authorize re-run, autz-type section run 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap" 5. authenticate run, appropriate LDAP module run - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Rohaizam Abu Bakar" <haizam@myjaring.net> wrote:
modcall[authorize]: module "ldap1" returns ok for request 0 modcall: group Autz-Type returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP"
You're probably running 1.0.x, rather than 1.1.x. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (6)
-
Alan DeKok -
Duane Cox -
Kevin Bonner -
Kostas Kalevras -
Phil Mayers -
Rohaizam Abu Bakar