anyone, please? -------- Original Message -------- Subject: rlm_passwd & realms Date: Wed, 01 Jun 2005 16:34:56 +0300 From: Edgars <edzix19@inbox.lv> To: Freeradius List <freeradius-users@lists.freeradius.org> Hello, 1)can i make so that each separate proxy.conf realm uses different rlm_passwd file? At the moment it works in a simply way - using one passwd file. 2)Is it possible to separate Reply attributes from passwd file, i mean - passwd contains only username, but some other file (users(?)) is used for giving back reply attributes? Regards, Edgars
ok, configured the 2nd step. But the problem Nr 1 is opened. Maybe there is a way somehow to rename passwd file variable depending on Nas-IP-Address. But in this case i would have to check also for the accordance beween realm attribute and IP of the NAS (to prevent situation when someone is connecting to some NAS with different realm than assigned to thi NAS) right ? Waiting for the advice! Thanks! Edgars Edgars wrote:
Hello,
1)can i make so that each separate proxy.conf realm uses different rlm_passwd file? At the moment it works in a simply way - using one passwd file.
2)Is it possible to separate Reply attributes from passwd file, i mean - passwd contains only username, but some other file (users(?)) is used for giving back reply attributes?
Regards, Edgars
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars <edzix19@inbox.lv> wrote:
1)can i make so that each separate proxy.conf realm uses different rlm_passwd file?
Huh? I have no idea what you mean by this.
2)Is it possible to separate Reply attributes from passwd file, i mean - passwd contains only username, but some other file (users(?)) is used for giving back reply attributes?
Yes. Di dyou try it? Alan DeKok.
1)can i make so that each separate proxy.conf realm uses different rlm_passwd file?
Huh? I have no idea what you mean by this.
i had a thought that I could make so that all my users would have an access to different servers (realms) with possibility to have different passwords. So, I have no idea how to make this except the thought I wrote in one of my today e-mails (about if statement).
2)Is it possible to separate Reply attributes from passwd file, i mean - passwd contains only username, but some other file (users(?)) is used for giving back reply attributes?
Yes. Di dyou try it?
yes, this is successfully done!Works great with two passwd files. I know that i could use also rlm_attr module.. Edgars
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Saldaa, saldaa dziive! http://travel.inbox.lv
Edgars <edzix19@inbox.lv> wrote:
i had a thought that I could make so that all my users would have an access to different servers (realms) with possibility to have different passwords. So, I have no idea how to make this except the thought I wrote in one of my today e-mails (about if statement).
It's hard, and it's problematic. I would not recommend doing this. Alan DeKok.
Alan or Kevin, found this possible to be done with Autz-Type. First, I have one passwd file which should check the following things: passwd edg_check { filename = /etc/freeradius/pass_check format = "*Realm:~NAS-IP-Address:Autz-Type" } The name of this passwd I have put in authorize section. In the same section I have also created an Autz-Type, like follows: authorzie{ preprocess mschap chap suffix edg_check Autz-Type mt { edg_pass edg_pass_group } } So the content of the 'edg_check' is 'mt:10.5.8.102:mt'. Seems that somewhere is mistake caus' receiving in the debug screen the following information (pay attention to "rlm_passwd: *Unable to create Autz-Type: mt*". What could it mean?): ......................... rlm_realm: Looking up realm "mt" for User-Name = "edg@mt" rlm_realm: Found realm "mt" rlm_realm: Adding Stripped-User-Name = "edg" rlm_realm: Proxying request from user edg to realm mt rlm_realm: Adding Realm = "mt" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_passwd: *Unable to create Autz-Type: mt* rlm_passwd: Added NAS-IP-Address: '10.5.8.102' to request_items modcall[authorize]: module "edg_check" returns ok for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [edg/edg] (from client lalala port 0 cli 10.5.8.106) Thanks a lot, Edgars Alan DeKok wrote:
Edgars <edzix19@inbox.lv> wrote:
i had a thought that I could make so that all my users would have an access to different servers (realms) with possibility to have different passwords. So, I have no idea how to make this except the thought I wrote in one of my today e-mails (about if statement).
It's hard, and it's problematic. I would not recommend doing this.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars <edzix19@inbox.lv> wrote:
Seems that somewhere is mistake caus' receiving in the debug screen the following information (pay attention to "rlm_passwd: *Unable to create Autz-Type: mt*". What could it mean?):
You didn't list "mt" as a VALUE for Autz-Type in the dictionaries. Alan DeKok.
ok, thanks for the tip. Now receiving the following in debug screen (something with Auth-Type, but can't figure out what exactly): 1)with PAP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "mt" for User-Name = "edgars@mt" rlm_realm: Found realm "mt" rlm_realm: Adding Stripped-User-Name = "edgars" rlm_realm: Proxying request from user edgars to realm mt rlm_realm: Adding Realm = "mt" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_passwd: Added Autz-Type: 'mt' to config_items rlm_passwd: Added NAS-IP-Address: '10.5.8.103' to request_items modcall[authorize]: module "edg_check" returns ok for request 0 modcall: group authorize returns ok for request 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 rlm_passwd: Added Autz-Type: 'mt' to config_items rlm_passwd: Added NAS-IP-Address: '10.5.8.103' to request_items modcall[authorize]: module "edg_check" returns ok for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [edgars/edgars] (from client lalala port 2436 cli 1.1.1.2) 2)with mschap rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for edg@mt with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 0 modcall: group Auth-Type returns reject for request 0 auth: Failed to validate the user. Login incorrect: [edg/<no User-Password attribute>] (from client lalala port 2437 cli 1.1.1.2) Edgars Alan DeKok wrote:
Edgars <edzix19@inbox.lv> wrote:
Seems that somewhere is mistake caus' receiving in the debug screen the following information (pay attention to "rlm_passwd: *Unable to create Autz-Type: mt*". What could it mean?):
You didn't list "mt" as a VALUE for Autz-Type in the dictionaries.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edgars <edzix19@inbox.lv> wrote:
Now receiving the following in debug screen (something with Auth-Type, but can't figure out what exactly):
Try configuring Auth-Type.
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password.
And you didn't tell the server what password to use. Alan DeKok.
Now receiving the following in debug screen (something with Auth-Type, but can't figure out what exactly):
Try configuring Auth-Type.
the same effect.
rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password.
And you didn't tell the server what password to use.
I did. The problem actually is that the passwd file is always accepting the request not depending on all attributes it should check. The only situation it's comparing all attributes is in file where User-Password is defined (in my case 'edg_pass'). Why it is so? What I am interested to achieve is that one passwd file (edg_check) would compare Realm, NAS-IP-Address and Autz-Type. And then if first two exists, go the the Autz-Type, specified in this file, and do the rest comparisions (Stripped-User-Name and User-Password). #works perfectly passwd edg_pass { filename = /etc/freeradius/pass format = "*Stripped-User-Name:User-Password" #doesn't check all values passwd edg_check { filename = /etc/freeradius/pass_check format = "*Realm:~NAS-IP-Address:Autz-Type" } .................. edg_check Autz-Type mt { edg_pass } } Edgars
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Edgars -
Kevin Bonner