multiple users with different service flows
Hello all, I am Cristian NOVAC and I work to a Wimax project. I have to perform some tests where I need multiple users to authenticate, each of them having different service flows. I mention that I use Service-Flow-Descriptor and QoS-Descriptor VS ATTRIBUTES (defined in a WiMAX FreeRadius Dictionary) to configure the user's service flows. For now I have successfully run tests only if I've written these attributes into a DEFAULT reply of the "users" file. But this "technique" make all users having the same service flows. If I try to add the two attributes to a specific user's reply list of items(in users file) it doesn't work.(the attributes are not sent in Radius ACCESS-ACCEPT message). The same problem I encountered when I used the 3GPP2-Service-Option-Profile VSA (from freeradius dictionary.3gpp2) to set user's service flows. I am using EAP-TTLS authentication method. Could you please help, telling me what radius configurations to make, as you may have already encountered similar problems? Thanks!! BR, Cristian Novac.
Cristian Novac wrote:
For now I have successfully run tests only if I've written these attributes into a DEFAULT reply of the "users" file. But this "technique" make all users having the same service flows. If I try to add the two attributes to a specific user's reply list of items(in users file) it doesn't work.(the attributes are not sent in Radius ACCESS-ACCEPT message).
Run the server in debugging mode to see what it's doing. Post samples from your "users" file here. Odds are the server is matching a "DEFAULT" early in the file, and you listed a user later in the file. If the DEFAULT doesn't have "Fall-Through", later entries won't be matched. See "man users" for details. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello, I've provided you my users file attached in this mail; If I use this users file, the users call and platf8 are authenticated but the corresponding radius ACCES-ACCEPT message contains the Service-Flow-Descriptor and QoS-Descriptor values from the DEFAULT entry. If I use the users.wrong file as users file then the ACCESS ACCEPT message doesn't contain any Service-Flow-Descriptor and QoS-Descriptor. Maybe you could help me somehow. Thanks. Alan DeKok wrote:
Cristian Novac wrote:
For now I have successfully run tests only if I've written these attributes into a DEFAULT reply of the "users" file. But this "technique" make all users having the same service flows. If I try to add the two attributes to a specific user's reply list of items(in users file) it doesn't work.(the attributes are not sent in Radius ACCESS-ACCEPT message).
Run the server in debugging mode to see what it's doing.
Post samples from your "users" file here. Odds are the server is matching a "DEFAULT" early in the file, and you listed a user later in the file. If the DEFAULT doesn't have "Fall-Through", later entries won't be matched.
See "man users" for details.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
@zyxel.com Auth-Type := Local, User-Password == "alcatel" Framed-MTU = 3795, Service-Flow-Descriptor += 0x01060000000102040001040303050304060301070301080302, QoS-Descriptor += 0x01030104030205030006060001f4000c0302, QoS-Descriptor += 0x0103020403020503000606000fa0000c0302404000c01, Fall-Through = Yes #call Auth-Type := Local, User-Password == "alcatel" # Session-Time-Out = 30, # Termination-Action = 0, # Service-Flow-Descriptor += 0x01060000000102040001040303050304060301070301080302, # QoS-Descriptor += 0x01030104030205030006060001f4000c0302, # QoS-Descriptor += 0x0103020403020503000606000fa0000c0302404000c01, # Fall-Through = Yes #call Auth-Type := System call Auth-Type := Local, User-Password == alcatel Session-Timeout = 3600, Termination-Action = 1, Class = 0x1234567890, User-Name = "accounting", # 3GPP2-Service-Option-Profile = 0x000000010104a501, Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302, QoS-Descriptor += 0x0001030104030205030006060001f4000c0302, QoS-Descriptor += 0x000103020403020503000606000fa0000c0302, Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8 platf8 Auth-Type := Local, User-Password == alcatel Session-Timeout = 3600, Termination-Action = 1, Class = 0x1234567890, User-Name = "accounting", # 3GPP2-Service-Option-Profile = 0x000000010104a501, Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302, QoS-Descriptor += 0x0001030104030205030006060001f4000c0302, QoS-Descriptor += 0x000103020403020503000606000fa0000c0302, Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8 # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by # the "huntgroups" file). # # If you are not sure why a particular reply is being sent by the # server, then run the server in debugging mode (radiusd -X), and # you will see which entries in this file are matched. # # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # # If you use the database support to turn this file into a .db or .dbm # file, the DEFAULT entries _have_ to be at the end of this file and # you can't have multiple entries for one username. # # You don't need to specify a password if you set Auth-Type += System # on the list of authentication requirements. The RADIUS server # will then check the system password file. # # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. # This can include things like the PPP configuration values # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' # # # For a list of RADIUS attributes, and links to their definitions, # see: # # http://www.freeradius.org/rfc/attributes.html # # # Deny access for a specific user. Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # # This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve Auth-Type := Local, User-Password == "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP # # This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"John Doe" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" # # Dial user back and telnet to the default host for that port # #Deg Auth-Type := Local, User-Password == "ge55ged" # Service-Type = Callback-Login-User, # Login-IP-Host = 0.0.0.0, # Callback-Number = "9,5551212", # Login-Service = Telnet, # Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk Auth-Type := Local, User-Password == "callme" # Service-Type = Callback-Login-User, # Login-IP-Host = timeshare1, # Login-Service = PortMaster, # Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # against the system database, give them shell access, and stop processing # the rest of the file. # #DEFAULT Suffix == ".shell", Auth-Type := System # Service-Type = Login-User, # Login-Service = Telnet, # Login-IP-Host = your.shell.machine # # The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = System Fall-Through = 1 # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes # # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP DEFAULT Auth-Type = System Session-Timeout = 3600, Termination-Action = 1, 3GPP2-Service-Option-Profile = 0x000000010104a501, Service-Flow-Descriptor += 0x00010400a5020400a6040303050304060301070301080302, QoS-Descriptor += 0x0001030104030205030006060003e8000c0302, QoS-Descriptor += 0x0001030204030205030006060007d0000c0302, Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8, Fall-Through = Yes # # Last default: rlogin to our main server. # #DEFAULT # Service-Type = Login-User, # Login-Service = Rlogin, # Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # Service-Type = Shell-User # On no match, the user is denied access. @zyxel.com Auth-Type := Local, User-Password == "alcatel" Framed-MTU = 3795, Service-Flow-Descriptor += 0x01060000000102040001040303050304060301070301080302, QoS-Descriptor += 0x01030104030205030006060001f4000c0302, QoS-Descriptor += 0x0103020403020503000606000fa0000c0302404000c01, Fall-Through = Yes #call Auth-Type := Local, User-Password == "alcatel" # Session-Time-Out = 30, # Termination-Action = 0, # Service-Flow-Descriptor += 0x01060000000102040001040303050304060301070301080302, # QoS-Descriptor += 0x01030104030205030006060001f4000c0302, # QoS-Descriptor += 0x0103020403020503000606000fa0000c0302404000c01, # Fall-Through = Yes #call Auth-Type := System call Auth-Type := Local, User-Password == alcatel Session-Timeout = 3600, Termination-Action = 1, Class = 0x1234567890, User-Name = "accounting", # 3GPP2-Service-Option-Profile = 0x000000010104a501, Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302, QoS-Descriptor += 0x0001030104030205030006060001f4000c0302, QoS-Descriptor += 0x000103020403020503000606000fa0000c0302, Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8 platf8 Auth-Type := Local, User-Password == alcatel Session-Timeout = 3600, Termination-Action = 1, Class = 0x1234567890, User-Name = "accounting", # 3GPP2-Service-Option-Profile = 0x000000010104a501, Service-Flow-Descriptor += 0x000104000102040001040303050304060301070301080302, QoS-Descriptor += 0x0001030104030205030006060001f4000c0302, QoS-Descriptor += 0x000103020403020503000606000fa0000c0302, Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8 # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by # the "huntgroups" file). # # If you are not sure why a particular reply is being sent by the # server, then run the server in debugging mode (radiusd -X), and # you will see which entries in this file are matched. # # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # # If you use the database support to turn this file into a .db or .dbm # file, the DEFAULT entries _have_ to be at the end of this file and # you can't have multiple entries for one username. # # You don't need to specify a password if you set Auth-Type += System # on the list of authentication requirements. The RADIUS server # will then check the system password file. # # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. # This can include things like the PPP configuration values # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' # # # For a list of RADIUS attributes, and links to their definitions, # see: # # http://www.freeradius.org/rfc/attributes.html # # # Deny access for a specific user. Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # # This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve Auth-Type := Local, User-Password == "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP # # This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"John Doe" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" # # Dial user back and telnet to the default host for that port # #Deg Auth-Type := Local, User-Password == "ge55ged" # Service-Type = Callback-Login-User, # Login-IP-Host = 0.0.0.0, # Callback-Number = "9,5551212", # Login-Service = Telnet, # Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk Auth-Type := Local, User-Password == "callme" # Service-Type = Callback-Login-User, # Login-IP-Host = timeshare1, # Login-Service = PortMaster, # Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # against the system database, give them shell access, and stop processing # the rest of the file. # #DEFAULT Suffix == ".shell", Auth-Type := System # Service-Type = Login-User, # Login-Service = Telnet, # Login-IP-Host = your.shell.machine # # The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = System Fall-Through = 1 # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes # # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP #DEFAULT Auth-Type = System # Session-Timeout = 3600, # Termination-Action = 1, # 3GPP2-Service-Option-Profile = 0x000000010104a501, # Service-Flow-Descriptor += 0x00010400a5020400a6040303050304060301070301080302, # QoS-Descriptor += 0x0001030104030205030006060003e8000c0302, # QoS-Descriptor += 0x0001030204030205030006060007d0000c0302, # Service-Flow-Descriptor += 0x000104000302040003040303050301060301070304, # QoS-Descriptor += 0x0001030404030606060001d4c0070600015f900906000000140a06000000190c03010d0400140e03c8, # Fall-Through = Yes # # Last default: rlogin to our main server. # #DEFAULT # Service-Type = Login-User, # Login-Service = Rlogin, # Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # Service-Type = Shell-User # On no match, the user is denied access.
Cristian Novac wrote:
Hello, I've provided you my users file attached in this mail;
Please run the server in debugging mode, as suggested in the FAQ, README, INSTALL, etc. It will tell you which "users" file entries are being matched. Do NOT use "Auth-Type := Local". I have no idea why people still do this. Where you have: user Auth-Type := Local, User-Password == "foo" Change it to: user Cleartext-Password := "foo". make that change before doing anything else. Then, run the server in debugging mode, and send the output here. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Cristian Novac