Hey guys, (Using freeradius-1.1.2 on Ubuntu Linux, with MySQL backend) I'm setting up an HTTP based download service and we are looking to authenticate users to download a specific object only. So, I'm looking for a way to authenticate based on username, password and url. Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple? Any ideas? My search in the mailing list for URL and authenticate strangely turned up a lot of results ;-) Thanks. -- joe. Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Oops, should point out that I'm currently using the following line to get the URL into the access-request: echo "User-Name = joe, Password = testing, incoming-req-uri = http:// www.blibble.net/path_to" | ./radclient 127.0.0.1 auth testing123 This puts it into the access-request and the radius server sees it rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79 User-Name = "joe" User-Password = "testing" incoming-req-uri = "http://www.blibble.net/path_to" Processing the authorize section of radiusd.conf Thanks. -- joe. On 1 Aug 2006, at 13:39, Joe Warren-Meeks wrote:
Hey guys,
(Using freeradius-1.1.2 on Ubuntu Linux, with MySQL backend)
I'm setting up an HTTP based download service and we are looking to authenticate users to download a specific object only. So, I'm looking for a way to authenticate based on username, password and url.
Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?
Any ideas? My search in the mailing list for URL and authenticate strangely turned up a lot of results ;-)
Thanks.
-- joe.
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Alan: why is it that with the recent -head cvs behaves like so. <radiusd.conf> log_file = /${logdir}/radiusd log_destination = files when rlm_sql is loaded, this gets printed to stdout (or maybe not stdout because I can not seem to redirect it) but when log is setup to use syslog, then the output is put to syslog as told. I would think that when told to use files, it should go there. <rlm_sql.c> radlog(L_INFO, "rlm_sql (%s): Driver %s (module %s) loaded and linked", inst->config->xlat_name, inst->config->sql_driver, inst->module->name); radlog(L_INFO, "rlm_sql (%s): Attempting to connect to %s@%s:%s/%s", inst->config->xlat_name, inst->config->sql_login, <radiusd -f (output to screen)> Tue Aug 1 10:30:21 2006 : Info: rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked Tue Aug 1 10:30:21 2006 : Info: rlm_sql (sql): Attempting to connect to ....
"Duane Cox" <duanec@mail.illicom.net> wrote:
when rlm_sql is loaded, this gets printed to stdout (or maybe not stdout because I can not seem to redirect it) but when log is setup to use syslog, then the output is put to syslog as told.
Many log messages are printed before the "log_destination" entry is parsed. This can be fixed, but requires a "first pass" through the configuration file, to pick out the log destination before doing anything else. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Anyone got any ideas on this? I'm a little stuck as to where to start.. -- joe. On 1 Aug 2006, at 13:42, Joe Warren-Meeks wrote:
Oops, should point out that I'm currently using the following line to get the URL into the access-request:
echo "User-Name = joe, Password = testing, incoming-req-uri = http://www.blibble.net/path_to" | ./radclient 127.0.0.1 auth testing123
This puts it into the access-request and the radius server sees it rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79 User-Name = "joe" User-Password = "testing" incoming-req-uri = "http://www.blibble.net/path_to" Processing the authorize section of radiusd.conf
Thanks.
-- joe.
On 1 Aug 2006, at 13:39, Joe Warren-Meeks wrote:
Hey guys,
(Using freeradius-1.1.2 on Ubuntu Linux, with MySQL backend)
I'm setting up an HTTP based download service and we are looking to authenticate users to download a specific object only. So, I'm looking for a way to authenticate based on username, password and url.
Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?
Any ideas? My search in the mailing list for URL and authenticate strangely turned up a lot of results ;-)
Thanks.
-- joe.
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
-List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Joe Warren-Meeks wrote:
Anyone got any ideas on this? I'm a little stuck as to where to start..
I don't know how you'd do it with a database, but with the users file, it'd be something like: username incoming-req-uri != "http://foo.com/bar", Auth-Type := Reject Reply-Message = "You can't access this URL" Fall-Through = No username User-Password := "pass" Basically, there are lots of ways of doing what you want to do. From what I remember about the SQL backend, it should just be a case of putting: insert into radchech (username,attribute,op,value) values ( 'username', 'incoming-req-uri', '==', 'http://foo.com/bar' ); ...and it should work.
-- joe.
On 1 Aug 2006, at 13:42, Joe Warren-Meeks wrote:
Oops, should point out that I'm currently using the following line to get the URL into the access-request:
echo "User-Name = joe, Password = testing, incoming-req-uri = http://www.blibble.net/path_to" | ./radclient 127.0.0.1 auth testing123
This puts it into the access-request and the radius server sees it rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79 User-Name = "joe" User-Password = "testing" incoming-req-uri = "http://www.blibble.net/path_to" Processing the authorize section of radiusd.conf
Thanks.
-- joe.
On 1 Aug 2006, at 13:39, Joe Warren-Meeks wrote:
Hey guys,
(Using freeradius-1.1.2 on Ubuntu Linux, with MySQL backend)
I'm setting up an HTTP based download service and we are looking to authenticate users to download a specific object only. So, I'm looking for a way to authenticate based on username, password and url.
Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?
Any ideas? My search in the mailing list for URL and authenticate strangely turned up a lot of results ;-)
Thanks.
-- joe.
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 3 Aug 2006, at 11:50, Phil Mayers wrote: Hey Phil,
Basically, there are lots of ways of doing what you want to do. From what I remember about the SQL backend, it should just be a case of putting:
insert into radchech (username,attribute,op,value) values ( 'username', 'incoming-req-uri', '==', 'http://foo.com/bar' );
...and it should work.
Wow! that just worked! Amazing, thanks guys. -- joe. Joe Warren-Meeks T: +44 (0) 208 962 0007 Aggregator Ltd. M: +44 (0) 7789 176 078 Unit 62/63 Pall Mall Deposit F: +44 (0) 208 962 0008 124-128 Barlby Road, London W10 6BL PGP: 361F 78D0 56F5 8D7F 2639 947D 71E2 8811 F825 64CC
This puts it into the access-request and the radius server sees it rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79 User-Name = "joe" User-Password = "testing" incoming-req-uri = "http://www.blibble.net/path_to" Processing the authorize section of radiusd.conf
Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?
This is simple to implement in the users file (files module) and should be easy as well in the mysql backend (though I don't have experience on this one). You'll have to define specific rules that check both authentication and your attribute for your Cisco 'web device'. I propose to define a Huntgroup for your cisco web devices and then you can add rules like these ones: DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri != "http://www.blibble.net/path_to", Auth-Type := Reject Fall-Through = no DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri == "http://www.blibble.net/path_to" Fall-Through = no In order to implement these rules directly in mysql see the doc/rlm_sql file. If this does not work, stop the radius server and then run it in debug mode: /etc/init.d/radiusd stop radiusd -X ... Then run your Radius authentication request and send the debug log to the list. HTH, Thibault
participants (5)
-
Alan DeKok -
Duane Cox -
Joe Warren-Meeks -
Phil Mayers -
Thibault Le Meur