Freeradius, PostgreSQL and One-Time-Password backends
Hello. I am trying to replace an old Cisco Secure ACS with Freeradius. My idea is to use PostgreSQL as a database where all information is added (users, nases etc), but instead of passwords i want Freeradius to ask a backend One-Time Password system (safeword) if a users profile contains a value. For instance: Auth-database = safeword or Auth-database=Portwise Is this possible to do and if so can you give some info how to configure this? Regards M -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mikoi wrote:
I am trying to replace an old Cisco Secure ACS with Freeradius.
That's always a good idea.
My idea is to use PostgreSQL as a database where all information is added (users, nases etc), but instead of passwords i want Freeradius to ask a backend One-Time Password system (safeword) if a users profile contains a value. For instance: Auth-database = safeword or Auth-database=Portwise Is this possible to do and if so can you give some info how to configure this?
How does FreeRADIUS talk to the database? Alan DeKok.
Hello. I´m still in the designphase of this and new to Freeradius. Freeradius and postgresql installed on the same box. Connection through sql.conf was my thought. Tables in the database: users usergroups Authentication-server (proxy-to server) naslist huntgroups (for combining aaa-clients) For each user i would like to be able to choose values from these tables. Regards Mika -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I´m still in the designphase of this and new to Freeradius. Freeradius and postgresql installed on the same box. Connection through sql.conf was my thought.
The question was "how does freeradius talk to authentication database". What does it send to it and what does it get back? Ivan Kalik Kalik Informatika ISP
The question was "how does freeradius talk to authentication database". What does it send to it and what does it get back? I´ll do my best to explain. Access-Request packet from NAS/AAA-client contains: User-Name User-Password (One-Time-Password) NAS-IP-Address FreeRadius checks with SQL: Is user allowed to access through this (NAS-IP-Address)? Check User-Name / profile. To which server do i proxy authentication request? Access-Request packet sent to authentication server (OTP system). Is User-name/User-Password ok? Authentication server responds: Access-Accept/Reject. If Access-Accept. Reply goes to FreeRadius. FreeRadius checks with SQL. What Reply attributes to send to NAS/AAA-client. IETF (attribute 25, Class). etc.. Does this answer your question? I need to know if FreeRadius can do the above things and if so how do i proceed. This is what our ACS does at the moment. Regards Mika -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mikoi wrote:
The question was "how does freeradius talk to authentication database". What does it send to it and what does it get back?
No. *Your* question was about using Safeword authentication with FreeRADIUS. When we asked you how FreeRADIUS talked to the Safeword system, you responded "postgresql". Do you want to configure the server to use PostgreSQL, or Safeword, or both?
I´ll do my best to explain. .. Access-Request packet sent to authentication server (OTP system). Is User-name/User-Password ok?
Is FreeRADIUS proxying RADIUS packets to the OTP system? If so, just configure the OTP system as a home server. The documentation for how to do this is in raddb/proxy.conf. Alan DeKok.
The question was "how does freeradius talk to authentication database". What does it send to it and what does it get back?
I´ll do my best to explain.
Access-Request packet from NAS/AAA-client contains: User-Name User-Password (One-Time-Password) NAS-IP-Address
FreeRadius checks with SQL: Is user allowed to access through this (NAS-IP-Address)? Check User-Name / profile.
OK, that can all be done in radcheck/radgroupcheck perhaps (sql)huntgroups as well.
To which server do i proxy authentication request?
This is probaly stored in user sql entry? You will probably need to use unlang switch statement to set Proxy-To-Realm attribute. Create realms for authentication servers in proxy.conf.
Access-Request packet sent to authentication server (OTP system). Is User-name/User-Password ok?
Authentication server responds: Access-Accept/Reject. If Access-Accept. Reply goes to FreeRadius.
That will all work by default.
FreeRadius checks with SQL. What Reply attributes to send to NAS/AAA-client. IETF (attribute 25, Class). etc..
That can be sorted in post-auth or post-proxy section. You can list sql.authorize there and get reply attributes at that stage. Ivan Kalik Kalik Informatika ISP
OK. So it seems to be possible. So i start by adding the section to proxy.conf --proxy.conf realm Safeword { type = radius authhost = <ip>:1645 accthost = <ip>:1646 secret = <secret> } realm Portwise { type = radius authhost = <ip>:1645 accthost = <ip>:1646 secret = <secret> } But how do i configure users file so that it does query the SQL-database? Let´s say every user-record contains information in the table Authentication-Server (Safeword or Portwise). Regards Mika -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
So i start by adding the section to proxy.conf
--proxy.conf realm Safeword { type = radius authhost = <ip>:1645 accthost = <ip>:1646 secret = <secret> }
realm Portwise { type = radius authhost = <ip>:1645 accthost = <ip>:1646 secret = <secret> }
But how do i configure users file so that it does query the SQL-database?
You don't. Use unlang.
Let´s say every user-record contains information in the table Authentication-Server (Safeword or Portwise).
update control { Proxy-To-Realm := %{sql:"SELECT...FROM Authentication-Server WHERE...} } Ivan Kalik Kalik Informatika ISP
You don't. Use unlang.
Let´s say every user-record contains information in the table Authentication-Server (Safeword or Portwise).
update control { Proxy-To-Realm := %{sql:"SELECT...FROM Authentication-Server WHERE...} } Hello again. Sorry, i am new to unlang. Can you please provide me a more precise example of unlang with the above configuration with server-ip and secret? And does this configuration go into the sites-available/default file? Regards Mika -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
You don't. Use unlang.
Let´s say every user-record contains information in the table Authentication-Server (Safeword or Portwise).
update control { Proxy-To-Realm := %{sql:"SELECT...FROM Authentication-Server WHERE...} }
Can you please provide me a more precise example of unlang
Like the one above? All you need to do is complete the SQL statement - all the unlang is there.
with the above configuration with server-ip and secret?
Those go into proxy.conf. Name of that realm will be pulled from the database.
And does this configuration go into the sites-available/default file?
Yes, authorize section. Ivan Kalik Kalik Informatika ISP
OK. I just misunderstood earlier about proxy.conf. Thank you for the answers. Regards Mika -- View this message in context: http://www.nabble.com/Freeradius%2C-PostgreSQL-and-One-Time-Password-backend... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Ivan Kalik -
mikoi