Can FreeRADIUS retry authentication with another Active Directory after Post-Auth-Type REJECT
Hi, I'm looking for a different kind of fall-through. Is it possible for FreeRadius to fall-through to another Active Directory after Post-Auth-Type Reject? Thanks, Peter.
why so late in the process? just use another AD in the Authenticate section instead.... read the unlang to see how you can call another mschap module if the first one is failing... (i've done this to transition from one AD to another). alan On 8 June 2018 at 21:14, Peter Drucker <druckers@gmail.com> wrote:
Hi,
I'm looking for a different kind of fall-through.
Is it possible for FreeRadius to fall-through to another Active Directory after Post-Auth-Type Reject?
Thanks, Peter. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Thanks for the quick response. I have a "policy" module that can determine
the AD to use for authentication as well as post-auth attributes to send in
the response.
So I can't directly enter the AD in the authentication section. Here's a
sample of my configuration.
server nac-server {
listen {
type = auth
ipaddr = 10.10.120.103
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = acct
ipaddr = 10.10.120.103
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
authorize {
update control {
Load-Balance-Key = "%{Calling-Station-Id}"
}
policy
chap
mschap
eap {
ok = return
}
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
acct_unique
policy
}
accounting {
policy
}
session {
radutmp
}
post-auth {
policy
Post-Auth-Type REJECT {
attr_filter.access_reject
policy
ok
}
}
pre-proxy {
policy
}
post-proxy {
policy
eap
Post-Proxy-Type Fail-Authentication {
policy
}
}
}
On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
> why so late in the process?
>
> just use another AD in the Authenticate section instead.... read the
> unlang to see how you can call another mschap module
> if the first one is failing...
> (i've done this to transition from one AD to another).
>
> alan
>
> On 8 June 2018 at 21:14, Peter Drucker <druckers@gmail.com> wrote:
>
> > Hi,
> >
> > I'm looking for a different kind of fall-through.
> >
> > Is it possible for FreeRadius to fall-through to another Active
> > Directory after Post-Auth-Type Reject?
> >
> > Thanks,
> > Peter.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
Hi
What's the policy module doing? (Since you didn't share) and how is it
being called?
Auth-Type MS-CHAP {
mschap
}
You just need to extend and change that bit, as documented in the module
failover section.
alan
On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers@gmail.com> wrote:
> Thanks for the quick response. I have a "policy" module that can determine
> the AD to use for authentication as well as post-auth attributes to send in
> the response.
>
> So I can't directly enter the AD in the authentication section. Here's a
> sample of my configuration.
>
> server nac-server {
> listen {
> type = auth
> ipaddr = 10.10.120.103
> port = 1812
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
>
> listen {
> type = acct
> ipaddr = 10.10.120.103
> port = 1813
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
>
>
> authorize {
> update control {
> Load-Balance-Key = "%{Calling-Station-Id}"
> }
> policy
> chap
> mschap
> eap {
> ok = return
> }
> pap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> eap
> }
> preacct {
> acct_unique
> policy
> }
> accounting {
> policy
> }
> session {
> radutmp
> }
> post-auth {
> policy
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> policy
> ok
> }
> }
> pre-proxy {
> policy
> }
> post-proxy {
> policy
> eap
> Post-Proxy-Type Fail-Authentication {
> policy
> }
> }
> }
>
> On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
>
> > why so late in the process?
> >
> > just use another AD in the Authenticate section instead.... read the
> > unlang to see how you can call another mschap module
> > if the first one is failing...
> > (i've done this to transition from one AD to another).
> >
> > alan
> >
> > On 8 June 2018 at 21:14, Peter Drucker <druckers@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I'm looking for a different kind of fall-through.
> > >
> > > Is it possible for FreeRadius to fall-through to another Active
> > > Directory after Post-Auth-Type Reject?
> > >
> > > Thanks,
> > > Peter.
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > list/users.html
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Policy module determines which AD to use and then and mschap module uses
the AD info to run ntlm_auth. The assumption being that "redundant" will
unnecessarily iterates through each AD if I put all AD info in the config.
If auth module fails authentication, policy module will determine whether
the request should fall-through to another AD. If yes, then mschap can auth
against the new AD.
And if auth succeeds, then policy module can also determine the outbound
values to send back to NAS.
-Peter
On Saturday, June 9, 2018, Alan Buxey <alan.buxey@gmail.com> wrote:
> Hi
>
> What's the policy module doing? (Since you didn't share) and how is it
> being called?
> Auth-Type MS-CHAP {
> mschap
> }
>
> You just need to extend and change that bit, as documented in the module
> failover section.
>
> alan
>
>
> On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers@gmail.com> wrote:
>
> > Thanks for the quick response. I have a "policy" module that can
> determine
> > the AD to use for authentication as well as post-auth attributes to send
> in
> > the response.
> >
> > So I can't directly enter the AD in the authentication section. Here's a
> > sample of my configuration.
> >
> > server nac-server {
> > listen {
> > type = auth
> > ipaddr = 10.10.120.103
> > port = 1812
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> >
> > listen {
> > type = acct
> > ipaddr = 10.10.120.103
> > port = 1813
> > limit {
> > max_connections = 16
> > lifetime = 0
> > idle_timeout = 30
> > }
> > }
> >
> >
> > authorize {
> > update control {
> > Load-Balance-Key = "%{Calling-Station-Id}"
> > }
> > policy
> > chap
> > mschap
> > eap {
> > ok = return
> > }
> > pap
> > }
> > authenticate {
> > Auth-Type PAP {
> > pap
> > }
> > Auth-Type CHAP {
> > chap
> > }
> > Auth-Type MS-CHAP {
> > mschap
> > }
> > eap
> > }
> > preacct {
> > acct_unique
> > policy
> > }
> > accounting {
> > policy
> > }
> > session {
> > radutmp
> > }
> > post-auth {
> > policy
> > Post-Auth-Type REJECT {
> > attr_filter.access_reject
> > policy
> > ok
> > }
> > }
> > pre-proxy {
> > policy
> > }
> > post-proxy {
> > policy
> > eap
> > Post-Proxy-Type Fail-Authentication {
> > policy
> > }
> > }
> > }
> >
> > On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
> >
> > > why so late in the process?
> > >
> > > just use another AD in the Authenticate section instead.... read the
> > > unlang to see how you can call another mschap module
> > > if the first one is failing...
> > > (i've done this to transition from one AD to another).
> > >
> > > alan
> > >
> > > On 8 June 2018 at 21:14, Peter Drucker <druckers@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm looking for a different kind of fall-through.
> > > >
> > > > Is it possible for FreeRadius to fall-through to another Active
> > > > Directory after Post-Auth-Type Reject?
> > > >
> > > > Thanks,
> > > > Peter.
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > > list/users.html
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
Finally I've got my laptop to add more details.
My environment has multiple AD domains which will be replaced with a new
domain after the merger is complete. Until then, I've users coming from all
these various domains and my policy module will determine whether to
fall-through or not. Since my policy module also does some other things
that're configurable, I cannot completely eliminate it from the picture
and solely depend on the conditional fail-over supported by unlang.
I need the auth modules upon failure, to be able to invoke policy module
and decide whether to fail-over or not. So is it possible to do this using
the config file or I'll have to insert code in the mschap code which I
would like to avoid if possible.
What I'm trying to do is something like this. Obviously it's not working
with the error as:
/home/users/radius/raddb/sites-enabled/nac-server[63]: Subsection of module
instance call not allowed
/home/users/radius/raddb/sites-enabled/nac-server[62]: Failed to parse
"mschap" subsection.
authenticate {
Auth-Type MS-CHAP {
mschap { ==> line 62
if (notfound) { ==> line 63
policy {
if (handled) {
mschap
}
}
}
else if (reject) {
policy {
if (handled) {
mschap
}
}
}
}
}
}
On Sat, Jun 9, 2018 at 7:07 PM, Peter Drucker <druckers@gmail.com> wrote:
> Policy module determines which AD to use and then and mschap module uses
> the AD info to run ntlm_auth. The assumption being that "redundant" will
> unnecessarily iterates through each AD if I put all AD info in the config.
>
> If auth module fails authentication, policy module will determine whether
> the request should fall-through to another AD. If yes, then mschap can auth
> against the new AD.
>
> And if auth succeeds, then policy module can also determine the outbound
> values to send back to NAS.
>
>
> -Peter
>
> On Saturday, June 9, 2018, Alan Buxey <alan.buxey@gmail.com> wrote:
>
>> Hi
>>
>> What's the policy module doing? (Since you didn't share) and how is it
>> being called?
>> Auth-Type MS-CHAP {
>> mschap
>> }
>>
>> You just need to extend and change that bit, as documented in the module
>> failover section.
>>
>> alan
>>
>>
>> On Sat, 9 Jun 2018, 04:44 Peter Drucker, <druckers@gmail.com> wrote:
>>
>> > Thanks for the quick response. I have a "policy" module that can
>> determine
>> > the AD to use for authentication as well as post-auth attributes to
>> send in
>> > the response.
>> >
>> > So I can't directly enter the AD in the authentication section. Here's a
>> > sample of my configuration.
>> >
>> > server nac-server {
>> > listen {
>> > type = auth
>> > ipaddr = 10.10.120.103
>> > port = 1812
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> >
>> > listen {
>> > type = acct
>> > ipaddr = 10.10.120.103
>> > port = 1813
>> > limit {
>> > max_connections = 16
>> > lifetime = 0
>> > idle_timeout = 30
>> > }
>> > }
>> >
>> >
>> > authorize {
>> > update control {
>> > Load-Balance-Key = "%{Calling-Station-Id}"
>> > }
>> > policy
>> > chap
>> > mschap
>> > eap {
>> > ok = return
>> > }
>> > pap
>> > }
>> > authenticate {
>> > Auth-Type PAP {
>> > pap
>> > }
>> > Auth-Type CHAP {
>> > chap
>> > }
>> > Auth-Type MS-CHAP {
>> > mschap
>> > }
>> > eap
>> > }
>> > preacct {
>> > acct_unique
>> > policy
>> > }
>> > accounting {
>> > policy
>> > }
>> > session {
>> > radutmp
>> > }
>> > post-auth {
>> > policy
>> > Post-Auth-Type REJECT {
>> > attr_filter.access_reject
>> > policy
>> > ok
>> > }
>> > }
>> > pre-proxy {
>> > policy
>> > }
>> > post-proxy {
>> > policy
>> > eap
>> > Post-Proxy-Type Fail-Authentication {
>> > policy
>> > }
>> > }
>> > }
>> >
>> > On Fri, Jun 8, 2018 at 5:34 PM, Alan Buxey <alan.buxey@gmail.com>
>> wrote:
>> >
>> > > why so late in the process?
>> > >
>> > > just use another AD in the Authenticate section instead.... read the
>> > > unlang to see how you can call another mschap module
>> > > if the first one is failing...
>> > > (i've done this to transition from one AD to another).
>> > >
>> > > alan
>> > >
>> > > On 8 June 2018 at 21:14, Peter Drucker <druckers@gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I'm looking for a different kind of fall-through.
>> > > >
>> > > > Is it possible for FreeRadius to fall-through to another Active
>> > > > Directory after Post-Auth-Type Reject?
>> > > >
>> > > > Thanks,
>> > > > Peter.
>> > > > -
>> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> > > > list/users.html
>> > > -
>> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> > > list/users.html
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>
>
On Jun 9, 2018, at 8:40 PM, Peter Drucker <druckers@gmail.com> wrote:
What I'm trying to do is something like this. Obviously it's not working with the error as:
/home/users/radius/raddb/sites-enabled/nac-server[63]: Subsection of module instance call not allowed /home/users/radius/raddb/sites-enabled/nac-server[62]: Failed to parse "mschap" subsection.
See "man unlang". You can't just out random things in the config and expect them to do what you want.
authenticate { Auth-Type MS-CHAP { mschap { ==> line 62
mschap is a module. If you do "mschap { ...}" the *only* allowed contents of the {...} block are failure codes and priorities.
if (notfound) { ==> line 63
Instead of explaining what you've done, maybe you can explain what you're trying to do. i.e. what you *want* to happen.
policy { if (handled) { mschap
So "mschap" is inside of the "mschap" section? That doesn't make sense... Alan DeKok.
This is what I want to 'happen': if any of the 'authenticate' modules 'reject' or 'notfound', check is 'policy' module says 'handled'. If it says 'handled', then - retry 'authentication' with fall-through AD. - 'fall-through' AD info is supplied by 'policy' module. If 'policy' module says 'reject' - come out of 'authenticate' On Sat, Jun 9, 2018 at 10:43 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 9, 2018, at 8:40 PM, Peter Drucker <druckers@gmail.com> wrote:
What I'm trying to do is something like this. Obviously it's not working with the error as:
/home/users/radius/raddb/sites-enabled/nac-server[63]: Subsection of module instance call not allowed /home/users/radius/raddb/sites-enabled/nac-server[62]: Failed to parse "mschap" subsection.
See "man unlang". You can't just out random things in the config and expect them to do what you want.
authenticate { Auth-Type MS-CHAP { mschap { ==> line 62
mschap is a module. If you do "mschap { ...}" the *only* allowed contents of the {...} block are failure codes and priorities.
if (notfound) { ==> line 63
Instead of explaining what you've done, maybe you can explain what you're trying to do. i.e. what you *want* to happen.
policy { if (handled) { mschap
So "mschap" is inside of the "mschap" section?
That doesn't make sense...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 9, 2018, at 11:01 PM, Peter Drucker <druckers@gmail.com> wrote:
This is what I want to 'happen':
if any of the 'authenticate' modules 'reject' or 'notfound', check is 'policy' module says 'handled'. If it says 'handled', then - retry 'authentication' with fall-through AD. - 'fall-through' AD info is supplied by 'policy' module.
How? AD queries are done via ntlm_auth, or via the winbind module. What "info" is being supplied here?
If 'policy' module says 'reject' - come out of 'authenticate'
The main issue there is that modules like MS-CHAP will return MS-CHAP error attributes. So you can't just "fall through" to trying something else. You also need to delete the MS-CHAP error attributes. Honestly, it's always better to do the right thing, and only the right thing. It's bad to do something wrong, and then try to do the right thing. So *why* are you failing over to a different AD server? Why not just try that AD server in the first place? If you want to catch the "reject" return code from a module, read this page: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuratio... It has examples for how to do configurable failover. Alan DeKok.
On Sun, Jun 10, 2018 at 12:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 9, 2018, at 11:01 PM, Peter Drucker <druckers@gmail.com> wrote:
This is what I want to 'happen':
if any of the 'authenticate' modules 'reject' or 'notfound', check is 'policy' module says 'handled'. If it says 'handled', then - retry 'authentication' with fall-through AD. - 'fall-through' AD info is supplied by 'policy' module.
How? AD queries are done via ntlm_auth, or via the winbind module. What "info" is being supplied here?
Yes, we use ntlm_auth and the AD domain info is passed dynamically.
If 'policy' module says 'reject' - come out of 'authenticate'
The main issue there is that modules like MS-CHAP will return MS-CHAP error attributes. So you can't just "fall through" to trying something else. You also need to delete the MS-CHAP error attributes.
Yes, this is the issue that I noticed when I tried to call 'rad_authenticate()' again in 'Post-Auth REJECT' work flow.
Honestly, it's always better to do the right thing, and only the right thing. It's bad to do something wrong, and then try to do the right thing.
So *why* are you failing over to a different AD server? Why not just try that AD server in the first place?
I have few AD servers at this time with some data being synchronized but not all. So I've few users common between these AD's but I also have some servers info that's not yet synchronized. So instead of simply using redundant to automatically fall-through, I would like this to be configurable based on some other characteristics from the policy module.
If you want to catch the "reject" return code from a module, read this page:
https://github.com/FreeRADIUS/freeradius-server/ blob/v3.0.x/doc/configuration/configurable_failover.rst
It has examples for how to do configurable failover.
I tried this. authenticate { Auth-Type MS-CHAP { mschap if (reject) policy reject = return }
I can see mschap returning reject, but it's not honoring the if condition. Does it only handle just the return codes and not the 'if' statement in authenticate flow? Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
On Jun 10, 2018, at 10:31 PM, Peter Drucker <druckers@gmail.com> wrote:
I tried this. authenticate { Auth-Type MS-CHAP { mschap if (reject)
Which means you didn't read the link I posted.
policy reject = return }
I can see mschap returning reject, but it's not honoring the if condition. Does it only handle just the return codes and not the 'if' statement in authenticate flow?
Read the documentation. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Peter Drucker