Proxying to a virtual server through unlang?
Hi All, I'm trying to get into the unlang world since it seems really powerful but I can't get my hands around a simple virtual server switching scenario. I basically want to switch to a virtual server based on some attributes, Service-Type for instance. This is because on some network hardware I can't add a radius server for every type of authentication. So everything (802.1x, mac-auth, prompt auth goes to the same server) I found a thread suggesting to do the following: (http://freeradius.1045715.n5.nabble.com/virtual-servers-tt2769141.html) authorize { switch "Service-Type" { #MAC authentication case 'Call-Check' { update control { server[mac-auth] } } #NAS console authentication case 'NAS-Prompt-User' { update control { server[mac-auth] } } } } This works as the debug logs shows: # Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth However it only executes the authorize section of the nas-auth virtual server. I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := "mac-auth" instead of the server[] directive. But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang or is it still best to use the proxying approach using realms? Here's a log of the process. As you can see it only issues the authorize section of the nas-auth virtual server as apposed to going through the full server when using Proxy-To-Realm. rad_recv: Access-Request packet from host 10.6.254.62 port 1025, id=152, length=95 User-Name = "testusr" User-Password = "testpwd" NAS-IP-Address = 10.6.254.62 NAS-Identifier = "ST-AN07258-412" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Message-Authenticator = 0x63ee5e1b0f7b81e883780f9e57c2941c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering switch Service-Type {...} +++- entering case NAS-Prompt-User {...} server nas-auth { # nested call # Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth +- entering group authorize {...} ++? if (Service-Type == 'NAS-Prompt-User') ? Evaluating (Service-Type == 'NAS-Prompt-User') -> TRUE ++? if (Service-Type == 'NAS-Prompt-User') -> TRUE ++- entering if (Service-Type == 'NAS-Prompt-User') {...} [edir-ldap] performing user authorization for testusr [edir-ldap] expand: %{Stripped-User-Name} -> [edir-ldap] ... expanding second conditional [edir-ldap] expand: %{User-Name} -> testusr [edir-ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testusr) [edir-ldap] expand: ou=users,o=radius -> ou=users,o=radius [edir-ldap] ldap_get_conn: Checking Id: 0 [edir-ldap] ldap_get_conn: Got Id: 0 [edir-ldap] performing search in ou=users,o=radius, with filter (cn=testusr) [edir-ldap] checking if remote access for testusr is allowed by cn [edir-ldap] Added the eDirectory password testpwd in check items as Cleartext-Password [edir-ldap] No default NMAS login sequence [edir-ldap] looking for check items in directory... [edir-ldap] looking for reply items in directory... [edir-ldap] user testusr authorized to use remote access [edir-ldap] ldap_release_conn: Release Id: 0 +++[edir-ldap] returns ok ++- if (Service-Type == 'NAS-Prompt-User') returns ok ++ ... skipping else for request 4: Preceding "if" was taken } # server nas-auth with nested call ++++[server[nas-auth]] returns ok +++- case NAS-Prompt-User returns ok ++- switch Service-Type returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. Login OK: [testusr] (from client primary-network port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) expand: %{request:Calling-Station-Id} -> ? Evaluating ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) -> FALSE ++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) -> FALSE ++[callingstationid2vlanid] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++[reply] returns notfound Sending Access-Accept of id 152 to 10.6.254.62 port 1025 Service-Type = Framed-User Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "132" Rg, Arnaud-- Stichting z25.org Concordiastraat 67A 3551 EM Utrecht The Netherlands +31-(0)6-41861063
On 01/03/2012 07:40 AM, Arnaud Loonstra wrote:
However it only executes the authorize section of the nas-auth virtual server.
Yes. That is how that feature works.
I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := "mac-auth" instead of the server[] directive.
Do this. It's works much closer to what you want, AFAICT.
But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang or is it still best to use the proxying approach using realms?
On 01/03/2012 10:14 AM, Phil Mayers wrote:
On 01/03/2012 07:40 AM, Arnaud Loonstra wrote:
However it only executes the authorize section of the nas-auth virtual server.
Yes. That is how that feature works.
I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := "mac-auth" instead of the server[] directive.
Do this. It's works much closer to what you want, AFAICT.
[snip] Ok, thanks for the feedback. I'll stick with realm proxying when I have to process lots of different radius requests (== more complex setup). In my current case I only need to do NAS-prompt login, MAC-Auth and the rest is just handled default (802.1x, general auth, accounting). I'm going to do just some unlang fu in authorize and post-auth. I reckon it's more efficient than proxying... Rg, Arnaud
participants (2)
-
Arnaud Loonstra -
Phil Mayers