Hi all We have a radius setup that we use to authenticate our own adsl users as well as proxying radius to 2 other sources. Our own radius entries use a realm after each username, a typical entry is: ############ user1@arealm.com Password == secret Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 10.0.0.3, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP ########### Is there a way of getting radius to authenicate on the username before the @ sign and ignore the realm? Obviously if the realm is one that we proxy then it should be proxied as such and any that aren't in the proxy.conf file authenticated locally. This may sound like an odd request but in the case of users typing the realm incorrect but the username is Ok they can be authenticated still. Since we only get sent authentication requests from realms that belong to us or the people we proxy for locally it doesn't really matter what the realm is, the user still has to have the correct password to authenticate. In the case the user is one we proxy and the user types the realm incorrect then they just won't be authenticated since it wouldn't be proxied and the username would not exist in our radius users file, this is fine. I've tried adding "strip" to the LOCAL entry in proxy.conf and also just adding the entry: ############ user1 Password == secret Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 10.0.0.3, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP ########### to the radius users file but it won't authenticate. Thanks Tony
"TS" <tony@thewordzone.co.uk> wrote:
Is there a way of getting radius to authenicate on the username before the @ sign and ignore the realm?
Yes, but you have to edit the "users" file to get rid of the "@realm" portion, and configure the realms as LOCAL ones.
Obviously if the realm is one that we proxy then it should be proxied as such and any that aren't in the proxy.conf file authenticated locally.
That's what LOCAL is for. See proxy.conf.
I've tried adding "strip" to the LOCAL entry in proxy.conf and also just adding the entry: ... to the radius users file but it won't authenticate.
What does debugging mode say? What has to be updated in the documentation to convince people to run the server in debugging mode, and to read the output? Alan DeKok.
Is there a way of getting radius to authenicate on the username before the @ sign and ignore the realm?
Yes, but you have to edit the "users" file to get rid of the "@realm" portion, and configure the realms as LOCAL ones.
The object is to not to have to configure any realms as local. So that Radius will try to auth any realm that isn't to be proxied. If I have a user whose username is user1@arealm.com I can easily specify arealm.com as local. But if by mistake the user types the username as user1@brealm.com auth will just fail because the realm isn't specified in proxy.conf.
What does debugging mode say?
Exactly what you'd expect it to say if the realm isn't in proxy.conf: ##### rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68 User-Name = "user1@arealm.com" User-Password = "acc355" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: Looking up realm "arealm.com" for User-Name = "user1@arealm.com" rlm_realm: No such realm "arealm.com" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: group authorize returns ok for request 2 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [user1@arealm.com/acc355] (from client localhost port 1645) Delaying request 2 for 1 seconds Finished request 2 ###### The user doesn't exist as the entry in users just has the username as "user1" and the request is sending user1@arealm.com. I want radius to first check to see if the request needs to be proxied. If not then authenticate it locally no matter what the realm is but before authenticating it strip off the realm and just use everything before the @ sign as the username. Tony
"TS" <tony@thewordzone.co.uk> wrote:
The object is to not to have to configure any realms as local.
That conflicts directly with your requirement to allow users to log in as "user" or "user@realm".
If I have a user whose username is user1@arealm.com I can easily specify arealm.com as local. But if by mistake the user types the username as user1@brealm.com auth will just fail because the realm isn't specified in proxy.conf.
Then you can't use realms. You've got to configure a module to strip out everything after the "@" sign. The 'realms" module, and proxy.conf are meant to deal with known realms. If you want to deal with unknown realms, you have to use something else.
If not then authenticate it locally no matter what the realm is but before authenticating it strip off the realm and just use everything before the @ sign as the username.
Then configure it to do that, but you can't use realms. You'll have to use another module to re-write the username for the packets that aren't proxied. The simplest thing for you to do might be to create a wildcard realm by modifying rlm_realm. Alan DeKok.
On Tuesday 25 April 2006 01:43, TS wrote:
What does debugging mode say?
Exactly what you'd expect it to say if the realm isn't in proxy.conf:
##### rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68 User-Name = "user1@arealm.com" User-Password = "acc355" ...
The user doesn't exist as the entry in users just has the username as "user1" and the request is sending user1@arealm.com.
The original users example you posted had the username of "user1@arealm.com" with a password of "secret". Here you say the users file has just "user1". Which is correct?
I want radius to first check to see if the request needs to be proxied.
It will do this if you have a realm module listed in the authorize section. The suffix realm module is listed in the default config.
If not then authenticate it locally no matter what the realm is but before authenticating it strip off the realm and just use everything before the @ sign as the username.
Alan's hint to use LOCAL is still correct. If you know the realms people will be using, you can list them in the proxy.conf file. If you want to catch any realm not already defined and send that to local auth, that is pretty easy to accomplish. Please read doc/proxy for a better understanding of how realms work with proxying, and also how the 2 special realms work. If you're still stumped, post back with your questions. Kevin Bonner
participants (3)
-
Alan DeKok -
Kevin Bonner -
TS