Hi, I have configured freeradius server to authenticate & authorize user with the supplied username and password against active directory. Till this stage; The user can be authenticated and authorized successfully with credentials provided. For this purpose; user is just authenticated and authorized depending upon the filter of LDAP module which I have set. My LDAP module filter configuration is as: filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" But Now, I want to go deep on authenticating and authorizing user to allow or reject VPN or Wifi access, etc. For this purpose I have created extension attribute in Active directory and has assigned the value as "VPN" , "Wifi", etc..... Now my question is: How can I set the filter in Ldap module of FreeRadius to just allow the user belonging to VPN or wifi ? Should I need to add the extension attribute filter to the above mentioned filter? OR should I need to define 2 filters: the above one and another for extension attribute? I tried defining 2 filters separately; it didn't work. I know some people use the concept of "Group" for this purpose. In my case, I can't use Group. I just have to authenticate and authorize user just using Active Directory attribute. I don't know whether this is way to do or not. Any idea would be really helpful. This forum has really helped a lot to the beginner like me to reach till this stage. Thanks everyone............ -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 03/01/12 16:55, suggestme wrote:
Hi,
I have configured freeradius server to authenticate& authorize user with the supplied username and password against active directory. Till this stage; The user can be authenticated and authorized successfully with credentials provided. For this purpose; user is just authenticated and authorized depending upon the filter of LDAP module which I have set. My LDAP module filter configuration is as:
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
But Now, I want to go deep on authenticating and authorizing user to allow or reject VPN or Wifi access, etc. For this purpose I have created extension attribute in Active directory and has assigned the value as "VPN" , "Wifi", etc..... Now my question is: How can I set the filter in Ldap module of FreeRadius to just allow the user belonging to VPN or wifi ? Should I need to add the extension attribute filter to the above mentioned filter? OR
Yes. Since the filter is dynamically expanded you can set: filter = "(&(extensionAttrX=%{control:Tmp-String-0})(..original..))" ...and then: authorize { ... if (Some-Condition == Some-Value) { update control { Tmp-String-0 := VPN } } else { update control { Tmp-String-0 := Wifi } } ldap if (notfound) { reject } ... }
should I need to define 2 filters: the above one and another for extension attribute? I tried defining 2 filters separately; it didn't work.
No. 2 filters won't work - "filter" is a singleton config item of the "ldap" module.
I know some people use the concept of "Group" for this purpose. In my case, I can't use Group. I just have to authenticate and authorize user just using Active Directory attribute.
The *other* option is to query the attribute from the LDAP directory, then check it in FreeRADIUS, like so: authorize { ... ldap update request { Tmp-String-0 := "%{ldap:///%{Ldap-UserDN}?extensionAttrX?base?objectClass=*}" } if ((Tmp-String-0 == Wifi) && (...)) { ... } } Which is best will depend on your tastes and needs. The first might be slightly quicker, because it will only use 1 LDAP query instead of 2.
Phil, I modified the LDAP module configuration as you suggested: filter = "(&(extensionAttribute10=%{control:Tmp-String-0}) (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" Also I did change in authorize section of my configuration of "default" and "inner-tunnel" files; But I got confused with the conditional part: if (Some-Condition == Some-Value). I don't know where this should be defined or supplied while doing user testing using radtest. where should this condition be defined or passed? After configuration changes, I run server in debug mode as *radiusd -X*; and run *radtest username password localhost 0 testing123* which just supplies username and password; where to supply extension attribute value check during radtest or where should condition be defined. OR how server knows to check extension attribute for the username and password supplied during radtest? Can you please make me clear? In extensionAttribute10 of my active directory I have just put the values for Wifi and VPN to test. The configuration modification I have done as you suggested as: #Not sure of if (Some-Condition == Some-Value) part so; tried putting if (value == 0) which didn't work *if (Some-Condition == Some-Value)* { update control{ Tmp-String-0 := Wifi } } else{ update control{ Tmp-String-0 := VPN } } ldap if(notfound){ reject } I am really sorry if this is the simple question. Thanks for the reply -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, I had implemented the idea given by Phil for authorizing the users of Active directory to use VPN or Wifi or whatever for which they are for depending upon the value of Active directory's "extensionAttribute10" attribute as: ## /usr/local/etc/raddb/modules/ldap: filter = "(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" I have used extensionAttribute10 for storing values as VPN,wifi depending upon the users. ## /usr/local/etc/raddb/sites-enabled/default ## I tried using Called-Station-Id to check the condition; which is ok for now for testing ; but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be best test condition for this. authorize { ... if (Called-Station-Id == .......) { update control { Tmp-String-0 := VPN } } else { update control { Tmp-String-0 := Wifi } } ldap if (notfound) { reject } ... } And also, I have implemented the idea of returning filter-id for the users of Active directory looking at "OU" of domain as: ldap if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) update control { Tmp-String-1 := "%{1}" } And returning the value of Filter-Id through users file as: DEFAULT Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}" But now I am facing the problem that I can't use more than one If conditions inside unlang to test the conditions inside Ldap module. (If I am correct on my understanding) And, also using the filter defined as above inside Ldap module some user of active directory which doesn't have extensionAttribute10 might get rejected. These users should get default acceptance; but should be granted to access VPN, or wifi if value is assigned to them on extensionAttribute10. If don't have attribute defined still get accepted as default user. If I just use: filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" This allows all the users in Active Directory get accepted (doesn't reject if there is no extensionAttribute10 also); But how to get the goal of granting the authorization for VPN, wifi users accordingly if I use this? Is there any easy way to check condition for the particular attribute of active directory? And I don't know where to check this, If I am already using If conditional statement for returning the Filter-Id inside Ldap module. In my understanding; people use to check this type of condition for the users that are defined in "users" file as; bob User-Password == "testing", Connection-Type := "VPN" But I am not sure how to check like this eventhough If I define in ldap.attrmap as: checkItem Connection-Type extensionAttribute10 I don't know; whether I am confused or I am not getting how to achieve this. Your valuable idea would be really appreciated. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 01/26/2012 02:41 PM, suggestme wrote:
## I tried using Called-Station-Id to check the condition; which is ok for now for testing ; but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be best test condition for this.
There are many options. You could match on Client-Shortname with the following client def: client VPN-1 { ipaddr = 192.0.2.1 secret = ... } ...and then in authorize: authorize { ... if (Client-Shortname =~ /^VPN/) { .. } } Or use Huntgroup-Name and huntgroups.
But now I am facing the problem that I can't use more than one If conditions inside unlang to test the conditions inside Ldap module. (If I am correct on my understanding)
Sorry, I don't understand what you mean here.
And, also using the filter defined as above inside Ldap module some user of active directory which doesn't have extensionAttribute10 might get rejected. These users should get default acceptance; but should be granted to access VPN, or wifi if value is assigned to them on extensionAttribute10. If don't have attribute defined still get accepted as default user.
Well, you need to write your LDAP filter correctly. I suggest you read the LDAP filter syntax. Another option, which you've almost figured out, is to pull the data from LDAP then do the decisions in unlang.
Is there any easy way to check condition for the particular attribute of active directory? And I don't know where to check this, If I am already using If conditional statement for returning the Filter-Id inside Ldap module.
In my understanding; people use to check this type of condition for the users that are defined in "users" file as;
bob User-Password == "testing", Connection-Type := "VPN"
But I am not sure how to check like this eventhough If I define in ldap.attrmap as:
checkItem Connection-Type extensionAttribute10
Ok, several steps: 1. Define your attribute in /etc/raddb/dictionary e.g. ATTRIBUTE My-Extension10 3010 string 2. Define the LDAP -> RADIUS mapping in ldap.attrmap checkItem My-Extension10 extensionAttribute10 3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a "users" file - you must use unlang, like so: authorize { ... ldap if (My-Extension10 == VPN) { .. } } ...or more likely: authorize { .. ldap if (Client-Shortname =~ /^VPN/) { if (My-Extension10 == VPN) { # permit } else { reject } } ... } HTH
On 01/26/2012 04:42 PM, Phil Mayers wrote:
3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a "users" file - you must use unlang, like so:
Damn, sorry, this should be: authorize { ... ldap if (control:My-Extension10 == VPN) { ... } ... }
Thanks a lot again for showing me the direction. Everything works perfect except the conditional checking for Client-Shortname. I tried using: *if (Client-Shortname =~ /^localhost/) {* It didn't work saying Client-Shortname as unknown attribute. Again I tried using: * if ("%{client: shortname}" =~ /^localhost/) {* It also showed the following test result: I am testing it with localhost; In the debug mode output it shows: +++? if ("%{client: shortname}" =~ /^localhost/) expand: %{client: shortname} -> ? Evaluating ("%{client: shortname}" =~ /^localhost/) -> FALSE +++? if ("%{client: shortname}" =~ /^localhost/) -> FALSE Why is the condition checking for localhost is evaluated as FALSE? In my clients.conf I have just listed the default FreeRadius configuration for localhost as: client localhost { ipaddr = 127.0.0.1 secret = testing123 nastype = other } Can't it be tested using localhost shortname; should I need to use client in real environment testing instead of localhost ? OR is there any silly thing I am missing again.......... For just trial purpose I used NAS-IP-Address and supplied my localhost IP address inside "If" condition; it is works. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
Everything works perfect except the conditional checking for Client-Shortname. I tried using:
*if (Client-Shortname =~ /^localhost/) {*
thats wrong
It didn't work saying Client-Shortname as unknown attribute.
Again I tried using:
* if ("%{client: shortname}" =~ /^localhost/) {*
thats wrong too - why have you put a space in it? %{client:shortname} alan
On 01/26/2012 09:46 PM, Alan Buxey wrote:
Hi,
Everything works perfect except the conditional checking for Client-Shortname. I tried using:
*if (Client-Shortname =~ /^localhost/) {*
thats wrong
Really? That's my fault then - I had the impression that Client-Shortname was one of the virtual attribute thingies. I'm sure I've seen reference to it on the wiki somewhere. Oh well.
Yes, using: *%{client:shortname}* (without space) has solved this issue. Thanks for suggesting. You guys are great!!!!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Authorization-with-Active-Directory-... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan Buxey -
Phil Mayers -
suggestme -
suggestme