Check on ADSL-Agent-Remote-Id instead of username
Hello freeradius, We’ve been using freeradius for a couple of years now and have expanded to connectiong users via PPPoE. Currently we give our customers a username and password whether they are authorized to connect. We want to change this to ADSL-Agent-Remote-Id, an attribute we see in the Access-Request packet. We are using this version of freeradius: root@server1:~# freeradius -v freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03 We will upgrade to a version beyond 3.x.x soon. I have been searching the web for this, but can’t find something other than modifying the scripts used by freeradius on its mysql backend. Anyone who can help me in the right direction? Met vriendelijke groet \ With kind regards, Marijn van Gool
On Apr 11, 2018, at 10:53 AM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
We’ve been using freeradius for a couple of years now and have expanded to connectiong users via PPPoE. Currently we give our customers a username and password whether they are authorized to connect. We want to change this to ADSL-Agent-Remote-Id, an attribute we see in the Access-Request packet.
That should be simple... if (ADSL-Agent-Remote-Id == ...) { update control { Auth-Type := Accept } } Thought to be honest, it's probably best to just put those remote IDs into an SQL table, and just use a SELECT to match it. if ("%{sql:SELECT agent_remote_id FROM table WHERE agent_remote_id = %{ADSL-Agent-Remote-Id}}" != "") { update control { Auth-Type := Accept } } You'll have to edit the SQL query, of course.
We are using this version of freeradius:
root@server1:~# freeradius -v freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
We will upgrade to a version beyond 3.x.x soon.
You should be able to upgrade to 2.2.10 without any configuration changes. That version has many, many, fixes over 2.1.12. Alan DeKok.
Right so I would be just editing some sql query files.. The reason I’m asking is because I would not just edit them right away as I might break something. I would be editing this file right? —> /etc/freeradius/sql/mysql/dialup.conf
Thought to be honest, it's probably best to just put those remote IDs into an SQL table, and just use a SELECT to match it.
Good idea. Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 11 Apr 2018, at 17:08, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 11, 2018, at 10:53 AM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
We’ve been using freeradius for a couple of years now and have expanded to connectiong users via PPPoE. Currently we give our customers a username and password whether they are authorized to connect. We want to change this to ADSL-Agent-Remote-Id, an attribute we see in the Access-Request packet.
That should be simple...
if (ADSL-Agent-Remote-Id == ...) { update control { Auth-Type := Accept } }
Thought to be honest, it's probably best to just put those remote IDs into an SQL table, and just use a SELECT to match it.
if ("%{sql:SELECT agent_remote_id FROM table WHERE agent_remote_id = %{ADSL-Agent-Remote-Id}}" != "") { update control { Auth-Type := Accept } }
You'll have to edit the SQL query, of course.
We are using this version of freeradius:
root@server1:~# freeradius -v freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
We will upgrade to a version beyond 3.x.x soon.
You should be able to upgrade to 2.2.10 without any configuration changes. That version has many, many, fixes over 2.1.12.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 11, 2018, at 12:27 PM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
Right so I would be just editing some sql query files..
No. You can put the "if" statement into the "authorize" section of the virtual server. You just add a new SQL table containing the ADSL-Agent-Remote-Id information. You don't need to modify any of the existing queries. Alan DeKok.
Is it maybe an option/possibility to: - within the user table make the username equal to the remote-id - somewhere in the radius config make the username equal to the remote-id (then the further processing within freeradius should remain as it is and based upon username) wkr rene On Wed, Apr 11, 2018 at 6:37 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 11, 2018, at 12:27 PM, Marijn van Gool < marijn.vangool@comsave.com> wrote:
Right so I would be just editing some sql query files..
No.
You can put the "if" statement into the "authorize" section of the virtual server.
You just add a new SQL table containing the ADSL-Agent-Remote-Id information.
You don't need to modify any of the existing queries.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Apr 11, 2018, at 12:48 PM, Rene Stoutjesdijk <r.stoutjesdijk@gmail.com> wrote:
Is it maybe an option/possibility to: - within the user table make the username equal to the remote-id - somewhere in the radius config make the username equal to the remote-id (then the further processing within freeradius should remain as it is and based upon username)
It's easier to just update the "key" in raddb/modules/files Alan DeKok.
It's easier to just update the "key" in raddb/modules/files
Great, this is what I was looking for. For freeradius to match on Remote-ID just change (and uncomment) #key = "%{Stripped-User-Name:-%{User-Name}}” to #key = "%{Stripped-User-Name:-%{ADSL-Agent-Remote-Id}}” or #key = "%{ADSL-Agent-Remote-Id:-%{User-Name}}” ? I’ve got clients connecting via the Remote ID AND clients connecting with the username. How would I accomplish that? I need both to work. Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 11 Apr 2018, at 18:50, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 11, 2018, at 12:48 PM, Rene Stoutjesdijk <r.stoutjesdijk@gmail.com> wrote:
Is it maybe an option/possibility to: - within the user table make the username equal to the remote-id - somewhere in the radius config make the username equal to the remote-id (then the further processing within freeradius should remain as it is and based upon username)
It's easier to just update the "key" in raddb/modules/files
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 13, 2018, at 7:57 AM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
It's easier to just update the "key" in raddb/modules/files
Great, this is what I was looking for.
For freeradius to match on Remote-ID just change (and uncomment)
#key = "%{Stripped-User-Name:-%{User-Name}}”
to
#key = "%{Stripped-User-Name:-%{ADSL-Agent-Remote-Id}}” or #key = "%{ADSL-Agent-Remote-Id:-%{User-Name}}”
Well, you *do* have to uncomment it for the change to take effect.
I’ve got clients connecting via the Remote ID AND clients connecting with the username. How would I accomplish that? I need both to work.
Write rules to do that. Use if / then / else. i.e. ask *good* questions. "I need to do stuff" is a bad question. You should sit down and write what the server receives, what you want it to do, and where the various bits of data are stored. Use simple english for this, like a little story. Once you've done that, you will discover that the "unlang" statements become pretty obvious to write. And that way you *understand* the solution, instead of just throwing up your hands and expecting to get spoon-fed answers. Alan DeKok.
You can put the "if" statement into the "authorize" section of the virtual server.
Where do I find this? I would need some more guidance here to find the things you mean. RIght, but eventually I need to return stuff like Framed-IP-Address and Framed-Netmask attributes back into the Access-Accept packet. All queries I find select these values based on the username.
You just add a new SQL table containing the ADSL-Agent-Remote-Id information.
Sure, will do that. Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 11 Apr 2018, at 18:37, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 11, 2018, at 12:27 PM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
Right so I would be just editing some sql query files..
No.
You can put the "if" statement into the "authorize" section of the virtual server.
You just add a new SQL table containing the ADSL-Agent-Remote-Id information.
You don't need to modify any of the existing queries.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 11, 2018, at 1:32 PM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
You can put the "if" statement into the "authorize" section of the virtual server.
Where do I find this? I would need some more guidance here to find the things you mean.
The server comes with documentation. See "man unlang".
RIght, but eventually I need to return stuff like Framed-IP-Address and Framed-Netmask attributes back into the Access-Accept packet. All queries I find select these values based on the username.
Read the "raddb/modules/sql/mysql/main.conf" file. This is documented. Alan DeKok.
Hi Marijn,
Where do I find this? I would need some more guidance here to find the things you mean. if you only have one server on your (presumably virtual) machine, it is called default and its config resides in /etc/freeradius/sites-available/default To call it to life, there's a symlink of the same name in /etc/[freeradius|raddb]/sites-enable/ See https://wiki.freeradius.org/config/Virtual-server If this reminds you of an Apache config, you're right: https://wiki.freeradius.org/config/Sites-configuration
I’ve got clients connecting via the Remote ID AND clients connecting with the username. How would I accomplish that? I need both to work. RIght, but eventually I need to return stuff like Framed-IP-Address and Framed-Netmask attributes back into the Access-Accept packet. All queries I find select these values based on the username.
Since you need both, Rene's suggestion might be the way to go: Transfer the contents of ADSL-Agent-Remote-Id into User-Name, and leave the "key" in [freeradius|raddb]/modules/files as it is. To achieve this, place an appropriate unlang statement in config file mentioned above. http://networkradius.com/doc/3.0.10/unlang/home.html Looks like a good starting point. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Hi Martin, Thanks a lot for your answer. I was looking around a bit more and started experimenting with the SQL query Alan provided me earlier: if ("%{sql:SELECT agent_remote_id FROM table WHERE agent_remote_id = '%{ADSL-Agent-Remote-Id}}" != "") { update control { Auth-Type := Accept } } I do receive the remote ID: (285) ADSL-Agent-Remote-Id = 0x31323639314d563338 As you can see it’s hex encoded.. I believe this one will work once I know how to convert the ADSL-Agent-Remote-Id HEX encoded string to regular STRING hat I receive in the Access-Request packet. I’ve googled around a bit and haven;t been able to find a solution to this. Can I unhex it at freeradius level or do I have to look at the NAS sending / relaying the packet (it’s a Juniper MX router). Or even put the hex string in the radius server..
Since you need both, Rene's suggestion might be the way to go: Transfer the contents of ADSL-Agent-Remote-Id into User-Name, and leave the "key" in [freeradius|raddb]/modules/files as it is. To achieve this, place an appropriate unlang statement in config file mentioned above. http://networkradius.com/doc/3.0.10/unlang/home.html Looks like a good starting point.
Alright, will try this! Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 16 Apr 2018, at 11:12, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
Hi Marijn,
Where do I find this? I would need some more guidance here to find the things you mean. if you only have one server on your (presumably virtual) machine, it is called default and its config resides in /etc/freeradius/sites-available/default To call it to life, there's a symlink of the same name in /etc/[freeradius|raddb]/sites-enable/ See https://wiki.freeradius.org/config/Virtual-server If this reminds you of an Apache config, you're right: https://wiki.freeradius.org/config/Sites-configuration
I’ve got clients connecting via the Remote ID AND clients connecting with the username. How would I accomplish that? I need both to work. RIght, but eventually I need to return stuff like Framed-IP-Address and Framed-Netmask attributes back into the Access-Accept packet. All queries I find select these values based on the username.
Since you need both, Rene's suggestion might be the way to go: Transfer the contents of ADSL-Agent-Remote-Id into User-Name, and leave the "key" in [freeradius|raddb]/modules/files as it is. To achieve this, place an appropriate unlang statement in config file mentioned above. http://networkradius.com/doc/3.0.10/unlang/home.html Looks like a good starting point.
Cheers, Martin
-- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 16, 2018, at 6:19 AM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
Thanks a lot for your answer. I was looking around a bit more and started experimenting with the SQL query Alan provided me earlier:
if ("%{sql:SELECT agent_remote_id FROM table WHERE agent_remote_id = '%{ADSL-Agent-Remote-Id}}" != "") { update control { Auth-Type := Accept } }
I do receive the remote ID: (285) ADSL-Agent-Remote-Id = 0x31323639314d563338 As you can see it’s hex encoded..
It's supposed to be hex. It *might* be a string, but you have no guarantees.
I believe this one will work once I know how to convert the ADSL-Agent-Remote-Id HEX encoded string to regular STRING hat I receive in the Access-Request packet.
update request { Tmp-String-0 := "%{string:&ADSL-Agent-Remote-Id}" } That should help. Alan DeKok.
update request { Tmp-String-0 := "%{string:&ADSL-Agent-Remote-Id}" } yep, and unlang is not a language except it has if/then, fancy type conversions and lots of other stuff built in for just about every processing need ... Very nice understatement, this name :-))
-- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
The only thing I did now is this: server { authorize { if ("%{sql:SELECT agent_remote_id FROM radremoteid WHERE agent_remote_id = '%{string:ADSL-Agent-Remote-Id}'}" != "") { update request { User-Name := "%{string:&ADSL-Agent-Remote-Id}" } } } } For this I had to populate the radcheck table where I added the ADSL-Agent-Remote-Id | Auth-Type | := | Accept. Would I only do this: update control { Auth-Type := Accept } I noticed that the SELECT query on the radreply table gets skipped. Is it necessary to make a ADSL-Agent-Remote-Id table at all. I could just populate tables radcheck, radreply, radgroupcheck and radgroupreply. Your thoughts on this? Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 16 Apr 2018, at 17:52, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
update request { Tmp-String-0 := "%{string:&ADSL-Agent-Remote-Id}" } yep, and unlang is not a language except it has if/then, fancy type conversions and lots of other stuff built in for just about every processing need ... Very nice understatement, this name :-))
-- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I was wondering if there is a better suggestion to what I’m doing here. I could very well do the following by setting the username equal to the Agent Remote Id. I would be then only using the radcheck table setting the Auth-Type to Accept and the radreply table for returning the IP address.
if ("%{sql:SELECT username FROM radcheck WHERE username = '%{string:ADSL-Agent-Remote-Id}'}" != "") { update request { User-Name := "%{string:&ADSL-Agent-Remote-Id}" } }
When I do this:
update control { Auth-Type := Accept }
the check on radreply table gets skipped and nothing is returned int the Access-Accept packet. Any idea why? Everything is done at the authorize section in the virtual server. Met vriendelijke groet \ With kind regards, Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com> +31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On 16 Apr 2018, at 21:53, Marijn van Gool <marijn.vangool@comsave.com> wrote:
The only thing I did now is this:
server { authorize { if ("%{sql:SELECT agent_remote_id FROM radremoteid WHERE agent_remote_id = '%{string:ADSL-Agent-Remote-Id}'}" != "") { update request { User-Name := "%{string:&ADSL-Agent-Remote-Id}" } } } }
For this I had to populate the radcheck table where I added the ADSL-Agent-Remote-Id | Auth-Type | := | Accept.
Would I only do this:
update control { Auth-Type := Accept }
I noticed that the SELECT query on the radreply table gets skipped.
Is it necessary to make a ADSL-Agent-Remote-Id table at all. I could just populate tables radcheck, radreply, radgroupcheck and radgroupreply. Your thoughts on this?
Met vriendelijke groet \ With kind regards,
Marijn van Gool NOC Network Engineer noc@comsave.com <mailto:noc@comave.com>
+31 88 999 5555 marijn.vangool@comsave.com <mailto:marijn.vangool@comsave.com> www.comsave.nl <http://www.comsave.nl/>
On Apr 19, 2018, at 3:28 AM, Marijn van Gool <marijn.vangool@comsave.com> wrote:
I was wondering if there is a better suggestion to what I’m doing here.
I could very well do the following by setting the username equal to the Agent Remote Id.
Don't do that. Just change the SQL queries to use the remote ID *or* User-Name. See SQL-User-Name in the configuration.
I would be then only using the radcheck table setting the Auth-Type to Accept and the radreply table for returning the IP address.
Yes.
if ("%{sql:SELECT username FROM radcheck WHERE username = '%{string:ADSL-Agent-Remote-Id}'}" != "") { update request { User-Name := "%{string:&ADSL-Agent-Remote-Id}" } }
When I do this:
update control { Auth-Type := Accept }
the check on radreply table gets skipped and nothing is returned int the Access-Accept packet. Any idea why?
Probably because you configured it to not run the SQL module if that happens. As always, read the debug output to see what it's doing. We can't make detailed solutions if we're given vague descriptions of the problem. Alan DeKok.
participants (4)
-
Alan DeKok -
Marijn van Gool -
Martin Pauly -
Rene Stoutjesdijk