Realm parsing and \r => =0D
I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam. Within a day, I had the configuration I wanted, or so I thought. Empty stanzas for realms user@carleton.edu, ADS\user, and bare username get authenticated with mschapv2. Otherwise, regex realm *@*.* gets routed to the eduroam upstream radius hierarchy. I configured bufffered-sql for logging. It all "works." Except... I noticed that my entries appeared in SQL-land as ADS=0Dgraves. So, it seems that the ADS\ realm is recognized (successfully authenticated locally, not sent to eduroam), but not stripped. Worse, the \r in ADS\rgraves is interpreted as a carriage return by the time it gets to SQL-User-Name. I guess my conclusion is that I am very confused about where realms get configured, and which entries in the example config files are examples and which are metareferences to other code. Is the "realm ntdomain" that appears in modules/realm, with a commented-out reference in sites-available/default, an example of handling an example NT Domain named "ntdomain," or is it a directive analogous to format = suffix? I was sure of the former, but am less sure now. "suffix" is overloaded as both a format type and as a example realm that happens to be of type suffix, right? I'm pretty sure that I need ADS, carleton.edu, and null to be recognized in proxy.conf, to distinguish what goes to inner-tunnel from what does to eduroam upstream; and I am pretty sure that I need carleton.edu stripped in or before inner-tunnel. MSCHAPv2 will accept both ADS\username and username, so it's not critical to strip the former. However, it seems critical that ADS\ be stripped or more thoroughly escaped before or during transformation of sql_user_name to SQL-User-Name, because rendering ADS\rgraves as ADS=0Dgraves is just wrong. I am also very confused about whether and where I want "ignore-null = yes." It's mentioned in the shipped modules/realms but not in proxy.conf. The realm stanzas I have thus far are below. inner-tunnel, default, and buffered-sql are pretty much as shipped, except for the obvious DB configuration. realm ADS { format = prefix delimiter = '\\' accthost = LOCAL authhost = LOCAL } realm carleton.edu { format = suffix delimiter = "@" accthost = LOCAL authhost = LOCAL } realm "~.*\\..*" { { format = suffix delimiter = "@" accthost = eduroam1.ns.utk.edu authhost = eduroam1.ns.utk.edu secret = notpostedhere nostrip } # This could probably just be realm NULL realm DEFAULT { type = radius accthost = LOCAL authhost = LOCAL } At the point where I realized I was turning things on and off just to see if radiusd -X would run, I decided that I should stick with clear, simple things like sendmail.cf, and ask for pointers. -- Rich Graves http://claimid.com/rcgraves Carleton.edu Sr UNIX and Security Admin CMC135: 507-222-7079 Cell: 952-292-6529
Rich Graves <rgraves@carleton.edu> wrote:
I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
Within a day, I had the configuration I wanted, or so I thought.
Empty stanzas for realms user@carleton.edu, ADS\user, and bare username get authenticated with mschapv2. Otherwise, regex realm *@*.* gets routed to the eduroam upstream radius hierarchy.
If you are going 'eduroam' you really need to reject *everything* eduroam SSID/802.1X related that is not of the form user@realm. If you permit combinations then you will find users can use 'eduroam' locally with no problems but then when they go roaming, their workstation does not tell the visited site the realm (in the form '@example.edu') and so can only reject it. The result, very unhappy users. If you reject *today* NULL, then your helpdesk *have* to configure people correctly. These are the words from a bitten before eduroam sysadmin :) As for your realm fun, this is what we do: ---- templates.conf ---- templates { # PROXY eduroam-proxy { type = auth+acct port = 1812 require_message_authenticator = yes status_check = status-server } eduroam-proxy6 { src_ipaddr = ${local.MY.addr.v6} $template eduroam-proxy } eduroam-proxy4 { src_ipaddr = ${local.MY.addr.v4} $template eduroam-proxy } } ---- proxy.conf ---- ## eduroam # roaming0.ja.net home_server jrs.0.v6 { ipv6addr = ${local.jrs.0.addr.v6} secret = ${local.jrs.0.secret} $template eduroam-proxy6 } home_server jrs.0.v4 { ipaddr = ${local.jrs.0.addr.v4} secret = ${local.jrs.0.secret} $template eduroam-proxy4 } # roaming1.ja.net home_server jrs.1.v6 { ipv6addr = ${local.jrs.1.addr.v6} secret = ${local.jrs.1.secret} $template eduroam-proxy6 } home_server jrs.1.v4 { ipaddr = ${local.jrs.1.addr.v4} secret = ${local.jrs.1.secret} $template eduroam-proxy4 } # roaming2.ja.net home_server jrs.2.v6 { ipv6addr = ${local.jrs.2.addr.v6} secret = ${local.jrs.2.secret} $template eduroam-proxy6 } home_server jrs.2.v4 { ipaddr = ${local.jrs.2.addr.v4} secret = ${local.jrs.2.secret} $template eduroam-proxy4 } home_server_pool eduroam { type = keyed-balance home_server = jrs.0.v6 home_server = jrs.0.v4 home_server = jrs.1.v6 home_server = jrs.1.v4 home_server = jrs.2.v6 home_server = jrs.2.v4 } realm NULL { } realm LOCAL { } realm soas.ac.uk { } realm auth.virtual { virtual_server = auth } realm DEFAULT { pool = eduroam nostrip } # blackhole routing realm myabc.com { nostrip } realm "~\\.3gppnetwork\\.org$" { nostrip } ---- The virtual server looks vaguely like (for *all* users onsite, the 'our users visiting elsewhere' is simpler): ---- authorize { preprocess suffix # detail rewrite.called_station_id rewrite.calling_station_id update request { Operator-Name := "1%{config:local.MY.realm}" } eap { ok = return } # Reject Calling-Station-Id-less authentications if (!(Calling-Station-Id)) { update reply { Reply-Message := "No Calling-Station-Id" } reject } elsif (Calling-Station-Id =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { update control { Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}" } } if (!(User-Name)) { update reply { Reply-Message := "No User-Name" } reject } validate_username # handle realmless authentications if ((EAP-Message) && Realm == NULL) { update reply { Reply-Message := "No Realm" } reject } # handle blackhole'd realms if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "%{config:local.MY.realm}") { update reply { Reply-Message := "Realm Blackholed" } reject } # [snipped local MAC-Auth hooks] # workaround crappy load-balancing if (Realm == DEFAULT) { update control { Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}" } handled } Autz-Type Status-Server { ok } } post-auth { Post-Auth-Type Reject { redundant { sql.dot1x ok } attr_filter.access_reject eap-has-no-reply-message # detail } # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request Session-Timeout := 300 Acct-Interim-Interval := 3600 } if ((EAP-Message) && !(Ldap-UserDn)) { cache_ldap-userdn } if (Realm == "DEFAULT") { update reply { Tunnel-Private-Group-Id := "eduroam" } } # to be removed once we register personal workstations elsif (Realm == "%{config:local.MY.realm}") { update reply { Tunnel-Private-Group-Id := "users-unmanaged" } } if (reply:Tunnel-Private-Group-Id != "unauthorised") { update reply { # Cisco only support a max of 65535 Session-Timeout := 64800 } } redundant { sql.dot1x ok } attr_filter.soas-auth eap-has-no-reply-message } ---- If enough people pester me I might get around to 'generalising' this. There is already some effort in this space, Arran Cudbard-Bell(@freeradius.net) used to work in Academentia over in Rightpondia and put together a slightly different approach (without a focus around proxy.conf that I use, it's pretty much what the rest of the .ac.uk sector use I think, I of course have to be different): http://www.ja.net/services/authentication-and-authorisation/janet-roaming/do... http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-st... "FreeRADIUS v2.0.2 Implementation to support eduroam at the University of Sussex". It's all good stuff though. Pick the approach that makes the most sense to you and more naturally fits your needs. I like priming FreeRADIUS with the realm->proxy mapping and leaving it to it's devices, others prefer to explicitly use unlang in authorize{}. Do contact me off list if you want some help and think this could be getting off topic; although there are a *lot* of eduroam'ers here on the list. Cheers -- Alexander Clouter .sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?
I found the documentation of what needs to be done to support both NTDOMAIN\ and @realm styles in the same vhost. In sites-available/inner-tunnel, it says: # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. What this fails to say is where ignore_null needs to be set. Despite the comments to the effect that modules/suffix is deprecated and no longer used by freeradius 2, editing modules/suffix appears to work. Is there a non-deprecated fix?
Rich Graves wrote:
I found the documentation of what needs to be done to support both NTDOMAIN\ and @realm styles in the same vhost. In sites-available/inner-tunnel, it says:
# If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked.
What this fails to say is where ignore_null needs to be set. Despite the comments to the effect that modules/suffix is deprecated and no longer used by freeradius 2, editing modules/suffix appears to work. Is there a non-deprecated fix?
It should be set in the configuration of the "realm" module. Where does it say that "suffix" is deprecated? Alan DeKok.
It should be set in the configuration of the "realm" module. Where does it say that "suffix" is deprecated?
Sorry, my misread again! # As of 2.0. the old-style "realms" file is deprecated, and is not # used by FreeRADIUS. Having never used freeradius 1, I thought this referred to /etc/raddb/modules/realm(without the s), and so I tried to avoid it. Editing proxy.conf to add ignore_null to just my specific realms appeared not to override the default behavior of suffix, which is to thunk to null, giving ntdomain no chance. So I went to modules/realm. All better now, thanks. The downstream behavior, whereby DOMAIN\realname and probably DOMAIN\name got turned into CRLF when passed to buffered-[my]sql, might still merit consideration, but the right fix is in realm(without the s).
participants (3)
-
Alan DeKok -
Alexander Clouter -
Rich Graves