RE: Multiple Authentication REALMS - I hope in Plain Text
From what you've provided, I believe what is happening is that your requests that you *want* to go to local LDAP are still being proxied to your IAS server, and for some reason IAS isn't sending an Access-Reject so you get that error about a "dead request".
Realm "NULL" is a special realm that means "there is no realm as part of the username as per any definitions of the realm module in radiusd.conf". It appears from your debug output that you have the realm for @ defined (suffix realm, anything after an @ symbol is the realm). Since your new Called-Station-Id still has a user with no realm, it's proxied to NULL as your debug shows: rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "unextest20" rlm_realm: Proxying request from user unextest20 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Preparing to proxy authentication request to realm "NULL" I *believe* the behaviour you truly want is something more like this: DEFAULT Called-Station-Id == "<a telephone number>",Proxy-To-Realm := "msias" Fall-Through = Yes DEFAULT Called-Station-Id == "<another telephone number>",Proxy-To-Realm := "msias" Fall-Through = Yes DEFAULT Called-Station-Id == "<yet another number>",Proxy-To-Realm := "localldap" Fall-Through = Yes And in proxy.conf: realm msias { type = radius authhost = radiusserver.some.domain:1645 accthost = radiusserver.some.domain:1646 Secret = radiussecret } realm localldap { type = radius authhost = LOCAL accthost = LOCAL } Also, I'd just make sure what line in your users file is being matched. Your debug output says a DEFAULT entry at line 90. Check your IAS event log to see if it's getting proxied requests. I usually run radiusd with -Xxx for extra debuging when a request gets proxied, you should see something like this: Fri Jun 10 15:02:47 2005 : Debug: proxy: creating 0d02a8c0:1812 Fri Jun 10 15:02:47 2005 : Debug: proxy: allocating 0d02a8c0:1812 0 Sending Access-Request of id 0 to a.b.c.d:1812 And a list of attributes. Hope this helps. -Shawn ~~~~~~~~~~~~~~~~~~~~~~~~~ Shawn O'Shea Network Engineer Airpath Wireless, Inc. "Clearing the Way" 781-250-3500-office 781-250-3535-direct 781-250-3503-fax shawno@airpath.com http://www.airpath.com ~~~~~~~~~~~~~~~~~~~~~~~~~ CONFIDENTIALITY STATEMENT This electronic message contains information from Airpath Wireless, Inc., and may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender immediately by reply e-mail shawno@airpath.com or telephone at (781) 250-3500.
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Shepherd, Dave Sent: Tuesday, June 14, 2005 9:49 AM To: freeradius-users@lists.freeradius.org Subject: Multiple Authentication REALMS - I hope in Plain Text
Hi,
It's been a long time, as the freeRADIUS software I've being using for the last 3 years hasn't needed looking at since installation.
So a big thank you to the development team J
However, as with most things it's so good I've now got to redesign and re-implement to encompass more of our infrastructure, and I'm having problems.
I have a number of settings in the _users_ file that are based on the _Called_Station_ID_ then proxy the requests to a specified REALM.
i.e.
DEFAULT Called-Station-Id == "<a telephone number>", Proxy-To-Realm := "NULL" Fall-Through = Yes
DEFAULT Called-Station-Id == "<another telephone number>", Proxy-To-Realm := "NULL" Fall-Through = Yes
DEFAULT Called-Station-Id == "<yet another number>", Proxy-To-Realm := "SPECIAL" Fall-Through = Yes
Now, the NULL realm is defined in the proxy.conf file as:
realm NULL { type = radius authhost = radiusserver.some.domain:1645 accthost = radiusserver.some.domain:1646 Secret = radiussecret }
This works and actually points to a MS IAS server going against an NT4 Domain.
Now I need to authenticate a different set of users (who dial a different number) against an LDAP repository, so as you can see from my _users_ file I direct them at the "SPECIAL" realm, which I have set as follows in proxy.conf:
realm SPECIAL { type = radius authhost = LOCAL accthost = LOCAL }
My plan was for this to then use the local radius server, which has an _ldap_ module configure, which from what I can make out is working:
ldap { server = "127.0.0.1" basedn = "dc=some,dc=domain,dc=co,dc=uk" filter = "(uid=%u)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 }
And then in the authorize and authenticate sections simply include _ldap_
authorize { preprocess chap eap ldap files mschap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type { mschap } unix ldap eap }
Now all I see when using NTRadping, and sending the additional _Called_Station_Id_ attribute set to the required number is the following in my _radius.log_
Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to dead request 5018
When I run the radiusd with the -X flag (bearing in mind it's an Production Service) I can make out the call being made to my LDAP server and a "rlm_ldap authorize", but then the request just finishes without giving me and Access-Accept packet, and the relevant settings from the _radreply_ table in the Postgres Database?
rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4, length=62 User-Name = "unextest20" User-Password = "nexus" Called-Station-Id = "xxxxxxxxxx" rad_lowerpair: User-Name now 'unextest20' modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "eap" returns noop for request 14 rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "unextest20" rlm_realm: Proxying request from user unextest20 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 14 radius_xlat: 'unextest20' rlm_sql (sql): sql_set_user escaped user --> 'unextest20' radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id' rlm_sql (sql): Reserving sql socket id: 8 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id' rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id' rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id' rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql (sql): Released sql socket id: 8 modcall[authorize]: module "sql" returns ok for request 14 rlm_ldap: - authorize rlm_ldap: performing user authorization for unextest20 radius_xlat: '(uid=unextest20)' radius_xlat: 'dc=some,dc=domain,dc=co,dc=uk' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=some,dc=domain,dc=co,dc=uk, with filter (uid=unextest20) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user unextest20 authorized to use remote access ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 14 users: Matched DEFAULT at 90 modcall[authorize]: module "files" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 modcall: group authorize returns updated for request 14 Finished request 14
I'm kinda lost and going round in circles at the minute.
If one of you guys has had to do something similar, or can see any glaring omissions in my config (which I seem to think there is) could you please point me in the right direction.
TIA
Dave Shepherd
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (1)
-
Shawn K. O'Shea