Hi All, We are hosting an application in the cloud which is managing multiple customers. Customers will be authenticated using the FreeRadius server. We are planning to use the user authentication through the database(PostgreSQL). I have configured the radcheck table and able to make the user authentication successfully. In order to support multiple customers, what are all the options/design available in FreeRadius. One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this. If there are other options available, please provide pointers. Thanks, Ila.
Ilavajuthy Palanisamy wrote:
In order to support multiple customers, what are all the options/design available in FreeRadius.
A lot. That's why the queries are customizable.
One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this.
Don't modify the SQL module source code. It's not necessary. Modify the schema to add a column of customer ID. Modify the SQL queries to add a WHERE clause that matches the customer ID. It should be pretty simple. Alan DeKok.
Hi, One method that I used in the past is to create a virtual server per 'tenant' and then use the 'main' server to proxy to the correct virtual server based on the attributes in the requests. kind regards Pshem On 28 October 2014 07:09, Ilavajuthy Palanisamy <ilavajuthy@gmail.com> wrote:
Hi All,
We are hosting an application in the cloud which is managing multiple customers. Customers will be authenticated using the FreeRadius server. We are planning to use the user authentication through the database(PostgreSQL). I have configured the radcheck table and able to make the user authentication successfully.
In order to support multiple customers, what are all the options/design available in FreeRadius.
One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this.
If there are other options available, please provide pointers.
Thanks, Ila.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello All, As suggested in earlier replies I have modified the sql query and the schema. We are trying to use NAS-Identifier to segregate the customers. However I am running into an issue when trying to authenticate user using PEAP MSCHAP. While sending the tunneled request, its not containing the NAS-Identifier. Is it possible to send the NAS-Identifier in the tunneled request? I am using freeradius version 2.1.12 Please let me know if there is something wrong with my config. FreeRadius LOG (i have removed many log output lines to reduce the size of the mail) -------------------------------------------------------------------------------------------------------------------- rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=154, length=226 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x025a000c0172616474657374 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0xb9bfc73c2e480450d46170ae43dc7721 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 90 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> radtest [sql] sql_set_user escaped user --> 'radtest' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 1 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 154 to 192.168.1.62 port 32953 EAP-Message = 0x015b00160410c29fa2a1e7b48d23a6e801c718e9f7a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x005655b7000d519bfcf3bbcabb4eb013 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=77, length=238 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x025b00060319 State = 0x005655b7000d519bfcf3bbcabb4eb013 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x9815cb4c5cca3bcebc15d622c5f9e0f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 91 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> radtest [sql] sql_set_user escaped user --> 'radtest' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 1 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 77 to 192.168.1.62 port 32953 EAP-Message = 0x015c00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x005655b7010a4c9bfcf3bbcabb4eb013 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=213, length=440 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x025c00d01980000000c616030100c1010000bd0301545bede983c64b84e5579021f2c8c1bba854b49152249d40e262132606fb4d13000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0x005655b7010a4c9bfcf3bbcabb4eb013 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x1981daace80a8b50b267b588801fa7c6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 92 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=247, length=238 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x025d00061900 State = 0x005655b7020b4c9bfcf3bbcabb4eb013 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0x3194e87ace606247da24d510ebdbb259 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 93 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 94 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=3, length=238 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x025f00061900 State = 0x005655b704094c9bfcf3bbcabb4eb013 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0xf14dd2f6c72a4c3ceb5375a80413b223 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 95 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.1.62 port 32953 EAP-Message = 0x0160002b190017030100206f520d286e0a8531cad4f96f3d16ff71290206fbd472476c97983544bf77ce37 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x005655b705364c9bfcf3bbcabb4eb013 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=137, length=312 Acct-Session-Id = "eaea9572-00000065" NAS-Port = 95 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "CN3BD321SM" NAS-IP-Address = 192.168.1.62 Framed-MTU = 1496 User-Name = "radtest" Calling-Station-Id = "F0-25-B7-48-08-2C" Called-Station-Id = "A0-D3-C1-AB-71-62" Service-Type = Framed-User EAP-Message = 0x0260005019001703010020be7393b22523f27ba53a2a90ae5022b7e6ac7a1733cbb1d10ea97dc3871c60001703010020e0e4b12bd1ad0ad1918c19eb36449ea6e0a94e322f9aeacee86bf5db4613e7e1 State = 0x005655b705364c9bfcf3bbcabb4eb013 Colubris-AVPair = "ssid=tenant" Colubris-AVPair = "phytype=IEEE802dot11 " Colubris-Attr-250 = 0x00000000 Colubris-Attr-249 = 0x00000000 Message-Authenticator = 0xd3c41c6be1d9c598f08c4b289f092589 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 96 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - radtest [peap] Got inner identity 'radtest' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0260000c0172616474657374 server { [peap] Setting User-Name to radtest Sending tunneled request EAP-Message = 0x0260000c0172616474657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radtest" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "radtest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 96 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> radtest [sql] sql_set_user escaped user --> 'radtest' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = '' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 1 rlm_sql (sql): Released sql socket id: 1 [sql] User radtest not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} ---------------------------------------------------------------------------------------------------------------------------------------- Database schema changes - ---------------------------------------- A new table has been added called "nasgroup" and the radcheck table has been modified to include an extra column called groupname - radiusdb=# select * from nasgroup; id | groupname | nasid ----+-----------+------------ 1 | test | CN3BD321SM 3 | temp | XYZABDG radiusdb=# select * from radcheck; id | username | attribute | op | value | groupname ----+----------+--------------------+----+---------+----------- 1 | radtest | Cleartext-Password | := | radtest | test 2 | radtest | Cleartext-Password | := | radtest | temp Dialup.conf --------------- "authorize_check_query" has been modified but "authorize_reply_query" has not been changed. authorize_check_query = "SELECT ${authcheck_table}.id, ${authcheck_table}.UserName, ${authcheck_table}.Attribute, ${authcheck_table}.Value, ${authcheck_table}.Op \ FROM ${authcheck_table}, nasgroup \ WHERE Username = '%{SQL-User-Name}' \ AND nasgroup.nasid = '%{NAS-Identifier}' \ AND nasgroup.groupname = ${authcheck_table}.Groupname \ ORDER BY radcheck.id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \ FROM radreply \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" Thanks, Ila. On Mon, Oct 27, 2014 at 4:36 PM, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi,
One method that I used in the past is to create a virtual server per 'tenant' and then use the 'main' server to proxy to the correct virtual server based on the attributes in the requests.
kind regards Pshem
On 28 October 2014 07:09, Ilavajuthy Palanisamy <ilavajuthy@gmail.com> wrote:
Hi All,
We are hosting an application in the cloud which is managing multiple customers. Customers will be authenticated using the FreeRadius server. We are planning to use the user authentication through the database(PostgreSQL). I have configured the radcheck table and able to make the user authentication successfully.
In order to support multiple customers, what are all the options/design available in FreeRadius.
One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this.
If there are other options available, please provide pointers.
Thanks, Ila.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Set up multiple inner tunnel virtual servers (one for each tenant) and send the requests to those? Alan
perhaps using hunt-groups ? Victor Ors - Agh Sistemas - Infraestructuras de red cableadas y wifi Av Alay 3, 29630 Benalmadena Costa, Malaga, Spain Tel.: +34 952 441 147 Averias 24h.:+34 654 94 86 94 http://www.aghsistemas.com AVISO LEGAL: CLÁUSULA DE CONFIDENCIALIDAD (AGH SISTEMAS) Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial o legalmente protegida (LOPD 15/1999 de 13 de Diciembre), siendo para uso exclusivo del destinatario. No hay renuncia a la confidencialidad o secreto profesional por cualquier transmisión defectuosa o errónea, y queda expresamente prohibida su divulgación, copia o distribución a terceros sin la autorización expresa del remitente. Si ha recibido este mensaje por error o no desea recibir información comercial, se ruega lo notifique al remitente enviando un mensaje al correo electrónico, con el asunto (dar de baja o no deseo recibir información comercial),ventas@aghsistemas.com y proceda inmediatamente al borrado del mensaje original y de todas sus copias. Gracias por su colaboración 2014-11-06 23:15 GMT+01:00 Ilavajuthy Palanisamy <ilavajuthy@gmail.com>:
Hello All,
As suggested in earlier replies I have modified the sql query and the schema. We are trying to use NAS-Identifier to segregate the customers.
However I am running into an issue when trying to authenticate user using PEAP MSCHAP.
While sending the tunneled request, its not containing the NAS-Identifier. Is it possible to send the NAS-Identifier in the tunneled request?
I am using freeradius version 2.1.12
Please let me know if there is something wrong with my config.
FreeRadius LOG (i have removed many log output lines to reduce the size of the mail)
--------------------------------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=154, length=226
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025a000c0172616474657374
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xb9bfc73c2e480450d46170ae43dc7721
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 90 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 154 to 192.168.1.62 port 32953
EAP-Message = 0x015b00160410c29fa2a1e7b48d23a6e801c718e9f7a7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b7000d519bfcf3bbcabb4eb013
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=77, length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025b00060319
State = 0x005655b7000d519bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x9815cb4c5cca3bcebc15d622c5f9e0f9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 91 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 77 to 192.168.1.62 port 32953
EAP-Message = 0x015c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b7010a4c9bfcf3bbcabb4eb013
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=213, length=440
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025c00d01980000000c616030100c1010000bd0301545bede983c64b84e5579021f2c8c1bba854b49152249d40e262132606fb4d13000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011
State = 0x005655b7010a4c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x1981daace80a8b50b267b588801fa7c6
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 92 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=247, length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025d00061900
State = 0x005655b7020b4c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x3194e87ace606247da24d510ebdbb259
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 93 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 94 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=3, length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025f00061900
State = 0x005655b704094c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xf14dd2f6c72a4c3ceb5375a80413b223
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 95 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.62 port 32953
EAP-Message = 0x0160002b190017030100206f520d286e0a8531cad4f96f3d16ff71290206fbd472476c97983544bf77ce37
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b705364c9bfcf3bbcabb4eb013
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=137, length=312
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x0260005019001703010020be7393b22523f27ba53a2a90ae5022b7e6ac7a1733cbb1d10ea97dc3871c60001703010020e0e4b12bd1ad0ad1918c19eb36449ea6e0a94e322f9aeacee86bf5db4613e7e1
State = 0x005655b705364c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xd3c41c6be1d9c598f08c4b289f092589
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 96 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - radtest
[peap] Got inner identity 'radtest'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0260000c0172616474657374
server {
[peap] Setting User-Name to radtest
Sending tunneled request
EAP-Message = 0x0260000c0172616474657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radtest"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 96 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid = '%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id -> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup WHERE Username = 'radtest' AND nasgroup.nasid = '' AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 1
[sql] User radtest not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
----------------------------------------------------------------------------------------------------------------------------------------
Database schema changes -
----------------------------------------
A new table has been added called "nasgroup" and the radcheck table has been modified to include an extra column called groupname -
radiusdb=# select * from nasgroup;
id | groupname | nasid
----+-----------+------------
1 | test | CN3BD321SM
3 | temp | XYZABDG
radiusdb=# select * from radcheck;
id | username | attribute | op | value | groupname
----+----------+--------------------+----+---------+-----------
1 | radtest | Cleartext-Password | := | radtest | test
2 | radtest | Cleartext-Password | := | radtest | temp
Dialup.conf
---------------
"authorize_check_query" has been modified but "authorize_reply_query" has not been changed.
authorize_check_query = "SELECT ${authcheck_table}.id, ${authcheck_table}.UserName, ${authcheck_table}.Attribute, ${authcheck_table}.Value, ${authcheck_table}.Op \
FROM ${authcheck_table}, nasgroup \
WHERE Username = '%{SQL-User-Name}' \
AND nasgroup.nasid = '%{NAS-Identifier}' \
AND nasgroup.groupname = ${authcheck_table}.Groupname \
ORDER BY radcheck.id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
FROM radreply \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
Thanks,
Ila.
On Mon, Oct 27, 2014 at 4:36 PM, Pshem Kowalczyk <pshem.k@gmail.com> wrote:
Hi,
One method that I used in the past is to create a virtual server per 'tenant' and then use the 'main' server to proxy to the correct virtual server based on the attributes in the requests.
kind regards Pshem
On 28 October 2014 07:09, Ilavajuthy Palanisamy <ilavajuthy@gmail.com> wrote:
Hi All,
We are hosting an application in the cloud which is managing multiple customers. Customers will be authenticated using the FreeRadius server. We are planning to use the user authentication through the database(PostgreSQL). I have configured the radcheck table and able to make the user authentication successfully.
In order to support multiple customers, what are all the options/design available in FreeRadius.
One option we are thinking is to modify the schema to introduce customer-id and modify the sql module to support the new schema. If this is possible, please provide pointers in achieving this.
If there are other options available, please provide pointers.
Thanks, Ila.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Agh Sistemas -
Alan Buxey -
Alan DeKok -
Ilavajuthy Palanisamy -
Pshem Kowalczyk