unlang mapping different users to different authentication source
Hi! Experts Sorry for wide distributing, we want to use unlang to mapping different users to different authentication module. For example, mapping all users from SSID gold to LDAP module and mapping all users from SSID silver to SQL module. Below is our simple test unlang configuration: if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) { ldap } else { sql } But from the "radius -X” debug message we found the freeREDIUS will still go through both LDAP and SQL module: # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) expand: %{request:Aruba-Essid-Name} -> ? Evaluating ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE ++else else { [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '娴?璇?ㄦ?风' ORDER BY id [sql] User found in group 娴?璇?ㄦ?风 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '娴?璇?ㄦ?风' ORDER BY id rlm_sql (sql): Released sql socket id: 3 +++[sql] = ok ++} # else else = ok ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '娴?璇?ㄦ?风' ORDER BY id [sql] User found in group 娴?璇?ㄦ?风 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '娴?璇?ㄦ?风' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] = ok [ldap] performing user authorization for test [ldap] expand: (sAMAccountName=%{User-Name}) -> (sAMAccountName=test) [ldap] expand: dc=ms,dc=local -> dc=ms,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.254.102:389, authentication 0 [ldap] bind as cn=Administrator,cn=Users,dc=ms,dc=local/1qaz!QAZ to 192.168.254.102:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=ms,dc=local, with filter (sAMAccountName=test) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlytrafficcounter] = noop rlm_sqlcounter: Entering module authorize code WARNING: Please replace '%k' with '${key}' sqlcounter_expand: 'SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000'' [monthlycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' -> SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='test' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' WARNING: Please replace '%S' with '${sqlmod-inst}' sqlcounter_expand: '%{sql:SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='test' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000'}' [monthlycounter] sql_xlat [monthlycounter] expand: %{User-Name} -> test [monthlycounter] sql_set_user escaped user --> 'test' [monthlycounter] expand: SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='test' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' -> SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='test' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000' rlm_sql (sql): Reserving sql socket id: 1 [monthlycounter] row[0] returned NULL rlm_sql (sql): Released sql socket id: 1 [monthlycounter] expand: %{sql:SELECT SUM(acctsessiontime - GREATEST((1454256000 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='test' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1454256000'} -> rlm_sqlcounter: No integer found in string "" ++[monthlycounter] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +group LDAP { [ldap] login attempt by "test" with password "123456" [ldap] user DN: CN=test,CN=Users,DC=ms,DC=local [ldap] (re)connect to 192.168.254.102:389, authentication 1 [ldap] bind as CN=test,CN=Users,DC=ms,DC=local/123456 to 192.168.254.102:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user test authenticated succesfully ++[ldap] = ok +} # group LDAP = ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { ++? if (control:Auth-Type == 'LDAP') ? Evaluating (control:Auth-Type == 'LDAP') -> TRUE ++? if (control:Auth-Type == 'LDAP') -> TRUE ++if (control:Auth-Type == 'LDAP') { +++update reply { expand: We are using %{control:Auth-Type} authentication -> We are using LDAP authentication +++} # update reply = noop ++} # if (control:Auth-Type == 'LDAP') = noop +} # group post-auth = noop Sending Access-Accept of id 73 to 127.0.0.1 port 51620 Reply-Message = "We are using LDAP authentication" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 73 with timestamp +4 Ready to process requests. Is this the expected behavior? We want to use only one module depend on request attribute, is this achievable? Thanks for your help! BR! Chen Jiang Microshield Technology Co., Ltd 北京市海淀区西三环北路50号豪柏大厦C2座18-19层 100048 (86)10-88518768 (86)18612696123
On 02-02-16 15:23, James Chen wrote:
# Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) expand: %{request:Aruba-Essid-Name} -> ? Evaluating ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE ++? if ("%{request:Aruba-Essid-Name}" == "microshield-test" ) -> FALSE ++else else {
That means the attribute request:Aruba-Essid-Name is not available or has a different value. Earlier in the debug logging a complete dump of the request packet is shown, you can use that to see how the ssid is transmitted. There are a couple of ways an ssid can added to a radius packet. Aruba-Essid-Name is just one of them, other values that I'm aware of are Colubris-AVPair and Cisco-AVPair with a value ssid=(.*), or appended to Called-Station-Id. What is used really depends on the NAS and the configuration of the NAS. -- Herwin Weststrate
The attribute didn't match so feel through to the else part. As expected You'll need to look closer at debug output to see contents of the incoming request or post all output to the list rather than the small snippet you felt like sharing Alan
participants (3)
-
Alan Buxey -
Herwin Weststrate -
James Chen