Controlling with Auth-Type a client must use
Hello Radius People I'm running freeradius 2.1.8 working great I'm using the radius servers to many different clients, specially Cisco nodes, and some Unix servers. I'm using the module passwd working fine, and I have enabled unix authentication in my default section. Now when a specific client try to send username password to my system the passwd modle is accepting the password fine, but the unix section is rejecting the password ending in a Access-Reject back to client Some debug here Thu Jul 22 13:22:21 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items Thu Jul 22 13:22:21 2010 : Info: ++[kmdov3] returns ok ... .. . Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash] Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject I do know that the unix module reject because of a invalid shell, and chaning it to a valid shell fix this problem. But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible? I have been trying to use the Auth-Type attribute, but can't figure out how to tell that I want to use the kmdov3 authentication type. Best regards Jan Madsen
Madsen.Jan JMD wrote:
I’m using the module passwd working fine, and I have enabled unix authentication in my default section.
Don't. Use "pap". It can do crypt authentication.
Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash] Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
Which is what the Unix module does.
But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible?
No. You want "crypt" authentication, without checking /etc/passwd. Use the "pap" module. When you say "only to use kmdov3 as my authentication", it means you have confused authorization and authentication. They are *very* different.
I have been trying to use the Auth-Type attribute, but can’t figure out how to tell that I want to use the kmdov3 authentication type.
Don't. Don't set Auth-Type. In the default configuration, all you need to do is: 1) configure the kmdov3 module in raddb/modules 2) list "kmdov3" in the "authorize" section *before* the "pap" module 3) authentication *will* work Alan DeKok.
Hello Alan Thanks for the answer. But I allready did that !!! I configured my passwd module with kmdov3 works fine. I added the kmdov3 in the top pf the authorize section of sites-enabled/default preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above. # auth_log kmdov3 ... .. Unix ... .. Pap But still the unix authorization is used and the client is rejected because of the invalid shell. Is it not possible to force a single client to use only one type of authorization etc. Kmdov3 ? Do I need to add something to the authentication section? Here is the full debug log of the client call and you can see that kmdov3 returns OK but the unix on fails with the invalid shell rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169, length=61 User-Name = "jmd" User-Password = "password" NAS-IP-Address = 127.0.0.1 NAS-Port = 8158 NAS-Port-Type = Virtual Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...} Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group: 'wcs-superadmin' to request_items Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm "NULL" Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1] Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...} Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> jmd Fri Jul 23 07:57:40 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds Fri Jul 23 07:57:40 2010 : Debug: Going to the next request Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds. Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 169 to 131.165.80.37 port 9183 Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds. Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89 Fri Jul 23 07:57:46 2010 : Info: Ready to process requests. Best regards Jan Madsen -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af Alan DeKok Sendt: 22. juli 2010 14:20 Til: FreeRadius users mailing list Emne: Re: Controlling with Auth-Type a client must use Madsen.Jan JMD wrote:
I’m using the module passwd working fine, and I have enabled unix authentication in my default section.
Don't. Use "pap". It can do crypt authentication.
Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash] Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
Which is what the Unix module does.
But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible?
No. You want "crypt" authentication, without checking /etc/passwd. Use the "pap" module. When you say "only to use kmdov3 as my authentication", it means you have confused authorization and authentication. They are *very* different.
I have been trying to use the Auth-Type attribute, but can’t figure out how to tell that I want to use the kmdov3 authentication type.
Don't. Don't set Auth-Type. In the default configuration, all you need to do is: 1) configure the kmdov3 module in raddb/modules 2) list "kmdov3" in the "authorize" section *before* the "pap" module 3) authentication *will* work Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Madsen.Jan JMD wrote:
But still the unix authorization is used and the client is rejected because of the invalid shell.
Because you listed "unix" in the "authorization" section. If you don't want to use the Unix module, delete it from the "authorization" section. Alan DeKok.
Yeah okay Alan, I have tried that allready, and it's working. But the challange is, that I got some client that should use the Unix authentication(unix server login), and some that dont(application logins and Cisco node access). So that's why I want to decide witch authiruzation module for a specific client I want to use. So is this possible or am I on a wish trip ? A work around I have been thinking on, is to make additional sites (more radius server) and do it that way around, but it requires other ports, or other IP addresses etc. But what is your suggestion? Best regards Jan Madsen -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af Alan DeKok Sendt: 23. juli 2010 11:26 Til: FreeRadius users mailing list Emne: Re: SV: Controlling with Auth-Type a client must use Madsen.Jan JMD wrote:
But still the unix authorization is used and the client is rejected because of the invalid shell.
Because you listed "unix" in the "authorization" section. If you don't want to use the Unix module, delete it from the "authorization" section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Madsen.Jan JMD wrote:
Yeah okay Alan, I have tried that allready, and it's working. But the challange is, that I got some client that should use the Unix authentication(unix server login), and some that dont(application logins and Cisco node access). So that's why I want to decide witch authiruzation module for a specific client I want to use.
So is this possible or am I on a wish trip ?
Yes. Figure out which client is supposed to get what service, and configure that.
A work around I have been thinking on, is to make additional sites (more radius server) and do it that way around, but it requires other ports, or other IP addresses etc. But what is your suggestion?
Write down what you want. Then, implement it in the server. So far, it looks like you haven't done the first step. Alan DeKok.
Hmm okay. I got 2 clients, client1 and client2 I want client1 to use my passwd module (kmdov3) to do authorization And I want client2 to use the unix module for authorization. In my users file I have configured the one client I want to ONLY use my passwd module Users: # Client1 DEFAULT Client-IP-Address == 1.1.1.1 # Client2 DEFAULT NAS-IP-Address == 127.0.0.1, Auth-Type = System But how to I tell that client1 is going to use my passwd configured authorization ? This was where I thougth I clould use the Auth-Type attribute, in a simelar way I used with client2. Best regards Jan Madsen -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd.dk@lists.freeradius.org] På vegne af Alan DeKok Sendt: 26. juli 2010 09:01 Til: FreeRadius users mailing list Emne: Re: SV: SV: Controlling with Auth-Type a client must use Madsen.Jan JMD wrote:
Yeah okay Alan, I have tried that allready, and it's working. But the challange is, that I got some client that should use the Unix authentication(unix server login), and some that dont(application logins and Cisco node access). So that's why I want to decide witch authiruzation module for a specific client I want to use.
So is this possible or am I on a wish trip ?
Yes. Figure out which client is supposed to get what service, and configure that.
A work around I have been thinking on, is to make additional sites (more radius server) and do it that way around, but it requires other ports, or other IP addresses etc. But what is your suggestion?
Write down what you want. Then, implement it in the server. So far, it looks like you haven't done the first step. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you. __________________________________________________________________________________________ KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR-nr. 26911745 KMD er medlem af IT-Branchen og Dansk Erhverv samt anmeldt til Datatilsynet som edb-servicevirksomhed. KMD er certificeret i henhold til ISO 9001:2000, med Dansk Standard som certificerende organ og er desuden Microsoft Gold Certified Partner og Certificeret SAP Hosting Center. www.kmd.dk www.kundenet.kmd.dk www.organisator.dk www.kmdinternational.com Hvis du har modtaget denne e-mail ved en fejl, bedes du venligst give mig besked herom og slette den. If you received this e-mail by mistake, please notify me and delete it. Thank you.
Madsen.Jan JMD wrote:
Hmm okay.
I got 2 clients, client1 and client2 I want client1 to use my passwd module (kmdov3) to do authorization And I want client2 to use the unix module for authorization.
That's clear enough.
In my users file I have configured the one client I want to ONLY use my passwd module
The "users" file doesn't control the modules in the "authorize" section. See "man unlang"
But how to I tell that client1 is going to use my passwd configured authorization ? This was where I thougth I clould use the Auth-Type attribute, in a simelar way I used with client2.
You control that in the "authorize" section. authorize { ... if (Client-IP-Address == 1.2.3.4) { kmdov3 } elsif (Client-IP-Address == 3.4.5.6) { unix } ... }
participants (2)
-
Alan DeKok -
Madsen.Jan JMD