Proxy decision based on LDAP lookups and Radius_client match.
Hi, I have been asked to build a radius proxy using freeradius, and I'm completely new to freeradius, and with the flexibility in freeradius I'm having a hard time figuring out how to accomplish my goal, or if it's even possible to do. Objective: I need to verify that the user that tries to login from Company A really is an employee of Company A, and not an employee of Company B. For this purpose I have access each company's AD and of cause I know what radius clients belong to each company. Once I have validated that the user exists in the Company's AD, I then have to proxy it to another radius server where the users OTP will be validated, and from that give an access-accept or access-reject. If the user does not exist in the Company's AD, freeradius should send an access-reject and not proxy it to the OTP radius. I imagine the flow is some thing like: 1) User from Company A tries to login 2) Company A's VPN sends a radius request to Freeradius 3) Freeradius looks at the Radius_client IP and finds the right AD. 4) Freeradius does an LDAP bind to Company A's AD, and checks if the user exists. 5) If user exists request is proxied to the OTP radius, if the user does not exists access-reject is sent from Freeradius. I have freeradius setup to proxy the request to the OTP radius server today, without any checks. As I said I'm completely new to Freeradius, and not sure what files I need to configure or what to put in them, so any help is highly appreciated. -- Thank you, Frank Skovboel
Frank Skovboel wrote:
I have been asked to build a radius proxy using freeradius, and I'm completely new to freeradius, and with the flexibility in freeradius I'm having a hard time figuring out how to accomplish my goal, or if it's even possible to do.
Pretty much anything is possible. :)
I imagine the flow is some thing like: 1) User from Company A tries to login 2) Company A's VPN sends a radius request to Freeradius 3) Freeradius looks at the Radius_client IP and finds the right AD.
See "man unlang"
4) Freeradius does an LDAP bind to Company A's AD, and checks if the user exists.
if (Packet-Src-IP-Address == 1.2.3.4) { ldap_a } elsif (Packet-Src-IP-Address = 4.5.6.7) [ ldap_b } Configure two copies of the LDAP module. See raddb/modules/files for simple documentation on how this is done. Point ldap_a at the AD for company A, and ldap_b at the AD for company B.
5) If user exists request is proxied to the OTP radius, if the user does not exists access-reject is sent from Freeradius.
After the above config: if (!notfound) { reject } ... else proxy it ... Alan DeKok.
Hi Alan, Thanks for the quick reply. As I said, I'm quite inexperienced with Freeradius so I have a few followup questions below.
Frank Skovboel wrote:
I have been asked to build a radius proxy using freeradius, and I'm completely new to freeradius, and with the flexibility in freeradius I'm having a hard time figuring out how to accomplish my goal, or if it's even possible to do.
Pretty much anything is possible. :)
I imagine the flow is some thing like: 1) User from Company A tries to login 2) Company A's VPN sends a radius request to Freeradius 3) Freeradius looks at the Radius_client IP and finds the right AD.
See "man unlang"
Language seems straight forwards :-)
4) Freeradius does an LDAP bind to Company A's AD, and checks if the user exists.
if (Packet-Src-IP-Address == 1.2.3.4) { ldap_a } elsif (Packet-Src-IP-Address = 4.5.6.7) [ ldap_b }
Where would I place this (what file under which section?), and do I need to do some thing special to make sure it does not try to authenticate the user?
Configure two copies of the LDAP module. See raddb/modules/files for simple documentation on how this is done. Point ldap_a at the AD for company A, and ldap_b at the AD for company B.
5) If user exists request is proxied to the OTP radius, if the user does not exists access-reject is sent from Freeradius.
After the above config:
if (!notfound) { reject } ... else proxy it ...
Where can I read about the response codes that I can expect on "found user" and "user not found" ? "else proxy it" is that about using update control ? -- Thanks, Frank
Frank Skovboel wrote:
Where would I place this (what file under which section?), and do I need to do some thing special to make sure it does not try to authenticate the user?
In the "authorize" section. Look at raddb/sites-available/default. There are examples of using the "ldap" module.
Where can I read about the response codes that I can expect on "found user" and "user not found" ?
$ man unlang
"else proxy it" is that about using update control ?
Yes. Alan DeKok.
Hi Alan, Thank you for your help, it's up and running now, I do have a few follow up questions to try and see if I can make changes to the configuration a bit more simple. Is there a way to refer to the client shortname in the sites-enabled/default authorize section, so I only need to have the IP in one place? or even better is there a way I can group clients so I can test on the group in sites-enabled/default authorize section? .. so the only place the IP exists is in the clients.conf, and then I can group them, so I only have one if / elsif statement per company? clients.conf client 1.1.1.1 { secret = mysecret shortname = CompanyA_client1 } client 2.2.2.2 { secret = mysecret shortname = CompanyA_client2 } huntgroups file CompanyGroupA CompanyA_client1 CompanyGroupA CompanyA_client2 sites-enabled/default if (CompanyGroupA == Packet-Src-IP-Address) { ldap_companyA elseif (CompanyGroupB == Packet-Src-IP-Address) { ldap_companyB } So to setup a new radius client for a customer I would only have to add the radius client, and add that radius client to the company's clients group?
Frank Skovboel wrote:
Where would I place this (what file under which section?), and do I need to do some thing special to make sure it does not try to authenticate the user?
In the "authorize" section. Look at raddb/sites-available/default. There are examples of using the "ldap" module.
Where can I read about the response codes that I can expect on "found user" and "user not found" ?
$ man unlang
"else proxy it" is that about using update control ?
Yes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Thank you, Frank
Frank Skovboel wrote:
Thank you for your help, it's up and running now, I do have a few follow up questions to try and see if I can make changes to the configuration a bit more simple.
Is there a way to refer to the client shortname in the sites-enabled/default authorize section, so I only need to have the IP in one place? or even better is there a way I can group clients so I can test on the group in sites-enabled/default authorize section?
Add fields to the "client" section. It's not well known, but the configuration file is a pretty powerful key-value store. Anything that is well formatted is accepted, and used as key/value. You can then look up those keys at run time. client foo { ... normal values ... mything = hello } That *will* be parsed and accepted. You can then do: authorize { ... if ("%{client:mything}" == "hello") { ... do stuff ... } ... } This lets you apply arbitrary labels to clients, and to look up those arbitrary labels at run time. Alan DeKok.
participants (2)
-
Alan DeKok -
Frank Skovboel