Multiple Authentication REALMS - I hope in Plain Text
Shepherd, Dave
Dave.Shepherd at compass-group.co.uk
Tue Jun 14 15:49:25 CEST 2005
Hi,
It's been a long time, as the freeRADIUS software I've being using for
the last 3 years hasn't needed looking at since installation.
So a big thank you to the development team J
However, as with most things it's so good I've now got to redesign and
re-implement to encompass more of our infrastructure, and I'm having
problems.
I have a number of settings in the _users_ file that are based on the
_Called_Station_ID_ then proxy the requests to a specified REALM.
i.e.
DEFAULT Called-Station-Id == "<a telephone number>",
Proxy-To-Realm := "NULL"
Fall-Through = Yes
DEFAULT Called-Station-Id == "<another telephone number>",
Proxy-To-Realm := "NULL"
Fall-Through = Yes
DEFAULT Called-Station-Id == "<yet another number>",
Proxy-To-Realm := "SPECIAL"
Fall-Through = Yes
Now, the NULL realm is defined in the proxy.conf file as:
realm NULL {
type = radius
authhost = radiusserver.some.domain:1645
accthost = radiusserver.some.domain:1646
Secret = radiussecret
}
This works and actually points to a MS IAS server going against an NT4
Domain.
Now I need to authenticate a different set of users (who dial a
different number) against an LDAP repository, so as you can see from my
_users_ file I direct them at the "SPECIAL" realm, which I have set as
follows in proxy.conf:
realm SPECIAL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
My plan was for this to then use the local radius server, which has an
_ldap_ module configure, which from what I can make out is working:
ldap {
server = "127.0.0.1"
basedn = "dc=some,dc=domain,dc=co,dc=uk"
filter = "(uid=%u)"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
And then in the authorize and authenticate sections simply include
_ldap_
authorize {
preprocess
chap
eap
ldap
files
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type {
mschap
}
unix
ldap
eap
}
Now all I see when using NTRadping, and sending the additional
_Called_Station_Id_ attribute set to the required number is the
following in my _radius.log_
Error: Dropping packet from client Dave_Test:2328 - ID: 2 due to
dead request 5018
When I run the radiusd with the -X flag (bearing in mind it's an
Production Service) I can make out the call being made to my LDAP server
and a "rlm_ldap authorize", but then the request just finishes without
giving me and Access-Accept packet, and the relevant settings from the
_radreply_ table in the Postgres Database?
rad_recv: Access-Request packet from host xx.xx.xx.xx:2796, id=4,
length=62
User-Name = "unextest20"
User-Password = "nexus"
Called-Station-Id = "xxxxxxxxxx"
rad_lowerpair: User-Name now 'unextest20'
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
modcall[authorize]: module "chap" returns noop for request 14
modcall[authorize]: module "eap" returns noop for request 14
rlm_realm: No '@' in User-Name = "unextest20", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "unextest20"
rlm_realm: Proxying request from user unextest20 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 14
radius_xlat: 'unextest20'
rlm_sql (sql): sql_set_user escaped user --> 'unextest20'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck
??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radcheck ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName,
??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM
radgroupcheck, usergroup ??WHERE usergroup.Username = 'unextest20' AND
usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY
radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id,
radgroupcheck.GroupName, ??radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup
??WHERE usergroup.Username = 'unextest20' AND usergroup.GroupName =
radgroupcheck.GroupName ??ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radreply
??WHERE Username = 'unextest20' ??ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
??FROM radreply ??WHERE Username = 'unextest20' ??ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM
radgroupreply,usergroup ??WHERE usergroup.Username = 'unextest20' AND
usergroup.GroupName = radgroupreply.GroupName ??ORDER BY
radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value,
radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE
usergroup.Username = 'unextest20' AND usergroup.GroupName =
radgroupreply.GroupName ??ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 8
modcall[authorize]: module "sql" returns ok for request 14
rlm_ldap: - authorize
rlm_ldap: performing user authorization for unextest20
radius_xlat: '(uid=unextest20)'
radius_xlat: 'dc=some,dc=domain,dc=co,dc=uk'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=some,dc=domain,dc=co,dc=uk, with
filter (uid=unextest20)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user unextest20 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 14
users: Matched DEFAULT at 90
modcall[authorize]: module "files" returns ok for request 14
modcall[authorize]: module "mschap" returns noop for request 14
modcall: group authorize returns updated for request 14
Finished request 14
I'm kinda lost and going round in circles at the minute.
If one of you guys has had to do something similar, or can see any
glaring omissions in my config (which I seem to think there is) could
you please point me in the right direction.
TIA
Dave Shepherd
More information about the Freeradius-Users
mailing list