Proxy Question
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 21 22:10:59 CEST 2006
Reynold McGuire wrote:
> Thanks for the reply.
>
> I forgot to mention that I had 'ntdomain' addedd to the authorize stanze.
>
> The request is getting to my IAS server, but IAS doesn’t understand
> "DOMAIN\username" it does, at least in my implementation, understand
> "username at domain"...
>
Gah. Shudder.
> Is there a way to get "DOMAIN\username" converted to "username at domain"?
You could try this in /etc/raddb/preproxy_users
DEFAULT
User-Name := `%{Stripped-User-Name:-%{User-Name}}@%{Realm}`
Be sure to add the "files" module to the "pre-proxy" section in
radiusd.conf like so:
pre-proxy {
files
}
Seems to work here for me, with the exception that requests matching the
DEFAULT realm e.g. "foo\username" are sent as "username at DEFAULT" instead
of "username at foo". Annoying, but not an issue if you're explicitly
spelling out your realms.
>
> This is also using the radtest program with the following input:
>
> ./radtest "adm.suffolk.edu\\\\rmcguire" "password" 127.0.0.1 20 secret
>
>
> Here is radiusd -X
>
> root at ACAD1:5:./radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/proxy.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/clients.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/snmp.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/eap.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/sql.conf
> main: prefix = "/apps/renn/freeRadius"
> main: localstatedir = "/apps/renn/freeRadius/var"
> main: logdir = "/apps/renn/freeRadius/var/log/radius"
> main: libdir = "/apps/renn/freeRadius/lib"
> main: radacctdir = "/apps/renn/freeRadius/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/apps/renn/freeRadius/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/apps/renn/freeRadius/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/apps/renn/freeRadius/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /apps/renn/freeRadius/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/apps/renn/freeRadius/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = yes
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file =
> "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file =
> "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/apps/renn/freeRadius/etc/raddb/certs/root.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/apps/renn/freeRadius/etc/raddb/certs/dh"
> tls: random_file = "/apps/renn/freeRadius/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
> ttls: default_eap_type = "mschapv2"
> ttls: copy_request_to_tunnel = no
> ttls: use_tunneled_reply = yes
> rlm_eap: Loaded and initialized type ttls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/apps/renn/freeRadius/etc/raddb/huntgroups"
> preprocess: hints = "/apps/renn/freeRadius/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = yes
> Module: Instantiated realm (suffix)
> realm: format = "prefix"
> realm: delimiter = "\"
> realm: ignore_default = no
> realm: ignore_null = yes
> Module: Instantiated realm (ntdomain)
> Module: Loaded files
> files: usersfile = "/apps/renn/freeRadius/etc/raddb/users"
> files: acctusersfile = "/apps/renn/freeRadius/etc/raddb/acct_users"
> files: preproxy_usersfile =
> "/apps/renn/freeRadius/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/apps/renn/freeRadius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y
> %m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/apps/renn/freeRadius/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1645
> Listening on accounting *:1646
> Listening on proxy *:1647
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
> User-Name = "adm.suffolk.edu\\rmcguire"
> User-Password = "password"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 20
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "adm.suffolk.edu\rmcguire", skipping
> NULL due to config.
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_realm: Looking up realm "adm.suffolk.edu" for User-Name =
> "adm.suffolk.edu\rmcguire"
> rlm_realm: Found realm "adm.suffolk.edu"
> rlm_realm: Proxying request from user rmcguire to realm adm.suffolk.edu
> rlm_realm: Adding Realm = "adm.suffolk.edu"
> rlm_realm: Preparing to proxy authentication request to realm
> "adm.suffolk.edu"
> modcall[authorize]: module "ntdomain" returns updated for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> Sending Access-Request of id 0 to 10.18.1.37 port 1812
> User-Name = "adm.suffolk.edu\\rmcguire"
> User-Password = "t<W at mcore~!"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 20
> Proxy-State = 0x3430
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 10.18.1.37:1812, id=0, length=24
> Proxy-State = 0x3430
> Processing the post-proxy section of radiusd.conf
> modcall: entering group post-proxy for request 0
> modcall[post-proxy]: module "eap" returns noop for request 0
> modcall: leaving group post-proxy (returns noop) for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
> Sending Access-Reject of id 40 to 127.0.0.1 port 34507
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 4448d631
> Nothing to do. Sleeping until we see a request.
> -----Original Message-----
> From: Bjørn Mork [mailto:bjorn at mork.no]
> Sent: Friday, April 21, 2006 8:42 AM
> To: rmcguire at suffolk.edu
> Cc: FreeRadius users mailing list
> Subject: Re: Proxy Question
>
> "Reynold McGuire" <rmcguire at suffolk.edu> writes:
>
>> How can I get freeRadius to see "domain.com\username" and convert that
>> to "username at domain.com" and proxy that off?
>
> If you need both styles:
>
> modules {
> ..
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = yes
> }
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> ignore_default = no
> ignore_null = yes
> }
> ..
> }
>
> authorize {
> ..
> suffix
> ntdomain
> ..
> }
>
> Please run radiusd -X if this doesn't work,
>
>
>
> Bjørn
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list