Autz-Type Config Clarification

Nathan L. Cable nathan at filmwest.com
Tue Aug 22 06:51:01 CEST 2006


Thank you very much for that!  That was exactly the solution I was looking
for.  Now, I only have one instance of mschap, and the physical location of
the wireless access points defines which group mschap looks for users in.

Unfortunately, Windows Server 2003's LDAP server was not an option at my
site because the passwords are not stored in the database.  So, mschap was
the next choice.

Thank you very much for that solution - it's much more elegant than anything
I've managed to come up with so far!

Nathan

PS.  For anyone wanting to use Apple wireless points with their network,
use the "Calling-Station-ID" attribute to identify your base stations, not
the "Called-Station-ID".  The latter does not work for my particular setup.


> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Reply-To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Date: Mon, 21 Aug 2006 12:40:42 +0100
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: Autz-Type Config Clarification
> 
> Nathan L. Cable wrote:
>> I'm setting up a Radius environment which covers several physical sites.
>> Usernames and passwords come from an Active Directory server via ntlm_auth.
>> Each site has a group in the NT domain.  So, it would be nice to have
>> multiple auth-types for each area.
> 
> You don't want and probably shouldn't use multiple auth-types. You want,
> as per your subject line, multiple Autz-Types. The behaviour of the
> mschap module can be controlled by setting variables based on Autz-Type
> then using them later on.
> 
>> 
>> For clarification, I've tested my server without the Autz-type arguments
>> (ie, only using the one mschap instance), and everything works fine.
>> Everything also works great if I declare multiple instances of mschap, and
>> just have the radius server search through them in order - however, this
>> seems to be a rather inefficient way of doing things.
> 
> It's also not guaranteed to work I think.
> 
>> 
>> The debug output of radiusd indicates that my modules are being loaded, but
>> when the client authenticates, it's not done so against an auth-type.
>> 
>> Any thoughts as to why this is not working?
>> 
>> Here are the relevant portions of my config files:
>> 
>> # radiusd.conf:
>> 
>> .
>> .
>> .
>> modules {
>>     .
>>     .
>>     .
>>     mschap group1 {
>>         authtype = group1
>>         ...some config stuff...
>>         }
>>     mschap group2 {
>>         authtype = group2
>>         ...some config stuff...
>>         }
>> }
>> .
>> .
>> .
>> authorize {
>>     preprocess
>>     files
>>     Autz-Type group1 {
>>         group1
>>     }
>>     Autz-Type group2 {
>>         group2
>>     }
>>     eap
>> }
>> 
>> authenticate {
>>     Auth-Type group1 {
>>         group1
>>     }
>>     Auth-Type group2 {
>>         group2
>>     }
>>     eap
>> }
>> .
>> .
>> .
>> 
>> # users
>> DEFAULT Called-Station-Id == "00-11-22-33-44-55-66",Autz-Type := group1
>> DEFAULT Autz-Type = group2
> 
> What precisely are you trying to do here?
> 
> You may be better off using the "ldap" module against the AD to pull the
> groups into the radius server and make decisions there, which is
> *separate* from the running of the authentication algorithm.
> 
> Failing that, you could do this:
> 
> DEFAULT Called-Station-Id == "00-11-22-33-44-55"
> Tmp-String-1 = "group1"
> 
> DEFAULT
> Tmp-String-1 = "group2"
> 
> ...then have:
> 
> modules {
>   mschap {
>    # the xlat needs its closing brace; the :- part is the default group
>    ntlm_auth = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users} --other-options"
>   }
> }
> 
> authorize {
>   preprocess
>   files
>   mschap
>   eap
> }
> authenticate {
>    Auth-Type MSCHAP {
>      mschap
>    }
> }
> 
> If you are on an older version of the server you may need to define the
> Tmp-String-1 attributes like so in "dictionary":
> 
> ATTRIBUTE Tmp-String-1 3000 string
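The mechanism Phil describes above (a users-file entry selects a per-site Tmp-String-1 reply item, and the mschap module's ntlm_auth line expands `%{reply:Tmp-String-1:-Domain Users}` into `--require-membership-of`), together with the Calling-Station-Id variant from Nathan's PS, as an added example that is not code from the thread or from FreeRADIUS itself. It is a small Python simulator of the first-match users-file logic and of the `%{list:Attr:-default}` xlat, so the mapping from access point to AD group can be checked offline before editing a live server. The station IDs, user names and group names are constructed sample data, and the parser handles only the `==` check operator and plain `attr = "value"` reply items.

```python
# Added example (not from the thread): simulate the users-file match and the
# %{reply:Tmp-String-1:-Domain Users} xlat that feed ntlm_auth's
# --require-membership-of. All sample data below is constructed.
import re

# Constructed users-file entries in the style of Phil's reply. The first
# entry whose check items all match wins (no Fall-Through here). The second
# entry matches on Calling-Station-Id, as Nathan's PS says Apple base
# stations need.
USERS_FILE = """\
DEFAULT Called-Station-Id == "00-11-22-33-44-55"
        Tmp-String-1 = "group1"

DEFAULT Calling-Station-Id == "00-aa-bb-cc-dd-ee"
        Tmp-String-1 = "group2"

DEFAULT
        Tmp-String-1 = "group3"
"""

# ntlm_auth command as in the mschap stanza; ':-' supplies a default when
# no entry set Tmp-String-1 on the reply.
NTLM_AUTH = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users}"

# One check or reply item: Attr op "value" (quotes optional)
ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*"?([^",]*?)"?\s*$')


def parse_users(text):
    """Parse users-file text into a list of (name, check_items, reply_items)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, _, rest = lines[0].strip().partition(" ")
        checks = [ITEM.match(i).groups() for i in rest.split(",") if i.strip()]
        replies = {}
        for line in lines[1:]:  # reply items, one or more per line
            for item in line.strip().rstrip(",").split(","):
                attr, _op, value = ITEM.match(item).groups()
                replies[attr] = value
        entries.append((name, checks, replies))
    return entries


def first_match(entries, request):
    """Return the reply items of the first entry whose checks all match."""
    for name, checks, replies in entries:
        if name != "DEFAULT" and request.get("User-Name") != name:
            continue
        if all(op == "==" and request.get(attr) == value
               for attr, op, value in checks):
            return dict(replies)
    return {}


XLAT = re.compile(r"%\{(\w+):([\w-]+)(?::-([^}]*))?\}")


def expand(template, lists):
    """Expand %{list:Attr} and %{list:Attr:-default} references."""
    def sub(m):
        listname, attr, default = m.groups()
        value = lists.get(listname, {}).get(attr)
        return value if value is not None else (default or "")
    return XLAT.sub(sub, template)


def ntlm_auth_command(request, users_text=USERS_FILE):
    """Run the authorize-time users step, then expand the mschap command."""
    reply = first_match(parse_users(users_text), request)
    return expand(NTLM_AUTH, {"request": request, "reply": reply})


if __name__ == "__main__":
    site1 = {"User-Name": "alice", "Called-Station-Id": "00-11-22-33-44-55"}
    apple = {"User-Name": "bob", "Calling-Station-Id": "00-aa-bb-cc-dd-ee"}
    other = {"User-Name": "carol", "Called-Station-Id": "ff-ff-ff-ff-ff-ff"}
    for req in (site1, apple, other):
        print(req["User-Name"], "->", ntlm_auth_command(req))
```

The last function is the thing to run against each access point you expect to see: if a station ID falls through every entry, the `:-` default decides which group ntlm_auth requires, so that default should be the group you are comfortable admitting from an unrecognised base station rather than the broadest one available.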