Help mixing proxied and non-proxied auth mechanisms

Phil Mayers p.mayers at imperial.ac.uk
Thu Mar 16 14:59:56 CET 2006


Geoff Silver wrote:
>>
>> DEFAULT My-Group != "known", Auth-Type := Reject
>>
>> DEFAULT  Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812
>>         Connect-Info="OFFICE_NET"
>> DEFAULT  Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
>> 	Connect-Info="OFFICE_NET"
> 
> That will work for the simple case I provided, but my users file is actually a
> bit more complicated.  There are multiple NAS-IP-Address and/or Huntgroups
> available, and not all users have access to all of them.  The only thing
> guaranteed is that any user who *has* an entry actually has two, one with a
> Hint==Port-1645 and the other with Hint==Port-1812.
> 
> Perhaps a better users file example would be:
> 
> user01	Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
> user01	Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
> user01	NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
> user02	Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
> user03	NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
> 
> Additionally, none of these folks have (or can have) /etc/passwd accounts on
> this system, so I'm not sure that rlm_passwd will work for me necessarily
> (plus, we're back to the "not every user has access to every NAS/Huntgroup"
> problem).

rlm_passwd would be better named "rlm_lookup" or "rlm_mapping" or 
"rlm_keyval". I use it very successfully after a hint from Alan to cut 
down combinatorial explosion:

modules {
   passwd nas2kind {
     filename = /etc/raddb/nas2kind
     format = "*NAS-IP-Address:~NasKind"
   }
   passwd user2group {
     filename = /etc/raddb/user2group
     format = "*User-Name:~Group"
     # a user appears on several lines below; use every matching record
     allowmultiplekeys = yes
   }
}
authorize {
   preprocess
   nas2kind
   user2group
   users
}

/etc/raddb/nas2kind:

10.1.2.3:type1
10.1.2.4:type2

/etc/raddb/user2group:

user01:nasgroup1-p1812
user01:nasgroup2-p1812
user01:nasgroup1
user02:nasgroup1-p1812
user03:nasgroup2


/etc/raddb/users:

# Skip unknown users (no Group was added by user2group)
DEFAULT Group !* ANY, Auth-Type := Reject

# Check items must stay on the DEFAULT line; a trailing comma there is a syntax error
DEFAULT Group=="nasgroup1-p1812", NasKind=="type1", Hint==Port-1812, Auth-Type := Accept

DEFAULT Group=="nasgroup2-p1812", NasKind=="type2", Hint==Port-1812, Auth-Type := Accept

DEFAULT Group=="nasgroup1", NasKind=="type1", Hint==Port-1645, Proxy-To-Realm := PROXY_GW

DEFAULT Group=="nasgroup2", NasKind=="type2", Hint==Port-1645, Proxy-To-Realm := PROXY_GW


Hopefully that's clear.

Note that the passwd instances are defined to add the values to the 
request (because it's hard to match on == for config/reply items in 
users) so you'll need to make sure those value names are in a local 
dictionary somewhere.

Note also that the above is a literal translation of your most recent 
email - I believe in your original email you matched on Huntgroup-Name, 
in which case you can skip the NasKind mapping and simplify things somewhat.
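As an added example (not part of either mail, and not FreeRADIUS code), a small Python model of the scheme Phil describes: the two rlm_passwd lookups add NasKind and Group to the request, and the users file is then evaluated first-match. The mapping tables are constructed from Geoff's users file (user03 mapped to nasgroup2 for its proxied port-1645 entry) and assume allowmultiplekeys = yes so user01 keeps all three Group values.

```python
"""Offline model of the scheme above: two rlm_passwd lookups add attributes to the request,
then the users file is evaluated first-match. Constructed example, not FreeRADIUS code; the
tables follow Geoff's users file and assume allowmultiplekeys = yes (user01 keeps 3 groups)."""
import re
from collections import defaultdict

NAS2KIND = {"10.1.2.3": ["type1"], "10.1.2.4": ["type2"]}              # *NAS-IP-Address:~NasKind
USER2GROUP = {"user01": ["nasgroup1-p1812", "nasgroup2-p1812", "nasgroup1"],  # *User-Name:~Group
              "user02": ["nasgroup1-p1812"], "user03": ["nasgroup2"]}

USERS = """
DEFAULT Group !* ANY, Auth-Type := Reject
DEFAULT Group=="nasgroup1-p1812", NasKind=="type1", Hint==Port-1812, Auth-Type := Accept
DEFAULT Group=="nasgroup2-p1812", NasKind=="type2", Hint==Port-1812, Auth-Type := Accept
DEFAULT Group=="nasgroup1", NasKind=="type1", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
DEFAULT Group=="nasgroup2", NasKind=="type2", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
"""
# one item: attribute, operator, optionally quoted value, up to the next comma or end of line
ITEM = re.compile(r'\s*([\w-]+)\s*(==|!\*|:=)\s*"?([^",]*?)"?\s*(?:,|$)')

def parse_users(text):
    """Each DEFAULT line -> (check items, control items): '==' and '!*' test the request,
    ':=' assigns a control item such as Auth-Type or Proxy-To-Realm."""
    entries = []
    for line in text.splitlines():
        if line.startswith("DEFAULT"):
            checks, controls = [], {}
            for attr, op, value in ITEM.findall(line[len("DEFAULT"):]):
                if op == ":=":
                    controls[attr] = value
                else:
                    checks.append((attr, op, value))
            entries.append((checks, controls))
    return entries

def authorize(user, nas_ip, port):
    """Model the authorize section: preprocess sets Hint, nas2kind and user2group add NasKind
    and Group to the request, then the first users entry whose checks all hold wins."""
    request = defaultdict(list)
    request["User-Name"].append(user)
    request["Hint"].append(f"Port-{port}")                 # what the hints file sets from NAS-Port
    request["NasKind"].extend(NAS2KIND.get(nas_ip, []))    # passwd nas2kind
    request["Group"].extend(USER2GROUP.get(user, []))      # passwd user2group
    for checks, controls in parse_users(USERS):
        # '==' : some instance of attr equals value;  '!*' : attr absent from the request
        if all(value in request[attr] if op == "==" else not request[attr]
               for attr, op, value in checks):
            return controls
    return {}   # nothing matched: no Auth-Type is set, so the request is rejected later on
```

A request that reaches the end without matching any DEFAULT entry (for example user01 on 10.1.2.4 with Hint Port-1645) gets neither Auth-Type nor Proxy-To-Realm, which is how "not every user has access to every NAS" falls out of the mapping.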
