add realm to user based on NAS-IP
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Apr 10 20:54:40 CEST 2007
Alexander Papenburg wrote:
> Hi Arran, hi Alexander and hi Freeradius-List,
>
> I ran into problems regarding the Proxy-to-realm thing... :(
>
> My Setup:
>
> 10.0.0.1 A cisco Router
> 10.0.1.20 My Terminal
> 192.168.0.1 Radius (Home Server)
> 192.168.0.2 Radius (Proxy)
>
>
> At first a successful login with username abc at realm:
>
> --snip1--
> User-Name = "abc at realm"
> Reply-Message = "Password: "
> User-Password = "testtest"
> NAS-Port = 2
> NAS-Port-Id = "tty2"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "10.0.1.20"
> NAS-IP-Address = 10.0.0.1
> Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of
> radiusd.conf
> Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group authorize for
> request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module
> "preprocess" returns ok for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling chap
> (rlm_chap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> chap (rlm_chap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "chap"
> returns noop for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "mschap"
> returns noop for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling suffix
> (rlm_realm) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Looking up realm
> "realm" for User-Name = "abc at realm"
> Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Found realm "realm"
> Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Proxying request from
> user abc to realm realm
> Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Adding Realm = "realm"
> Tue Apr 10 19:41:10 2007 : Debug: rlm_realm: Preparing to proxy
> authentication request to realm "realm"
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "suffix"
> returns updated for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "eap"
> returns noop for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[authorize]: module "files"
> returns notfound for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group authorize
> (returns updated) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: proxy: creating 688187c3:1812
> Tue Apr 10 19:41:10 2007 : Debug: proxy: allocating 688187c3:1812 0
> Sending Access-Request of id 0 to 192.168.0.1 port 1812
> User-Name = "abc at realm"
> Reply-Message = "Password: "
> User-Password = "testtest"
> NAS-Port = 2
> NAS-Port-Id = "tty2"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "10.0.1.20"
> NAS-IP-Address = 10.0.0.1
> Proxy-State = 0x3836
> Tue Apr 10 19:41:10 2007 : Debug: Thread 1 waiting to be assigned a request
> rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=0, length=24
> Tue Apr 10 19:41:10 2007 : Debug: proxy: de-allocating 688187c3:1812 0
> Tue Apr 10 19:41:10 2007 : Debug: rl_next: returning NULL
> Tue Apr 10 19:41:10 2007 : Debug: Thread 2 got semaphore
> Tue Apr 10 19:41:10 2007 : Debug: Thread 2 handling request 0, (1
> handled so far)
> Proxy-State = 0x3836
> Tue Apr 10 19:41:10 2007 : Debug: Processing the post-proxy section of
> radiusd.conf
> Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group post-proxy for
> request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: calling eap
> (rlm_eap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modsingle[post-proxy]: returned from
> eap (rlm_eap) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall[post-proxy]: module "eap"
> returns noop for request 0
> Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group post-proxy
> (returns noop) for request 0
> Tue Apr 10 19:41:10 2007 : Debug: authorize: Skipping authorize in
> post-proxy stage
> Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Found Auth-Type
> Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Auth-Type =
> Accept, accepting the user
> Sending Access-Accept of id 86 to 10.0.0.1 port 1645
> Tue Apr 10 19:41:10 2007 : Debug: Finished request 0
> Tue Apr 10 19:41:10 2007 : Debug: Going to the next request
> Tue Apr 10 19:41:10 2007 : Debug: Thread 2 waiting to be assigned a request
> Tue Apr 10 19:41:10 2007 : Debug: Waking up in 31 seconds...
> --snip1--
>
>
> Now trying Alexander's (Klepikov) hint with the following in "hints"
>
> >DEFAULT Suffix !~ "@."
> > Realm = "%{NAS-IP-Address:-unknown}"
>
>
> --snip2--
> User-Name = "abc"
> Reply-Message = "Password: "
> User-Password = "testtest"
> NAS-Port = 2
> NAS-Port-Id = "tty2"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "10.0.1.20"
> NAS-IP-Address = 10.0.0.1
> Tue Apr 10 19:42:41 2007 : Debug: Processing the authorize section of
> radiusd.conf
> Tue Apr 10 19:42:41 2007 : Debug: modcall: entering group authorize for
> request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: hints: Matched DEFAULT at 77
> Tue Apr 10 19:42:41 2007 : Debug: radius_xlat: '10.0.0.1'
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module
> "preprocess" returns ok for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling chap
> (rlm_chap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> chap (rlm_chap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "chap"
> returns noop for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "mschap"
> returns noop for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling suffix
> (rlm_realm) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: rlm_realm: Request already
> proxied. Ignoring.
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "suffix"
> returns noop for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "eap"
> returns noop for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall[authorize]: module "files"
> returns notfound for request 0
> Tue Apr 10 19:42:41 2007 : Debug: modcall: leaving group authorize
> (returns ok) for request 0
> Tue Apr 10 19:42:41 2007 : Debug: auth: No authenticate method
> (Auth-Type) configuration found for the request: Rejecting the user
> Tue Apr 10 19:42:41 2007 : Debug: auth: Failed to validate the user.
> Tue Apr 10 19:42:41 2007 : Debug: Delaying request 0 for 1 seconds
> Tue Apr 10 19:42:41 2007 : Debug: Finished request 0
> Tue Apr 10 19:42:41 2007 : Debug: Going to the next request
> Tue Apr 10 19:42:41 2007 : Debug: Thread 1 waiting to be assigned a request
> --snip2--
>
> At last trying Arran's hint with the following in "users"
> >DEFAULT
> > NAS-IP-Address == 10.0.1.20, Proxy-To-Realm = "realm",
> > User-Name = "%{User-Name}@realm"
>
> --snip3--
> User-Name = "abc"
> Reply-Message = "Password: "
> User-Password = "testtest"
> NAS-Port = 2
> NAS-Port-Id = "tty2"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "10.0.1.20"
> NAS-IP-Address = 10.0.0.1
> Tue Apr 10 19:44:45 2007 : Debug: Processing the authorize section of
> radiusd.conf
> Tue Apr 10 19:44:45 2007 : Debug: modcall: entering group authorize for
> request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module
> "preprocess" returns ok for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling chap
> (rlm_chap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> chap (rlm_chap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "chap"
> returns noop for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "mschap"
> returns noop for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling suffix
> (rlm_realm) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: rlm_realm: No '@' in User-Name =
> "abc", looking up realm NULL
> Tue Apr 10 19:44:45 2007 : Debug: rlm_realm: No such realm "NULL"
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "suffix"
> returns noop for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "eap"
> returns noop for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: users: Matched entry DEFAULT at
> line 215
> Tue Apr 10 19:44:45 2007 : Debug: radius_xlat: 'abc at realm'
> Tue Apr 10 19:44:45 2007 : Debug: modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall[authorize]: module "files"
> returns ok for request 0
> Tue Apr 10 19:44:45 2007 : Debug: modcall: leaving group authorize
> (returns ok) for request 0
> Tue Apr 10 19:44:45 2007 : Debug: auth: No authenticate method
> (Auth-Type) configuration found for the request: Rejecting the user
> Tue Apr 10 19:44:45 2007 : Debug: auth: Failed to validate the user.
> Tue Apr 10 19:44:45 2007 : Debug: Delaying request 0 for 1 seconds
> Tue Apr 10 19:44:45 2007 : Debug: Finished request 0
> Tue Apr 10 19:44:45 2007 : Debug: Going to the next request
> Tue Apr 10 19:44:45 2007 : Debug: Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 10.0.0.1:1645, id=89, length=93
> Sending Access-Reject of id 89 to 10.0.0.1 port 1645
> --snip3--
>
>
> Where is my mistake? The FreeRADIUS package is the latest in the Debian
> stable (4.0) branch (freeradius_1.1.3-3_i386).
>
>
> Regards Alex
>
>
Hmmm, I don't think Alexander's will work, as you still need something to
actually trigger the proxying process.
Or at least I thought you did? And that can be an rlm_realm instance or
a Proxy-To-Realm check item...
Just setting the Realm attribute isn't enough.
With mine, the entry in users should be
DEFAULT NAS-IP-Address == 10.0.1.20, Proxy-To-Realm = "realm"
User-Name = "%{User-Name}@realm"
That's NAS-IP-Address and Proxy-To-Realm as check items
and User-Name as a reply item.
You should also comment out any rlm_realm instances in the authorize section,
such as suffix and ipass.
Now if you want a better way of doing this, that is, proxy a user to a realm based on the NAS-IP-Address,
like:
User with NAS-IP-Address 10.0.1.20 gets proxied to realm 10.0.1.20
and username gets rewritten to user@10.0.1.20.
Then you should be able to use Alexander's hint,
but modify the User-Name instead.
DEFAULT Suffix !~ "@."
User-Name = "%{User-Name}@%{NAS-IP-Address:-unknown}"
Then use the 'suffix' instance in authorize.
What should happen is the user request comes in;
if its suffix does not already contain a realm,
then rewrite the User-Name in the request packet to be User@NAS-IP-Address.
Then in the authorize section
the suffix instance will split the username back into user and NAS-IP-Address,
and proxy to a realm with a name equal to the NAS-IP-Address.
---
Arran
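The NAS-IP-Address-based variant described in the reply above, written out as an added example for FreeRADIUS 1.x (not configuration from the thread itself): the hints entry that appends the NAS-IP-Address to the User-Name, plus the proxy.conf realm that the suffix instance then finds. The realm name 10.0.0.1 is taken from the NAS-IP-Address the debug logs actually show (the users entry in the thread tested 10.0.1.20, which is the terminal's Calling-Station-Id, not the NAS); the shared secret and the "unknown" fallback realm are assumptions.

```text
# /etc/freeradius/hints  (added example, FreeRADIUS 1.x syntax)
# rlm_preprocess runs before the suffix instance in authorize (see the
# order of the debug lines above), so this rewrite happens first.
# Check item taken from the thread: only touch names with no realm yet.
DEFAULT Suffix !~ "@."
        User-Name = "%{User-Name}@%{NAS-IP-Address:-unknown}"

# /etc/freeradius/proxy.conf  (added example)
# The realm name must equal the NAS-IP-Address exactly as it appears in
# the Access-Request. In the logs above that is 10.0.0.1 (the router),
# not 10.0.1.20 (the terminal behind it).
realm 10.0.0.1 {
        type     = auth
        authhost = 192.168.0.1:1812
        accthost = 192.168.0.1:1813
        secret   = CHANGE-ME-SHARED-SECRET   # assumed placeholder
        # Without "nostrip" the "@10.0.0.1" suffix is removed before the
        # request is forwarded, so the home server sees plain "abc".
        # Add "nostrip" only if the home server expects the full name.
}

# Requests from a NAS with no NAS-IP-Address end up in realm "unknown"
# (the :-unknown default above). Define it as LOCAL so they are handled
# here, and rejected, instead of silently matching nothing (assumed).
realm unknown {
        type     = auth
        authhost = LOCAL
        accthost = LOCAL
}

# Note: no "realm DEFAULT" catch-all is defined on purpose. A NAS whose
# address has no realm entry then gets "No such realm", is not proxied,
# and is rejected locally for lack of an Auth-Type, exactly as snip3 shows.
```

To verify, run radiusd -X and watch for the "rlm_realm: Looking up realm "10.0.0.1" for User-Name = "abc@10.0.0.1"" line followed by "Found realm"; a login whose name already carries an "@realm" suffix should leave the hints entry unmatched.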