user group problems, my logic or freeradius limitation

Reynolds, Walter waltr at umich.edu
Tue Nov 4 13:35:11 CET 2008


I am trying to find a good way to limit who is able to log in at specific NASes.  I know I could add all the allowed user names to the huntgroups file, but this can get tedious as I must do it for each NAS.  So I figured the best way was to use groups.  The users are not account holders on the system, so I could not use the 'Group' option in huntgroups.  I also do not have a database backend, so I wanted to use a local file.

So in looking I saw that I could do the following:

1. modules/etc_group - Defined a local file with a group list
2. Created the group file referenced in etc_group
3. Added a dictionary item for the attribute
4. Added the desired NAS to a huntgroup
5. Set a policy in the users file based on the list.

Where I am having a problem is when the user is assigned to more than one group.  As you can see from the first debug output below, if a user is a member of the one group alone it works fine.  But the second debug output shows that if a user is a member of more than one group, even if one of them is the right one, it will not work, because one of the groups does not match.

The reason I need users in more than one group is that they may be affiliated with more than one department.  Support staff will also need more than one affiliation to be able to troubleshoot connecting on each NAS.

In case it matters, the back-end authentication is Kerberos on our production service, but for this test I just have some local accounts defined in the users file.

So, is this an error in my logic/setup, or is this a limitation of FreeRADIUS?  Is there some other way to do this?


===============

/usr/local/etc/raddb/modules/etc_group

passwd etc_group {
       filename = /usr/local/etc/raddb/group_file
       format = "~Etc-Group-Name:*,User-Name"
       hashsize = 150
       ignorenislike = yes
       allowmultiplekeys = yes
       delimiter = ":"
}

================

/usr/local/etc/raddb/group_file

wilab:walt,walter
wilab2:walter,walter01
nolab:walter01

=================

/usr/local/etc/raddb/dictionary

ATTRIBUTE       Etc-Group-Name          3000    string

=================

/usr/local/etc/raddb/huntgroups

ILAB            NAS-IP-Address == 10.11.224.36

=================

/usr/local/etc/raddb/users  (added line numbers for the debug)


    102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
    103                 Fall-Through = no
    104
    105 walt    Cleartext-Password := "walter01"
    106 walter  Cleartext-Password := "walter01"
    107 walter01        Cleartext-Password := "walter01"


-------------------------------


rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131
        User-Name = "walt"
        User-Password = "walter01"
        NAS-IP-Address = 10.11.224.36
        Service-Type = Login-User
        Framed-IP-Address = 192.168.135.25
        Called-Station-Id = "00:07:E9:D1:8F:C2"
        NAS-Identifier = "Bluesocket"
        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
        NAS-Port-Type = Wireless-802.11
Tue Nov  4 07:09:21 2008 : Info: +- entering group authorize {...}
Tue Nov  4 07:09:21 2008 : Info: ++[preprocess] returns ok
Tue Nov  4 07:09:21 2008 : Info: ++[chap] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[mschap] returns noop
Tue Nov  4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL
Tue Nov  4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
Tue Nov  4 07:09:21 2008 : Info: ++[suffix] returns noop
Tue Nov  4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov  4 07:09:21 2008 : Info: ++[eap] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[unix] returns notfound
Tue Nov  4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
Tue Nov  4 07:09:21 2008 : Info: ++[etc_group] returns ok
Tue Nov  4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
Tue Nov  4 07:09:21 2008 : Info: ++[files] returns ok
Tue Nov  4 07:09:21 2008 : Info: ++[expiration] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[logintime] returns noop
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns updated
Tue Nov  4 07:09:21 2008 : Info: Found Auth-Type = PAP
Tue Nov  4 07:09:21 2008 : Info: +- entering group PAP {...}
Tue Nov  4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
Tue Nov  4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
Tue Nov  4 07:09:21 2008 : Info: [pap] User authenticated successfully
Tue Nov  4 07:09:21 2008 : Info: ++[pap] returns ok
Tue Nov  4 07:09:21 2008 : Info: +- entering group post-auth {...}
Tue Nov  4 07:09:21 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 111 to 10.11.224.36 port 32783
Tue Nov  4 07:09:21 2008 : Info: Finished request 0.


=======================
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
        User-Name = "walter"
        User-Password = "walter01"
        NAS-IP-Address = 10.11.224.36
        Service-Type = Login-User
        Framed-IP-Address = 192.168.135.25
        Called-Station-Id = "00:07:E9:D1:8F:C2"
        NAS-Identifier = "Bluesocket"
        Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
        NAS-Port-Type = Wireless-802.11
Tue Nov  4 07:09:49 2008 : Info: +- entering group authorize {...}
Tue Nov  4 07:09:49 2008 : Info: ++[preprocess] returns ok
Tue Nov  4 07:09:49 2008 : Info: ++[chap] returns noop
Tue Nov  4 07:09:49 2008 : Info: ++[mschap] returns noop
Tue Nov  4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL
Tue Nov  4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
Tue Nov  4 07:09:49 2008 : Info: ++[suffix] returns noop
Tue Nov  4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
Tue Nov  4 07:09:49 2008 : Info: ++[eap] returns noop
Tue Nov  4 07:09:49 2008 : Info: ++[unix] returns notfound
Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items
Tue Nov  4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
Tue Nov  4 07:09:49 2008 : Info: ++[etc_group] returns ok
Tue Nov  4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102
Tue Nov  4 07:09:49 2008 : Info: ++[files] returns ok
Tue Nov  4 07:09:49 2008 : Info: ++[expiration] returns noop
Tue Nov  4 07:09:49 2008 : Info: ++[logintime] returns noop
Tue Nov  4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it.
Tue Nov  4 07:09:49 2008 : Info: ++[pap] returns noop
Tue Nov  4 07:09:49 2008 : Info: Found Auth-Type = Reject
Tue Nov  4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
Tue Nov  4 07:09:49 2008 : Info: Failed to authenticate the user.
Tue Nov  4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
Tue Nov  4 07:09:49 2008 : Info: +- entering group REJECT {...}
Tue Nov  4 07:09:49 2008 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> walter
Tue Nov  4 07:09:49 2008 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue Nov  4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
Tue Nov  4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
Tue Nov  4 07:09:49 2008 : Debug: Going to the next request
Tue Nov  4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
Tue Nov  4 07:09:50 2008 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 112 to 10.11.224.36 port 32783
Tue Nov  4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
Tue Nov  4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39
Tue Nov  4 07:09:55 2008 : Debug: Ready to process requests.




--
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
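As an added illustration (not from the post and not FreeRADIUS code), this Python models why the two traces above differ: once a request carries two Etc-Group-Name values, a check item of the form `Etc-Group-Name != "wilab"` matches as soon as any value differs, while the policy the post is after is a membership test. The group_file contents, user names and huntgroup name are copied from the post; the two decision functions are a constructed model of the behaviour the debug output shows, with the no-group case assumed to fail closed.

```python
"""Constructed model of a users-file check item against a multi-valued
Etc-Group-Name.  Not FreeRADIUS code; it reproduces the two traces."""

# Copy of the group_file from the post: "group:member,member" per line.
GROUP_FILE = """\
wilab:walt,walter
wilab2:walter,walter01
nolab:walter01
"""


def parse_group_file(text, delimiter=":"):
    """Return {group: [members]} from an etc_group-style file."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(delimiter)
        groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def groups_for_user(groups, user):
    """Emulate the etc_group lookup with allowmultiplekeys = yes: every
    group containing the user becomes one Etc-Group-Name value."""
    return sorted(g for g, members in groups.items() if user in members)


def rejected_by_not_equal(group_names, required="wilab"):
    """Model of the post's rule 'Etc-Group-Name != "wilab"' as the traces
    show it: the item matches (reject) when any value is not wilab.
    Assumption: a user with no groups at all is also rejected."""
    return not group_names or any(g != required for g in group_names)


def rejected_by_membership(group_names, required="wilab"):
    """The policy the post wants: reject only when wilab is not among
    the user's groups, whatever other groups are present."""
    return required not in group_names


def decide(user, policy, nas_huntgroup="ILAB"):
    """Apply the DEFAULT rule only to requests from the ILAB huntgroup,
    mirroring 'Huntgroup-Name == ILAB'; other NASes are left alone."""
    if nas_huntgroup != "ILAB":
        return "Access-Accept"
    names = groups_for_user(parse_group_file(GROUP_FILE), user)
    return "Access-Reject" if policy(names) else "Access-Accept"


if __name__ == "__main__":
    for user in ("walt", "walter", "walter01"):
        print(user, decide(user, rejected_by_not_equal), decide(user, rejected_by_membership))
```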