user group problems, my logic or freeradius limitation
tnt at kalik.net
Tue Nov 4 14:33:26 CET 2008
Sorry, my brain is like sieve today.
Not DEFAULT but user entries (as I said in the text):
walt password, huntgroup, group
fall-through
walt bpassword, huntgroup, group
Ivan Kalik
Kalik Informatika ISP
On 4/11/2008, "Reynolds, Walter" <waltr at umich.edu> wrote:
>I am trying to find a good way to limit who is able to login at specific NAS's. I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS. So I figured the best way was to use groups. The users are not account holders on the system, so I could not use the 'Group' option in huntgroups. I also do not have a database backend so wanted to use a local file.
>
>So in looking I saw that I could do the following:
>
>1. modules/etc_group - Define a local file with a group list
>2. Created the group file referenced in etc_group
>3. Added a dictionary item for the attribute
>4. Add the desired NAS to a huntgroup
>5. Set a policy in the users file to be based on the list.
>
>Where I am having a problem is if the user is assigned to more than one group. As you can see from the first debug output from below, if a user is a member of the group alone it works fine. But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match.
>
>The reason I need users in more than one group is if they are affiliated with more than one department. Also will need more than one affiliation for support to be able to troubleshoot connecting on each NAS.
>
>In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file.
>
>So, is this an error in my logic/setup or is this a limitation I have with Freeradius? Is there some other way to do this?
>
>
>===============
>
>/usr/local/etc/raddb/modules/etc_group
>
>passwd etc_group {
> filename = /usr/local/etc/raddb/group_file
> format = "~Etc-Group-Name:*,User-Name"
> hashsize = 150
> ignorenislike = yes
> allowmultiplekeys = yes
> delimiter = ":"
>}
>
>================
>
>/usr/local/etc/raddb/group_file
>
>wilab:walt,walter
>wilab2:walter,walter01
>nolab:walter01
>
>=================
>
>/usr/local/etc/raddb/dictionary
>
>ATTRIBUTE Etc-Group-Name 3000 string
>
>=================
>
>/usr/local/etc/raddb/huntgroups
>
>ILAB NAS-IP-Address == 10.11.224.36
>
>=================
>
>/usr/local/etc/raddb/users (added line numbers for the debug)
>
>
> 102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject
> 103 Fall-Through = no
> 104
> 105 walt Cleartext-Password := "walter01"
> 106 walter Cleartext-Password := "walter01"
> 107 walter01 Cleartext-Password := "walter01"
>
>
>-------------------------------
>
>
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131
> User-Name = "walt"
> User-Password = "walter01"
> NAS-IP-Address = 10.11.224.36
> Service-Type = Login-User
> Framed-IP-Address = 192.168.135.25
> Called-Station-Id = "00:07:E9:D1:8F:C2"
> NAS-Identifier = "Bluesocket"
> Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477"
> NAS-Port-Type = Wireless-802.11
>Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...}
>Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok
>Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop
>Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop
>Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL
>Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop
>Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop
>Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound
>Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
>Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok
>Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105
>Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok
>Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop
>Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop
>Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated
>Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP
>Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...}
>Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01"
>Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01"
>Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully
>Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok
>Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...}
>Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop
>Sending Access-Accept of id 111 to 10.11.224.36 port 32783
>Tue Nov 4 07:09:21 2008 : Info: Finished request 0.
>
>
>=======================
>rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133
> User-Name = "walter"
> User-Password = "walter01"
> NAS-IP-Address = 10.11.224.36
> Service-Type = Login-User
> Framed-IP-Address = 192.168.135.25
> Called-Station-Id = "00:07:E9:D1:8F:C2"
> NAS-Identifier = "Bluesocket"
> Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505"
> NAS-Port-Type = Wireless-802.11
>Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...}
>Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok
>Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop
>Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop
>Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL
>Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL"
>Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop
>Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP
>Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop
>Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound
>Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items
>Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items
>Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok
>Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102
>Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok
>Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop
>Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop
>Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it.
>Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop
>Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject
>Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user
>Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user.
>Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject
>Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...}
>Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-Name} -> walter
>Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11
>Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated
>Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds
>Tue Nov 4 07:09:49 2008 : Debug: Going to the next request
>Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds.
>Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1
>Sending Access-Reject of id 112 to 10.11.224.36 port 32783
>Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds.
>Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39
>Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests.
>
>--
>Walt Reynolds
>Principal Systems Security Development Engineer
>Information Technology Central Services
>University of Michigan
>(734) 615-9438
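Added example, written for this archive page and not code from either poster or from FreeRADIUS: a small Python model of how the users-file check items in the thread behave once etc_group has added two Etc-Group-Name attributes to one request. The "a check item passes when any instance of the attribute satisfies its operator" rule is inferred from the quoted debug output (walter carries wilab2 and wilab, yet `Etc-Group-Name != "wilab"` matched); the Huntgroup-Name handling and the accept/reject shortcut are simplifications labelled in the code.

```python
# Constructed model, not FreeRADIUS code: users-file check items against a request
# where etc_group added several Etc-Group-Name attributes. The "passes when ANY
# instance satisfies the operator" rule is inferred from the debug output above.
GROUP_FILE = {"wilab": {"walt", "walter"}, "wilab2": {"walter", "walter01"},
              "nolab": {"walter01"}}                  # group_file from the thread
HUNTGROUPS = {"ILAB": {"10.11.224.36"}}             # huntgroups from the thread

def build_request(user, nas_ip):
    """Attribute list as it looks after preprocess and etc_group have run."""
    attrs = [("User-Name", user), ("NAS-IP-Address", nas_ip)]
    attrs += [("Huntgroup-Name", h) for h, nas in HUNTGROUPS.items() if nas_ip in nas]
    attrs += [("Etc-Group-Name", g) for g, m in GROUP_FILE.items() if user in m]
    return attrs

def check_item_ok(request, attr, op, value):
    """One users-file check item against a possibly multi-valued attribute."""
    values = [v for a, v in request if a == attr]
    if op == "==":
        return any(v == value for v in values)
    if op == "!=":                    # passes as soon as ONE instance differs
        return any(v != value for v in values)
    raise ValueError(op)

def authorize(entries, user, nas_ip):
    """entries: (name, [(attr, op, value)], {control items}, fall_through).
    Simplification: accept iff a Cleartext-Password was set and Auth-Type is
    not Reject. Returns (decision, names of the entries that matched)."""
    request = build_request(user, nas_ip)
    control, matched = {}, []
    for name, checks, ctl, fall_through in entries:
        if name not in ("DEFAULT", user):
            continue
        if not all(check_item_ok(request, *c) for c in checks):
            continue
        matched.append(name)
        control.update(ctl)
        if not fall_through:
            break
    ok = "Cleartext-Password" in control and control.get("Auth-Type") != "Reject"
    return ("Access-Accept" if ok else "Access-Reject"), matched

ILAB = ("Huntgroup-Name", "==", "ILAB")
PW = {"Cleartext-Password": "walter01"}
# The users file from the thread (lines 102-107): DEFAULT rejects via "!=".
ORIGINAL = [("DEFAULT", [ILAB, ("Etc-Group-Name", "!=", "wilab")], {"Auth-Type": "Reject"}, False),
            ("walt", [], PW, False), ("walter", [], PW, False), ("walter01", [], PW, False)]
# Per-user entries requiring membership with "==", in the spirit of the reply
# (my own rendering, not a users file posted in the thread).
PER_USER = [(u, [ILAB, ("Etc-Group-Name", "==", "wilab")], PW, False)
            for u in ("walt", "walter", "walter01")]
```

Calling `authorize(ORIGINAL, "walter", "10.11.224.36")` reproduces the reject from the second debug run, while `authorize(PER_USER, "walter", "10.11.224.36")` accepts him and `authorize(PER_USER, "walter01", ...)` still rejects the user who is only in wilab2 and nolab.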