Add reply attributes to a proxy radius response

Paul TAVERNIER paul.tavernier at ac-rouen.fr
Tue Nov 4 15:56:38 CET 2008


I built a new lab with Freeradius 1.x, Cisco ASA, RSA-OTP and RSARadius Box.

All is working perfectly... because Freeradius 1.x parses the authorize 
section TWICE (as the proxy.conf comment says, once before the proxy 
request and once after). So it asks my LDAP server twice for the 
attributes I need (Class + Framed-IP-Address), and with the second call 
the Access-Accept contains all the reply attributes I need...

Sending Access-Accept of id 226 to 192.168.1.2:1025
	Framed-MTU = 576
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
==>	Class = 0x646976696e666f
==>	Framed-IP-Address = 1.2.3.4
Finished request 0
Going to the next request


So, the thing I'd like to do with Freeradius v2.1 is to insert an "ldap" 
authorization call in the post-proxy section of my config.

And when I insert such a directive, it rejects it...

/etc/freeradius/sites-enabled/default[470]: "LDAP" modules aren't 
allowed in 'post-proxy' sections -- they have no such method.
/etc/freeradius/sites-enabled/default[456]: Errors parsing post-proxy 
section.

Any idea/tip?
Thanks in advance, rgds
Paul.





Paul TAVERNIER wrote:
>     Hi all,
> 
>     I run with Freeradius 2.1, CiscoASA and RSASecurid "OTP"+RSARadius.
> 
>     I set my CiscoASA to authenticate against freeradius. On this 
> freeradius server, I created a realm "OTP" which proxies the request to an 
> RSARadius (the only one which can query the RSA OTP SecurID database). So 
> when I authenticate with myuserlogin@OTP/Passcode from my Cisco VPN client, 
> the authentication is successful. No problem. Here's the log:
> 
> ======(log)
> [suffix] Looking up realm "otp" for User-Name = "xxxxxxxxxx@otp"
> [suffix] Found realm "otp"
> [suffix] Adding Stripped-User-Name = "xxxxxxxxxx"
> [suffix] Adding Realm = "otp"
> [suffix] Proxying request from user xxxxxxxxxx to realm otp
> [suffix] Preparing to proxy authentication request to realm "otp"
> ++[suffix] returns updated
> ...
> rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4, 
> length=85
>     Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198
>     Proxy-State = 0x313530
> ======(end of log)
> 
> 
> 
>     The second thing I want to do is to "import" the user's "policy 
> group" (radiusClass) and its own IP address (radiusFramedIPAddress). 
> Those attributes are located in an LDAP directory server. So I decided to 
> add the "ldap" module to the authorize section of my freeradius config 
> files. In the logs, I clearly see that freeradius is doing a great job 
> (asking for and receiving my LDAP attrs):
> 
> ======(log)
> [ldap] performing user authorization for xxxxxxxxxx
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
> details
>     expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xxxxxxxxxx)
>     expand: o=gouv,c=fr -> o=gouv,c=fr
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> ...
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xxxxxxxxxx)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> rlm_ldap: radiusClass -> Class = 0x646976696e666f
> rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4
> WARNING: No "known good" password was found in LDAP.  Are you sure that 
> the user is configured correctly?
> [ldap] Setting Auth-Type = LDAP
> [ldap] user xxxxxxxxxxx authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ======(end of log)
> 
> 
>     My problem is that finally I get 2 successful auths (that is how I 
> interpret it, sorry...), and Freeradius "chooses" Auth-Type = Accept 
> (the proxied RSA Radius response, which doesn't contain the Class and 
> Framed-IP-Address I need to push to my Cisco ASA):
> 
>     
> ======(log)
> Found Auth-Type = LDAP
> Found Auth-Type = Accept
> Warning:  Found 2 auth-types on request for user 'xxxxxxxxxxx'
> Auth-Type = Accept, accepting the user
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 150 to 192.168.1.2 port 1025
>     Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018
> Finished request 0.
> ======(end of log)
> 
>     In other words (sorry for being so long), I would love to 
> authenticate against my OTP RSA SecurID boxes and concatenate RADIUS 
> attributes found in an LDAP directory...
> 
>     Where should I go? post-proxy module?
> 
>     Any help would be greatly appreciated.
> 
>     Kind regards,
>     Paul
> 
>     
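One way to get the LDAP reply items into the final Access-Accept on 2.1 without calling ldap in post-proxy (which, as the error above says, the server refuses). This is an added configuration example, not from the thread or from the FreeRADIUS project. It assumes what the 2.1 log above suggests: the reply items added during authorize do not survive the proxy round-trip (the reply is rebuilt from the home server's Access-Accept), whereas the control list does. So the values are parked in the control list before proxying and copied back into the reply in post-proxy. The ldap module configuration (radiusClass/radiusFramedIPAddress mapping) is assumed to be the working one from the authorize log; Tmp-String-0 and Tmp-IP-Address-0 are internal attributes from the standard 2.x dictionary and are never sent on the wire; the realm name "otp" is the one in the logs.

```text
# /etc/freeradius/sites-enabled/default  (fragment, FreeRADIUS 2.1)
# Assumed: modules/ldap already maps radiusClass -> Class and
# radiusFramedIPAddress -> Framed-IP-Address, as the authorize log shows.

authorize {
    preprocess
    suffix      # splits "user@otp", adds Stripped-User-Name and Realm = "otp"
    ldap        # adds Class and Framed-IP-Address from LDAP to the reply list

    # Assumption: the reply items fetched here are discarded when the home
    # server's Access-Accept arrives.  The control list is kept across the
    # proxy round-trip, so park the values there before the request leaves.
    if (Realm == "otp") {
        if (reply:Class) {
            update control {
                Tmp-String-0 := "%{reply:Class}"
            }
        }
        if (reply:Framed-IP-Address) {
            update control {
                Tmp-IP-Address-0 := "%{reply:Framed-IP-Address}"
            }
        }
    }
}

post-proxy {
    # Runs on the reply from the RSA RADIUS home server.  Put the parked
    # LDAP items back; ":=" replaces any Class the home server sent, so the
    # ASA receives the policy group from LDAP.
    if (Realm == "otp") {
        if (control:Tmp-String-0) {
            update reply {
                Class := "%{control:Tmp-String-0}"
            }
        }
        if (control:Tmp-IP-Address-0) {
            update reply {
                Framed-IP-Address := "%{control:Tmp-IP-Address-0}"
            }
        }
    }
}
```

Two notes on the 2.1 logs above. The "Found 2 auth-types" warning comes from the ldap module setting Auth-Type = LDAP because it found no known-good password; since the RSA box checks the passcode, the 2.x ldap module's set_auth_type option can be turned off (set_auth_type = no in modules/ldap) so only the proxied Accept decides. And the existence checks (if (reply:Class) ...) keep a user with no radiusFramedIPAddress in LDAP from hitting an update with an empty value, which would otherwise fail the request.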






More information about the Freeradius-Users mailing list