Help checking group membership with FreeRadius

Josh Hiner josh at remc1.org
Thu Apr 2 23:24:42 CEST 2009


Chris Li, thanks a ton for your help. I can get this working for EAP-TLS,
but with EAP-PEAPv0 I get this error:

[peap] Got tunneled request
    EAP-Message = 0x020a00061a03
server  {
  PEAP: Setting User-Name to ISD\josh
Sending tunneled request
    EAP-Message = 0x020a00061a03
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "ISD\\josh"
    State = 0xa686dd06a78cc76c35334009429a07b1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh"
[ntdomain] Found realm "ISD"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "ISD"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "josh"
[peap] Got tunneled reply RADIUS code 2
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "josh"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 8 to 172.17.10.108 port 1033
    EAP-Message = 0x010b00261900170301001b3604d13d0348525fc0da7fb57847a2e3e7c0995ef64dc26d03e5f3
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1033, id=9, length=223
    User-Name = "ISD\\josh"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:83:b9"
    NAS-Port = 2
    Called-Station-Id = "00-1F-41-3A-83-B9:CCISD-REMC1"
    Calling-Station-Id = "00-0E-35-B6-74-AF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020b00261900170301001bf8693c66e10727a640fdd7d4432aba5afcb58462b98042741be971
    State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
    Message-Authenticator = 0x406f661f705976d392674ede06796d3c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh"
[ntdomain] Found realm "ISD"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "ISD"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 2 cli 00-0E-35-B6-74-AF)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 9 to 172.17.10.108 port 1033
    User-Name = "josh"
    MS-MPPE-Recv-Key = 0x9a9849388930a1ee1c9295db2e44143488cf68c70f335118b63ec9b9c8c34572
    MS-MPPE-Send-Key = 0x3e38a97b67776c1fefba416dc6256ad27eeb7983a76f666bb1ed10985fe03cd0
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 255 with timestamp +41
Cleaning up request 1 ID 0 with timestamp +41
Cleaning up request 2 ID 1 with timestamp +41
Cleaning up request 3 ID 2 with timestamp +41
Cleaning up request 4 ID 3 with timestamp +41
Cleaning up request 5 ID 4 with timestamp +41
Cleaning up request 6 ID 5 with timestamp +41
Cleaning up request 7 ID 6 with timestamp +41
Cleaning up request 8 ID 7 with timestamp +41
Cleaning up request 9 ID 8 with timestamp +41
Cleaning up request 10 ID 9 with timestamp +41
Ready to process requests.


And I think it's right because the EAP username is ISD\josh and the 
returned User-Name from the perl module is ISD\\josh. I did set 
use_tunneled_reply in eap.conf.

Any ideas?

Thanks! -Josh

Chris Li wrote:
> > Date: Mon, 23 Mar 2009 11:22:22 -0400
> > From: Josh Hiner <josh at remc1.org>
> > Subject: Help checking group membership with FreeRadius
> > To: freeradius-users at lists.freeradius.org
> > Message-ID: <200903231522.n2NFMNxv077788 at mxdrop218.xs4all.nl>
> > Content-Type: text/plain; charset=UTF-8
>
> > Currently we have a radius server that performs authentication off
> > our samba domain controller for wireless users. This works great. I
> > would like to limit users so they must be a member of the wireless
> > group in order to connect. Since the /etc/group file is on a different
> > server I believe I cannot use the etc_group module. Also, in order to
> > use that module the user must have a valid account on the radius
> > server as well.
> >
> > Any ideas on checking group membership? I use ntlm_auth in the
> > mschap module for authentication in Freeradius ver 2.1.3-1.
>
> i had a similar problem a few days ago
>
> run "getent passwd username" to see if you can get a line like:
> smith:*:100:3243::/home/smith:/usr/bin/sh
>
> if you do, '3243' is the principal group ID of the user
>
> my solution:
>
> use a perl script 'chkgrpmembership.pl'. to check the group membership 
> of the user. the script set 'Group' attribute if the user is found.
>
> 1. chkgrpmembership.pl
>
> use strict;
> use warnings;
> # This is very important! Without this the script will not get the filled
> # hashes from main.
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
>
> # %RAD_REQUEST holds the original request from radius.
> # %RAD_REPLY holds the values that will be returned to the NAS.
> # %RAD_CHECK holds the check items.
>
> #
> # This is the remapping of rlm_perl return values
> #
> use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
> use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
> use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
> use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
> use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
> use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
> use constant RLM_MODULE_NOTFOUND => 6;  # user not found
> use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
> use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
> use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are
>
> # Function to handle authorize
> sub authorize {
>     # Raw User-Name as sent by the supplicant (e.g. "ISD\josh"); the
>     # ntdomain realm module puts the bare name in Stripped-User-Name.
>     my $user = $RAD_REQUEST{'User-Name'};
>     return RLM_MODULE_INVALID unless defined $user && length $user;
>
>     # Run getent without a shell. The original qx(getent passwd $user)
>     # interpolated User-Name into a shell command line, so a crafted
>     # name such as "josh; rm -rf /" would have been executed.
>     open(my $fh, '-|', 'getent', 'passwd', $user)
>         or return RLM_MODULE_FAIL;
>     my $getentResult = <$fh>;
>     close $fh;
>
>     # user not found in AD
>     return RLM_MODULE_REJECT unless defined $getentResult;
>
>     chomp $getentResult;
>     my @resultArray = split /:/, $getentResult;
>     # Field 4 of the passwd line is the principal group ID
>     my $groupID = $resultArray[3];
>     return RLM_MODULE_REJECT unless defined $groupID && $groupID =~ /^\d+$/;
>
>     # Group ID 11184 = staff
>     # Group ID 12705 = student
>     if ($groupID == 11184) {
>         $RAD_REPLY{'Group'} = "Staff";
>     }
>     elsif ($groupID == 12705) {
>         $RAD_REPLY{'Group'} = "Student";
>     }
>     else {
>         # We only allow the Staff and Student groups
>         return RLM_MODULE_REJECT;
>     }
>     return RLM_MODULE_OK;
> }
>
>
> 2. Add the following lines to the modules section of radius.conf:
>
> perl {
>     module = /etc/freeradius/chkgrpmembership.pl
>     func_authorize = authorize
> }
>
> 3. In the Authorize section, uncomment 'files'. Then add a line containing 'perl' after it.
>
> In the Authentication section add:
>
> Auth-Type Perl {
>     perl
> }
>
> 4. If you use EAP/TLS, you need to enable use_tunneled_reply in the peap and/or ttls section of eap.conf.
>
> 5. Finally, you can add a line to the 'users' file:
>
> DEFAULT        Group != "wireless", Auth-Type := Reject
>
> (Sorry for starting a new thread, I subscribed to the "digest" version of the mailing list)
>
> Chris
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
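The group decision that Chris's chkgrpmembership.pl makes, and the users-file rule it feeds, worked through as an added shell example that is not part of this thread. It runs over constructed `getent passwd` / `getent group` output so it works offline; the user names, UIDs and the `wireless` GID are made up, only the staff/student GIDs 11184/12705 come from the script above. It shows two things a practitioner checking this setup would want: the user name never passes through a shell command line (the original `qx(getent passwd $user)` did), and membership is tested against the group's member list as well as the primary GID, which is all the Perl script looks at.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Data below is constructed.

# Stand-in for `getent passwd` on a winbind/NSS host
# (name:passwd:uid:gid:gecos:home:shell). Constructed.
PASSWD_DB='josh:*:10001:11184::/home/ISD/josh:/bin/false
mary:*:10002:12705::/home/ISD/mary:/bin/false
guest:*:10003:20000::/home/ISD/guest:/bin/false'

# Stand-in for `getent group` (name:passwd:gid:member,member). Constructed.
# josh and mary are in "wireless" only via the member list, not by primary GID.
GROUP_DB='staff:x:11184:
student:x:12705:
wireless:x:11300:josh,mary'

# strip_domain 'ISD\josh' -> josh; what the ntdomain realm module does when
# it adds Stripped-User-Name.
strip_domain() {
    printf '%s\n' "$1" | sed 's/^.*\\//'
}

# primary_gid user -> gid field of the passwd entry, empty if unknown.
# The name reaches awk as a variable, never as part of a command string,
# so a name like "josh; id" cannot inject a command.
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# in_group user group -> exit 0 if the user is a member either by primary
# GID or through the group's member list (the Perl script checks only the
# primary GID, so it would not see josh in "wireless").
in_group() {
    gid=$(primary_gid "$1")
    [ -n "$gid" ] || return 1          # unknown user: not a member
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v g="$2" -v gid="$gid" '
        $1 == g {
            if ($3 == gid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# authorize 'DOMAIN\user' -> exit 0 and print the reply item that the
# users-file rule (Group != "wireless" => Reject) keys on; exit 1 = reject.
authorize() {
    name=$(strip_domain "$1")
    in_group "$name" wireless || return 1
    printf 'Group = "wireless"\n'
}

# Demo: josh and mary are accepted, guest and a crafted name are rejected.
for u in 'ISD\josh' 'ISD\mary' 'ISD\guest' 'ISD\josh; id'; do
    if authorize "$u" >/dev/null; then
        printf '%s: accept\n' "$u"
    else
        printf '%s: reject\n' "$u"
    fi
done
```

On the real radius host the two stand-in variables would be the output of `getent passwd "$name"` and `getent group wireless` (or `id -Gn "$name"` for the full list), with the name always passed as a separate argument exactly as here.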



