Help checking group membership with FreeRadius
Josh Hiner
josh at remc1.org
Thu Apr 2 23:24:42 CEST 2009
Chris Li, thanks a ton for your help. I can get this working for EAP-TLS,
but with EAP-PEAPv0 I get this error:
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server {
PEAP: Setting User-Name to ISD\josh
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ISD\\josh"
State = 0xa686dd06a78cc76c35334009429a07b1
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh"
[ntdomain] Found realm "ISD"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "ISD"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "josh"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "josh"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 8 to 172.17.10.108 port 1033
EAP-Message = 0x010b00261900170301001b3604d13d0348525fc0da7fb57847a2e3e7c0995ef64dc26d03e5f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1033, id=9, length=223
User-Name = "ISD\\josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:83:b9"
NAS-Port = 2
Called-Station-Id = "00-1F-41-3A-83-B9:CCISD-REMC1"
Calling-Station-Id = "00-0E-35-B6-74-AF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020b00261900170301001bf8693c66e10727a640fdd7d4432aba5afcb58462b98042741be971
State = 0x18eefc7e11e5e513bc32a3648b8a8dfe
Message-Authenticator = 0x406f661f705976d392674ede06796d3c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "ISD\josh", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "ISD\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "ISD" for User-Name = "ISD\josh"
[ntdomain] Found realm "ISD"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "ISD"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 2 cli 00-0E-35-B6-74-AF)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 9 to 172.17.10.108 port 1033
User-Name = "josh"
MS-MPPE-Recv-Key = 0x9a9849388930a1ee1c9295db2e44143488cf68c70f335118b63ec9b9c8c34572
MS-MPPE-Send-Key = 0x3e38a97b67776c1fefba416dc6256ad27eeb7983a76f666bb1ed10985fe03cd0
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 255 with timestamp +41
Cleaning up request 1 ID 0 with timestamp +41
Cleaning up request 2 ID 1 with timestamp +41
Cleaning up request 3 ID 2 with timestamp +41
Cleaning up request 4 ID 3 with timestamp +41
Cleaning up request 5 ID 4 with timestamp +41
Cleaning up request 6 ID 5 with timestamp +41
Cleaning up request 7 ID 6 with timestamp +41
Cleaning up request 8 ID 7 with timestamp +41
Cleaning up request 9 ID 8 with timestamp +41
Cleaning up request 10 ID 9 with timestamp +41
Ready to process requests.
And I think it's right because the EAP username is ISD\josh and the
returned User-Name from the perl module is ISD\\josh. I did set
use_tunneled_reply in eap.conf.
Any ideas?
Thanks! -Josh
Chris Li wrote:
> > Date: Mon, 23 Mar 2009 11:22:22 -0400
> > From: Josh Hiner <josh at remc1.org>
> > Subject: Help checking group membership with FreeRadius
> > To: freeradius-users at lists.freeradius.org
> > Message-ID: <200903231522.n2NFMNxv077788 at mxdrop218.xs4all.nl>
> > Content-Type: text/plain; charset=UTF-8
>
> > Currently we have a radius server that performs authentication off
> our samba domain controller for wireless users. This works great. I
> would like to limit users so they must be a member of the wireless
> group in order to connect. Since the /etc/group file is on a different
> server I believe I cannot use the etc_group module. Also, in order to
> use that module the user must have a valid account on the radius
> server as well.
>
> > Any ideas on checking group membership? I use ntlm_auth in the
> mschap module for authentication in Freeradius ver 2.1.3-1.
>
> I had a similar problem a few days ago.
>
> Run "getent passwd username" to see if you can get a line like:
> smith:*:100:3243::/home/smith:/usr/bin/sh
>
> If you do, '3243' is the principal group ID of the user.
>
> My solution:
>
> Use a Perl script, 'chkgrpmembership.pl', to check the group membership
> of the user. The script sets the 'Group' attribute if the user is found.
>
> 1. chkgrpmembership.pl
>
> use strict;
> use warnings;
>
> # This is very important! Without this the script will not get the filled
> # hashes from main.
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
> use Data::Dumper;
>
> # %RAD_REQUEST holds the original request from radius.
> # %RAD_REPLY is where you add values that will be returned to the NAS.
> # %RAD_CHECK is for check items.
>
> #
> # This is the remapping of return values
> #
> use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
> use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
> use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
> use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
> use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
> use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
> use constant RLM_MODULE_NOTFOUND => 6;  # user not found
> use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
> use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
> use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are
>
> # Function to handle authorize
> sub authorize {
>     my $user = $RAD_REQUEST{'User-Name'};
>     return RLM_MODULE_REJECT unless defined $user && length $user;
>
>     # Run getent without a shell (list form of open) so a crafted
>     # User-Name cannot inject shell commands.
>     open(my $fh, '-|', 'getent', 'passwd', $user) or return RLM_MODULE_FAIL;
>     my $getentResult = <$fh>;
>     close($fh);
>
>     # Group ID 11184 = staff
>     # Group ID 12705 = student
>     if (defined $getentResult) {
>         chomp $getentResult;
>         my @resultArray = split ':', $getentResult;   # name:passwd:uid:gid:...
>         my $groupID = $resultArray[3];
>         if ($groupID == 11184) {
>             $RAD_REPLY{'Group'} = "Staff";
>         }
>         elsif ($groupID == 12705) {
>             $RAD_REPLY{'Group'} = "Student";
>         }
>         else {
>             # We only allow the Staff and Student groups
>             return RLM_MODULE_REJECT;
>         }
>     }
>     else {
>         # user not found in AD
>         return RLM_MODULE_REJECT;
>     }
>     return RLM_MODULE_OK;
> }
>
>
> 2. Add the following lines to the modules section of radiusd.conf:
> perl {
>     module = /etc/freeradius/chkgrpmembership.pl
>     func_authorize = authorize
> }
> 3. In the authorize section, uncomment 'files'. Then add a line containing 'perl' after it.
>
>
> In the authenticate section add
>
> Auth-Type Perl {
>     perl
> }
>
> 4. If you use EAP/TLS, you need to enable use_tunneled_reply in eap.conf (peap and/or ttls section).
> 5. Finally, you can add a line to the 'users' file:
> DEFAULT Group != "wireless", Auth-Type := Reject
>
> (Sorry for starting a new thread, i subscribed to the "digest" version of the mailing
> list)
>
> Chris
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
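Editor's added example, not code from Josh or Chris Li. Two things in the debug output above are worth acting on: the outer authorize stops right after eap (L "++[eap] returns ok" is followed directly by "Found Auth-Type = EAP"), and the inner-tunnel authorize list (chap, mschap, unix, IPASS, suffix, ntdomain, control, eap, files, expiration, logintime, pap) contains no perl entry at all, so with PEAP the script is never called. The inner tunnel also already carries Stripped-User-Name = "josh" next to User-Name = "ISD\josh". The script below is an rlm_perl authorize() that (a) is meant to be listed in the inner-tunnel virtual server's authorize section as well as the default one, (b) uses the C library's NSS lookups (getpwnam/getgrnam, the same path "getent" takes, so winbind is consulted) rather than interpolating User-Name into a shell command, (c) accepts membership by primary GID or by the group's member list, and (d) tries the stripped name first and the full domain-qualified name second, because which form NSS knows depends on winbind's smb.conf settings. The group name "wireless" and the NOTFOUND/REJECT choices are assumptions.

```perl
# Added example (not the thread's code): rlm_perl authorize() that gates
# access on membership of one group, looked up through NSS, no shell.
use strict;
use warnings;

# rlm_perl fills these hashes from the request before calling authorize().
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes (same numbering as the script quoted above).
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_UPDATED  => 8;

# Assumption: the group that permits wireless access is called "wireless".
my $REQUIRED_GROUP = 'wireless';

# Returns 1 if $user belongs to $group (primary GID or listed member),
# 0 if not, undef if NSS does not know the user or the group.
sub user_in_group {
    my ($user, $group) = @_;
    my @pw = getpwnam($user);                  # (name, passwd, uid, gid, ...)
    return undef unless @pw;
    my (undef, undef, $gid, $members) = getgrnam($group);
    return undef unless defined $gid;
    return 1 if $pw[3] == $gid;                # primary group
    return 1 if grep { $_ eq $user } split ' ', $members;   # supplementary
    return 0;
}

sub authorize {
    # Inside the tunnel ntdomain/suffix have split "ISD\josh" into
    # Stripped-User-Name = "josh"; depending on winbind's configuration NSS
    # may know the account as "josh" or as "ISD\josh", so try both forms.
    my @candidates = grep { defined $_ && length $_ }
        ($RAD_REQUEST{'Stripped-User-Name'}, $RAD_REQUEST{'User-Name'});
    return RLM_MODULE_NOTFOUND unless @candidates;

    my $member;
    for my $name (@candidates) {
        $member = user_in_group($name, $REQUIRED_GROUP);
        last if defined $member;
    }

    if (!defined $member) {
        # Neither name form resolved: winbind is down or the user does not exist.
        return RLM_MODULE_NOTFOUND;
    }
    if (!$member) {
        $RAD_REPLY{'Reply-Message'} = "not a member of $REQUIRED_GROUP";
        return RLM_MODULE_REJECT;
    }
    # Member: nothing to add, let the rest of authorize/authenticate run.
    return RLM_MODULE_OK;
}
```

Wire it up as in Chris's step 2 (a perl { } block naming this file and func_authorize = authorize in radiusd.conf), then add `perl` after `files` in the authorize section of both sites-enabled/default and sites-enabled/inner-tunnel; the inner-tunnel entry is the one that actually runs for PEAP and TTLS. With the module doing the reject itself, the users-file DEFAULT line is no longer needed. One further check before committing to a script at all: the unix module, which the inner-tunnel log shows is loaded, implements the Group comparison used by the users file through these same NSS calls, so once "getent passwd" works through winbind on the RADIUS host it is worth testing `DEFAULT Group != "wireless", Auth-Type := Reject` in the inner-tunnel's users file on its own.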