Help checking group membership with FreeRadius
Chris Li
chrisyw.li at gmail.com
Thu Mar 26 17:50:11 CET 2009
> Date: Mon, 23 Mar 2009 11:22:22 -0400
> From: Josh Hiner <josh at remc1.org>
> Subject: Help checking group membership with FreeRadius
> To: freeradius-users at lists.freeradius.org
> Message-ID: <200903231522.n2NFMNxv077788 at mxdrop218.xs4all.nl>
> Content-Type: text/plain; charset=UTF-8
> Currently we have a radius server that performs authentication off our
> samba domain controller for wireless users. This works great. I would like
> to limit users so they must be a member of the wireless group in order to
> connect. Since the /etc/group file is on a different server I believe I
> cannot use the etc_group module. Also, in order to use that module the user
> must have a valid account on the radius server as well.
> Any ideas on checking group membership? I use ntlm_auth in the mschap
> module for authentication in Freeradius ver 2.1.3-1.
I had a similar problem a few days ago.
Run "getent passwd username" to see if you can get a line like:
    smith:*:100:3243::/home/smith:/usr/bin/sh
If you do, '3243' is the principal group ID of the user.
My solution:
Use a Perl script, 'chkgrpmembership.pl', to check the group membership of
the user. The script sets the 'Group' attribute if the user is found.
1. chkgrpmembership.pl
    use strict;
    use warnings;

    # This is very important! Without this the script will not get the filled
    # hashes from main.
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use Data::Dumper;

    # %RAD_REQUEST holds the original request from radius.
    # %RAD_REPLY   holds the values that will be returned to the NAS.
    # %RAD_CHECK   holds the check items.

    # This is the remapping of return values.
    use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
    use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
    use constant RLM_MODULE_OK       => 2; # the module is OK, continue
    use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop
    use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid
    use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
    use constant RLM_MODULE_NOTFOUND => 6; # user not found
    use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
    use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
    use constant RLM_MODULE_NUMCODES => 9; # how many return codes there are

    # Function to handle authorize
    sub authorize {
        my $user = $RAD_REQUEST{'User-Name'};
        return RLM_MODULE_REJECT unless defined $user && length $user;

        # Run getent through the list form of open(), so User-Name is passed
        # as a single argument and is never interpreted by a shell.
        open(my $fh, '-|', 'getent', 'passwd', $user)
            or return RLM_MODULE_FAIL;
        my $getentResult = <$fh>;
        close $fh;

        # Group ID 11184 = staff
        # Group ID 12705 = student
        if (defined $getentResult) {
            chomp $getentResult;
            my $groupID = (split /:/, $getentResult)[3];
            if (defined $groupID && $groupID == 11184) {
                $RAD_REPLY{'Group'} = "Staff";
            }
            elsif (defined $groupID && $groupID == 12705) {
                $RAD_REPLY{'Group'} = "Student";
            }
            else {
                # We only allow the Staff and Student groups
                return RLM_MODULE_REJECT;
            }
        }
        else {
            # user not found in AD
            return RLM_MODULE_REJECT;
        }
        return RLM_MODULE_OK;
    }
2. Add the following lines to the modules section of radiusd.conf:
    perl {
        module = /etc/freeradius/chkgrpmembership.pl
        func_authorize = authorize
    }
3. In the Authorize section, uncomment 'files', then add a line
containing 'perl' after it.
In the Authentication section add:
    Auth-Type Perl {
        perl
    }
4. If you use EAP/TLS, you need to enable use_tunneled_reply in the peap
and/or ttls section of eap.conf.
5. Finally, you can add a line to the 'users' file:
    DEFAULT Group != "wireless", Auth-Type := Reject
(Sorry for starting a new thread, I subscribed to the "digest" version
of the mailing list.)
Chris
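An added example, not from Chris's post or from FreeRADIUS itself, that generalizes the script above: instead of hard-coding group IDs, it resolves membership by group name through NSS with getpwnam()/getgrnam() (which, with winbind in nsswitch.conf, see the same domain users and groups as "getent"), checks both the primary and supplementary groups, and rejects directly from the authorize hook. The names user_in_group and $REQUIRED_GROUP are assumptions, and it assumes User-Name arrives in the same form NSS uses.

```perl
#!/usr/bin/perl
# Added example (not from the original post or FreeRADIUS): group check by name via NSS.
use strict;
use warnings;

# rlm_perl fills these from the request; declare them as globals.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_FAIL   => 1;  # module failed, don't reply
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

# Group wireless users must belong to (name taken from the thread; assumed).
my $REQUIRED_GROUP = 'wireless';

# Returns 1 if $user is in $group (primary or supplementary), 0 if not,
# and undef if NSS does not know the user at all.
# Assumption: User-Name has the form NSS/winbind expects (e.g. "smith" or
# "DOMAIN\smith"); strip realms or domain prefixes beforehand if it does not.
sub user_in_group {
    my ($user, $group) = @_;
    return undef unless defined $user && length $user;
    my @pw = getpwnam($user);
    return undef unless @pw;                  # unknown user
    my $primary_gid = $pw[3];

    my (undef, undef, $gid, $members) = getgrnam($group);
    return 0 unless defined $gid;             # group itself does not exist
    return 1 if $primary_gid == $gid;         # primary group matches
    # getgrnam returns supplementary members as a space-separated string
    my %member = map { $_ => 1 } split ' ', (defined $members ? $members : '');
    return $member{$user} ? 1 : 0;
}

# rlm_perl authorize hook: decide here rather than via a reply attribute.
sub authorize {
    my $in = user_in_group($RAD_REQUEST{'User-Name'}, $REQUIRED_GROUP);
    return RLM_MODULE_REJECT unless defined $in;   # user not found in AD
    return RLM_MODULE_REJECT unless $in;           # known user, not in group
    return RLM_MODULE_OK;
}

# Stand-alone check from the command line: perl thisfile.pl smith wireless
unless (caller) {
    my ($u, $g) = @ARGV;
    my $r = user_in_group($u, $g);
    print defined $r ? ($r ? "member\n" : "not a member\n") : "no such user\n";
}
```

Run it by hand against a known account first; if winbind returns names as DOMAIN\user, the group member list will use that form too, so the User-Name must match it for the supplementary check to succeed.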