Virtual Servers, the Realms Module, and Proxying
Jacob Dawson
dawson at vt.edu
Thu Aug 4 21:39:00 CEST 2011
Our goal here is to use a variety of virtual servers in our FreeRADIUS instance to allow us to isolate handling of a variety of different sorts of users. As such, there's a fair bit of proxying going on, but much is just going to the virtual servers, and we'd like to be able to use the behavior of the realms module to make this work for us.
Unfortunately, I haven't seen any way to get some of those attributes that the Realm module inserts to continue through after being proxied, as they're 'internal' attributes and not wire attributes. I'd like for the Stripped-User-Name and Realm attributes to be available to the far side of the proxy (so I send it from the default virtual server to, say, the generic_realm virtual server), so that it can make decisions based on that information. I obviously can't use the realms module for parsing again in the first layer of virtual server, as I'll just end up creating a loopback on itself, but at the same time, I'd like to avoid having to do all that parsing and thinking in unlang. Since there seems to be some special config for virtual servers, is there any way to achieve this behavior (not stripping the 'internal' attributes when proxying to virtual servers) without a patch? It seems to be consistent with the idea behind virtual servers, but I may be misinterpreting it.
Thoughts? I feel like we're trying a little too hard to get what we want, here, but I'm not seeing how to do it the 'right' way.
Jacob M. Dawson
Network Research Engineer
Virginia Tech
---
For context:
I have an arbitrary number of FreeRADIUS servers providing my AAA service. I have an arbitrary number of NASs all talking to the FreeRADIUS servers, and they all provide the same suite of services to all possible users, so I can't do this proxying based on what client it comes in on (like this page suggests: http://freeradius.org/features/virtual_servers.html).
My realm module is short and sweet:
realm suffix {
format = suffix
delimiter = "@"
ignore_null = yes
}
realm prefix {
format = prefix
delimiter = "\\"
}
I have the following virtual servers linked in sites-enabled:
ad.vt.edu
default
ed.vt.edu
generic-realm
proxy-inner-tunnel
ad.vt.edu is to handle our Domain users
ed.vt.edu is to handle folks authenticating against our Enterprise Directory
default is, of course, where they come in to start with
generic-realm is intended to handle people who come in with SOME non-vt realm. Could be guests (authenticated against our AAA-related database, access via the sql module), could be eduroam folks.
proxy-inner-tunnel is used largely by the ad.vt.edu module to handle proxying the MS-CHAPv2 part of PEAP to our IAS machines.
default is simple:
authorize {
update request{
User-Name := "%{tolower:%{User-Name}}"
}
preprocess
auth_log
chap
mschap
perl
suffix
prefix
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
ldap
eap
}
<other stanzas don't seem relevant>
In proxy, we defined these home_servers:
home_server ed.vt.edu {
type = auth
ipaddr = 127.0.0.1
port = 1816
secret = <redacted>
}
home_server ad.vt.edu {
type = auth
ipaddr = 127.0.0.1
port = 1815
secret = <redacted>
}
home_server generic_realm {
type = auth
ipaddr = 127.0.0.1
port = 1817
secret = <redacted>
}
home_server_pool ad_virtual_pool {
home_server = ad.vt.edu
}
home_server_pool ed_virtual_pool {
home_server = ed.vt.edu
}
home_server_pool generic_virtual_pool {
home_server = generic_realm
}
realm "~HOKIES" {
auth_pool = ad_virtual_pool
nostrip
}
realm "DomainUser" {
auth_pool = HOKIES_authen
nostrip
}
realm "~.*w2k\\.vt\\.edu$" {
auth_pool = ad_virtual_pool
nostrip
}
realm "~vt.edu$" {
auth_pool = ed_virtual_pool
}
realm LOCAL {
}
realm NULL {
auth_pool = ed_virtual_pool
}
realm DEFAULT {
auth_pool = generic_virtual_pool
}
Our virtual servers then start off like this, and then include the usual appropriate stanzas:
listen {
ipaddr = 127.0.0.1
port = 1815
type = auth
}
client 127.0.0.1 {
secret = <redacted>
}
More information about the Freeradius-Users
mailing list