Conditionally passing custom attributes
Chad Lensert
Chad.Lensert at cdw.com
Tue May 15 22:19:53 CEST 2012
freeradius-server-utils-2.1.1-7.7.19.77
freeradius-server-libs-2.1.1-7.7.19.77
freeradius-server-2.1.1-7.10.1
Greetings all. I am trying to pass a list of custom attributes based on the information in the radius request. Originally, I tried matching on NAS-IP-Address as noted below, but it looks like I can also match on Client-IP-Address, which I would prefer. The issue I am having is that I don't see radius matching the right entry in the users file and returning specific custom attributes. I can't determine why it is choosing the last user entry in the users file.
Here is an example of the users file. I expect the information from the request to match the first entry for user "chad".
####################################################
DEFAULT Auth-Type=Pam
        Service-Type = NAS-Prompt-User,
        cisco-avpair +="shell:priv-lvl=2",
        cisco-avpair :="shell:roles*network-operator",
        Fall-Through = 1
...
#put customer user attributes here!
chad NAS-IP-Address == "1.2.3.4"
        cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
        cisco-avpair += "NCS:role0=Root"
chad NAS-IP-Address == "2.3.4.5"
        cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
        cisco-avpair += "NCS:role0=Root"
chad
        Service-Type := Administrative-User,
        cisco-avpair := "shell:priv-lvl=15",
        cisco-avpair := "shell:roles*network-admin"
####################################################
The debug from radius shows that the NAS-IP-Address in the first user entry matches the initial request. I also tried to match on Client-IP-Address, but the debugs always show radius matching on the last user entry and sending different attributes.
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 19721, id=31, length=62
        NAS-IP-Address = 1.2.3.4
        Service-Type = Login-User
        NAS-Port-Type = Virtual
        User-Name = "chad"
        User-Password = "0123456789"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <chad>
++[pam] returns ok
Login OK: [chad/0123456789] (from client lensert port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 31 to x.x.x.x port 19721
        Service-Type := Administrative-User
        Cisco-AVPair := "shell:roles*network-admin"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 9296, id=104, length=68
        User-Name = "chad"
        User-Password = "0123456789"
        NAS-IP-Address = 2.3.4.5
        Message-Authenticator = 0xb346bbcf6f763e4e9e32c2f4ddc657b9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <chad>. Reason: Permission denied
++[pam] returns reject
Failed to authenticate the user.
Login incorrect: [chad/0123456789] (from client lensert port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> chad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 104 to x.x.x.x port 9296
Finished request 1.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 55546, id=31, length=62
        NAS-IP-Address = 1.2.3.4
        Service-Type = Login-User
        NAS-Port-Type = Virtual
        User-Name = "chad"
        User-Password = "0123456789"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <chad>. Reason: Permission denied
++[pam] returns reject
Failed to authenticate the user.
Login incorrect: [chad/0123456789] (from client lensert port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> chad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 31 to x.x.x.x port 55546
Finished request 2.
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 0 ID 31 with timestamp +30
Waking up in 2.2 seconds.
Cleaning up request 1 ID 104 with timestamp +32
Waking up in 2.3 seconds.
Cleaning up request 2 ID 31 with timestamp +35
Ready to process requests.
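The model below is an added example; it is not code from the post and not FreeRADIUS code. It implements the users file evaluation rules as the users(5) man page describes them, so the operator behaviour of the posted file can be exercised offline: an entry starts in column 0 with a user name (or DEFAULT) followed by check items, the indented lines that follow are reply items, entries are tried in file order and the first match ends the search unless that entry sets Fall-Through; for reply items `=` adds an attribute only when none exists, `:=` replaces every existing instance and `+=` appends one more. It assumes the reply lines of the posted file were indented (the format requires it, and the leading whitespace was most likely lost in the mail archive). It also models the distinction the poster asks about: NAS-IP-Address is whatever the NAS wrote into the Access-Request, whereas Client-IP-Address is an internal attribute that the server fills from the datagram's source address, which has to belong to a client in clients.conf, so the NAS cannot choose it. Two things the model shows: when no conditional entry matches, DEFAULT plus the last chad entry yield exactly the two attributes in the Access-Accept above, because the second `cisco-avpair :=` in that entry discards the `shell:priv-lvl=15` set on the line before it (the `:=` in DEFAULT discards `shell:priv-lvl=2` the same way); and if the 1.2.3.4 entry did match, its NCS: pairs would simply be appended after the DEFAULT reply items. The model does not explain why the running server skipped the two conditional entries; the sample requests are constructed for the test.

```python
"""Model of how FreeRADIUS' rlm_files walks the users file (added example, not
FreeRADIUS code): entries are tried in file order, the first match ends the search
unless it sets Fall-Through; reply operators are '=' (add if absent), ':=' (replace
every instance) and '+=' (append)."""
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]                      # (attribute lower-cased, operator, value)
Entry = Tuple[int, str, List[Item], List[Item]]  # (file line, name, check items, reply items)

# The users file from the post; reply lines indented as the format requires
# (assumption: the leading whitespace was lost in the mail archive).
USERS_FILE = """\
DEFAULT Auth-Type = Pam
    Service-Type = NAS-Prompt-User,
    cisco-avpair += "shell:priv-lvl=2",
    cisco-avpair := "shell:roles*network-operator",
    Fall-Through = 1
chad NAS-IP-Address == "1.2.3.4"
    cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
    cisco-avpair += "NCS:role0=Root"
chad NAS-IP-Address == "2.3.4.5"
    cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
    cisco-avpair += "NCS:role0=Root"
chad
    Service-Type := Administrative-User,
    cisco-avpair := "shell:priv-lvl=15",
    cisco-avpair := "shell:roles*network-admin"
"""

ITEM_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(==|!=|:=|\+=|=)\s*(?:"([^"]*)"|(\S+))\s*$')
SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')   # commas outside double quotes

def parse_items(text: str) -> List[Item]:
    items: List[Item] = []
    for raw in SPLIT_RE.split(text):
        if not raw.strip():
            continue                                       # trailing comma on a reply line
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError("cannot parse item %r" % raw)
        attr, op, quoted, bare = m.groups()
        items.append((attr.lower(), op, quoted if quoted is not None else bare))
    return items

def parse_users(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                              # continuation: reply items
            entries[-1][3].extend(parse_items(line))
        else:                                              # new entry: name + check items
            parts = line.split(None, 1)
            entries.append((lineno, parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []))
    return entries

def build_request(packet: Dict[str, str], source_ip: str) -> Dict[str, str]:
    # NAS-IP-Address is whatever the NAS put in the packet. Client-IP-Address is
    # internal: the server fills it from the datagram's source address (which must
    # belong to a clients.conf entry), overriding anything the packet claims.
    request = {k.lower(): v for k, v in packet.items()}
    request["client-ip-address"] = source_ip
    return request

def checks_match(checks: List[Item], request: Dict[str, str]) -> bool:
    for attr, op, value in checks:
        if op == "==" and request.get(attr) != value:
            return False
        if op == "!=" and request.get(attr) == value:
            return False
    return True                        # '=' and ':=' on the first line are control items

def apply_reply(reply: List[Tuple[str, str]], attr: str, op: str, value: str) -> None:
    existing = [i for i, (a, _) in enumerate(reply) if a == attr]
    if op == "+=" or (op in ("=", ":=") and not existing):
        reply.append((attr, value))
    elif op == ":=":                   # replace the first instance, drop the others
        reply[existing[0]] = (attr, value)
        for i in reversed(existing[1:]):
            del reply[i]
    elif op != "=":
        raise ValueError("unsupported reply operator " + op)

def evaluate(entries: List[Entry], request: Dict[str, str]):
    """Return (file lines of the matched entries, control items, reply items)."""
    matched, control, reply = [], {}, []
    for line, name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("user-name")) or not checks_match(checks, request):
            continue
        matched.append(line)
        for attr, op, value in checks:                     # e.g. Auth-Type = Pam
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "fall-through":
                fall_through = value.lower() in ("1", "yes")
            else:
                apply_reply(reply, attr, op, value)
        if not fall_through:
            break
    return matched, control, reply

if __name__ == "__main__":
    for nas_ip in ("1.2.3.4", "9.9.9.9"):
        req = build_request({"User-Name": "chad", "NAS-IP-Address": nas_ip}, nas_ip)
        print(nas_ip, evaluate(parse_users(USERS_FILE), req))
```

The spoofing case is the reason to prefer Client-IP-Address: `build_request` takes the source address separately from the packet attributes, and a packet that claims NAS-IP-Address 1.2.3.4 but arrives from 2.3.4.5 selects the 1.2.3.4 entry when the file tests NAS-IP-Address and the 2.3.4.5 entry when the same file tests Client-IP-Address. The model only handles `==` and `!=` checks; the real module also accepts regular expressions and the other comparison operators.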