Re: authorize after proxy.
Thomas Raabo - Zitcom A/S
tr at zitcom.dk
Tue Oct 16 15:44:00 CEST 2012
I did not explain it very well.
What I want to do is:
Put phone number, etc. attributes in radreply for a user.
1. Authenticate the user via RADIUS via the Microsoft NPS server
2. Run my exec authorization script to send the OTP password
3. Challenge response
4. Auth OTP
My config... this all works if the user is in SQL.
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type zotp {
                ZOTP
        }
        unix
        eap
}

authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        sql
        expiration
        logintime
        pap
        if (control:Auth-Type == 'zotp') {
                ZOTP
                if (updated) {
                        update control {
                                Response-Packet-Type := Access-Challenge
                        }
                        handled
                }
        }
}
Is there a way to do this? Get something from the proxy and something from SQL, and then auth and authorize?
Here is the output from a working user.
rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=10, length=45
User-Name = "test2"
User-Password = "test2"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
[sql] User found in group test2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> test2
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} ->
Exec-Program output: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program: returned: 9
+++[ZOTP] returns updated
+++? if (updated)
? Evaluating (updated) -> TRUE
+++? if (updated) -> TRUE
+++- entering if (updated) {...}
++++[control] returns updated
++++[handled] returns handled
+++- if (updated) returns handled
++- if (control:Auth-Type == 'zotp') returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 39099
Framed-IP-Address := 172.20.3.34
Reply-Message += "Enter SMS."
State = 0x3235313238
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 10 with timestamp +58
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=11, length=70
Framed-IP-Address = 172.20.3.34
Reply-Message = "Enter SMS."
State = 0x3235313238
User-Name = "test2"
User-Password = "3fwy7h"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'test2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test2' ORDER BY id
[sql] User found in group test2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> 3fwy7h
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
+++[ZOTP] returns ok
+++? if (updated)
? Evaluating (updated) -> FALSE
+++? if (updated) -> FALSE
++- if (control:Auth-Type == 'zotp') returns ok
Found Auth-Type = zotp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group zotp {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> 3fwy7h
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
++[ZOTP] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/default
Sending Access-Accept of id 11 to 127.0.0.1 port 39099
Framed-IP-Address := 172.20.3.34
Reply-Message := "Accepted."
Finished request 2.
Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466
_____________________________________________
tr at zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
-----Original message-----
From: freeradius-users-bounces+tr=zitcom.dk at lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk at lists.freeradius.org] On behalf of Alan DeKok
Sent: 16 October 2012 14:22
To: FreeRadius users mailing list
Subject: Re: authorize after proxy.
Thomas Raabo - Zitcom A/S wrote:
> Is it possible to do authentication and then authorization on the SQL db?
post-auth {
        ...
        sql.authorize
        ...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
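Putting Alan DeKok's answer (run the sql module's authorize method from post-auth) together with the four steps in the question, here is one way to wire it up in FreeRADIUS 2.x unlang. This is an added example, not the poster's configuration and not anything shipped by the FreeRADIUS project. The realm name nps, the NPS address and shared secret, the radcheck/radreply rows and the attribute names OTP-Secret and OTP-Mobilenumber are assumptions; the ZOTP exec module is taken to behave as the debug output shows (exit status 9, which rlm_exec maps to updated, after it has sent a code and handed back a State; exit status 0 once the code verifies), except that it is assumed to read the secret from %{control:OTP-Secret} rather than from the reply list. The points that matter for security: the OTP round trip is never proxied to NPS, the SMS is only sent after NPS has accepted the real password, the OTP secret is stored in radcheck with := so it lives in the control list and never in a reply list, and the State the script returns is the only thing tying the second Access-Request to the first (the NAS just echoes it), so the script must look the pending code up by that State and the value should be unguessable.

```unlang
# raddb/proxy.conf: NPS behind a realm called "nps" (all values assumed)
home_server nps1 {
        type   = auth
        ipaddr = 192.0.2.10           # the NPS server
        port   = 1812
        secret = change-me            # must match the RADIUS client entry on NPS
        response_window = 20
        zombie_period   = 40
        status_check    = none
}

home_server_pool nps_pool {
        type        = fail-over
        home_server = nps1
}

realm nps {
        auth_pool = nps_pool
        nostrip                       # NPS sees the user name exactly as sent
}

# raddb/sites-enabled/default: only the sections that change
authorize {
        preprocess
        suffix

        # Load the user's OTP data. Assumed rows: radcheck carries the secret
        # with ":=" (so it ends up in control:, never in a reply list) and no
        # password and no Auth-Type; radreply carries the session attributes.
        #   radcheck : 'test2', 'OTP-Secret',       ':=', '...'
        #   radreply : 'test2', 'OTP-Mobilenumber', '=',  '30913091'
        sql

        if (State) {
                # Round 2: the NAS echoed our State, so User-Password is the
                # OTP. Check it here; never forward it to NPS, where it would
                # just be a failed AD logon.
                update control {
                        Auth-Type := zotp
                }
        }
        else {
                # Round 1: the real password is verified by NPS.
                update control {
                        Proxy-To-Realm := "nps"
                }
        }
}

authenticate {
        Auth-Type zotp {
                # exec module; expands %{control:OTP-Secret}, %{reply:OTP-Mobilenumber}, %{State}
                ZOTP
        }
}

post-auth {
        # For the proxied request this runs only after NPS answered Access-Accept;
        # a reject from NPS goes to Post-Auth-Type REJECT instead, so no SMS is
        # ever sent for a wrong password.
        if (!State) {
                # Re-run the sql authorize method here (Alan DeKok's answer) so the
                # per-user attributes are in place after the proxy round trip.
                sql.authorize
                ZOTP
                if (updated) {
                        # ZOTP sent the code and returned State: turn the Accept
                        # from NPS into a challenge to the NAS.
                        update control {
                                Response-Packet-Type := Access-Challenge
                        }
                }
                else {
                        # No OTP data for this user, or sending failed: fail closed.
                        reject
                }
        }
}
```

With this layout the authorize-time Auth-Type from radcheck is no longer needed: the presence of State decides whether a request is the password round (proxied) or the OTP round (checked locally), and post-auth is the only place that can see the Accept from NPS before anything is sent back to the NAS.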