Which attribute-name is needed for group-filtering?

Stefan Kuegler freeradius at kuegler.org
Mon Apr 28 15:32:27 CEST 2014


Hello all.

I have a short question.

I want to use multiotp as an authentication module in FreeRADIUS on a 
Debian Wheezy system.
multiotp itself works properly. The authentication works as expected.

But now the question:
I want to filter the different users into groups using the "users" file of 
FreeRADIUS, for example:

DEFAULT Auth-type = multiotp, Group-Name := "allowed-users"
         Reply-Message = "Your multiotp-account has been enabled."

DEFAULT Auth-type = multiotp, Group-Name := "forbidden-users"
         Reply-Message = "Your multiotp-account has been disabled."


We are quite free to set an attribute name in multiotp, but I don't 
know which attribute name I have to set.

I tested with different attribute names (like "Group-Name" in the 
example above). But nothing works. I only get the reply message "Your 
multiotp-account has been enabled", every time, even if the user is a 
member of the group "allowed-users" or "forbidden-users".

These are the last lines of the debug output. The user is a member of the 
group "forbidden-users":

[...]
rad_recv: Access-Request packet from host 127.0.0.1 port 46615, id=111, 
length=77
	User-Name = "testuser"
	User-Password = "1234740472"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0xdff73ff20f7d54045b999eae4cc891be
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++- entering policy multiotp.authorize {...}
+++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
+++? if (!control:Auth-Type) -> FALSE
++- policy multiotp.authorize returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = multiotp
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group multiotp {...}
[multiotp] 	expand: %{User-Name} -> testuser
[multiotp] 	expand: %{User-Password} -> 1234740472
[multiotp] 	expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
[multiotp] 	expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
[multiotp] 	expand: -chap-password=%{CHAP-Password} -> -chap-password=
[multiotp] 	expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> 
-ms-chap-challenge=
[multiotp] 	expand: -ms-chap-response=%{MS-CHAP-Response} -> 
-ms-chap-response=
[multiotp] 	expand: -ms-chap2-response=%{MS-CHAP2-Response} -> 
-ms-chap2-response=
Exec-Program output: Group-Name = "forbidden-users"
Exec-Program-Wait: value-pairs: Group-Name = "forbidden-users"
Exec-Program: returned: 0
++[multiotp] returns ok
Login OK: [testuser] (from client localhost port 0)
# Executing section post-auth from file 
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 111 to 127.0.0.1 port 46615
	Class = 0x656e61626c6564
	Reply-Message = "Your multiotp-account has been enabled."
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.


So, I think I am using the wrong attribute keyword. Can anybody tell me 
which keyword I have to use?

Regards,
Stefan
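Added illustration (not part of the original post, and not multiotp's or FreeRADIUS's own configuration): the debug output above shows the order of events that makes the posted "users" entries match too early. The files module is run in the authorize section ("users: Matched entry DEFAULT at line 58") before the multiotp module runs in authenticate, and Group-Name only appears afterwards, as a reply item added by Exec-Program-Wait ("value-pairs: Group-Name = "forbidden-users""). A check item in authorize therefore cannot see that attribute, and the first DEFAULT entry wins every time. One place where the returned value can be tested is the post-auth section of /etc/freeradius/sites-enabled/default, using unlang. The group names and reply messages below are the ones from the post; the example assumes multiotp returns Group-Name exactly as the debug output shows, and that the existing post-auth section contains only the "exec" call seen in the debug output.

```unlang
# Added example, not from the original post: decide on the Group-Name that the
# multiotp exec returned, in the post-auth section of
# /etc/freeradius/sites-enabled/default, i.e. after authentication has run.
post-auth {
    # Exec-Program-Wait placed Group-Name into the reply list (see the
    # "value-pairs: Group-Name = ..." line in the debug output).
    if (reply:Group-Name == "forbidden-users") {
        update reply {
            Reply-Message := "Your multiotp-account has been disabled."
        }
        # Turn the Access-Accept into an Access-Reject for this group.
        reject
    }
    elsif (reply:Group-Name == "allowed-users") {
        update reply {
            Reply-Message := "Your multiotp-account has been enabled."
        }
    }
    else {
        # No known group returned: fail closed instead of accepting by default.
        update reply {
            Reply-Message := "No valid multiotp group assigned."
        }
        reject
    }

    # The module call already present in the original post-auth section.
    exec
}
```

With this in place the "users" file only needs a single DEFAULT entry that sets Auth-Type := multiotp; the per-group reply messages move to post-auth. Running the server again with freeradius -X should show post-auth entering the matching "if" branch and, for a "forbidden-users" member, "Sending Access-Reject" instead of the Access-Accept seen above.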