Which attribute-name is needed for group-filtering?

Stefan Kuegler freeradius at kuegler.org
Wed Apr 30 10:24:08 CEST 2014


Hello.


Does nobody have an idea?

Possibly I am on the wrong track. Is it possible to filter groups
depending on the attribute name?

Best Regards,
Stefan

> I have a short question.
>
> I want to use multiotp as an authentication module in freeradius on a
> Debian Wheezy system.
> multiotp itself works properly. The authentication works as expected.
>
> But now the question:
> I want to filter the different users into groups using the "users" file of
> freeradius, for example:
>
> DEFAULT Auth-type = multiotp, Group-Name := "allowed-users"
>          Reply-Message = "Your multiotp-account has been enabled."
>
> DEFAULT Auth-type = multiotp, Group-Name := "forbidden-users"
>          Reply-Message = "Your multiotp-account has been disabled."
>
>
> We are very free to set an attribute name in multiotp, but I don't
> know which attribute name I have to set.
>
> I tested with different attribute names (like "Group-Name" in the
> example above). But nothing works. I only get the reply message "Your
> multiotp-account has been enabled" every time, whether the user is a
> member of the group "allowed-users" or "forbidden-users".
>
> These are the last lines of the debug output. The user is a member of the
> group "forbidden-users":
>
> [...]
> rad_recv: Access-Request packet from host 127.0.0.1 port 46615, id=111,
> length=77
>      User-Name = "testuser"
>      User-Password = "1234740472"
>      NAS-IP-Address = 127.0.1.1
>      NAS-Port = 0
>      Message-Authenticator = 0xdff73ff20f7d54045b999eae4cc891be
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "testuser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 58
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++- entering policy multiotp.authorize {...}
> +++? if (!control:Auth-Type)
> ? Evaluating !(control:Auth-Type) -> FALSE
> +++? if (!control:Auth-Type) -> FALSE
> ++- policy multiotp.authorize returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = multiotp
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group multiotp {...}
> [multiotp]     expand: %{User-Name} -> testuser
> [multiotp]     expand: %{User-Password} -> 1234740472
> [multiotp]     expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
> [multiotp]     expand: -chap-challenge=%{CHAP-Challenge} ->
> -chap-challenge=
> [multiotp]     expand: -chap-password=%{CHAP-Password} -> -chap-password=
> [multiotp]     expand: -ms-chap-challenge=%{MS-CHAP-Challenge} ->
> -ms-chap-challenge=
> [multiotp]     expand: -ms-chap-response=%{MS-CHAP-Response} ->
> -ms-chap-response=
> [multiotp]     expand: -ms-chap2-response=%{MS-CHAP2-Response} ->
> -ms-chap2-response=
> Exec-Program output: Group-Name = "forbidden-users"
> Exec-Program-Wait: value-pairs: Group-Name = "forbidden-users"
> Exec-Program: returned: 0
> ++[multiotp] returns ok
> Login OK: [testuser] (from client localhost port 0)
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 111 to 127.0.0.1 port 46615
>      Class = 0x656e61626c6564
>      Reply-Message = "Your multiotp-account has been enabled."
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
>
>
> So, I think I am using the wrong attribute keyword. Can anybody tell me
> which keyword I have to use?
>
> Regards,
> Stefan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
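
The two DEFAULT entries from the quoted message, worked through as an added example (not code from the thread, from multiotp or from FreeRADIUS): a small Python model of how rlm_files evaluates check items, following the operator rules in users(5), where `:=` always matches as a check item and only `==` compares. It shows why both entries behave like the first one ("enabled" for everyone, a fail-open result), and why the second entry is unreachable anyway in the quoted debug output: `[files]` runs in authorize, before multiotp hands back `Group-Name` via Exec-Program-Wait in authenticate. The request dicts are constructed from the attributes visible in the quoted log.

```python
# Added example (not from the thread): a small model of how rlm_files evaluates
# the check items of a "users" entry. Operator semantics follow users(5):
# "==" must compare equal, while ":=" (and "=" on server attributes such as
# Auth-Type) always matches and merely sets a control value.
import re
from typing import Dict, List, Optional

ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=)\s*"?(.*?)"?\s*$')

def parse_entry(first_line: str, reply_lines: List[str]) -> dict:
    """Parse 'NAME check, check, ...' plus the indented reply-item lines."""
    name, _, checks = first_line.partition(" ")
    check = [ITEM_RE.match(c).groups() for c in checks.split(",") if c.strip()]
    reply = dict(ITEM_RE.match(r).group(1, 3) for r in reply_lines)
    return {"name": name, "check": check, "reply": reply}

def match_entry(entry: dict, request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the control items a matching entry sets, or None if a check fails."""
    control: Dict[str, str] = {}
    for attr, op, value in entry["check"]:
        if op == "==":
            if request.get(attr) != value:
                return None  # only a comparison operator can reject the entry
        elif op == ":=" or attr not in control:
            control[attr] = value  # ":=" and "=" set a value and always match
    return control

def reply_message(entries: List[dict], request: Dict[str, str]) -> Optional[str]:
    """First matching entry wins (no Fall-Through, as in the quoted users file)."""
    for entry in entries:
        if match_entry(entry, request) is not None:
            return entry["reply"]["Reply-Message"]
    return None

# The two DEFAULT entries exactly as quoted in the thread, plus a constructed
# variant that uses a real comparison operator in the Group-Name check item.
POSTED = [
    ('DEFAULT Auth-type = multiotp, Group-Name := "allowed-users"',
     ['Reply-Message = "Your multiotp-account has been enabled."']),
    ('DEFAULT Auth-type = multiotp, Group-Name := "forbidden-users"',
     ['Reply-Message = "Your multiotp-account has been disabled."']),
]
AS_POSTED = [parse_entry(first, reply) for first, reply in POSTED]
WITH_COMPARE = [parse_entry(first.replace(":=", "=="), reply) for first, reply in POSTED]

# What [files] could see in the authorize section of the quoted debug output:
# Group-Name is not there yet; it only appears later from Exec-Program-Wait.
AUTHORIZE_REQUEST = {"User-Name": "testuser", "User-Password": "1234740472"}
FORBIDDEN = {**AUTHORIZE_REQUEST, "Group-Name": "forbidden-users"}  # constructed
```

With the entries as posted, `reply_message` returns the "enabled" text for both request dicts; with `==`, the constructed `FORBIDDEN` request reaches the "disabled" entry, and the bare authorize-time request matches nothing at all, because the attribute is not present yet.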

