how is it correct to use radiusCheckItem AVP?
Zeus Panchenko
zeus at ibs.dn.ua
Wed Feb 12 19:39:00 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hello,
I'm confused with my understanding of how it have to work - the AVP
radiusCheckItem
I hoped much I can use radiusCheckItem set to "Huntgroup-Name == ZyXEL"
set in client LDAP object, to check whether client belongs to the
huntgroup or not, to assign relevant profile to the client via check in
users file.
what I did:
- ---[ quotation start: users ]-------------------------------------------
# COMMUTATORS
DEFAULT Ldap-Group == comm-shell, Cisco-AVPair =* "anything", User-Profile := "cn=comm-shell,ou=profiles,ou=radius,dc=org"
Reply-Message = "%{User-Name}, you are comming as Cisco comm-shell.",
Fall-Through = no
DEFAULT Ldap-Group == comm-shell, Huntgroup-Name == ZyXEL, User-Profile := "cn=comm-shell,ou=profiles,ou=radius,dc=org"
Reply-Message = "%{User-Name}, you are comming as ZyXEL comm-shell.",
Fall-Through = no
DEFAULT Ldap-Group == comm-shell, User-Profile := "cn=comm-shell,ou=profiles,ou=radius,dc=org"
Reply-Message = "%{User-Name}, you are comming as comm-shell.",
Fall-Through = no
- ---[ quotation end ]---------------------------------------------------
- ---[ quotation start: ldap.attrmap ]-----------------------------
checkItem Huntgroup-Name radiusHuntgroupName
- ---[ quotation end ]-------------------------------------------
- ---[ quotation start: client .ldif ]-----------------------------
dn: radiusClientIdentifier=1.2.3.4,ou=clients,ou=radius,dc=org
cn: 1.2.3.4
objectclass: radiusClient
objectclass: top
objectclass: radiusprofile
radiusclientidentifier: 1.2.3.4
radiusclientsecret: testing123
radiusclientshortname: zyxel.comm.local
radiusclienttype: cisco
radiushuntgroupname: ZyXEL
- ---[ quotation end ]-------------------------------------------
- ---[ quotation start: commutators profile .ldif ]----------------
dn: cn=comm-shell,ou=profiles,ou=radius,dc=org
cn: comm-shell
objectclass: radiusprofile
objectclass: person
objectclass: top
radiuscheckitem: Huntgroup-Name == ZyXEL
radiusreplymessage: Hello, shell user.
radiusservicetype: Administrative-User
sn: comm-shell
- ---[ quotation end ]-------------------------------------------
- ---[ quotation start: commutator account .ldif ]-----------------
dn: cn=test-comm,ou=users,ou=radius,dc=org
cn: test-comm
description: Commutators shell, test user.
objectclass: radiusprofile
objectclass: person
objectclass: top
radiusgroupname: comm-shell
radiusreplyitem: cisco-avpair = "shell:priv-lvl=15"
sn: test-comm
userpassword: ***********
- ---[ quotation end ]-------------------------------------------
and here is what I have in debug:
- ---[ quotation start: debug from radiusd -XX ]-------------------
Wed Feb 12 20:10:46 2014 : Debug: - Added client 1.2.3.4 with shared secret testing123
rad_recv: Access-Request packet from host 1.2.3.4 port 1026, id=133, length=70
User-Name = "test-comm"
User-Password = "***********"
NAS-Identifier = "zyxel.comm.local"
NAS-IP-Address = 1.2.3.4
Wed Feb 12 20:10:46 2014 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Wed Feb 12 20:10:46 2014 : Info: +group authorize {
...
Wed Feb 12 20:10:46 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group comm-shell
...
Wed Feb 12 20:10:46 2014 : Debug: rlm_ldap::ldap_groupcmp: User found in group comm-shell
Wed Feb 12 20:10:46 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Feb 12 20:10:46 2014 : Info: [files] users: Matched entry DEFAULT at line 23
Wed Feb 12 20:10:46 2014 : Info: [files] expand: %{User-Name}, you are comming as comm-shell. -> test-comm, you are comming as comm-shell.
Wed Feb 12 20:10:46 2014 : Info: ++[files] = ok
...
Wed Feb 12 20:10:46 2014 : Debug: [ldap] extracted attribute Huntgroup-Name from generic item Huntgroup-Name == ZyXEL
Wed Feb 12 20:10:46 2014 : Debug: [ldap] radiusReplyMessage -> Reply-Message = "Hello, shell user."
Wed Feb 12 20:10:46 2014 : Debug: [ldap] radiusServiceType -> Service-Type = Administrative-User
Wed Feb 12 20:10:46 2014 : Info: [ldap] looking for check items in directory...
Wed Feb 12 20:10:46 2014 : Debug: [ldap] userPassword -> Cleartext-Password == "***********"
Wed Feb 12 20:10:46 2014 : Debug: [ldap] userPassword -> Password-With-Header == "***********"
Wed Feb 12 20:10:46 2014 : Info: [ldap] looking for reply items in directory...
Wed Feb 12 20:10:46 2014 : Debug: [ldap] extracted attribute Cisco-AVPair from generic item cisco-avpair = "shell:priv-lvl=15"
Wed Feb 12 20:10:46 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Feb 12 20:10:46 2014 : Info: ++[ldap] = ok
...
Sending Access-Accept of id 133 to 1.2.3.4 port 1026
Reply-Message = "Hello, shell user."
Service-Type = Administrative-User
Cisco-AVPair = "shell:priv-lvl=15"
- ---[ quotation end ]-------------------------------------------
so, how can I make the commutators requests match the second rule from
file users, not the third one? where am I wrong, please, I'm close to
give up?
- --
Zeus V. Panchenko jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
iEYEARECAAYFAlL7v8QACgkQr3jpPg/3oyoc3gCaAxLr9v4rZjiW1JdNCUjrgiXi
HlkAoI/MA1JlzHHaYrq3zzn+MEc45tsb
=i7QQ
-----END PGP SIGNATURE-----
More information about the Freeradius-Users
mailing list