Setting ntlm_auth parameters depending on NAS-IP-Address
Antoine Benkemoun
antoine.benkemoun at nexthink.com
Wed May 7 15:17:26 CEST 2014
Thank you for your help.
I am now able to start freeradius with the conditional.
The ntlm_auth command is now the following (closing quote restored; the original line was missing it):
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{request:NTLM-Group-Required}"
The conditional is now the following:
if ("%{request:NAS-IP-Address}" == "172.16.2.254") {
    update request {
        NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
    }
}
elsif ("%{request:NAS-IP-Address}" == "172.16.0.200") {
    update request {
        NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459"
    }
}
else {
    update request {
        NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
    }
}
According to the logs, the if gets evaluated correctly.
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 6: Preceding "if" was taken
++ ... skipping else for request 6: Preceding "if" was taken
The problem is that the variable is not expanded in the mschap module as shown in the following logs.
[mschap] expand: %{mschap:Challenge} -> c056dfa8e298aaaa
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=c056dfa8e298aaaa
[mschap] expand: %{mschap:NT-Response} -> 13fc04face0302e96a75eba82ecaaaaaaaaaaa
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=13fc04face0302e96a75eba82ecaaaaaaaaaaa
[mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of=
What am I doing incorrectly?
Thanks in advance,
Antoine
________________________________________
From: freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org> on behalf of Phil Mayers <p.mayers at imperial.ac.uk>
Sent: Wednesday, May 7, 2014 12:05 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Setting ntlm_auth parameters depending on NAS-IP-Address
On 07/05/14 10:03, Antoine Benkemoun wrote:
> Thank you for your answer and sorry for overlooking this.
>
> The syntax that I have added to <RADIUS_ETC_DIR>/sites-enabled/default is the following:
>
> if (NAS-IP-Address == 172.16.2.254) {
> ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
> }
> if (NAS-IP-Address == 172.16.0.200) {
> ntlm_group_membership = "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1459"
> }
This is completely wrong. See "man unlang".
You will need to:
1. Define a local attribute in raddb/dictionary
2. Use the correct syntax, i.e.
if (...) {
    update request {
        NTLM-Group-Required := "..."
    }
}
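An added example, not part of the thread and not FreeRADIUS code: a small log audit that reads one request's debug output (the line formats are taken from the lines quoted above, FreeRADIUS 2.x style) and reports which NAS-IP-Address branch was taken and what value actually reached ntlm_auth in --require-membership-of. The point for an operator is that an empty expansion means the group restriction the policy intends is not what ntlm_auth was handed, which is worth catching in a test run before the policy is trusted. The two embedded log samples are constructed; the numeric SID in the "good" sample is made up.

```python
import re

# Constructed sample, modelled on the debug lines quoted in the thread:
# the conditional matches, but the mschap expansion comes out empty.
LOG_EMPTY_GROUP = """\
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=c056dfa8e298aaaa
[mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of=
"""

# Constructed "good" run with a made-up SID, to show the populated case.
LOG_OK = """\
expand: %{request:NAS-IP-Address} -> 172.16.0.200
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> FALSE
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.0.200") -> TRUE
[mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of=S-1-5-21-2281471460-111111111-222222222-1459
"""

# Line shapes assumed from the thread's debug output.
NAS_IP_RE = re.compile(r"expand: %\{request:NAS-IP-Address\} -> (\S+)")
EVAL_RE = re.compile(
    r'\? Evaluating \("%\{request:NAS-IP-Address\}" == "([^"]+)"\) -> (TRUE|FALSE)'
)
MEMBERSHIP_RE = re.compile(
    r"\[mschap\] expand: --require-membership-of=\S+ -> --require-membership-of=(\S*)$"
)
# Domain group SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def audit_ntlm_auth_run(log_text):
    """Summarise one request's debug output.

    Returns the NAS-IP-Address seen, the condition that evaluated TRUE (if any),
    the value passed to --require-membership-of, and a list of issues found.
    """
    nas_ip = None
    matched_condition = None
    group_sid = None  # None = never expanded, "" = expanded to empty

    for line in log_text.splitlines():
        m = NAS_IP_RE.search(line)
        if m:
            nas_ip = m.group(1)
        m = EVAL_RE.search(line)
        if m and m.group(2) == "TRUE":
            matched_condition = m.group(1)
        m = MEMBERSHIP_RE.search(line)
        if m:
            group_sid = m.group(1)

    issues = []
    if nas_ip is None:
        issues.append("NAS-IP-Address was never expanded; the conditional did not run")
    if group_sid is None:
        issues.append("mschap never expanded --require-membership-of; check the ntlm_auth line")
    elif group_sid == "":
        issues.append(
            "--require-membership-of expanded to an empty string: the request carried "
            "no NTLM-Group-Required value when mschap ran"
        )
    elif not SID_RE.match(group_sid):
        issues.append(f"--require-membership-of value {group_sid!r} is not a well-formed domain group SID")

    return {
        "nas_ip": nas_ip,
        "matched_condition": matched_condition,
        "group_sid": group_sid,
        "issues": issues,
    }


if __name__ == "__main__":
    for name, sample in (("empty-group run", LOG_EMPTY_GROUP), ("good run", LOG_OK)):
        result = audit_ntlm_auth_run(sample)
        print(f"{name}: NAS {result['nas_ip']} matched {result['matched_condition']!r}, "
              f"group SID {result['group_sid']!r}")
        for issue in result["issues"]:
            print("  ISSUE:", issue)
```

Feed it the debug output of a single `radiusd -X` run per NAS; the SID check also catches placeholder values such as the "mmmmmm-nnnnnnnnn" form used in the thread, which would otherwise be passed to ntlm_auth verbatim.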
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html