Multi-tenancy setup
Ilavajuthy Palanisamy
ilavajuthy at gmail.com
Thu Nov 6 23:15:17 CET 2014
Hello All,
As suggested in earlier replies, I have modified the SQL query and the
schema. We are trying to use NAS-Identifier to segregate the customers.
However, I am running into an issue when trying to authenticate a user using
PEAP MSCHAP.
While sending the tunneled request, it does not contain the NAS-Identifier.
Is it possible to send the NAS-Identifier in the tunneled request?
I am using FreeRADIUS version 2.1.12.
Please let me know if there is something wrong with my config.
FreeRADIUS LOG (I have removed many log output lines to reduce the size of
the mail)
--------------------------------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=154,
length=226
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025a000c0172616474657374
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xb9bfc73c2e480450d46170ae43dc7721
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 90 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid =
'%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND
nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 154 to 192.168.1.62 port 32953
EAP-Message = 0x015b00160410c29fa2a1e7b48d23a6e801c718e9f7a7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b7000d519bfcf3bbcabb4eb013
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=77,
length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025b00060319
State = 0x005655b7000d519bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x9815cb4c5cca3bcebc15d622c5f9e0f9
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 91 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid =
'%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = 'radtest' AND nasgroup.nasid = 'CN3BD321SM' AND
nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radreply WHERE Username = 'radtest'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 77 to 192.168.1.62 port 32953
EAP-Message = 0x015c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b7010a4c9bfcf3bbcabb4eb013
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=213,
length=440
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message =
0x025c00d01980000000c616030100c1010000bd0301545bede983c64b84e5579021f2c8c1bba854b49152249d40e262132606fb4d13000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011
State = 0x005655b7010a4c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x1981daace80a8b50b267b588801fa7c6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 92 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=247,
length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025d00061900
State = 0x005655b7020b4c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0x3194e87ace606247da24d510ebdbb259
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 93 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 94 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=3,
length=238
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message = 0x025f00061900
State = 0x005655b704094c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xf14dd2f6c72a4c3ceb5375a80413b223
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 95 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.62 port 32953
EAP-Message =
0x0160002b190017030100206f520d286e0a8531cad4f96f3d16ff71290206fbd472476c97983544bf77ce37
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x005655b705364c9bfcf3bbcabb4eb013
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.62 port 32953, id=137,
length=312
Acct-Session-Id = "eaea9572-00000065"
NAS-Port = 95
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "CN3BD321SM"
NAS-IP-Address = 192.168.1.62
Framed-MTU = 1496
User-Name = "radtest"
Calling-Station-Id = "F0-25-B7-48-08-2C"
Called-Station-Id = "A0-D3-C1-AB-71-62"
Service-Type = Framed-User
EAP-Message =
0x0260005019001703010020be7393b22523f27ba53a2a90ae5022b7e6ac7a1733cbb1d10ea97dc3871c60001703010020e0e4b12bd1ad0ad1918c19eb36449ea6e0a94e322f9aeacee86bf5db4613e7e1
State = 0x005655b705364c9bfcf3bbcabb4eb013
Colubris-AVPair = "ssid=tenant"
Colubris-AVPair = "phytype=IEEE802dot11 "
Colubris-Attr-250 = 0x00000000
Colubris-Attr-249 = 0x00000000
Message-Authenticator = 0xd3c41c6be1d9c598f08c4b289f092589
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 96 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - radtest
[peap] Got inner identity 'radtest'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0260000c0172616474657374
server {
[peap] Setting User-Name to radtest
Sending tunneled request
EAP-Message = 0x0260000c0172616474657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radtest"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "radtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 96 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> radtest
[sql] sql_set_user escaped user --> 'radtest'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = '%{SQL-User-Name}' AND nasgroup.nasid =
'%{NAS-Identifier}' AND nasgroup.groupname = radcheck.Groupname ORDER
BY radcheck.id -> SELECT radcheck.id, radcheck.UserName,
radcheck.Attribute, radcheck.Value, radcheck.Op FROM radcheck, nasgroup
WHERE Username = 'radtest' AND nasgroup.nasid = '' AND
nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='radtest' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 1
[sql] User radtest not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
----------------------------------------------------------------------------------------------------------------------------------------
Database schema changes -
----------------------------------------
A new table has been added called "nasgroup" and the radcheck table has
been modified to include an extra column called groupname -
radiusdb=# select * from nasgroup;
id | groupname | nasid
----+-----------+------------
1 | test | CN3BD321SM
3 | temp | XYZABDG
radiusdb=# select * from radcheck;
id | username | attribute | op | value | groupname
----+----------+--------------------+----+---------+-----------
1 | radtest | Cleartext-Password | := | radtest | test
2 | radtest | Cleartext-Password | := | radtest | temp
Dialup.conf
---------------
"authorize_check_query" has been modified but "authorize_reply_query" has
not been changed.
authorize_check_query = "SELECT ${authcheck_table}.id, \
        ${authcheck_table}.UserName, ${authcheck_table}.Attribute, \
        ${authcheck_table}.Value, ${authcheck_table}.Op \
        FROM ${authcheck_table}, nasgroup \
        WHERE Username = '%{SQL-User-Name}' \
        AND nasgroup.nasid = '%{NAS-Identifier}' \
        AND nasgroup.groupname = ${authcheck_table}.Groupname \
        ORDER BY radcheck.id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
        FROM radreply \
        WHERE Username = '%{SQL-User-Name}' \
        ORDER BY id"
Thanks,
Ila.
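Added example, not from the post or from FreeRADIUS itself: a small Python emulation of the 2.x %{...} expansion, run over attribute sets constructed from the debug log above, reproducing why the inner-tunnel check query got nasgroup.nasid = '' (0 rows) while the outer request got 1 row. It assumes the 2.x %{outer.request:Attr} reference and the %{%{A}:-default} fallback syntax as the alternative query value (FIXED_NASID); the in-memory tables are the two from the post.

```python
import re

# Attribute sets constructed from the debug log above: the outer
# Access-Request and the request PEAP handed to server inner-tunnel.
OUTER_REQUEST = {"User-Name": "radtest", "NAS-Identifier": "CN3BD321SM"}
INNER_REQUEST = {"User-Name": "radtest", "FreeRADIUS-Proxied-To": "127.0.0.1"}

# The post's tables: (id, groupname, nasid) and
# (id, username, attribute, op, value, groupname).
NASGROUP = [(1, "test", "CN3BD321SM"), (3, "temp", "XYZABDG")]
RADCHECK = [(1, "radtest", "Cleartext-Password", ":=", "radtest", "test"),
            (2, "radtest", "Cleartext-Password", ":=", "radtest", "temp")]

ORIGINAL_NASID = "%{NAS-Identifier}"
# Assumed alternative (not from the post): the outer request's attribute when
# there is an outer request, else the request's own (non-tunneled auth).
FIXED_NASID = "%{%{outer.request:NAS-Identifier}:-%{NAS-Identifier}}"
QUERY = ("SELECT radcheck.id FROM radcheck, nasgroup WHERE Username = "
         "'%{SQL-User-Name}' AND nasgroup.nasid = 'NASID' "
         "AND nasgroup.groupname = radcheck.Groupname ORDER BY radcheck.id")

def _closing_brace(s, i):
    """Index of the '}' matching the '{' at s[i]."""
    depth = 0
    for j in range(i, len(s)):
        depth += {"{": 1, "}": -1}.get(s[j], 0)
        if depth == 0:
            return j
    raise ValueError("unbalanced braces in xlat string")

def xlat(template, request, outer=None):
    """Expand %{Attr}, %{outer.request:Attr} and %{%{A}:-default}."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        j = _closing_brace(template, i + 1)
        body, i = template[i + 2:j], j + 1
        if body.startswith("%{"):                  # %{A}:-default form
            k = _closing_brace(body, 1)
            if body[k + 1:k + 3] != ":-":
                raise ValueError("expected ':-' after %{...}")
            out.append(xlat(body[:k + 1], request, outer) or xlat(body[k + 3:], request, outer))
        elif body.startswith("outer.request:"):    # attribute of the outer request
            out.append((outer or {}).get(body[len("outer.request:"):], ""))
        elif body == "SQL-User-Name":              # stands in for rlm_sql's escaping
            out.append(request.get("User-Name", "").replace("'", "''"))
        else:                                      # missing attribute expands to ''
            out.append(request.get(body, ""))
    return "".join(out)

def tenant_rows(nasid_xlat, request, outer=None):
    """Expand the check query and evaluate its join over the tables above."""
    query = xlat(QUERY.replace("NASID", nasid_xlat), request, outer)
    user, nasid = re.search(r"Username = '([^']*)' AND nasgroup\.nasid = '([^']*)'", query).groups()
    groups = {g for _, g, n in NASGROUP if n == nasid}
    return [row for row in RADCHECK if row[1] == user and row[5] in groups]
```

tenant_rows(ORIGINAL_NASID, INNER_REQUEST, OUTER_REQUEST) returns no rows, matching the "affected rows = 0" in the inner-tunnel log, while the FIXED_NASID form returns the row for the "test" group from both the tunneled and the non-tunneled request.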
On Mon, Oct 27, 2014 at 4:36 PM, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
> Hi,
>
> One method that I used in the past is to create a virtual server per
> 'tenant' and then use the 'main' server to proxy to the correct virtual
> server based on the attributes in the requests.
>
> kind regards
> Pshem
>
>
> On 28 October 2014 07:09, Ilavajuthy Palanisamy <ilavajuthy at gmail.com>
> wrote:
>
>> Hi All,
>>
>> We are hosting an application in the cloud which is managing multiple
>> customers.
>> Customers will be authenticated using the FreeRADIUS server.
>> We are planning to use user authentication through the
>> database (PostgreSQL).
>> I have configured the radcheck table and am able to perform user
>> authentication successfully.
>>
>> In order to support multiple customers, what are all the options/designs
>> available in FreeRADIUS?
>>
>> One option we are thinking of is to modify the schema to introduce a
>> customer-id and modify the sql module to support the new schema. If this is
>> possible, please provide pointers on achieving this.
>>
>> If there are other options available, please provide pointers.
>>
>> Thanks,
>> Ila.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>