How best to map users to domain name for login
yani at ecoco.co.uk
Thu Aug 24 19:06:31 CEST 2017
On 24/08/17 17:53, yani at ecoco.co.uk wrote:
>
> On 24/08/17 17:23, Alan DeKok wrote:
>
>> On Aug 24, 2017, at 10:24 AM, yani at ecoco.co.uk wrote:
>>> radiusd -v
>>> radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
>>> built on Jan 17 2017 at 18:49:55
>> I would suggest using 3.0.15. It has a lot of fixes over 3.0.4.
>>
>>> I want to be able to authenticate users to my email service and manage
>>> them according to the domain they belong to, so fred@domaina.com is not
>>> the same as fred@domainb.com. But in both cases the first part is the
>>> login user name within the domain.
>> That's a pretty common requirement.
> Yep
>>
>>> I have looked at freeradius virtual servers -
>> Virtual servers are largely for separating functionality. i.e.
>> WiFi rules in one virtual server, DSL rules in another, and VPN rules
>> in a third virtual server.
>>
>>> and have considered
>>> using FreeRADIUS realms. I don't see how either is actually the way
>>> forward - it seems
>>> that virtual servers will need a database system creating for every
>>> instance (am I actually correct here)
>> No.
> Good, I suspected I was wrong, but needed confirmation.
>>
>>> and that realms are really for
>>> forwarding requests to other free radius servers - when all i need at
>>> the moment is a single server handling multiple domain based login
>>> groups.
>> Realms are often used for forwarding, but they don't need to be.
>>
>>> I understand from the documentation that I can create a local realm
>>> like this
>>>
>>> realm domaina.com {
>>>     type = radius
>>>     authhost = LOCAL
>>>     accthost = LOCAL
>>> }
>> Yes.
>>
>>> I suspect I'm on the right track here - but haven't figured out how to
>>> create users in the database/system that reflect this
>>>
>>> Please advise on the most appropriate way of configuring
>>> freeradius to achieve logins for multiple internet domains.
>> The bigger question is where are the users stored right now? What
>> kind of database contains the name / password for each user? What is
>> the schema used there?
>>
>> Once you know that, you just configure FreeRADIUS to query the
>> database. It should be about 10 minutes work.
>>
>> I wouldn't suggest creating users via the default SQL schema.
>> That's largely for ISP functionality, and will likely not work well
>> for you.
>>
>> For enterprises we just recommend that FreeRADIUS look at the
>> existing enterprise DB.
>>
>> i.e. you don't mangle your data to make FreeRADIUS happy. That's a
>> lot of work. Instead, you configure 1-2 simple queries in
>> FreeRADIUS, so that it pulls the correct information from your
>> existing database. That's *much* easier.
>>
>> Alan DeKok.
>
>
> Thank you for the quick reply, I'm just a newbie with FreeRADIUS,
> trying to understand its modus operandi :)
> I have come to the conclusion that I will need to modify the schema and
> change the way in which the db is queried after seeing the output below
> for a test user in the test domain domaina.com.
>
>
> I'm using a MySQL back end at the moment, and this system is not live -
> still in development. (I've wanted to get radius working for years and
> only just found the time.)
>
> I suppose it's really only adding a realm field to the
> radius.radcheckdb and using that in the subsequent queries, something
> like:
>
> EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE
> username = '%{SQL-User-Name}' and realm = {whatever_realm_is } ORDER
> BY id
>
> If this is what you mean by mangling the data then I'm still missing
> something - i.e. how best to relate users to realms/domains.
>
Just noticed the usergroup table and radgroupcheck table - probably useful!
>
>
>
> Received Access-Request Id 25 from 10.64.4.111:36127 to 10.64.3.44:1812
> length 86
> User-Name = 'yani@domaina.com'
> User-Password = 'poppl'
> NAS-IP-Address = 127.0.1.1
> NAS-Port = 0
> Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
> (11) Received Access-Request packet from host 10.64.4.111 port 36127,
> id=25, length=86
> (11) User-Name = 'yani@domaina.com'
> (11) User-Password = 'poppl'
> (11) NAS-IP-Address = 127.0.1.1
> (11) NAS-Port = 0
> (11) Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
> (11) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (11) authorize {
> (11) filter_username filter_username {
> (11) if (!&User-Name)
> (11) if (!&User-Name) -> FALSE
> (11) if (&User-Name =~ / /)
> (11) if (&User-Name =~ / /) -> FALSE
> (11) if (&User-Name =~ /@.*@/ )
> (11) if (&User-Name =~ /@.*@/ ) -> FALSE
> (11) if (&User-Name =~ /\\.\\./ )
> (11) if (&User-Name =~ /\\.\\./ ) -> FALSE
> (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> -> FALSE
> (11) if (&User-Name =~ /\\.$/)
> (11) if (&User-Name =~ /\\.$/) -> FALSE
> (11) if (&User-Name =~ /@\\./)
> (11) if (&User-Name =~ /@\\./) -> FALSE
> (11) } # filter_username filter_username = notfound
> (11) [preprocess] = ok
> (11) [chap] = noop
> (11) [mschap] = noop
> (11) [digest] = noop
> (11) suffix : Checking for suffix after "@"
> (11) suffix : Looking up realm "domaina.com" for User-Name = "yani@domaina.com"
> (11) suffix : Found realm "domaina.com"
> (11) suffix : Adding Stripped-User-Name = "yani"
> (11) suffix : Adding Realm = "domaina.com"
> (11) suffix : Authentication realm is LOCAL
> (11) [suffix] = ok
> (11) eap : No EAP-Message, not doing EAP
> (11) [eap] = noop
> (11) [files] = noop
> (11) sql : EXPAND %{User-Name}
> (11) sql : --> yani@domaina.com
> (11) sql : SQL-User-Name set to 'yani@domaina.com'
> rlm_sql (sql): Reserved connection (7)
> (11) sql : EXPAND SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (11) sql : --> SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = 'yani@domaina.com' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
> op FROM radcheck WHERE username = 'yani@domaina.com' ORDER BY id'
> (11) sql : User found in radcheck table
> (11) sql : Check items matched
> (11) sql : EXPAND SELECT id, username, attribute, value, op FROM
> radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (11) sql : --> SELECT id, username, attribute, value, op FROM
> radreply WHERE username = 'yani@domaina.com' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
> op FROM radreply WHERE username = 'yani@domaina.com' ORDER BY id'
> (11) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
> (11) sql : --> SELECT groupname FROM radusergroup WHERE username =
> 'yani@domaina.com' ORDER BY priority
> rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
> WHERE username = 'yani@domaina.com' ORDER BY priority'
> (11) sql : User not found in any groups
> rlm_sql (sql): Released connection (7)
> rlm_sql (sql): 0 of 3 connections in use. Need more spares
> rlm_sql (sql): Opening additional connection (8)
> rlm_sql_mysql: Starting connect to MySQL server
> (11) [sql] = ok
> (11) [expiration] = noop
> (11) [logintime] = noop
> (11) [pap] = updated
> (11) } # authorize = updated
> (11) Found Auth-Type = PAP
> (11) # Executing group from file /etc/raddb/sites-enabled/default
> (11) Auth-Type PAP {
> (11) pap : Login attempt with password
> (11) pap : User authenticated successfully
> (11) [pap] = ok
> (11) } # Auth-Type PAP = ok
> (11) # Executing section post-auth from file
> /etc/raddb/sites-enabled/default
> (11) post-auth {
> (11) sql : EXPAND .query
> (11) sql : --> .query
> (11) sql : Using query template 'query'
> rlm_sql (sql): Reserved connection (8)
> (11) sql : EXPAND %{User-Name}
> (11) sql : --> yani@domaina.com
> (11) sql : SQL-User-Name set to 'yani@domaina.com'
> (11) sql : EXPAND INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( '%{SQL-User-Name}',
> '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (11) sql : --> INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( 'yani@domaina.com', 'poppl', 'Access-Accept',
> '2017-08-24 17:23:57')
> rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
> pass, reply, authdate) VALUES ( 'yani@domaina.com', 'poppl',
> 'Access-Accept', '2017-08-24 17:23:57')'
> rlm_sql (sql): Released connection (8)
> (11) [sql] = ok
> (11) [exec] = noop
> (11) remove_reply_message_if_eap remove_reply_message_if_eap {
> (11) if (&reply:EAP-Message && &reply:Reply-Message)
> (11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (11) else else {
> (11) [noop] = noop
> (11) } # else else = noop
> (11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (11) } # post-auth = ok
> (11) Sending Access-Accept packet to host 10.64.4.111 port 36127, id=25,
> length=0
> Sending Access-Accept Id 25 from 10.64.3.44:1812 to 10.64.4.111:36127
> (11) Finished request
>
>
>
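The debug output above shows the stock radcheck query keyed on the full SQL-User-Name ('yani@domaina.com'), while the suffix module has already split the name into Stripped-User-Name "yani" and Realm "domaina.com". The following is an added example, not FreeRADIUS code and not the poster's own, that models the realm-aware lookup the thread is working towards: an in-memory SQLite stand-in for the MySQL radcheck table with the proposed extra realm column, a split function that mimics what rlm_realm 'suffix' does in the log, and the two query strings as they would appear on the FreeRADIUS side. The realm list, sample rows and passwords are constructed; the use of %{Stripped-User-Name} and %{Realm} in the second query relies on those two attributes being added by 'suffix', exactly as the log shows.

```python
"""Realm-aware lookup against a radcheck-style table.

Added example, not FreeRADIUS or the poster's own code. It models the two
lookup strategies the thread discusses against an in-memory SQLite stand-in
for the MySQL radcheck table (columns from the log: id, username, attribute,
value, op) plus the 'realm' column the poster proposes adding. The realm
split mimics what the log shows rlm_realm 'suffix' doing: User-Name
"yani@domaina.com" becomes Stripped-User-Name "yani" and Realm "domaina.com".
"""
import sqlite3

# Locally handled realms, standing in for the 'realm domaina.com { ... }'
# blocks in proxy.conf (constructed list).
LOCAL_REALMS = {"domaina.com", "domainb.com"}

# Constructed sample data: the same login name exists in two domains with
# different passwords, which is exactly the case the poster wants to separate.
SAMPLE_RADCHECK = [
    ("fred", "domaina.com", "Cleartext-Password", ":=", "secretA"),
    ("fred", "domainb.com", "Cleartext-Password", ":=", "secretB"),
    ("yani", "domaina.com", "Cleartext-Password", ":=", "poppl"),
]

# What the two FreeRADIUS-side queries look like. The first is the stock
# authorize_check_query seen in the log; the second is the realm-aware form,
# using the Stripped-User-Name and Realm attributes that 'suffix' adds.
STOCK_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '%{SQL-User-Name}' ORDER BY id"
)
REALM_CHECK_QUERY = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '%{Stripped-User-Name}' AND realm = '%{Realm}' ORDER BY id"
)


def split_realm(user_name, realms=LOCAL_REALMS):
    """Mimic rlm_realm 'suffix': split 'user@realm' at the last '@'.

    Returns (stripped_user_name, realm). When there is no '@' or the realm is
    not one we handle, the module would return noop and leave User-Name alone,
    so the name comes back unchanged with realm None.
    """
    if "@" not in user_name:
        return user_name, None
    stripped, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    if not stripped or realm not in realms:
        return user_name, None
    return stripped, realm


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radcheck (
               id INTEGER PRIMARY KEY AUTOINCREMENT,
               username  TEXT NOT NULL,
               realm     TEXT NOT NULL,   -- the added column
               attribute TEXT NOT NULL,
               op        TEXT NOT NULL,
               value     TEXT NOT NULL)"""
    )
    conn.executemany(
        "INSERT INTO radcheck (username, realm, attribute, op, value) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_RADCHECK,
    )
    return conn


def check_items(conn, user_name):
    """Realm-aware equivalent of REALM_CHECK_QUERY.

    Returns the (attribute, op, value) check items for the user in its realm,
    or an empty list when the realm is unknown (no row can match). Bound
    parameters are used here instead of string expansion; in FreeRADIUS the
    sql module escapes the expanded values itself.
    """
    stripped, realm = split_realm(user_name)
    if realm is None:
        return []
    rows = conn.execute(
        "SELECT attribute, op, value FROM radcheck "
        "WHERE username = ? AND realm = ? ORDER BY id",
        (stripped, realm),
    )
    return rows.fetchall()


def find_password(conn, user_name):
    """Return the stored Cleartext-Password check item, or None if not found."""
    for attribute, _op, value in check_items(conn, user_name):
        if attribute == "Cleartext-Password":
            return value
    return None


if __name__ == "__main__":
    db = open_db()
    for name in ("fred@domaina.com", "fred@domainb.com", "fred", "yani@domaina.com"):
        print(name, "->", split_realm(name), find_password(db, name))
```

With the realm column, fred@domaina.com and fred@domainb.com resolve to different rows even though both log in as "fred", and a name with no recognised realm matches nothing rather than falling through to some other domain's row. One further point visible in the same debug output: the stock post-auth query writes the cleartext User-Password ('poppl') into radpostauth, which is worth changing before this system goes live.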