How to configure freeradius server to authenticate VSA attribute
Jibin Han
J.Han at F5.com
Mon Mar 12 01:38:26 CET 2018
Thanks for the reply.
Here are some examples of our VSA attributes:
Type Length Vendor-Id Vendor-type Vendor-length Value
Attr1 26 <length> 3456 100 <len> foo
Attr2 26 <length> 3456 200 <len> bar
The goal is we can configure Freeradius server so that in addition to user/password check:
- server reads all the VSA;
- for any VSA whose Vendor-Id is 3456,
- when Vendor-type is "100", the value must be "foo"; "200", "bar".
- If all above checks are good, sends back accept message; otherwise reject message.
Our RADIUS client inserts the above to the access request message, currently freeradius debug output does not mention these attributes. I need to somehow configure the server and hence ask the question.
I am also updating the system to use later version freeradius.
-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: Saturday, March 10, 2018 3:50 AM
To: Jibin Han <J.Han at F5.com>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: How to configure freeradius server to authenticate VSA attribute
EXTERNAL MAIL: aland at deployingradius.com
On Mar 10, 2018, at 1:13 AM, Jibin Han via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I am using freeradius v2.1.12
You should really use 2.2.10 at least.
> on Ubuntu 16.04, I need to configure it so that it will authenticate the incoming RADIUS messages based on their Vendor Specific Attributes. I looked over freeradius.org, it is not clear how to do that, hence ask people in this group.
>
> Here are the details -
>
> 1. We have an in-house developed RADIUS client software which creates a RADIUS access request message and sends to freeradius server.
> 2. The configuration of freeradius server is ready: when the client message has the right user/password, we can receive accept message; otherwise reject message. The authentication is PAP.
> 3. Now we insert VSA attribute: the code is 26, the vendor id is our vendor's ID and the custom name and value.
> 4. Our goal is, make freeradius server authenticate not only user/password, but also this VSA - when an invalid name/value are put into VSA, freeradius sends reject message.
You don't "authenticate" the VSA. You just check it's value.
> I check out dictionary, but that seems just some name mapping, I do not think it authenticate attributes.
The dictionary defines attributes. The configuration files tell the server how to process packets.
> Could you point me the direction how this could be done and preferably with some examples?
How about giving *us* some examples? What do these attributes look like? What do you want to compare them with?
Hint: debug output is infinitely better than vague descriptions.
> I can upgrade to freeradius v3 if it is required.
You can probably do it in v2. You jut need to *describe* what you want to do.
Alan DeKok.
More information about the Freeradius-Users
mailing list