Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users
Fajar A. Nugraha
list at fajar.net
Thu Sep 5 07:04:10 CEST 2019
On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <vladlevin at geo-logic.com> wrote:
>
> Hi Fajar,
>
> Just to be clear: the user accounts and groups already exist in Synology's local database.
Does freeradius get the same information from that database?
> My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router). Here's what I did (working config files are located in /usr/local/synoradius/):
> 1. Created /usr/local/synoradius/groups file with the following content:
> update reply {
>     Class := "%{Group}"
> }
Have you determined that %{Group} actually contains the correct group?
> The client log reads "charon: Localdb:authorization failed as group is NULL".
>
> Below is the server log:
> Type Date & Time Event
> 2019-09-04 18:59:06 Info Ready to process requests
> 2019-09-04 18:59:06 Debug (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01 Debug Waking up in 4.9 seconds.
> 2019-09-04 18:59:01 Debug (0) Finished request
> 2019-09-04 18:59:01 Debug (0) Class := 0x
Looking at this, it seems that %{Group} is expanded to null.

Where did Synology define the group? If it's part of a Unix group, then
reading http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-tp2781054p2781071.html
, it does not store group membership in the 'Group' attribute. You might
be able to use something like
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/etc_group
, but it might or might not work depending on what's in your
/etc/group.

If your users/groups are stored in SQL, then it's a different
story. You might be able to get group membership using a custom SQL
query.

In any case, you can see what attributes you can use (for update
reply) in debug mode using debug_all: https://serverfault.com/a/845161
--
Fajar
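
A lookup keyed on the member list of a group file only finds users named in the fourth field of a group entry; a user who holds a group only through the primary GID in the passwd file is not named there. The script below is an added example, not part of the original message or of FreeRADIUS; its sample data is constructed and its function names are hypothetical. It reports both cases for /etc/group-format text.

```python
# Added example: which groups does an /etc/group-format file record for a user?
# All sample data below is constructed; function names are hypothetical.
SAMPLE_GROUP = """\
administrators:x:101:admin,alice
users:x:100:
vpn-staff:x:65536:alice,bob
# a comment line
malformed-line
"""
SAMPLE_PASSWD = """\
alice:x:1026:100::/var/services/homes/alice:/sbin/nologin
bob:x:1027:100::/var/services/homes/bob:/sbin/nologin
carol:x:1028:100::/var/services/homes/carol:/sbin/nologin
"""


def parse_group(text):
    """Return {name: (gid, members)}; skip blank, comment and malformed lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 4 or not fields[2].isdigit():
            continue
        members = [m.strip() for m in fields[3].split(",") if m.strip()]
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def primary_gid(passwd_text, user):
    """Return the numeric primary GID from passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user and fields[3].isdigit():
            return int(fields[3])
    return None


def group_report(group_text, passwd_text, user):
    """Separate groups that list the user from groups held only via primary GID."""
    groups = parse_group(group_text)
    gid = primary_gid(passwd_text, user)
    listed = sorted(n for n, (_, m) in groups.items() if user in m)
    primary_only = sorted(n for n, (g, m) in groups.items() if g == gid and user not in m)
    return {"listed": listed, "primary_only": primary_only}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        # An empty "listed" means a member-list lookup has no group name to return.
        print(name, group_report(SAMPLE_GROUP, SAMPLE_PASSWD, name))
```

To check a real system, pass the contents of its own group and passwd files to group_report() in place of the constructed samples.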