A question - User Auth etc

Alan DeKok aland at deployingradius.com
Wed Jun 24 22:47:37 CEST 2020


On Jun 24, 2020, at 3:38 PM, Richard J Palmer <richard at merula.net> wrote:
> I really appreciate your help - thank you

  You're welcome.

> I'm working through this - I may have some extra questions from this - a couple of initial questions if I may?

  Questions are always good.

> Currently for users that we suspend I have a group defined and assign users to that group if they are disabled
> 
> 
> id   GroupName      Attribute  op  Value
> 219  disabledusers  Filter-Id  =   T3
> 
> Which effectively puts the sessions into a known VRF - so that part is in place. The VRF works and traffic is blackholed. This works if they enter the right username and password - the NAS and network does the rest ...

  OK...

> In this case I ideally want:
> 
> i) Users we know BUT the user has the wrong password - AND there's an '@' in the username
> or
> ii) Unknown users AND there's an '@' in the username

  That depends on exactly what "unknown user" or "wrong password" means.  You could do something like:

authorize {
	...
	sql
	if (notfound && (User-Name =~ /@/)) {
		update reply {
			Filter-Id := T3
		}
		accept
	}
	...
}

  Which does pretty much what you expect.  Then for authentication:

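Auth-Type pap {
	# The default action for "reject" is to return from the section at once,
	# so give it a priority instead; otherwise the check below never runs.
	pap {
		reject = 1
	}
	if (reject && (User-Name =~ /@/)) {
		update reply {
			Filter-Id := T3
		}
		accept
	}
}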

  Which also does pretty much what you expect.  FreeRADIUS isn't that hard in the end.  But knowing what to do depends on so many things that we just can't document every situation.  So we document how the server works, and how to put solutions together.

> The server should allow the users but.. have the same effect as being in the disabledusers group or add that attribute and set the user to get an IP from sqlippool (I already have that module set up for other users - it's just setting these users to be assigned to a specific (single) pool)

  Sure.  Since IP pools are assigned in the post-auth section, you can do this easily.  Just check for the disabled users.  At this point, it doesn't matter why they were disabled:

post-auth {
	...
	if (reply:Filter-Id == "T3") {
		sqlippool_disabled
	}
}

> I mentioned above that this should only be the case if the username has an '@' the alternative is that this only happens when the request comes from certain NAS addresses - this is because I also have some wireless hotspots etc using the radius server and I don't want this behaviour to affect them.

  Sure.

> We also have a couple of realms we proxy for another home server - that's sort of in my control... Now I could copy this onto their server - but wondered if there's any way to implement this so it covers both users authenticated locally - OR after a proxy has taken place

  v3 can't turn a proxied reject into an accept, so that's a little more difficult.

> I probably wasn't clear on logging - which was my fault - we have a portal that I created that feeds from the SQL database - radpostauth and radacct. In the ideal world I'd like there to be something I can add to the radpostauth query that flags this user has connected - BUT with the 'disabled' flag - I assume I could set a variable somewhere in the auth part and access this in the post-auth section to add to the SQL query?

  Sure.  Update the radpostauth query to include another attribute, say by editing raddb/dictionary, and defining one:

ATTRIBUTE User-Disabled 3000 string

  And edit the radpostauth query to include that:

	... %{reply:User-Disabled} ...

  Then in post-auth again:

post-auth {
	...
	if (reply:Filter-Id == "T3") {
		sqlippool_disabled
		# Same list (reply) as the %{reply:User-Disabled} expansion
		# used in the radpostauth query.
		update reply {
			User-Disabled := "disabled"
		}
	}
	...
	sql
	...
}

  And the user's status will be logged.

> My aim is to test this on a clone of one of the current servers but not *yet* used by any of the NAS's so I can send requests to it - and test until I have this correct

  Sure.  As with everything, test in small pieces.  It will work.

> IF I have got the wrong end of the stick .... please feel free to point me to the correct end ....

  Asking questions and explaining what you want is exactly the right thing to do.

  Alan DeKok.
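
The NAS restriction raised in the thread, as an added example that is not part of the original post: the same forced accept, gated on where the request came from so that the hotspot NASes keep getting a normal reject. The two addresses are constructed placeholders from the documentation range; `T3`, `sql`, `pap` and `accept` are used as in the post, and the check uses `Packet-Src-IP-Address` (the address the packet arrived from) rather than the `NAS-IP-Address` the NAS reports about itself.

```unlang
# Added example (FreeRADIUS v3 unlang), not from the original post.
# 192.0.2.10 and 192.0.2.11 are constructed placeholders for the broadband
# NASes. Hotspot NASes are not listed, so they never match the condition.

authorize {
	...
	sql
	# Unknown user, '@' in the name, and the request came from a listed NAS.
	if (notfound && (&User-Name =~ /@/) && ((&Packet-Src-IP-Address == 192.0.2.10) || (&Packet-Src-IP-Address == 192.0.2.11))) {
		update reply {
			&Filter-Id := "T3"
		}
		accept
	}
	...
}

authenticate {
	Auth-Type pap {
		# "reject" normally returns from the section immediately;
		# a priority of 1 lets processing continue to the check below.
		pap {
			reject = 1
		}
		# Known user, wrong password, '@' in the name, listed NAS.
		if (reject && (&User-Name =~ /@/) && ((&Packet-Src-IP-Address == 192.0.2.10) || (&Packet-Src-IP-Address == 192.0.2.11))) {
			update reply {
				&Filter-Id := "T3"
			}
			accept
		}
	}
}
```

With this gate in place every request that fails authentication from an unlisted NAS is still rejected, and every forced accept carries `Filter-Id := "T3"`, so the post-auth check on `reply:Filter-Id` keeps working unchanged.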
