On Thu, 6 Jan 2005, James Feger wrote:

Okay,
So I am a newbie with just enough knowledge to know this should work, and have spent a few hours reading all the different cool things RADIUS does for me. However, I can't get it to do what we need, and I am sure it's lack of experience. I have read the various FAQs and help files, but I must still be missing something.

1. Problem:
       We are using RADIUS to authenticate logins to routers. Not for PPP, dialup, etc., but for command line authentication for network engineers or admins. We are using more than one vendor, which means the attributes sent back to the NAS device are different.

2. What works so far:
       I have been able to create a basic users file and authenticate logins for my different vendor equipment. Logins work flawlessly, but using "freeradius -X" I notice the server is sending all attributes, even if they aren't for that vendor. This was expected, based on how I set the thing up:

USER    Auth-Type = System
       Juniper-Local-User-Name = READ_ONLY,
       Riverstone-User-Level = 15

3. What I did differently to keep that from happening. I created a huntgroup called BB that had a list of IPs for all the Junipers. So when I logged in to one of those devices the first entry in the users file was used. If I logged into a device not in the huntgroup list the second entry in the users file was used. This works....but it is sloppy, yes? :)

USER    Huntgroup-Name == BB, Auth-Type = System
       Juniper-Local-User-Name = READ_ONLY,

USER    Auth-Type = System
       Riverstone-User-Level = 15


4. So how am I really supposed to make this work? :) I have been told to use realms, but everything I see makes it look like you have to put @<something> in the username. Is this true? If so, that defeats the purpose of one username.


Okay, so this is all working now, using MySQL as the grouping/user account DB. Many thanks go to Dustin Doris for all of his work. He pretty much created the solution and gave it to me to test in my environment. I will post his solution, and my variation of it, which I picked because it seemed easier to maintain in our small shop.


1. The Goal, as stated above, is to have the freeradius server reply with only the attributes the NAS vendor cares about, while allowing the users to have one login, and not rely on multiple realms. This was achieved with grouping.

I will post Dustin's solution, which worked flawlessly, and then I will post my solution, which works, but is less reliant on the User-Profile settings.

----------- <Begin Dustin's solution> ---------------------

Ok, here is what I did. You'll have to modify it a bit to match your setup, but this is the basics.

I setup 2 users in radcheck.  These will be my actual users.

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | test1    | user-password | == | test1 |
|  2 | test2    | user-password | == | test2 |
+----+----------+---------------+----+-------+

I setup 4 users in usergroup. The first two put my actual users into a group. The other 2 are User-Profile users. They don't exist in radcheck, they are just there for reply attributes.

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | test1    | test1     |
|  2 | test2    | test2     |
|  3 | profile1 | profile1  |
|  4 | profile2 | profile2  |
+----+----------+-----------+

I setup two entries in groupradreply. These entries are for my User-Profile users. These will tell freeradius what reply values to send back for those user-profile users.

mysql> select * from radgroupreply;
+----+-----------+--------------+----+----------------+------+
| id | GroupName | Attribute    | op | Value          | prio |
+----+-----------+--------------+----+----------------+------+
|  1 | profile1  | Cisco-AVPair | =  | profile 1 user |    0 |
|  2 | profile2  | Cisco-AVPair | =  | profile 2 user |    0 |
+----+-----------+--------------+----+----------------+------+

Now, in the users file I setup my checks and assign a user-profile based on it. These don't include huntgroups for easy testing, but show you what to do. If the user that comes in is in test1 group, assign the reply values for the profile1 user. If it comes in and is part of test2, assign the profile2 user reply values. **NOTE, that it ended up being Sql-Group, not just Group.

DEFAULT Sql-Group == "test1", User-Profile := "profile1"

DEFAULT Sql-Group == "test2", User-Profile := "profile2"


Now, I send my packets over with radclient.

# radclient localhost auth testing123
user-name = test1
user-password = test1
Received response ID 110, code 2, length = 42
         Cisco-AVPair = "profile 1 user"


# radclient localhost auth testing123
user-name = test2
user-password = test2
Received response ID 111, code 2, length = 42
         Cisco-AVPair = "profile 2 user"

See how I sent in the test1 user and it checked with SQL to see if it was in the group (sql-group) of test1. It was, so it used the := operator to say use the groupreply attributes of the profile1 user. Then it looked in usergroup for profile1 user. It found profile1 user was attached to profile1 group. It then looked in groupradreply for the groupname of profile1 and returned the attributes.


The same thing on the second one. This time, I had the user-name of test2. It wasn't in the group1 group, so it fell through and then tried the next line in the users file. It matched there, so it then went through the same process.

That should do it for you. Just modify the sql tables with your setup and add huntgroups to the users file. Once you get it working, please do everyone a favor and post your config similar to how I did it in this email to the mailing list. That way others can find this solution in the archives.

--------------</End Dustin's solution> -----------------------------

Now for my less complex, probably not as flexible solution.
I defined some Huntgroups which contain the NAS IPs of my equipment. Remember, these are routers, so I am only looking at allowing SSH/Telnet access for Network admins, nothing like dialup, etc.


(/etc/freeradius/huntgroups)
JUNIPER         NAS-IP-Address == w.w.w.w
JUNIPER         NAS-IP-Address == x.x.x.x
RIVERSTONE      NAS-IP-Address == y.y.y.y
RIVERSTONE      NAS-IP-Address == z.z.z.z

Then I defined my DEFAULT rules:
(/etc/freeradius/users)

DEFAULT Sql-Group == "J-UNRESTRICTED", Huntgroup-Name == "JUNIPER"
        Juniper-Local-User-Name = "UNRESTRICTED",
        Fall-Through = Yes

DEFAULT Sql-Group == "J-WRITE-RESTRICTED", Huntgroup-Name == "JUNIPER"
        Juniper-Local-User-Name = "WRITE_RESTRICTED",
        Fall-Through = Yes

DEFAULT Sql-Group == "J-READ-ONLY", Huntgroup-Name == "JUNIPER"
        Juniper-Local-User-Name = "READ_ONLY",
        Fall-Through = Yes

DEFAULT Sql-Group == "R-UNRESTRICTED", Huntgroup-Name == "RIVERSTONE"
        Riverstone-User-Level = 15,
        Fall-Through = Yes

DEFAULT Sql-Group == "R-READ-ONLY", Huntgroup-Name == "RIVERSTONE"
        Riverstone-User-Level = 10,
        Fall-Through = Yes


From there, I created the users and placed them in groups in the MySQL DB:

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | test1    | user-password | == | test1 |
|  2 | test2    | user-password | == | test2 |
+----+----------+---------------+----+-------+



Then I added them to the respective groups they belonged in:

mysql> select * from usergroup;
+-----+----------+----------------+
| id  | UserName | GroupName      |
+-----+----------+----------------+
| 100 | test1    | J-UNRESTRICTED |
| 200 | test1    | R-UNRESTRICTED |
| 450 | test2    | J-READ-ONLY    |
| 500 | test2    | R-READ-ONLY    |
+-----+----------+----------------+

Based on this, when I connected to a device that is in the JUNIPER huntgroup I get back the attributes associated with the groupname defined in DEFAULT for Juniper, or if it is matching the RIVERSTONE huntgroup I get the Riverstone attributes.

If anyone has any questions or wants more details, feel free to email.

Again, thanks to Dustin for pretty much creating this solution. All I did was make it a little less complex and statically defined the attributes in the users file, rather than in the MySQL DB.

-James
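The lookup James describes above (huntgroup by NAS address, Sql-Group from the usergroup table, matching DEFAULT entries contribute reply items), as an added example that is not part of the post: a small Python model of that evaluation, plus a check that a reply never carries another vendor's attributes. All data is constructed; the NAS addresses are placeholders standing in for w.w.w.w / x.x.x.x / y.y.y.y / z.z.z.z.

```python
# Added example, not code from the mailing-list post: a model of how the
# DEFAULT entries in the users file are evaluated for one Access-Request.

# /etc/freeradius/huntgroups: huntgroup name -> NAS-IP-Address values (placeholders)
HUNTGROUPS = {
    "JUNIPER": {"192.0.2.1", "192.0.2.2"},
    "RIVERSTONE": {"192.0.2.3", "192.0.2.4"},
}

# MySQL usergroup rows (UserName, GroupName), as shown in the post
USERGROUP = [
    ("test1", "J-UNRESTRICTED"), ("test1", "R-UNRESTRICTED"),
    ("test2", "J-READ-ONLY"), ("test2", "R-READ-ONLY"),
]

# users file DEFAULT entries: (Sql-Group, Huntgroup-Name, reply attribute, value).
# Every entry in the post has Fall-Through = Yes, so the walk never stops early.
DEFAULT_ENTRIES = [
    ("J-UNRESTRICTED", "JUNIPER", "Juniper-Local-User-Name", "UNRESTRICTED"),
    ("J-WRITE-RESTRICTED", "JUNIPER", "Juniper-Local-User-Name", "WRITE_RESTRICTED"),
    ("J-READ-ONLY", "JUNIPER", "Juniper-Local-User-Name", "READ_ONLY"),
    ("R-UNRESTRICTED", "RIVERSTONE", "Riverstone-User-Level", 15),
    ("R-READ-ONLY", "RIVERSTONE", "Riverstone-User-Level", 10),
]

VENDOR_PREFIX = {"JUNIPER": "Juniper-", "RIVERSTONE": "Riverstone-"}


def huntgroup_for(nas_ip):
    """Huntgroup-Name for a NAS, or None if the NAS is in no huntgroup."""
    for name, members in HUNTGROUPS.items():
        if nas_ip in members:
            return name
    return None


def reply_attributes(username, nas_ip):
    """Reply items for one request: each DEFAULT entry whose Sql-Group and
    Huntgroup-Name check items both match contributes its reply item."""
    groups = {g for u, g in USERGROUP if u == username}
    hg = huntgroup_for(nas_ip)
    reply = {}
    for sql_group, huntgroup, attr, value in DEFAULT_ENTRIES:
        if sql_group in groups and huntgroup == hg:
            reply[attr] = value
    return reply


def foreign_vendor_attrs(reply, nas_ip):
    """Attributes in a reply that belong to a vendor other than the NAS's
    huntgroup; a non-empty list means the old 'send everything' behaviour is back."""
    prefix = VENDOR_PREFIX.get(huntgroup_for(nas_ip))
    return [a for a in reply if prefix is None or not a.startswith(prefix)]
```

A user in no group, or a NAS in no huntgroup, gets an empty reply, so a device added to the network without a huntgroups entry hands out no privilege attribute at all.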


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
