Nathan L. Cable wrote:
I'm setting up a Radius environment which covers several physical sites.
Usernames and passwords come from an Active Directory server via ntlm_auth.
Each site has a group in the NT domain.  So, it would be nice to have
multiple auth-types for each area.

You don't want and probably shouldn't use multiple auth-types. You want, as per your subject line, multiple Autz-Types. The behaviour of the mschap module can be controlled by setting variables based on Autz-Type then using them later on.


For clarification, I've tested my server without the Autz-type arguments
(ie, only using the one mschap instance), and everything works fine.
Everything also works great if I declare multiple instances of mschap, and
just have the radius server search through them in order - however, this
seems to be a rather inefficient way of doing things.

It's also not guaranteed to work, I think.


The debug output of radiusd indicates that my modules are being loaded, but
when the client authenticates, it's not done so against an auth-type.

Any thoughts as to why this is not working?

Here are the relevant portions of my config files:

# radiusd.conf:

.
.
.
modules {
    .
    .
    .
    mschap group1 {
        authtype = group1
        ...some config stuff...
        }
    mschap group2 {
        authtype = group2
        ...some config stuff...
        }
}
.
.
.
authorize {
    preprocess
    files
    Autz-Type group1 {
        group1
    }
    Autz-Type group2 {
        group2
    }
    eap
}

authenticate {
    Auth-Type group1 {
        group1
    }
    Auth-Type group2 {
        group2
    }
    eap
}
.
.
.

# users
DEFAULT Called-Station-Id == "00-11-22-33-44-55-66",Autz-Type := group1
DEFAULT Autz-Type = group2

What precisely are you trying to do here?

You may be better off using the "ldap" module against the AD to pull the groups into the radius server and make decisions there, which is *separate* from the running of the authentication algorithm.

Failing that, you could do this:

DEFAULT Called-Station-Id == "00-11-22-33-44-55"
        Tmp-String-1 = "group1"

DEFAULT
        Tmp-String-1 = "group2"

...then have:

modules {
    mschap {
        ntlm_auth = "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users} --other-options"
    }
}

authorize {
 preprocess
 files
 mschap
 eap
}
authenticate {
  Auth-Type MSCHAP {
    mschap
  }
}

If you are on an older version of the server you may need to define the Tmp-String-1 attributes like so in "dictionary":

ATTRIBUTE       Tmp-String-1    3000    string
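An added example, not from this thread or from the FreeRADIUS project: a small Python simulation of the users-file matching and the `%{reply:Tmp-String-1:-Domain Users}` expansion proposed above, so the group-selection logic can be checked offline before it is wired into `ntlm_auth`. The users-file text, the request attributes and the `--username` option are constructed for the example; the parser supports only `==` check items and first-match-wins without `Fall-Through`, which is all the reply relies on.

```python
import re

# Constructed users file in the shape the reply proposes: the first entry
# matches one NAS by Called-Station-Id, the second is the catch-all.
USERS_FILE = """\
DEFAULT Called-Station-Id == "00-11-22-33-44-55"
        Tmp-String-1 = "group1"

DEFAULT
        Tmp-String-1 = "group2"
"""

# The ntlm_auth command string from the reply.  The --username option is a
# constructed stand-in for the "--other-options" elided in the post.
NTLM_AUTH_TEMPLATE = (
    "ntlm_auth --require-membership-of=%{reply:Tmp-String-1:-Domain Users}"
    " --username=%{User-Name}"
)

# One "Attr op value" item; values may be quoted or bare.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')

# %{list:Attr:-default} or %{Attr}; list defaults to the request.
XLAT_RE = re.compile(r"%\{(?:(reply|request):)?([\w-]+)(?::-([^}]*))?\}")


def parse_users(text):
    """Parse users-file entries: an unindented 'NAME check-items' line
    followed by indented reply-item lines."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            checks = []
            for attr, op, quoted, bare in ITEM_RE.findall(rest):
                if op != "==":
                    # Set-style check items (:=, =) are out of scope here.
                    raise ValueError(f"unsupported check operator {op!r}")
                checks.append((attr, quoted or bare))
            current = {"name": name, "check": checks, "reply": []}
            entries.append(current)
        else:
            for attr, _op, quoted, bare in ITEM_RE.findall(line):
                current["reply"].append((attr, quoted or bare))
    return entries


def authorize(request, entries):
    """Return the reply items of the first matching entry (no Fall-Through)."""
    reply = {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if all(request.get(attr) == value for attr, value in entry["check"]):
            reply.update(entry["reply"])
            break
    return reply


def expand(template, request, reply):
    """Expand %{...} references; a missing attribute yields the :-default
    (or the empty string when no default is given)."""
    def substitute(match):
        source = reply if match.group(1) == "reply" else request
        value = source.get(match.group(2))
        if value is None:
            return match.group(3) if match.group(3) is not None else ""
        return value
    return XLAT_RE.sub(substitute, template)


def ntlm_auth_command(request, users_text=USERS_FILE):
    """Full ntlm_auth command line the server would run for this request."""
    reply = authorize(request, parse_users(users_text))
    return expand(NTLM_AUTH_TEMPLATE, request, reply)


def required_group(request, users_text=USERS_FILE):
    """Just the group handed to --require-membership-of."""
    reply = authorize(request, parse_users(users_text))
    return expand("%{reply:Tmp-String-1:-Domain Users}", request, reply)


if __name__ == "__main__":
    for station in ("00-11-22-33-44-55", "aa-bb-cc-dd-ee-ff"):
        req = {"User-Name": "alice", "Called-Station-Id": station}
        print(station, "->", ntlm_auth_command(req))
```

The third case worth checking is the one the `:-Domain Users` default exists for: a request that matches no entry at all (or a misspelt `Tmp-String-1` in the users file) silently falls back to "Domain Users", so a typo widens access rather than failing closed; watch the expanded command in `radiusd -X` output when testing.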
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
