> Date: Mon, 23 Mar 2009 11:22:22 -0400
> From: Josh Hiner <j...@remc1.org>
> Subject: Help checking group membership with FreeRadius
> To: freeradius-users@lists.freeradius.org
> Message-ID: <200903231522.n2nfmnxv077...@mxdrop218.xs4all.nl>
> Currently we have a radius server that performs authentication off our samba domain controller for wireless users. This works great. I would like to limit users so they must be a member of the wireless group in order to connect. Since the /etc/group file is on a different server I believe I cannot use the etc_group module. Also, in order to use that module the user must have a valid account on the radius server as well.
>
> Any ideas on checking group membership? I use ntlm_auth in the mschap module for authentication in Freeradius ver 2.1.3-1.

I had a similar problem a few days ago.

Run "getent passwd username" to see if you can get a line like:

smith:*:100:3243::/home/smith:/usr/bin/sh

If you do, '3243' is the principal group ID of the user.

My solution: use a perl script 'chkgrpmembership.pl' to check the group membership of the user. The script sets the 'Group' attribute if the user is found.

1. chkgrpmembership.pl

use strict;
use warnings;
# This is very important! Without this the script will not get the filled hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# %RAD_REQUEST is the hash which holds the original request from radius.
# %RAD_REPLY is the hash in which you add values that will be returned to the NAS.
# %RAD_CHECK is for check items.

# This is the remapping of return values
use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6;  # user not found
use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are

# Function to handle authorize
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    # Only plain account names (optionally realm- or domain-qualified) are looked up;
    # anything else is rejected before it reaches getent.
    return RLM_MODULE_REJECT unless defined $user && $user =~ /^[A-Za-z0-9._@\\-]+$/;
    # Run getent with an argument list (no shell), so the user name can never be
    # interpreted as shell syntax.
    open(my $fh, '-|', 'getent', 'passwd', $user) or return RLM_MODULE_FAIL;
    my $getentResult = <$fh>;
    close $fh;
    $getentResult = '' unless defined $getentResult;
    chomp $getentResult;
    my @resultArray = split ":", $getentResult;
    my $arraySize = scalar @resultArray;
    # Group ID 11184 = staff
    # Group ID 12705 = student
    if ($arraySize != 0) {
        my $groupID = $resultArray[3];
        if ($groupID == 11184) {
            $RAD_REPLY{'Group'} = "Staff";
        } elsif ($groupID == 12705) {
            $RAD_REPLY{'Group'} = "Student";
        } else {
            # We only allow the Staff and Student groups
            return RLM_MODULE_REJECT;
        }
    } else {
        # user not found in AD
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}

2. Add the following lines to the modules section of radius.conf:

perl {
    module = /etc/freeradius/chkgrpmembership.pl
    func_authorize = authorize
}

3. In the Authorize section, uncomment 'files'. Then add a line containing 'perl' after it. In the Authentication section add:

Auth-Type Perl {
    perl
}

4. If you use EAP/TLS, you need to enable use_tunneled_reply in the peap and/or ttls section of eap.conf.

5. Finally, you can add a line to the 'users' file:

DEFAULT Group != "wireless", Auth-Type := Reject

(Sorry for starting a new thread, I subscribed to the "digest" version of the mailing list)

Chris
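As an added example (not from Chris's post or the FreeRADIUS project), here is the same membership check written in Python so the logic can be tested offline: it parses the output of getent passwd and getent group, counts a user as a member when either the primary GID matches or the user is listed in the group's member field, and calls getent with an argument list instead of a shell so a crafted User-Name cannot inject commands. The user names, GIDs and getent lines are constructed samples, and the code is not wired into rlm_perl or rlm_python.

```python
import re
import subprocess

# Constructed sample output in the format `getent passwd <user>` and
# `getent group <group>` print; the users, GIDs and group are hypothetical.
SAMPLE_PASSWD = {
    "smith": "smith:*:100:3243::/home/smith:/usr/bin/sh\n",
    "jones": "jones:*:101:100::/home/jones:/usr/bin/sh\n",
    "guest": "guest:*:102:65534::/home/guest:/usr/bin/sh\n",
}
SAMPLE_GROUP = {"wireless": "wireless:x:3243:jones\n"}

# Only plain account names (optionally realm- or domain-qualified) reach getent.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")

def run_getent(database, key):
    """Look up `key` in an NSS database without a shell; "" when absent or invalid."""
    if not USERNAME_RE.match(key):
        return ""  # rejected before any process is started
    proc = subprocess.run(["getent", database, key], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""

def parse_passwd(line):
    """Return (name, gid) from one passwd line, or None if it is not well formed."""
    f = line.rstrip("\n").split(":")
    if len(f) < 7 or not f[3].isdigit():
        return None
    return f[0], int(f[3])

def parse_group(line):
    """Return (name, gid, members) from one group line, or None if malformed."""
    f = line.rstrip("\n").split(":")
    if len(f) < 4 or not f[2].isdigit():
        return None
    return f[0], int(f[2]), [m for m in f[3].split(",") if m]

def is_member(username, group_name, passwd_out, group_out):
    """True if the group is the user's primary GID or lists the user as a member."""
    pw, gr = parse_passwd(passwd_out), parse_group(group_out)
    if pw is None or gr is None or pw[0] != username or gr[0] != group_name:
        return False
    return pw[1] == gr[1] or username in gr[2]

def decide(username, passwd_out, group_out, group_name="wireless"):
    """Mirror the rlm_perl authorize outcome: "ok" for members, "reject" otherwise."""
    return "ok" if is_member(username, group_name, passwd_out, group_out) else "reject"
```

The primary-GID-only check in the Perl script misses users who hold the group only as a supplementary group; the member field of getent group covers that case.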
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html