Hi Alexander, I am trying to play with your configuration, basically I have a virtual server call auth as your example, and modified my eap.conf for peap to use auth.
what's the config:local.MY.realm? My debug showed [suffix] Looking up realm "foo.edu" for User-Name = "sd...@foo.edu"^M [suffix] Found realm "foo.edu"^M [suffix] Adding Stripped-User-Name = "sding"^M [suffix] Adding Realm = "foo.edu"^M [suffix] Authentication realm is LOCAL.^M ++[suffix] returns ok^M ++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" )^M ?? Evaluating (outer.request:EAP-Message) -> TRUE^M expand: local.MY.realm -> local.MY.realm^M WARNING: No such configuration item local.MY.realm^M expand: %{config:local.MY.realm} -> ^M ? Evaluating (Realm != "%{config:local.MY.realm}" ) -> TRUE^M ++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) -> TRUE^M ++- entering if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) {...}^M expand: Realm is '%{Realm}' on Inside -> Realm is 'foo.edu' on Inside^M +++[outer.reply] returns ok^M +++[reject] returns reject^M ++- if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) returns reject^M } # server auth^M Thanks, Schilling On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter <a...@digriz.org.uk> wrote: > schilling <schilling2...@gmail.com> wrote: >> >> Where should I put the perl script? I already have a perl module for >> another virtual server to use radscript. >> >> I also tried unlang in post-auth, like >> if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) { >> update outer.reply { >> Service-Type = "Framed-User" >> Tunnel-Type = "VLAN" >> Tunnel-Medium-Type = "IEEE-802" >> Tunnel-Private-Group-Id = "facstaff" >> } >> } >> > I cannot recommend more *not* to do your authorisation in the inner > tunnel, and instead to pass it back on out. There are a number of > reasons, clarity including, but especially you then can make use of the > reject path... > > Incase it helps, this is what we (a small-medium university in the > UK) do. In our eap block we set (we use TTLS, however it should be the > same for PEAP): > ---- > eap { > ... > > ttls { > ... > copy_request_to_tunnel = no > use_tunneled_reply = yes > virtual_server = "auth" > } > > ... > } > > Then we have a 'auth' virtual server: > ---- > server auth { > authorize { > if ((outer.request:EAP-Message)) { > update outer.request { > User-Name := "%{request:User-Name}" > } > update reply { > User-Name := "%{request:User-Name}" > } > } > > validate_username > > suffix > > if ((outer.request:EAP-Message) && Realm != > "%{config:local.MY.realm}") { > update outer.reply { > Reply-Message := "Realm is '%{Realm}' on > Inside" > } > reject > } > > # if the password is passed to us use it, otherwise yank it > from LDAP > if ((outer.request:Cleartext-Password)) { > update control { > Cleartext-Password := > "%{outer.request:Cleartext-Password}" > } > } > else { > ldap-login > > # some accounts are glitched and do not have a UP :( > if (ok && !(control:Cleartext-Password)) { > update outer.reply { > Reply-Message := "No eDirectory UP" > } > reject > } > } > > pap > chap > mschap > > update reply { > Auth-Type := "%{control:Auth-Type}" > } > } > > authenticate { > Auth-Type PAP { > pap > } > Auth-Type CHAP { > chap > } > Auth-Type MSCHAP { > mschap > } > } > } > ---- > > We are 'blessed' with Novhell, so 'ldap-login' populated > Cleartext-Password from eDirectory if present, your approach would be > different (the interesting bit is if you set > 'request:Cleartext-Password' in your outer layer before calling 'eap', > which is a handy hook for a NAGIOS RADIUS hook (letting you test > authentication with eapol_test[1] and remove the AD component from the > equation. > > Once the 'auth' virtual server finishes, you will find in the outer > layer for *successful* authentications, 'reply:User-Name' is the inner > username whilst for *failure* authentications you want to use > 'request:User-Name'. > >> I did map something to fooEmployeeStatus in ldap.attrmaps >> Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && >> fooEmployeeStatus =~ /active/i ) >> /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors >> parsing post-auth section. >> >> How can I reference User-Name in post-auth section of inner-tunnel? >> > In your outer post-auth section then I would recommend the following > unlang (prime the defaults, and use the attributes to fixup what you > want the final result to be): > ---- > post-auth { > ... > > # defaults > update reply { > Tunnel-Type := VLAN > Tunnel-Medium-Type := IEEE-802 > Tunnel-Private-Group-Id := "unauthorised" > > Termination-Action := RADIUS-Request > > # Cisco only support a max of 65535 > Session-Timeout := 64800 > > Acct-Interim-Interval := 3600 > } > > if ( User-Name =~ /@/ && (fooEmployeeStatus) ) { > update reply { > Tunnel-Private-Group-Id := "facstaff" > } > } > > ... > } > ---- > > If you want to lower the load (and authentication latency) on your AD > servers then you might want to look at the following too: > > http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html > > Cheers > > [1] http://deployingradius.com/scripts/eapol_test/ > > -- > Alexander Clouter > .sigmonster says: Never ask the barber if you need a haircut. > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html