freeradius-server-utils-2.1.1-7.7.19.77 freeradius-server-libs-2.1.1-7.7.19.77 freeradius-server-2.1.1-7.10.1
Greetings all. I am trying to pass a list of custom attributes based on the information in the radius request. Originally, I tried matching on NAS-IP-Address as noted below, but it looks like I can also match on Client-IP-Address, which I would prefer. The issue I am having is that I don't see radius matching the right entry in the users file and returning specific custom attributes. I can't determine why it is choosing the last user entry in the users file.

Here is an example of the users file. I expect the information from the request to match the first entry for user "chad".

####################################################
DEFAULT Auth-Type=Pam
	Service-Type = NAS-Prompt-User,
	cisco-avpair +="shell:priv-lvl=2",
	cisco-avpair :="shell:roles*network-operator",
	Fall-Through = 1
...
#put customer user attributes here!
chad NAS-IP-Address == "1.2.3.4"
	cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
	cisco-avpair += "NCS:role0=Root"

chad NAS-IP-Address == "2.3.4.5"
	cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
	cisco-avpair += "NCS:role0=Root"

chad
	Service-Type := Administrative-User,
	cisco-avpair := "shell:priv-lvl=15",
	cisco-avpair := "shell:roles*network-admin"
####################################################

The debug from radius shows that the NAS-IP-Address in the first user entry matches the initial request. I also tried to match on Client-IP-Address, but the debugs always show radius matching on the last user entry and sending different attributes.

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 19721, id=31, length=62
	NAS-IP-Address = 1.2.3.4
	Service-Type = Login-User
	NAS-Port-Type = Virtual
	User-Name = "chad"
	User-Password = "0123456789"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <chad>
++[pam] returns ok
Login OK: [chad/0123456789] (from client lensert port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 31 to x.x.x.x port 19721
	Service-Type := Administrative-User
	Cisco-AVPair := "shell:roles*network-admin"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 9296, id=104, length=68
	User-Name = "chad"
	User-Password = "0123456789"
	NAS-IP-Address = 2.3.4.5
	Message-Authenticator = 0xb346bbcf6f763e4e9e32c2f4ddc657b9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <chad>. Reason: Permission denied
++[pam] returns reject
Failed to authenticate the user.
Login incorrect: [chad/0123456789] (from client lensert port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> chad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 104 to x.x.x.x port 9296
Finished request 1.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 55546, id=31, length=62
	NAS-IP-Address = 1.2.3.4
	Service-Type = Login-User
	NAS-Port-Type = Virtual
	User-Name = "chad"
	User-Password = "0123456789"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "chad", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry chad at line 29
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <chad>. Reason: Permission denied
++[pam] returns reject
Failed to authenticate the user.
Login incorrect: [chad/0123456789] (from client lensert port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> chad
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 31 to x.x.x.x port 55546
Finished request 2.
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 0 ID 31 with timestamp +30
Waking up in 2.2 seconds.
Cleaning up request 1 ID 104 with timestamp +32
Waking up in 2.3 seconds.
Cleaning up request 2 ID 31 with timestamp +35
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
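To make the rlm_files walk over a users file like the one in this post visible, here is an added Python model of its entry matching (example code written for this post, not FreeRADIUS code); it embeds three of the post's entries as a constructed file and assumes a simplified reading of the check and reply operators (only == is compared, Fall-Through is honoured, := replaces, += appends, = adds if absent).

```python
import re

# Constructed for this example: three of the post's users-file entries laid out
# as rlm_files expects (check items on the entry line, reply items indented).
USERS_FILE = """\
DEFAULT Auth-Type = Pam
\tService-Type = NAS-Prompt-User,
\tcisco-avpair += "shell:priv-lvl=2",
\tcisco-avpair := "shell:roles*network-operator",
\tFall-Through = 1
chad NAS-IP-Address == "1.2.3.4"
\tcisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN",
\tcisco-avpair += "NCS:role0=Root"
chad
\tService-Type := Administrative-User,
\tcisco-avpair := "shell:priv-lvl=15",
\tcisco-avpair := "shell:roles*network-admin"
"""
# (attribute, operator, value) triples; attribute names are case-insensitive
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')
def items(s): return [(a.lower(), op, v.strip('"')) for a, op, v in ITEM_RE.findall(s)]

def parse_users(text):
    """Unindented line = entry name + check items; indented lines = reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (' ', '\t'):
            entries[-1]['reply'].extend(items(raw))
        elif raw.strip():
            name, _, checks = raw.partition(' ')
            entries.append({'line': lineno, 'name': name, 'check': items(checks), 'reply': []})
    return entries

def match_users(entries, request):
    """rlm_files order: first applicable entry wins unless it sets Fall-Through."""
    req = {k.lower(): v for k, v in request.items()}
    matched, reply = [], []
    for e in entries:
        if e['name'] not in ('DEFAULT', req['user-name']) or any(
                op == '==' and req.get(a) != v for a, op, v in e['check']):
            continue  # other check operators set control items, not compared here
        matched.append(e['line'])
        for a, op, v in e['reply']:
            if op == ':=':  # replace every existing value of this attribute
                reply = [(x, y) for x, y in reply if x != a] + [(a, v)]
            elif op == '+=' or a not in dict(reply):
                reply.append((a, v))  # += always appends; = adds only if absent
        if not any(a == 'fall-through' and v in ('1', 'yes') for a, _, v in e['reply']):
            break
    return matched, [(a, v) for a, v in reply if a != 'fall-through']
```

Run against a constructed request whose NAS-IP-Address (9.9.9.9) matches no NAS-specific entry, the model yields exactly the Service-Type := Administrative-User and shell:roles*network-admin pair seen in the Access-Accept above, because the bare chad entry's := items replace everything DEFAULT added; a request from 1.2.3.4 instead stops at the NAS-specific entry and keeps DEFAULT's values plus the two NCS pairs.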