Re: Please help ! newbie question
Hi Alan,

[EMAIL PROTECTED] wrote:
> Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
>> I have one more question. This is regarding huntgroups. I assume
>> huntgroups is for restricting users to certain groups, right?
>
> No. Read the comments at the top of the huntgroups file.

I think I am phrasing the question incorrectly. Let me explain my question in detail.

Assume I have 2 NASs in my network, say NAS1 and NAS2. Both send access requests to a radius server in the network. Say I have some users "A", "B", "C", "X", "Y" and "Z". I want users "A", "B", "C" to login to NAS1 and users "X", "Y" and "Z" to login to NAS2 only.

    NAS1 => A, B, C
    NAS2 => X, Y, Z

Obviously now NAS1 will send the access requests for "A", "B" and "C". The radius server should authenticate the users successfully, ie it should respond with an access accept. The same should happen for users "X", "Y" and "Z". But in case "A" or "B" or "C" tries to login to NAS2, radius should not allow it. Similarly if "X", "Y" or "Z" tries to login to NAS1, radius should not allow it in this case either. In both these cases radius should respond with an access reject.

I want to implement this with radius and openldap as backend. Obviously one way I can think of doing it is by using the users and huntgroups files, and I did implement it that way. Let me explain how I did it.

The users file contained the following directives:

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == "localhost"
            Fall-Through = 1

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == "test1"
            Fall-Through = No

and no other directives.

The huntgroups file contained the following directives:

    localhost NAS-IP-Address == 127.0.0.1
              User-Name == basavaraj

    test1     NAS-IP-Address == 64.104.131.182
              User-Name == guest

The radiusd.conf file contained the following directives for the authorize module:

    authorize {
        preprocess
        suffix
        files
        ldap
    }

So when an access request comes in from NAS 64.104.131.182 for user "guest", the radius server responds with access accept, and the same happens with user "basavaraj" when the request comes in from NAS 127.0.0.1. But if the request for "basavaraj" comes from NAS 64.104.131.182, the radius server responds with access reject. The same happens for "guest" from NAS "127.0.0.1". This solution satisfies my requirement. However, I want to know if this is the correct way of doing it?

Thanks in advance
-Raj

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
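The following is an added model of the NAS restriction that Raj's users and huntgroups files express; it is example code written for this page, not FreeRADIUS code, and it deliberately simplifies the real modules: it ignores Auth-Type, Fall-Through and the LDAP step, and treats a request that matches no huntgroup-bound entry as rejected, as Raj reports observing. The huntgroups text is constructed from the post with one extra made-up user, "alice", to show that a NAS may list several users.

```python
# Constructed huntgroups text in the layout from the post: the group name and
# its NAS check on one line, the users allowed through that NAS on following
# indented lines. "alice" is a made-up extra user (not in the original thread).
HUNTGROUPS_TEXT = """\
localhost   NAS-IP-Address == 127.0.0.1
            User-Name == basavaraj
            User-Name == alice
test1       NAS-IP-Address == 64.104.131.182
            User-Name == guest
"""

# The users file from the post, reduced to its Huntgroup-Name check items.
USERS_RULES = [{"Huntgroup-Name": "localhost"}, {"Huntgroup-Name": "test1"}]


def parse_huntgroups(text):
    """Return [(name, nas_checks, allowed_users)] from huntgroups-style text."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                       # continuation: a User-Name line
            attr, _, value = line.split(None, 2)
            if attr == "User-Name":
                groups[-1][2].add(value.strip('"'))
            continue
        name, attr, _, value = line.split(None, 3)  # "name Attr == value"
        groups.append((name, {attr: value.strip('"')}, set()))
    return groups


def matching_huntgroups(groups, request):
    """Names of huntgroups whose NAS checks match the request and that list
    this user (a huntgroup with no User-Name lines restricts nobody)."""
    return {
        name for name, checks, users in groups
        if all(request.get(a) == v for a, v in checks.items())
        and (not users or request["User-Name"] in users)
    }


def authorize(groups, rules, request):
    """'accept' if some users-file entry's Huntgroup-Name matches, else 'reject'."""
    matched = matching_huntgroups(groups, request)
    return "accept" if any(r["Huntgroup-Name"] in matched for r in rules) else "reject"


def decide(user, nas_ip):
    """Decide one Access-Request for `user` arriving from `nas_ip`."""
    request = {"User-Name": user, "NAS-IP-Address": nas_ip}
    return authorize(parse_huntgroups(HUNTGROUPS_TEXT), USERS_RULES, request)
```

Calling decide("basavaraj", "64.104.131.182") gives "reject" while decide("basavaraj", "127.0.0.1") gives "accept", matching the four cases Raj describes.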
Re: Please help ! newbie question
Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
> > The 'users' file is just one authorization method out of many. You
> > allowed LDAP to be used, so when you disallowed the users file, LDAP
> > was still permitted, and therefore it was used.
>
> Actually I was under the impression, that the user will be first
> checked against the users file and if the authorization was successful
> would then be handed over to LDAP. Isn't that how it is done?

  If you tell it to do that, yes. If you tell it NOT to use the 'users' file, then my original comment is correct.

> I have one more question. This is regarding huntgroups. I assume
> huntgroups is for restricting users to certain groups, right?

  No. Read the comments at the top of the huntgroups file.

> My question here is can I use the huntgroups file in the scenario
> wherein I am using LDAP as the authorization and authentication backend
> for radius and at the same time implement the above requirement.

  That may be possible.

  Alan DeKok.
Re: Please help ! newbie question
Hi Alan,

Thanks for the help! Your mail cleared a lot of doubts in my mind.

>> The module "files" returns not found since there is no entry in the
>> users file still the authorization is done with ldap. I was under
>> the impression that if a user-name is not present in the users file
>> then the user should be denied access OR am I doing something wrong
>> here.
>
> The 'users' file is just one authorization method out of many. You
> allowed LDAP to be used, so when you disallowed the users file, LDAP
> was still permitted, and therefore it was used.

Actually I was under the impression, that the user will be first checked against the users file and if the authorization was successful would then be handed over to LDAP. Isn't that how it is done?

I have one more question. This is regarding huntgroups. I assume huntgroups is for restricting users to certain groups, right? Excuse me if I am wrong here. The reason I am asking this question is, I have a requirement wherein I need to restrict users to login to certain NAS only.

For eg: If I have 2 NAS, NAS1 and NAS2, and I have users, say a,b,c and x,y,z. I want radius to authenticate users a,b,c only if they login to NAS1 and users x,y,z if they login to NAS2. Something like:

    NAS1 => a,b,c
    NAS2 => x,y,z

So in case user "a" logs into NAS1 and NAS1 sends a radius request to the radius server, the radius server should send an accept packet. But if user "x" tries to do the same (ie, log into NAS1), the radius server should reject it. This is in a corporate LAN and the authentication backend for radius is openldap.

My question here is can I use the huntgroups file in the scenario wherein I am using LDAP as the authorization and authentication backend for radius and at the same time implement the above requirement. Or is there any other solution. I am looking at the RADIUS schema for ldap but I am not sure if that will help.

Thanks in advance
-Raj
Re: Please help ! newbie question
Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
> My users file contains the directives:
>
> DEFAULT Auth-Type := LDAP
>         Fall-Through = 1
>
> DEFAULT Auth-Type := System
>         Fall-Through = 1

  Why? You're setting the Auth-Type to LDAP, and then immediately throwing that away, and setting it to System. That makes no sense.

> However, I commented all the entries in the users file and tested the
> radius server with a different username, using the following command
>
> radtest guest hello123 localhost 10 testing123
>
> and it works fine too !!!
>
> NOTE: The user guest has a DN entry in the ldap directory.

  Yes, your debug log shows:

> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP

  So something is setting Auth-Type to LDAP. That's why the user is being authenticated against the LDAP directory.

> The module "files" returns not found since there is no entry in the
> users file still the authorization is done with ldap. I was under
> the impression that if a user-name is not present in the users file
> then the user should be denied access OR am I doing something wrong
> here.

  The 'users' file is just one authorization method out of many. You allowed LDAP to be used, so when you disallowed the users file, LDAP was still permitted, and therefore it was used.

  Alan DeKok.
Please help ! newbie question
Hi,

I have got freeradius up and running. However I have a few questions regarding the users. I have setup ldap as authentication backend for freeradius. So in my radiusd.conf file, the ldap modules section looks like this:

    ldap {
        server = 127.0.0.1
        identity = "cn=admin,dc=example,dc=com"
        password = secret
        basedn = "dc=example,dc=com"
        filter = "(uid=%u)"
        default_profile = "cn=radprofile,ou=People,dc=example,dc=com"
        access_group = "cn=radius_accounts,ou=People,dc=example,dc=com"
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        timeout = 4
        timelimit = 3
        net_timeout = 1
        ldap_debug = 0x0028
    }

and the authorize section is:

    authorize {
        preprocess
    #   counter
    #   attr_filter
        suffix
        files
        ldap
    }

and the authenticate section is:

    authenticate {
    #   pam
        unix
    # By grouping modules together in an authtype block, that authtype will be
    # tried on each module in sequence until one returns REJECT or OK. This
    # allows authentication failover if the first SQL server has crashed, for
    # example.
    #   authtype SQL {
    #       sql
    #       sql2
    #   }
        ldap
    }

My users file contains the directives:

    DEFAULT Auth-Type := LDAP
            Fall-Through = 1

    DEFAULT Auth-Type := System
            Fall-Through = 1

    #
    #
    #
    # Last default: shell on the local terminal server.
    #
    # DEFAULT Service-Type = Shell-User

I tested the free-radius server by running the radtest command locally as:

    radtest basavaraj welcome123 localhost 10 testing123

and it seems to work fine. Both the authorization and authentication work fine. A dn by the name basavaraj is present in the ldap directory and hence ldap authenticates it successfully.

However, I commented all the entries in the users file and tested the radius server with a different username, using the following command

    radtest guest hello123 localhost 10 testing123

and it works fine too !!!

NOTE: The user guest has a DN entry in the ldap directory.

The module "files" returns not found since there is no entry in the users file, still the authorization is done with ldap. I was under the impression that if a user-name is not present in the users file then the user should be denied access, OR am I doing something wrong here. Someone please help me. I have attached the log & debug output below.

-Raj

    User-Name = "guest"
    Password = "\373\312\t\203\003\231\225\227^c\031\340&\r\242_"
    NAS-IP-Address = 255.255.255.255
    NAS-Port-Id = "10"
    Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    modcall[authorize]: module "suffix" returns ok
    modcall[authorize]: module "files" returns notfound
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for guest
    radius_xlat: '(uid=guest)'
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as cn=admin,dc=example,dc=com/secret
    rlm_ldap: waiting for bind result ...
    request 1 done
    rlm_ldap: performing search in dc=example,dc=com, with filter (uid=guest)
    request 2 done
    rlm_ldap: checking if remote access for guest is allowed by uid
    rlm_ldap: checking user membership in dialup-enabling group cn=radius_accounts,ou=people,dc=example,dc=com
    radius_xlat: '(| (& (objectClass=GroupOfNames) (member=uid=guest,ou=People,dc=example,dc=com)) (& (objectClass=GroupOfUniqueNames) (uniquemember=uid=guest,ou=People,dc=example,dc=com)))'
    rlm_ldap: performing search in cn=radius_accounts,ou=people,dc=example,dc=com, with filter (| (& (objectClass=GroupOfNames) (member=uid=guest,ou=People,dc=example,dc=com)) (& (objectClass=GroupOfUniqueNames) (uniquemember=uid=guest,ou=People,dc=example,dc=com)))
    request 3 done
    radius_xlat: '(objectclass=*)'
    rlm_ldap: performing search in cn=radprofile,ou=people,dc=example,dc=com, with filter (objectclass=*)
    request 4 done
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user guest authorized to use remote access
    modcall[authorize]: module "ldap" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type LDAP
    auth: type "Ldap"
    modcall: entering group authenticate
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "guest" with password "hello123"
    radius_xlat: '(uid=guest)'
    rlm_ldap: user DN: uid=guest,ou=People,dc=example,dc=com
    rlm_ldap: (re)connect to localhost:389, authentication 1
    rlm_ldap: bind as uid=guest,ou=People,dc=example,dc=com/hello123
    rlm_ldap: waiting for bind result ...
    request 1 done
    rlm_ldap: user guest authenticated succesfully
    modcall[authenticate]: module "ldap" returns ok
    modcall: group authenticate returns ok