Re: Please help ! newbie question

2001-11-28 Thread Basavaraj Bendigeri

Hi Alan,


[EMAIL PROTECTED] wrote:

> Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
> 
>>I have one more question . This is regarding huntgroups . I assume 
>>huntgroups is for restricting users to certain groups , right ? 
>>
> 
>   No.  Read the comments at the top of the huntgroups file.
> 


I think I am phrasing the question incorrectly. Let me explain my 
question in detail. Assume I have 2 NASs in my network, say NAS1 and 
NAS2. Both send access requests to a radius server in the network. Say 
I have some users "A", "B", "C", "X", "Y" and "Z". I want users "A", 
"B", "C" to login to NAS1 and users "X", "Y", and "Z" to login to NAS2 only.
NAS1 => A, B, C
NAS2 => X, Y, Z

Obviously now NAS1 will send the access requests for "A", "B" and "C". 
The radius server should authenticate the users successfully, ie it 
should respond with an access accept. The same should happen 
for users "X", "Y" and "Z". But in case "A" or "B" or "C" tries to login to NAS2, 
radius should not allow it. Similarly if "X", "Y" or "Z" tries to login to NAS1, 
radius should not allow it in this case either. In both these cases 
radius should respond with an access reject.
I want to implement this with radius and openldap as backend. Obviously 
one way I can think of doing is by using the users and huntgroups files 
and I did implement it that way. Let me explain as to how I did it.
The users file contained the following directives:

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "localhost"
 Fall-Through = 1

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "test1"
 Fall-Through = No

and no other directives.

The huntgroups file contained the following directives:
localhost   NAS-IP-Address == 127.0.0.1
 User-Name == basavaraj

test1   NAS-IP-Address == 64.104.131.182
 User-Name == guest


The radiusd.conf file contained the following directives for the authorize module:

authorize {
 preprocess
 suffix
 files
 ldap
}


So when an access request comes in from NAS 64.104.131.182 for user 
"guest" the radius server responds with access accept and the same 
happens with user "basavaraj" when the request comes in from NAS 
127.0.0.1. But if the request for "basavaraj" comes from NAS 
64.104.131.182, the radius server responds with access reject. The 
same happens for "guest" from NAS "127.0.0.1". This solution satisfies 
my requirement. However, I want to know if this is the correct way of 
doing it?
Thanks in advance
-Raj

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Please help ! newbie question

2001-11-28 Thread aland

Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
>  >   The 'users' file is just one authorization method out of many.  You
>  > allowed LDAP to be used, so when you disallowed the users file, LDAP
>  > was still permitted, and therefore it was used.
> 
> Actually I was under the impression , that the user will be first 
> checked against the users file and if the authorization was successful 
> would then be handed over to LDAP . Isn't that how it is done ?

  If you tell it to do that, yes.  If you tell it NOT to use the
'users' file, then my original comment is correct.

> I have one more question . This is regarding huntgroups . I assume 
> huntgroups is for restricting users to certain groups , right ? 

  No.  Read the comments at the top of the huntgroups file.

> My question here is can I use the huntgroups file in the scenario 
> wherein I am using LDAP as the authorization and authentication backend 
> for radius and at the same time implement the above requirement .

  That may be possible.

  Alan DeKok.




Re: Please help ! newbie question

2001-11-25 Thread Basavaraj Bendigeri

Hi Alan,
   Thanks for the help! Your mail cleared a lot of doubts in my mind.

>> The module "files" returns not found since there is no entry in the
>> users file still the authorization is done with ldap . I was under
>> the impression that if a user-name is not present in the users file
>> then the user should be denied access OR am I doing something wrong
>> here .
>
>   The 'users' file is just one authorization method out of many.  You
> allowed LDAP to be used, so when you disallowed the users file, LDAP
> was still permitted, and therefore it was used.

Actually I was under the impression that the user will be first 
checked against the users file and if the authorization was successful 
would then be handed over to LDAP. Isn't that how it is done?


I have one more question. This is regarding huntgroups. I assume 
huntgroups is for restricting users to certain groups, right? Excuse 
me if I am wrong here. The reason I am asking this question is, I have 
a requirement wherein I need to restrict users to login to certain NAS 
only.
For eg: If I have 2 NAS, NAS1 and NAS2, and I have users, say a,b,c and 
x,y,z. I want radius to authenticate users a,b,c only if they login to 
NAS1 and users x,y,z if they login to NAS2. Something like:
NAS1 => a,b,c
NAS2 => x,y,z

So in case user "a" logs into NAS1 and NAS1 sends a radius request to 
the radius server, the radius server should send an accept packet. But 
if user "x" tries to do the same (ie, log into NAS1), the radius 
server should reject it. This is in a corporate LAN and the 
authentication backend for radius is openldap.
My question here is can I use the huntgroups file in the scenario 
wherein I am using LDAP as the authorization and authentication backend 
for radius and at the same time implement the above requirement.
Or is there any other solution? I am looking at the RADIUS schema for 
ldap but I am not sure if that will help.
Thanks in advance
-Raj



Re: Please help ! newbie question

2001-11-25 Thread aland

Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
> My users file contains the directives :
> 
> DEFAULT Auth-Type := LDAP
>  Fall-Through = 1
> 
> DEFAULT Auth-Type := System
>  Fall-Through = 1

  Why?  You're setting the Auth-Type to LDAP, and then immediately
throwing that away, and setting it to System.  That makes no sense.

> However , I commented all the entries in the users file and tested the 
> radius server with a different username ,using the following command
> 
> radtest guest hello123 localhost 10 testing123
> 
> and it works fine too !!!
> 
> NOTE : The user guest has a DN entry in the ldap directory .

  Yes, your debug log shows:

> modcall: group authorize returns ok
>rad_check_password:  Found Auth-Type LDAP

  So something is setting Auth-Type to LDAP.  That's why the user is
being authenticated against the LDAP directory.

> The module "files" returns not found since there is no entry in the
> users file still the authorization is done with ldap . I was under
> the impression that if a user-name is not present in the users file
> then the user should be denied access OR am I doing something wrong
> here .

  The 'users' file is just one authorization method out of many.  You
allowed LDAP to be used, so when you disallowed the users file, LDAP
was still permitted, and therefore it was used.

  Alan DeKok.




Please help ! newbie question

2001-11-25 Thread Basavaraj Bendigeri


Hi,
 I have got freeradius up and running. However I have a few 
questions regarding the users. I have set up ldap as the authentication 
backend for freeradius. So in my radiusd.conf file, the ldap module 
section looks like this:
ldap {
 server = 127.0.0.1
 identity = "cn=admin,dc=example,dc=com"
 password = secret
 basedn = "dc=example,dc=com"
 filter = "(uid=%u)"
 default_profile = "cn=radprofile,ou=People,dc=example,dc=com"
 access_group = "cn=radius_accounts,ou=People,dc=example,dc=com"
 access_attr = "uid"
 dictionary_mapping = ${raddbdir}/ldap.attrmap
 timeout = 4
 timelimit = 3
 net_timeout = 1
 ldap_debug = 0x0028
}

and the authorize section is:

authorize {
	preprocess
#	counter
#	attr_filter
	suffix
	files
	ldap
}


and the authenticate section is:

authenticate {
#	pam
	unix
# By grouping modules together in an authtype block, that authtype will be
# tried on each module in sequence until one returns REJECT or OK. This
# allows authentication failover if the first SQL server has crashed, for
# example.
#	authtype SQL {
#		sql
#		sql2
#	}
	ldap
}


My users file contains the directives:

DEFAULT Auth-Type := LDAP
 Fall-Through = 1

DEFAULT Auth-Type := System
 Fall-Through = 1


# #
# # Last default: shell on the local terminal server.
# #
DEFAULT
	Service-Type = Shell-User

I tested the freeradius server by running the radtest command locally as:

radtest basavaraj welcome123 localhost 10 testing123

and it seems to work fine. Both the authorization and authentication 
work fine. A DN by the name basavaraj is present in the ldap directory 
and hence ldap authenticates it successfully.

However, I commented all the entries in the users file and tested the 
radius server with a different username, using the following command

radtest guest hello123 localhost 10 testing123

and it works fine too !!!

NOTE : The user guest has a DN entry in the ldap directory. The module 
"files" returns not found since there is no entry in the users file, 
still the authorization is done with ldap. I was under the impression 
that if a user-name is not present in the users file then the user 
should be denied access OR am I doing something wrong here. Someone 
please help me. I have attached the log & debug output below.
-Raj


User-Name = "guest"
Password = "\373\312\t\203\003\231\225\227^c\031\340&\r\242_"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "10"
Framed-Protocol = PPP
modcall: entering group authorize
   modcall[authorize]: module "preprocess" returns ok
   modcall[authorize]: module "suffix" returns ok
   modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for guest
radius_xlat:  '(uid=guest)'
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example,dc=com/secret
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=guest)
request 2 done
rlm_ldap: checking if remote access for guest is allowed by uid
rlm_ldap: checking user membership in dialup-enabling group 
cn=radius_accounts,ou=people,dc=example,dc=com
radius_xlat:  '(| (& (objectClass=GroupOfNames) 
(member=uid=guest,ou=People,dc=example,dc=com)) (& 
(objectClass=GroupOfUniqueNames) 
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))'
rlm_ldap: performing search in 
cn=radius_accounts,ou=people,dc=example,dc=com, with filter (| (& 
(objectClass=GroupOfNames) 
(member=uid=guest,ou=People,dc=example,dc=com)) (& 
(objectClass=GroupOfUniqueNames) 
(uniquemember=uid=guest,ou=People,dc=example,dc=com)))
request 3 done
radius_xlat:  '(objectclass=*)'
rlm_ldap: performing search in 
cn=radprofile,ou=people,dc=example,dc=com, with filter (objectclass=*)
request 4 done
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user guest authorized to use remote access
   modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
   rad_check_password:  Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "guest" with password "hello123"
radius_xlat:  '(uid=guest)'
rlm_ldap: user DN: uid=guest,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=guest,ou=People,dc=example,dc=com/hello123
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user guest authenticated succesfully
   modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
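Added example, not code from the thread or from FreeRADIUS: a small Python model of the authorize chain configured in these messages (preprocess with the huntgroups file, then files with the users file, then ldap), run over the three configurations the thread discusses: the users file with two DEFAULT entries that Alan objects to, the commented-out users file behind the debug log above, and the huntgroups/users pair in Raj's later message. The following are assumptions of the model, not facts stated in the thread: a huntgroup entry that lists users rejects any other user coming from a NAS matching that entry (the restriction the huntgroups file header describes), rlm_ldap sets Auth-Type only when nothing earlier in the chain set it, the directory contents are a constructed set, and the authenticate stage (the LDAP bind in the log) is not modelled.

```python
"""Toy model of a FreeRADIUS authorize chain: preprocess (huntgroups) ->
files (users) -> ldap.  Added example, not FreeRADIUS code; it reproduces
the behaviour described in the thread so the effect of Fall-Through, the
':=' operator and huntgroup user lists can be seen side by side."""

DEFAULT = "DEFAULT"

# Constructed: uids assumed to exist in the LDAP directory.
LDAP_USERS = {"basavaraj", "guest"}


def preprocess(req, huntgroups):
    """Huntgroups lookup.  Each entry is (name, check items, allowed users).
    The first entry whose check items match sets Huntgroup-Name; if a
    matching entry lists users, User-Name must be one of them or the
    request is rejected (assumption of this model)."""
    for name, check, allowed in huntgroups:
        if all(req.get(k) == v for k, v in check.items()):
            if allowed and req["User-Name"] not in allowed:
                return "reject"
            req.setdefault("Huntgroup-Name", name)
    return "ok"


def files(req, config, users):
    """Users file.  Entries are (name, check items, config items,
    fall_through).  Config items use ':=' semantics, so a later matching
    entry overwrites an earlier one; without Fall-Through the first match
    ends the search; no match at all means 'notfound'."""
    matched = False
    for name, check, items, fall_through in users:
        if name != DEFAULT and name != req["User-Name"]:
            continue
        if not all(req.get(k) == v for k, v in check.items()):
            continue
        config.update(items)
        matched = True
        if not fall_through:
            break
    return "ok" if matched else "notfound"


def ldap_authorize(req, config):
    """rlm_ldap in authorize: a user present in the directory is authorized,
    and Auth-Type becomes LDAP only if it is still unset (model assumption)."""
    if req["User-Name"] not in LDAP_USERS:
        return "notfound"
    config.setdefault("Auth-Type", "LDAP")
    return "ok"


def authorize(req, huntgroups, users):
    """Run the chain in the order of the authorize section in the thread.
    Returns (result, Auth-Type); authenticate is not modelled."""
    req = dict(req)
    config = {}
    if preprocess(req, huntgroups) == "reject":
        return ("reject", None)
    results = [files(req, config, users), ldap_authorize(req, config)]
    if "ok" not in results or "Auth-Type" not in config:
        return ("reject", None)
    return ("ok", config["Auth-Type"])


# Users file from the first post: the second DEFAULT overwrites Auth-Type.
USERS_ORIGINAL = [
    (DEFAULT, {}, {"Auth-Type": "LDAP"}, True),
    (DEFAULT, {}, {"Auth-Type": "System"}, True),
]

# Huntgroup-based configuration from the later post.
HUNTGROUPS = [
    ("localhost", {"NAS-IP-Address": "127.0.0.1"}, ["basavaraj"]),
    ("test1", {"NAS-IP-Address": "64.104.131.182"}, ["guest"]),
]
USERS_HUNTGROUP = [
    (DEFAULT, {"Huntgroup-Name": "localhost"}, {"Auth-Type": "LDAP"}, True),
    (DEFAULT, {"Huntgroup-Name": "test1"}, {"Auth-Type": "LDAP"}, False),
]


def request(user, nas):
    """Constructed Access-Request with only the attributes the model uses."""
    return {"User-Name": user, "NAS-IP-Address": nas}


if __name__ == "__main__":
    # Two DEFAULT entries with Fall-Through: Auth-Type ends up as System.
    print(authorize(request("basavaraj", "127.0.0.1"), [], USERS_ORIGINAL))
    # Empty users file: files -> notfound, ldap -> ok, Auth-Type LDAP.
    print(authorize(request("guest", "127.0.0.1"), [], []))
    for user, nas in [("basavaraj", "127.0.0.1"), ("guest", "64.104.131.182"),
                      ("basavaraj", "64.104.131.182"), ("guest", "127.0.0.1")]:
        print(user, nas, authorize(request(user, nas), HUNTGROUPS, USERS_HUNTGROUP))
```

The model makes the two points of the thread visible: with no entry in the users file, `files` returning notfound does not stop the chain, because `ldap` still authorizes the user and supplies Auth-Type; and with the huntgroup configuration, the rejection for a user on the wrong NAS comes from the huntgroup user list being enforced before the users file is consulted, not from the users file itself.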