Re: [RADIATOR] Correction to CheckPoint Gaia dictionary entry
On 04/14/2014 11:26 PM, Jason Griffith wrote:
> VENDOR CheckPoint 2620
> #ATTRIBUTE CP-Gaia-User-Role 229 string
> #ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer
>
> VENDORATTR 2620 CP-Gaia-User-Role 229 string
> VENDORATTR 2620 CP-Gaia-SuperUser-Access 230 integer
>
> After we made this change the User Role seemed to function correctly. I
> hope this helps.

Hello Jason,

you are correct, the CheckPoint vendor specific attributes were entered incorrectly in the dictionary. These will be corrected in the next patch set.

Thanks!
Heikki

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Correction to CheckPoint Gaia dictionary entry
Hi,

I just thought I'd share this with anyone who is interested. I was troubleshooting Radius with the Gaia CheckPoint OS today and found that we had problems assigning roles to users via the Radius attributes. We fixed this by modifying the following in the Radiator dictionary file. We replaced the commented lines with the VENDORATTR lines.

    #
    # CheckPoint
    #
    VENDOR CheckPoint 2620
    #ATTRIBUTE CP-Gaia-User-Role 229 string
    #ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer
    VENDORATTR 2620 CP-Gaia-User-Role 229 string
    VENDORATTR 2620 CP-Gaia-SuperUser-Access 230 integer

After we made this change the User Role seemed to function correctly. I hope this helps.

Jason
Re: [RADIATOR] Use AD group membership for SQL lookups?
On 04/14/2014 05:56 PM, Martin Burman wrote:
> 1: check username/password combo. - OK
> 2: Search from a set of AD groups until a match EVENTUALLY is found. -OK
> 3: query MySQL for attributes/values based on username. - OK
> 4: query MySQL for the attributes and values based on group name. - Problem
> here

Hello Martin,

thanks for the full examples. About step 2, I'd use AuthAttrDef to pick and choose just the attributes that are interesting. If you store attributes in the reply, for example, you can pick them in step 4 with something like this:

    AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME=?
    AuthAttrDef %{x-memberof}

It might be you need to do a small Hook to pick just the interesting part from the returned memberOf value. That interesting part can then be stored in the reply.

If you use this:

    AuthAttrDef memberOf,x-memberof,request

you will get the full value of memberOf in the request. If you do this:

    AuthAttrDef memberOf

the attributes will not be stored in request or reply, but will be available from the LDAP result for you to process with PostSearchHook and store in the request for later use.

> (BTW: The Cisco AV-Pairs I'm using is allowed to be sent more than once, in
> Freeradius this is accomplished with different assignment operators (':='
> instead of '=' if I remember it right).
> How is this implemented in Radiator?)

If you use GENERIC with AuthColumnDef, it will add all attributes from SQL and cisco-avpair can be there multiple times. There is no separate assignment operator.

> Or am I doomed to use hooks?

Maybe :)

Thanks,
Heikki

-- 
Heikki Vatiainen
Re: [RADIATOR] Radiator/AuthWimax.pm BS ID Questions
On 04/14/2014 07:07 AM, Adam O'Reilly wrote:
> Just wanting to find out the reasoning behind this:
> 200 my $bsid = $p->get_attr('WiMAX-BS-ID');
> 201 ($napid, $bsid) = unpack('a3 a3', $bsid)
>
> The reason is we are seeing WiMAX-BS-ID come in like this
> WiMAX-BS-ID = 000XXXX001
>
> (Removed the identifying parts)
>
> The AuthWimax Code then inserts it into the device_session table as:
>
> bsid: 000
>
> Any help would be greatly appreciated.

I think the reason is this:
http://resources.wimaxforum.org/sites/wimaxforum.org/files/technical_document/2009/07/WMF-T33-001-R010v04_Network-Stage3-Base.pdf

Section 5.4.2.46 BS-ID says about the attribute value:

    Octet-String (6 Octets). Representing NAP operator identifier (first 3 Octets) and the Base Station ID (next 3 Octets).

Looking at a more recent doc, WMF-T33-001-R015v03 WMF Approved (2011-11-14), the same definition is also there, unchanged.

Maybe your equipment has a configuration option to use a different format?

Thanks,
Heikki

-- 
Heikki Vatiainen
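The following script is an added example for the BS-ID question above; it is not code from the thread or from Radiator's AuthWimax.pm. It shows why the bare unpack('a3 a3') quoted from AuthWimax.pm returns a three-character fragment when a NAS delivers WiMAX-BS-ID as text instead of the 6 binary octets the WiMAX Forum document defines, and it adds the length check a defensive caller would want before writing the value to device_session. The sample values are constructed; the function name split_bsid is mine.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Radiator. Demonstrates the
# 6-octet BS-ID layout from WMF-T33-001 section 5.4.2.46 and the failure
# mode when the attribute arrives as hex text. Sample values are constructed.
use strict;
use warnings;

# Split a WiMAX-BS-ID into (NAP-ID, BS-ID), returned as hex strings.
# Per the spec the value is 6 octets: NAP operator identifier in the first
# 3, Base Station ID in the next 3. Returns an empty list if the value is
# not exactly 6 octets, so a caller can log the NAS instead of storing junk.
sub split_bsid {
    my ($raw) = @_;
    return unless defined $raw && length($raw) == 6;
    my ($napid, $bsid) = unpack('a3 a3', $raw);
    return (unpack('H*', $napid), unpack('H*', $bsid));
}

# 1. Spec-conformant value: 6 binary octets (NAP 0x000001, BS 0x0a0b0c).
my $binary = pack('H*', '0000010a0b0c');
my ($nap, $bs) = split_bsid($binary);
printf "binary:            NAP-ID=%s BS-ID=%s\n", $nap, $bs;

# 2. The same ID delivered as 12 hex characters. unpack('a3 a3') with no
#    length check takes the first three characters as NAP-ID and the next
#    three as BS-ID: the same kind of three-character fragment as the
#    'bsid: 000' reported above.
my $text = '0000010a0b0c';
my ($nap_text, $bs_text) = unpack('a3 a3', $text);
printf "text, raw unpack:  NAP-ID=%s BS-ID=%s\n", $nap_text, $bs_text;

# 3. With the length check the text form is rejected rather than stored.
my @parts = split_bsid($text);
printf "text, split_bsid:  %s\n", @parts ? "ok" : "rejected (length != 6)";

# 4. If a NAS is known to send hex text, converting it first recovers the
#    spec layout; this is the kind of adjustment to make in a hook before
#    AuthWimax sees the attribute, not a reason to drop the length check.
my ($nap_fixed, $bs_fixed) = split_bsid(pack('H*', $text));
printf "text, after pack:  NAP-ID=%s BS-ID=%s\n", $nap_fixed, $bs_fixed;
```

Running it prints NAP-ID=000001 BS-ID=0a0b0c for the binary value, NAP-ID=000 BS-ID=001 for the raw unpack of the text value, a rejection for the checked text value, and the spec layout again once the text is packed back to octets. Logging the length of WiMAX-BS-ID at trace 4 on the real traffic is the quickest way to tell which case the equipment is producing.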
[RADIATOR] Use AD group membership for SQL lookups?
Hi there.

I'm a n00b in RADIUS so please bear with me. I've read a couple of links found via Google and either I can't define my question correctly or I'm rather alone in what I'm trying to do?

I have Radiator on Red Hat Linux authenticating via Winbind/NTLM to an Active Directory server, probably a Server 2008. I have two LDAP2 sections checking group memberships and so far all is working. The goal is to send attributes to a Cisco ASA that contain access-lists, which group policy to use and so on, and all data for this is tested and working.

Steps from what I understand are:

1: check username/password combo. - OK
2: Search from a set of AD groups until a match EVENTUALLY is found. -OK
3: query MySQL for attributes/values based on username. - OK
4: query MySQL for the attributes and values based on group name. - Problem here
5: If no group matches: select a default set of attributes from MySQL - problem here. Could get away with an Access-Rejected also.

The closest I've got seems to be this one, suggesting PostAuthHooks:
http://www.open.com.au/pipermail/radiator/2014-February/019667.html

I've just begun reading about this but I'm a lousy programmer so I decided to ask here for a simpler solution if possible. Below is my cleaned up config, trace 5 debug and the SQL data. For now the SQL query for groups is static, I made it that way for a sanity check.

(BTW: The Cisco AV-Pairs I'm using are allowed to be sent more than once, in Freeradius this is accomplished with different assignment operators (':=' instead of '=' if I remember it right). How is this implemented in Radiator?)

Or am I doomed to use hooks?

Best regards and thanks in advance, sorry for poor English and n00b skillZ.

Martin Burman

-

    # The list archive stripped the <...> section tags and some spacing from
    # this config. Tags are restored below where the text or the trace names
    # the section type; the Client address and the exact grouping of the
    # AuthBy lines inside the Handler were lost.

    <Client ...>
            Secret testing123
            Identifier justanidentifier
    </Client>

    <AuthBy NTLM>
            Domain DOM.AIN.SE
            DefaultDomain DOM.AIN.SE
            UsernameMatchesWithoutRealm
            Identifier pfntlm
            UsernameFormat %U
            NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
            EAPType MSCHAP-V2, PAP
    </AuthBy>

    <AuthBy LDAP2>
            Identifier pfldapFWVPN-Test
            Host 1.2.3.11
            Port 3268
            AuthDN CN=...
            AuthPassword UltraSecret
            BaseDN DC=DOM,DC=AIN,DC=SE
            UsernameAttr sAMAccountName
            NoCheckPassword
            SearchFilter (&(%0=%U)(memberOf=CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
            NoDefault
            NoDefaultIfFound
            Debug 15
    </AuthBy>

    ### supposed to fail, used to check if Radiator continues as expected
    <AuthBy LDAP2>
            Identifier pfldapNonExistent
            Host 1.2.3.11
            Port 3268
            AuthDN CN=...
            AuthPassword UtraSecret
            BaseDN DC=DOM,DC=AIN,DC=SE
            UsernameAttr sAMAccountName
            NoCheckPassword
            SearchFilter (&(%0=%U)(memberOf=CN=NonExistentGroup,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
            NoDefault
            NoDefaultIfFound
            Debug 15
    </AuthBy>

    ### Works
    <AuthBy SQL>
            Identifier SQLAccounting
            DBSource dbi:mysql:radius:localhost:3306
            DBUsername rad
            AuthSelect select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME=%0
            AuthColumnDef 0, User-Password, check
            AuthColumnDef 1, GENERIC, reply
    </AuthBy>

    ### Stuck here
    <AuthBy SQL>
            Identifier SQLgroupcheck
            DBSource dbi:mysql:radius:localhost:3306
            DBUsername rad
            ### A variable with group name would be great, static SQL as mentioned above
            AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'
            AuthColumnDef 0, User-Password, check
            AuthColumnDef 1, GENERIC, reply
    </AuthBy>

    <Handler User-Name=mytestuser>
            Identifier tjosan
            AuthByPolicy ContinueWhileAccept
            AuthBy pfntlm
            AuthByPolicy ContinueUntilAccept
            AuthBy pfldapNonExistent
            AuthBy pfldapFWVPN-Test
            AuthBy SQLAccounting
            AuthBy SQLgroupcheck
    </Handler>

___

    Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
    *** Received from 1.2.8.247 port 60086 ....
    Packet length = 76
    01 98 00 4c 4c 35 96 77 df d8 1c e1 8d eb 9b 27
    c9 64 37 ba 3e 30 4f 4d 8d e9 88 37
    Code:       Access-Request
    Identifier: 152
    Authentic:  L5...
    Attributes:
            User-Name = "mytestuser"
            User-Password = sqrubbed
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
            Message-Authenticator = <196>...
    Mon Apr 14 11:53:06 2014: DEBUG: Handling request with Handler 'User-Name=mytestuser', Identifier 'tjosan'
    Mon Apr 14 11:53:06 2014: DEBUG: Deleting session for mytestuser, 127.0.0.1, 0
    Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthNTLM: pfntlm
    Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM looks for match with mytestuser [mytestuser]
    Mon Apr 14 11:53:06 2014: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
    Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Password:: ==
    Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute NT-Domain:: x
    Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Username:: x
    Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: Authenticated: Yes
    Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: .
    Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM ACCEPT: : mytestuser [mytestuser]
    Mon Apr 14 11:53:06 2014: DEBUG: AuthBy NTLM result: ACCEPT,
    Mon Apr 14 11:53:06 20
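A worked hook for the approach Heikki outlines in his reply (AuthAttrDef memberOf plus a PostSearchHook that stores the interesting part of memberOf in the request) and for Martin's steps 4 and 5. This is an added example, not code from the thread or from Radiator. The file name group-hook.pl, the identifier pfldapGroups, the request attribute X-AD-Group, the group names and the 'default' row in GROUPSCRIBERS are assumptions made for the example; the file:"..." hook syntax and the PostSearchHook argument order follow the Radiator reference manual as I recall it, so check them against the manual for your version.

```perl
# group-hook.pl: added example for this thread, not code from the posts
# above or from Radiator. Fetch memberOf with "AuthAttrDef memberOf", reduce
# it to one group name here, store it in the request, and let the SQL group
# lookup use that name instead of a static GROUPNAME.
#
# Assumed wiring in radiator.cfg (identifiers, attribute name and the bind
# placeholders are constructed for this example):
#
#   <AuthBy LDAP2>
#       Identifier pfldapGroups
#       Host 1.2.3.11
#       Port 3268
#       AuthDN <bind account DN>
#       AuthPassword <bind password>
#       BaseDN DC=DOM,DC=AIN,DC=SE
#       UsernameAttr sAMAccountName
#       NoCheckPassword
#       AuthAttrDef memberOf
#       PostSearchHook file:"%D/group-hook.pl"
#   </AuthBy>
#
#   <AuthBy SQL>
#       Identifier SQLgroupcheck
#       DBSource dbi:mysql:radius:localhost:3306
#       DBUsername rad
#       AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='%{X-AD-Group}'
#       AuthColumnDef 0, User-Password, check
#       AuthColumnDef 1, GENERIC, reply
#   </AuthBy>
#
# GROUPSCRIBERS needs one row per group listed in @wanted plus a row named
# 'default' (step 5). REPLYATTR is a GENERIC list, so it can carry
# cisco-avpair more than once, e.g.
#   cisco-avpair="ip:inacl#1=...",cisco-avpair="ip:inacl#2=..."

sub {
    # PostSearchHook arguments as documented for AuthBy LDAP2 (assumed):
    # the AuthBy object, the user name, the request packet, the user object,
    # the Net::LDAP::Entry from the search, and the reply packet.
    my ($self, $name, $p, $user, $entry, $rp) = @_;

    # Groups we know how to map, most privileged first; the first match wins.
    # Only these literal names (or 'default') ever reach the SQL query, so
    # %{X-AD-Group} is safe in AuthSelect even though AuthSelect does not
    # SQL-quote it. Never copy raw LDAP values into a query string this way.
    my @wanted = ('FWVPN-Admins', 'FWVPN-Test');

    # Reduce each memberOf DN (CN=FWVPN-Test,OU=Groups,...) to its CN,
    # allowing backslash-escaped commas inside the CN.
    my %member;
    for my $dn ($entry->get_value('memberOf')) {
        next unless $dn =~ /^CN=((?:\\.|[^,])+)/i;
        (my $cn = $1) =~ s/\\(.)/$1/g;   # unescape \, \= and friends
        $member{lc $cn} = 1;
    }

    my ($group) = grep { $member{lc $_} } @wanted;
    $group = 'default' unless defined $group;   # step 5: fall back to the default row

    &main::log($main::LOG_DEBUG, "group-hook: $name mapped to group '$group'");
    $p->change_attr('X-AD-Group', $group);
    return;
}
```

In the Handler, pfldapGroups must run before SQLgroupcheck so that X-AD-Group is already set when AuthSelect is expanded; with the hook doing the group selection, the one-LDAP2-section-per-group pattern (pfldapFWVPN-Test, pfldapNonExistent) is no longer needed. Adding more groups is a matter of extending @wanted and inserting the matching GROUPSCRIBERS row.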