Re: ascend-data-filter info not returned with radtest?
On Tue, 18 Jan 2005, Scott Baker wrote:

> I'm attempting to do a global dial-up solution and they're requiring me to use the ascend-data-filter to open up outbound port 25. Simple enough. I've configured my users file to include the attributes they provided and it seems to be accepting the data. However, when I query the radius with radtest it returns odd results. In my users file I have four ADF lines, but only three are returned after the query. Also, some of the lines that are returned contain a trailing 0. I'm new to this abinary type so I'm not sure if this is expected behaviour or not.
>
> -- users --
>
> bakers  User-Password = passwd
>         Fall-Through = Yes
>
> DEFAULT
>         X-Ascend-Data-Filter += "ip in forward tcp est",
>         X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
>         X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
>         X-Ascend-Data-Filter += "ip in forward",
>         Simultaneous-Use = 1,
>         Session-Timeout = 28800,
>         Idle-Timeout = 3600,
>         Framed-Compression = Van-Jacobson-TCP-IP,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Propel-Accelerate = 0,
>         Framed-MTU = 576
>
> -- radtest output --
>
> [EMAIL PROTECTED] ~]# !radte
> radtest bakers scottb localhost 10 localhost
> Sending Access-Request of id 128 to 127.0.0.1:1812
>         User-Name = "bakers"
>         User-Password = "scottb"
>         NAS-IP-Address = snikt
>         NAS-Port = 10
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128, length=170
>         X-Ascend-Data-Filter = "ip in forward tcp est"
>         X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
>         X-Ascend-Data-Filter = "ip in forward 0"
>         Session-Timeout = 28800
>         Idle-Timeout = 3600
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Propel-Accelerate = 0
>         Framed-MTU = 576

Have you tried running freeradius in debug mode to see what the server is spitting out as well? Is it possible that a few of the attributes you are trying to send are not defined in the dictionary file and the radius server is ignoring those statements?

-j

- List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
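An added check for the question above (example code written for this page, not from the poster or from the FreeRADIUS project): it parses the users-file entry and the radtest dump as posted and reports which configured reply items never came back. Both inputs are embedded as constructed, slightly abridged copies of the fragments in the post; the set of server-side reply items that are never put on the wire is an assumption of this script. The finding a practitioner cares about is that, of the four filter lines, the one that does not come back is the drop rule for port 25. Ascend filters are applied in order, so with that rule gone the catch-all "ip in forward" behind it covers port-25 traffic too, which is why an attribute that silently fails to arrive is not cosmetic.

```python
import re

# Reply items the server consumes itself and never sends to the NAS.
# Assumption made for this check; add your own server-side items.
SERVER_SIDE = {"Fall-Through", "Simultaneous-Use"}

# Constructed, abridged copies of the two fragments in the post above.
USERS_FILE = """\
bakers  User-Password = passwd
        Fall-Through = Yes

DEFAULT
        X-Ascend-Data-Filter += "ip in forward tcp est",
        X-Ascend-Data-Filter += "ip in forward dstip 65.182.224.0/26",
        X-Ascend-Data-Filter += "ip in drop tcp dstport=25",
        X-Ascend-Data-Filter += "ip in forward",
        Simultaneous-Use = 1,
        Session-Timeout = 28800,
        Idle-Timeout = 3600,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 576
"""

RADTEST_OUTPUT = """\
Sending Access-Request of id 128 to 127.0.0.1:1812
        User-Name = "bakers"
        NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=128, length=170
        X-Ascend-Data-Filter = "ip in forward tcp est"
        X-Ascend-Data-Filter = "ip in forward dstip 65.182.224.0/26 0"
        X-Ascend-Data-Filter = "ip in forward 0"
        Session-Timeout = 28800
        Idle-Timeout = 3600
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-MTU = 576
"""

ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(\+=|:=|==|=)\s*("[^"]*"|[^,\s]+)')
ATTR_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')


def parse_users_entry(text, name):
    """Reply items of users-file entry `name`, in file order. An entry starts
    in column 0 with its name and check items; the indented, comma-separated
    lines that follow are its reply items."""
    items, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif not line[0].isspace():
            current = line.split(None, 1)[0]
        elif current == name:
            items += [(m.group(1), m.group(3).strip('"')) for m in ITEM_RE.finditer(line)]
    return items


def parse_access_accept(text):
    """Attributes radtest/radclient printed under the Access-Accept line.
    An Access-Reject yields an empty list, so every item then reads as missing."""
    attrs, in_reply = [], False
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Accept"):
            in_reply = True
        elif in_reply and (m := ATTR_RE.match(line)):
            attrs.append((m.group(1), m.group(2).strip().strip('"')))
    return attrs


def normalize(value):
    return " ".join(value.lower().split())


def find(received, attr, value, loose):
    """Index of a received attribute satisfying (attr, value), else None.
    Loose mode also accepts a received value that merely starts with the
    configured one, so extra trailing tokens (the `0` in the post) do not
    hide the filter line that is genuinely absent."""
    want = normalize(value)
    for i, (rattr, rvalue) in enumerate(received):
        got = normalize(rvalue)
        if rattr == attr and (got == want or (loose and got.startswith(want + " "))):
            return i
    return None


def check_reply(expected, received, loose=False):
    """Return (missing, unexpected): configured items that did not come back,
    and received attributes no configured item accounts for. Each received
    attribute satisfies at most one configured item; exact matches win."""
    remaining, missing = list(received), []
    for attr, value in expected:
        if attr in SERVER_SIDE:
            continue
        i = find(remaining, attr, value, False)
        if i is None and loose:
            i = find(remaining, attr, value, True)
        if i is None:
            missing.append((attr, value))
        else:
            del remaining[i]
    return missing, remaining


if __name__ == "__main__":
    expected = parse_users_entry(USERS_FILE, "DEFAULT")
    received = parse_access_accept(RADTEST_OUTPUT)
    for loose in (False, True):
        missing, extra = check_reply(expected, received, loose)
        print(f"loose={loose}: missing={missing} unexpected={extra}")
```

Run it against a real radtest/radclient transcript by replacing the two embedded strings; strict mode tells you exactly how the reply differs from the file, loose mode tells you which lines are absent altogether. Whether the trailing 0 is harmless is what the debug run suggested in the reply above would settle; this check only refuses to let it mask the missing drop rule.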
Re: Multiple NAS Vendors, one user-id?
On Thu, 6 Jan 2005, James Feger wrote:

> Okay, so I am a newbie with just enough knowledge to know this should work, and have spent a few hours reading all the different cool things RADIUS does for me. However, I can't get it to do what we need, and I am sure it's lack of experience. I have read the various FAQs and help files, but I must still be missing something.
>
> 1. Problem: We are using RADIUS to authenticate logins to routers. Not for PPP, dialup, etc., but for command line authentication for network engineers or admins. We are using more than one vendor, which means the attributes sent back to the NAS device are different.
>
> 2. What works so far: I have been able to create a basic users file and authenticate logins for my different vendor equipment. Logins work flawlessly, but using freeradius -X I notice the server is sending all attributes, even if they aren't for that vendor. This was expected, based on how I set the thing up:
>
>     USER    Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY,
>             Riverstone-User-Level = 15
>
> 3. What I did differently to keep that from happening: I created a huntgroup called BB that had a list of IPs for all the Junipers. So when I logged in to one of those devices the first entry in the users file was used. If I logged into a device not in the huntgroup list the second entry in the users file was used. This works, but it is sloppy, yes? :)
>
>     USER    Huntgroup-Name == BB, Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY
>
>     USER    Auth-Type = System
>             Riverstone-User-Level = 15
>
> 4. So how am I really supposed to make this work? :) I have been told to use realms, but everything I see makes it look like you have to put @something in the username. Is this true? If so, that defeats the purpose of one username.

Okay, so this is all working now, using MySQL as the grouping/user account DB. Many thanks go to Dustin Doris for all of his work. He pretty much created the solution and gave it to me to test in my environment.
I will post his solution, and my variation of it, which I picked because it seemed easier to maintain in our small shop.

1. The goal, as stated above, is to have the freeradius server reply with only the attributes the NAS vendor cares about, while allowing the users to have one login, and not rely on multiple realms. This was achieved with grouping. I will post Dustin's solution, which worked flawlessly, and then I will post my solution, which works, but is less reliant on the User-Profile settings.

--- Begin Dustin's solution ---

Ok, here is what I did. You'll have to modify it a bit to match your setup, but this is the basics.

I set up 2 users in radcheck. These will be my actual users.

mysql> select * from radcheck;
+----+----------+---------------+----+-------+
| id | UserName | Attribute     | op | Value |
+----+----------+---------------+----+-------+
|  1 | test1    | user-password | == | test1 |
|  2 | test2    | user-password | == | test2 |
+----+----------+---------------+----+-------+

I set up 4 users in usergroup. The first two put my actual users into a group. The other 2 are User-Profile users. They don't exist in radcheck, they are just there for reply attributes.

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | test1    | test1     |
|  2 | test2    | test2     |
|  3 | profile1 | profile1  |
|  4 | profile2 | profile2  |
+----+----------+-----------+

I set up two entries in radgroupreply. These entries are for my User-Profile users. These will tell freeradius what reply values to send back for those user-profile users.

mysql> select * from radgroupreply;
+----+-----------+--------------+----+----------------+------+
| id | GroupName | Attribute    | op | Value          | prio |
+----+-----------+--------------+----+----------------+------+
|  1 | profile1  | Cisco-AVPair | =  | profile 1 user |    0 |
|  2 | profile2  | Cisco-AVPair | =  | profile 2 user |    0 |
+----+-----------+--------------+----+----------------+------+

Now, in the users file I set up my checks and assign a user-profile based on it. These don't include huntgroups, for easy testing, but show you what to do. If the user that comes in is in the test1 group, assign the reply values for the profile1 user. If it comes in and is part of test2, assign the profile2 user reply values. **NOTE, that it ended up being Sql-Group, not just Group.

DEFAULT Sql-Group == "test1", User-Profile := "profile1"
DEFAULT Sql-Group == "test2", User-Profile := "profile2"

Now, I send my packets over with radclient.

# radclient localhost auth testing123
user-name = test1
user-password = test1
Received response ID 110, code 2, length = 42
        Cisco-AVPair = "profile 1 user"

# radclient localhost auth testing123
user-name = test2
user-password = test2
Received response ID 111, code 2, length = 42
        Cisco
Re: Multiple NAS Vendors, one user-id?
On Fri, 7 Jan 2005, Dustin Doris wrote:

>> On Fri, 7 Jan 2005, Dustin Doris wrote:
>>
>>> Maybe you can do groups. For example, set up an unlimited group and a read_only group. Then put the users into the appropriate group. Have your users file say something like:
>>>
>>> DEFAULT Huntgroup-Name == Juniper, Group == unlimited
>>>         Juniper-Local-User-Name = UNLIMITED
>>>
>>> DEFAULT Huntgroup-Name == Juniper, Group == read_only
>>>         Juniper-Local-User-Name = READ_ONLY
>>
>> This seems like the answer, but I am again being stupid and must be missing something. When I try to log in now, I get authenticated, but the attributes never get sent back. Here is what I have defined:
>>
>> DEFAULT Group == J-UNRESTRICTED, Huntgroup-Name == JUNIPER
>>         Juniper-Local-User-Name = UNRESTRICTED,
>>         Fall-Through = Yes
>>
>> DEFAULT Group == R-UNRESTRICTED, Huntgroup-Name == RIVERSTONE
>>         Riverstone-User-Level = 15,
>>         Fall-Through = Yes
>>
>> jfeger  Auth-Type = System
>>         Group = J-UNRESTRICTED
>>
>> In the huntgroups file:
>>
>> JUNIPER NAS-IP-Address == x.x.x.x
>>
>> (I took the IP out in this email)
>>
>> So, when I ssh to the IP of the NAS box and attempt to login, I get authenticated, but none of the attributes are sent back:
>>
>> rlm_realm: No '@' in User-Name = jfeger, looking up realm NULL
>> rlm_realm: No such realm NULL
>>   modcall[authorize]: module suffix returns noop for request 0
>>   rlm_eap: No EAP-Message, not doing EAP
>>   modcall[authorize]: module eap returns noop for request 0
>>     users: Matched jfeger at 34
>>   modcall[authorize]: module files returns ok for request 0
>> modcall: group authorize returns ok for request 0
>>   rad_check_password: Found Auth-Type System
>> auth: type System
>>   Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>>   modcall[authenticate]: module unix returns ok for request 0
>> modcall: group authenticate returns ok for request 0
>> Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
>> Sending Access-Accept of id 10 to X.X.X.X:2315
>> Finished request 0
>>
>> So, what am I missing, or have out of sequence? I have tried taking Fall-Through off, I have tried putting the Huntgroup before the Group, etc...
>>
>> Thanks,
>> James
>
> I think that you can't put the group a user is in in the users file. I would suggest putting your users and groups into some type of backend like mysql or ldap. I believe you could also get what you want in the password module, with something like what is in the etc_group module in the default radiusd.conf file. Or you can use the unix module and store all your users and groups in /etc/passwd, /etc/shadow, /etc/group. That would mean having local users on that machine, however.

Okay, so this seemed to work, but it was a little sloppy. I was able to add the local user (local on the *nix box) to a group called j-unrestricted, and it worked well. The downside: I am now managing users with the /etc/group file and the /etc/freeradius/users file. That is weak.

On to MySQL I have ventured. I have the basics up and running, but now I am at the part about simulating the users file in the MySQL DB. I used the standard db create script to get all the proper tables defined etc., and like I said, basic auth worked. However, how do I go about setting up DEFAULT to emulate what I have above? Does it go in 'radcheck', 'radreply', 'radgroupcheck', 'radgroupreply', etc.? I have found a few useful documents out there, and done some digging, but I am still not clear on how to define this stuff based on the functioning users file I had.

Thanks,
James
Re: Multiple NAS Vendors, one user-id?
On Fri, 7 Jan 2005, Dustin Doris wrote:

> Maybe you can do groups. For example, set up an unlimited group and a read_only group. Then put the users into the appropriate group. Have your users file say something like:
>
> DEFAULT Huntgroup-Name == Juniper, Group == unlimited
>         Juniper-Local-User-Name = UNLIMITED
>
> DEFAULT Huntgroup-Name == Juniper, Group == read_only
>         Juniper-Local-User-Name = READ_ONLY

This seems like the answer, but I am again being stupid and must be missing something. When I try to log in now, I get authenticated, but the attributes never get sent back. Here is what I have defined:

DEFAULT Group == J-UNRESTRICTED, Huntgroup-Name == JUNIPER
        Juniper-Local-User-Name = UNRESTRICTED,
        Fall-Through = Yes

DEFAULT Group == R-UNRESTRICTED, Huntgroup-Name == RIVERSTONE
        Riverstone-User-Level = 15,
        Fall-Through = Yes

jfeger  Auth-Type = System
        Group = J-UNRESTRICTED

In the huntgroups file:

JUNIPER NAS-IP-Address == x.x.x.x

(I took the IP out in this email)

So, when I ssh to the IP of the NAS box and attempt to login, I get authenticated, but none of the attributes are sent back:

rlm_realm: No '@' in User-Name = jfeger, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched jfeger at 34
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
Sending Access-Accept of id 10 to X.X.X.X:2315
Finished request 0

So, what am I missing, or have out of sequence? I have tried taking Fall-Through off, I have tried putting the Huntgroup before the Group, etc...

Thanks,
James
Multiple NAS Vendors, one user-id?
Okay, so I am a newbie with just enough knowledge to know this should work, and have spent a few hours reading all the different cool things RADIUS does for me. However, I can't get it to do what we need, and I am sure it's lack of experience. I have read the various FAQs and help files, but I must still be missing something.

1. Problem: We are using RADIUS to authenticate logins to routers. Not for PPP, dialup, etc., but for command line authentication for network engineers or admins. We are using more than one vendor, which means the attributes sent back to the NAS device are different.

2. What works so far: I have been able to create a basic users file and authenticate logins for my different vendor equipment. Logins work flawlessly, but using freeradius -X I notice the server is sending all attributes, even if they aren't for that vendor. This was expected, based on how I set the thing up:

    USER    Auth-Type = System
            Juniper-Local-User-Name = READ_ONLY,
            Riverstone-User-Level = 15

3. What I did differently to keep that from happening: I created a huntgroup called BB that had a list of IPs for all the Junipers. So when I logged in to one of those devices the first entry in the users file was used. If I logged into a device not in the huntgroup list the second entry in the users file was used. This works, but it is sloppy, yes? :)

    USER    Huntgroup-Name == BB, Auth-Type = System
            Juniper-Local-User-Name = READ_ONLY

    USER    Auth-Type = System
            Riverstone-User-Level = 15

4. So how am I really supposed to make this work? :) I have been told to use realms, but everything I see makes it look like you have to put @something in the username. Is this true? If so, that defeats the purpose of one username.

PS - My first attempt to send this got blocked due to me sending it from the wrong email address, sorry for the DUP if the original actually makes it past moderation.

Thanks,
James
Re: Multiple NAS Vendors, one user-id?
On Thu, 6 Jan 2005, Dustin Doris wrote:

> Why don't you make some default entries up front and allow fall-through? For example:
>
> DEFAULT Huntgroup-Name == x
>         Reply-Attribute = X,
>         Fall-Through = yes
>
> DEFAULT Huntgroup-Name == y
>         Reply-Attribute = y,
>         Fall-Through = yes
>
> USER    User-Password == password
> USER2   User-Password == password2
>
> Then the reply attributes are defined for each huntgroup, not for each user.

This seems like an excellent idea, and I was about to implement this when I came across the next issue. :) Each username for the Juniper authentication is sending Juniper-Local-User-Name attributes back. Not all of the Juniper-Local-User-Names are going to be the same. Example:

USER1   Auth-Type = System
        Juniper-Local-User-Name = UNRESTRICTED,
        Riverstone-User-Level = 15

USER2   Auth-Type = System
        Juniper-Local-User-Name = READ_ONLY,
        Riverstone-User-Level = 15

So, with this said, if I used the DEFAULT for each huntgroup with fall-through, I still end up with either two user entries for each vendor, or sending all attributes under the one username. Someone previously mentioned this isn't bad, but I just think it's dirty. :) Is this acceptable, or is there a better way? I'm thinking along the lines of an if statement logic... but I don't know how to set that up.

If Huntgroup = Juniper Then send only Juniper Attributes
If Huntgroup = Riverstone Then send only Riverstone Attributes

Am I smoking the good stuff or is this doable?

Thanks,
James
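The huntgroup-plus-group layout this thread converges on, modelled as an added Python example (written for this page; it is not FreeRADIUS code and not the posters' configuration). It walks a users file the way the files module does for the pieces the thread relies on: DEFAULT entries, == check items on Huntgroup-Name and Sql-Group, Fall-Through, and the rule that the first matching entry without Fall-Through ends the walk. The huntgroup addresses, group table and the second user name are constructed (the posts redact the real NAS addresses); Sql-Group is resolved from an in-memory dict standing in for the usergroup table, the Group check against /etc/group from the earlier replies is the same lookup against a different table, and Auth-Type is left out because it selects how the password is checked rather than whether an entry matches. It contrasts the one-entry-per-user layout from the original post, where a Juniper login also receives Riverstone-User-Level, with per-huntgroup DEFAULT entries, and shows why the per-user entries have to come after them.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One users-file entry: "name  check items" followed by reply items."""
    name: str                    # "DEFAULT" or a User-Name
    check: dict                  # check items, all compared with ==
    reply: list                  # (attribute, value) reply items
    fall_through: bool = False   # Fall-Through = Yes


# Constructed stand-ins, not data from the thread (its NAS addresses are
# redacted): the huntgroups file maps a huntgroup name to NAS addresses ...
HUNTGROUPS = {"JUNIPER": {"192.0.2.10"}, "RIVERSTONE": {"192.0.2.20"}}
# ... and this dict stands in for the usergroup table that rlm_sql consults
# when a check item names Sql-Group.
SQL_GROUPS = {
    "jfeger": {"J-UNRESTRICTED", "R-UNRESTRICTED"},
    "auditor": {"J-READ_ONLY"},
}

# Layout from the original post: one entry per user carrying every vendor's
# attribute, so each NAS also receives the other vendor's item.
ONE_ENTRY_PER_USER = [
    Entry("jfeger", {}, [("Juniper-Local-User-Name", "UNRESTRICTED"),
                         ("Riverstone-User-Level", "15")]),
]

# Layout the thread arrives at: vendor attributes hang off DEFAULT entries
# keyed by huntgroup and group; per-user entries carry nothing vendor-specific.
PER_HUNTGROUP = [
    Entry("DEFAULT", {"Huntgroup-Name": "JUNIPER", "Sql-Group": "J-UNRESTRICTED"},
          [("Juniper-Local-User-Name", "UNRESTRICTED")], fall_through=True),
    Entry("DEFAULT", {"Huntgroup-Name": "JUNIPER", "Sql-Group": "J-READ_ONLY"},
          [("Juniper-Local-User-Name", "READ_ONLY")], fall_through=True),
    Entry("DEFAULT", {"Huntgroup-Name": "RIVERSTONE", "Sql-Group": "R-UNRESTRICTED"},
          [("Riverstone-User-Level", "15")], fall_through=True),
    Entry("jfeger", {}, []),
    Entry("auditor", {}, []),
]


def huntgroups_for(nas_ip):
    return {hg for hg, nases in HUNTGROUPS.items() if nas_ip in nases}


def check_matches(attr, wanted, request):
    """Evaluate one `attr == wanted` check item. Huntgroup-Name and Sql-Group
    are not in the packet; like the server, derive them from the NAS address
    and the group table."""
    if attr == "Huntgroup-Name":
        return wanted in huntgroups_for(request["NAS-IP-Address"])
    if attr == "Sql-Group":
        return wanted in SQL_GROUPS.get(request["User-Name"], set())
    return request.get(attr) == wanted


def authorize(users, request):
    """Walk the users file top to bottom, collecting reply items from every
    matching entry until one without Fall-Through matches. Returns None when
    nothing matched: the files module then contributes no reply items and no
    Auth-Type, and the login fails unless another module supplies one."""
    reply, matched = [], False
    for entry in users:
        if entry.name != "DEFAULT" and entry.name != request["User-Name"]:
            continue
        if not all(check_matches(a, v, request) for a, v in entry.check.items()):
            continue
        matched = True
        reply.extend(entry.reply)
        if not entry.fall_through:
            break
    return reply if matched else None


def reply_for(users, user, nas_ip):
    """Reply items the NAS at nas_ip would receive for a login by user."""
    return authorize(users, {"User-Name": user, "NAS-IP-Address": nas_ip})


if __name__ == "__main__":
    for users, label in ((ONE_ENTRY_PER_USER, "one entry per user"),
                         (PER_HUNTGROUP, "per huntgroup")):
        for user in ("jfeger", "auditor"):
            for nas in ("192.0.2.10", "192.0.2.20"):
                print(f"{label:18} {user:8} -> {nas}: {reply_for(users, user, nas)}")
```

Moving the per-user entries above the DEFAULT entries reproduces the "authenticated, but no attributes" symptom from the thread: the user's own entry matches first and, having no Fall-Through, ends the walk before any huntgroup entry is consulted. The same walk also shows the cost of the layout that is being retired: every Juniper receives a Riverstone privilege level it cannot interpret, and every Riverstone receives a Juniper login class, which is exactly the cross-vendor leakage the per-huntgroup entries remove.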