Re: FreeRadius + AD + Realms

2010-07-05 Thread Matthew P

> $ man unlang
>
>   This says put the string %{1} as the value of Stripped-User-Name.
>
>   See the data types' section of the manual page, and the strings section.
Got it ;)
Thanks for your help, fixed now.

btw. the unlang way is quite a bit more flexible than the legacy module way.
Was this problem even possible to solve without using unlang? (using FreeRADIUS
1.x for an example)
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + AD + Realms

2010-07-05 Thread Alan DeKok
Matthew P wrote:
> btw. the unlang way is quite a bit more flexible than the legacy module way.

  Yes.  That's why it was written.  But there is still a need for the
modules.

> Was this problem even possible to solve without using unlang? (using
> FreeRADIUS 1.x for an example)

  Likely not.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-04 Thread Matthew P

> > In a general regexp language, I guess that could be done with
> > ([\w.-]+)(?...@.*).
>
>   Most regexes don't support \w, or (?... constructs.
>
>   Keep it simple:
>
> if (User-Name =~ /^(.*)@(.*)$/) {
>     # name = %{1}
>     # realm = %{2}
> }
Makes sense now :) Thanks.
man regex is written mostly descriptively; it's much easier to understand from
examples like these than on weeknights :D

But I guess I missed the point of doing it this way, because:

if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}

doesn't work ^^
It gives:
rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...

Also, I tried to apply this directly in the ldap module configuration;
different outcome, but it also doesn't work.

Where did I go wrong? -_-
  


Re: FreeRadius + AD + Realms

2010-07-04 Thread Alan DeKok
Matthew P wrote:
> But I guess I missed the point of doing it this way, because:
>
> if (User-Name =~ /@mydomain.com/) {
>     if (User-Name =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name = %{1}

$ man unlang

  This says put the string %{1} as the value of Stripped-User-Name.

  See the data types' section of the manual page, and the strings
section.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Alan DeKok
Matthew P wrote:
> Although, now a new problem arose - I can't seem to get the (stripped)
> username in the inner-tunnel with preprocess.
> So the username stays in the form - u...@mydomain.com, but that isn't
> usable for an LDAP search (on the AD).

  So... decode the user-name using a regex.  You can then use that in
the LDAP configuration.  The LDAP user search is configurable for a
*reason*.

> Because there are realms involved in the scenario.
> If the realm is mydomain.com then radius needs to look up a user in AD.
> If the realm is mydomain2.com then it needs to consult sql.
> Otherwise it should proxy the request to a home server.
>
> What would be a proper way to do this? I thought setting up a virtual server
> for every scenario is the way to go?

  It's an option, but not the only way to do it.


if (User-Name =~ /@mydomain.com/) {
    ldap
}
elsif (User-Name =~ /@mydomain2.com/) {
    sql
}
else {
    update control {
        Proxy-To-Realm := other
    }
}

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Matthew P

Thanks for your help, Alan; it really makes a difference when learning about
FreeRADIUS configuration.

>   So... decode the user-name using a regex.  You can then use that in
> the LDAP configuration.  The LDAP user search is configurable for a
> *reason*.
I forgot to mention that I need the user portion of u...@mydomain.com for
sql too.
u...@mydomain.com only needs to be sent to the home server (in case the user
doesn't have @mydomain.com or @mydomain2.com). In other words, both AD
and DB contain usernames, without any realms.
I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem
to figure out how to make the logic - take everything before @ as a username.
So please help.
In a general regexp language, I guess that could be done with
([\w.-]+)(?...@.*).

>   It's an option, but not the only way to do it.
>
> if (User-Name =~ /@mydomain.com/) {
>     ldap
> }
> elsif (User-Name =~ /@mydomain2.com/) {
>     sql
> }
> else {
>     update control {
>         Proxy-To-Realm := other
>     }
> }
Works nicely, thanks for this hint.

Matthew
  


Re: FreeRadius + AD + Realms

2010-07-03 Thread Alan DeKok
Matthew P wrote:
> I forgot to mention that I need the user portion of u...@mydomain.com for
> sql too.
> u...@mydomain.com only needs to be sent to the home server (in case the
> user doesn't have @mydomain.com or @mydomain2.com). In other words,
> both AD and DB contain usernames, without any realms.
> I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't
> seem to figure out how to make the logic - take everything before @ as a
> username. So please help.

  See man regex for the regex format.

> In a general regexp language, I guess that could be done with
> ([\w.-]+)(?...@.*).

  Most regexes don't support \w, or (?... constructs.

  Keep it simple:

if (User-Name =~ /^(.*)@(.*)$/) {
    # name = %{1}
    # realm = %{2}
}

  Alan DeKok.
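The regex capture above and the realm routing from Alan's other 2010-07-03 reply, combined into one corrected inner-tunnel authorize section, as an added example that is not code from the thread. It assumes the default FreeRADIUS 2.x inner-tunnel layout and that ldap, sql and a realm named other are configured; the %{1} reference is written as a quoted string, which is the point made in the 2010-07-04 reply about the literal %{1} showing up in the ldap debug output.

```unlang
# Added example, not from the thread. Assumes the stock 2.x inner-tunnel
# virtual server, an "ldap" module pointed at AD, an "sql" module, and a
# realm named "other" in proxy.conf.
authorize {
    # Split user@realm. The captures must be referenced as quoted strings:
    # an unquoted %{1} stores the literal text "%{1}" in the attribute,
    # which is what the "performing user authorization for %{1}" line shows.
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name := "%{1}"
            Realm := "%{2}"
        }
    }

    # The stock ldap filter and sql_user_name both prefer Stripped-User-Name
    # over User-Name, so the modules below search for the bare name.
    # Anchoring on "$" keeps "mydomain.com" from matching as a prefix of a
    # longer, unrelated realm.
    if (User-Name =~ /@mydomain\.com$/) {
        ldap
    }
    elsif (User-Name =~ /@mydomain2\.com$/) {
        sql
    }
    else {
        # No local realm: hand the request to the home server for "other".
        update control {
            Proxy-To-Realm := other
        }
    }
}
```

Check the result in debug mode (radiusd -X): the ldap line should now read "performing user authorization for user" rather than for %{1}.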


Re: FreeRadius + AD + Realms

2010-07-02 Thread Matthew P

> realm mydomain.com {
>     auth_pool = active_directory
>
>   You'll need a line:
>
>     nostrip
>
>   To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default
server and EAP works.
Although, now a new problem arose - I can't seem to get the (stripped)
username in the inner-tunnel with preprocess.
So the username stays in the form - u...@mydomain.com, but that isn't usable
for an LDAP search (on the AD).

(btw. if I test without the realm portion of the scenario, i.e. with AD as the
only source of authentication, it works)

>   i.e. it doesn't proxy it.
>
>   This *does* work in 2.1.9.  So which version are you running?
I'm sorry, it was my mistake. I configured proxy_requests = no, because I
thought it was meant for a server that was only proxying requests from other
sources (since this option opens a special proxying listening port).
Fixed now, proxying to the virtual server works.

>   And why are you creating this complicated configuration?  The
> inner-tunnel virtual server is set up *precisely* for this kind of
> authentication.  You do EAP in the default server.  Then, the
> inner-tunnel server gets the PAP password, and you can configure it to
> look the user up in AD there.
Because there are realms involved in the scenario.
If the realm is mydomain.com then radius needs to look up a user in AD.
If the realm is mydomain2.com then it needs to consult sql.
Otherwise it should proxy the request to a home server.

What would be a proper way to do this? I thought setting up a virtual server
for every scenario is the way to go?

TIA!
  


FreeRadius + AD + Realms

2010-06-30 Thread Matthew P

Hello everyone!

I'm new to FreeRadius, so please bear with me. :)

Goal: Make FreeRADIUS look up a user in Active Directory if he has the
mydomain.com domain.
Used method: EAP/TTLS (PAP in the tunnel)

This is how I've done it, but it doesn't give the wanted results, so please
explain a bit. :)
(it doesn't seem to load the local_ad virtual server configuration, which I
placed in the sites-enabled directory; it seems to just carry on executing the
default server)

parts from proxy.conf:
proxy server {
    default_fallback = no
}

home_server localhost_ad {
    type = auth
    virtual_server = local_ad
}

home_server_pool active_directory {
    type = fail-over
    virtual_server = local_ad
    home_server = localhost_ad
}

realm mydomain.com {
    auth_pool = active_directory
}

And the output:
rad_recv: Access-Request packet from host 192.168.0.101 port 1812, id=8,
length=138
NAS-IP-Address = 192.168.0.101
NAS-Port-Type = Async
User-Name = u...@mydomain.com
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = 00-11-22-33-44-55
EAP-Message =
0x021d016a73691d756e646363406c73732d6e65542e6c73732e6872
Message-Authenticator = 0x10017179767a5ab6718168e8399c8993
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Looking up realm mydomain.com for User-Name = 
u...@mydomain.com
rlm_realm: Found realm mydomain.com
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Adding Realm = mydomain.com
rlm_realm: Proxying request from user user to realm mydomain.com
rlm_realm: Preparing to proxy authentication request to realm mydomain.com
++[suffix] returns updated
  rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing 
EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
There was no response configured: rejecting request 0
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - u...@mydomain.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

Thanks in advance!
  


Re: FreeRadius + AD + Realms

2010-06-30 Thread Alan DeKok
Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)

  Good questions are a very good start.

> Goal: Make FreeRADIUS look up a user in Active Directory if he has the
> mydomain.com domain.
> Used method: EAP/TTLS (PAP in the tunnel)
>
> This is how I've done it, but it doesn't give the wanted results, so please
> explain a bit. :)
> (it doesn't seem to load the local_ad virtual server configuration, which
> I placed in the sites-enabled directory; it seems to just carry on executing
> the default server)

  If you read the start of the debug output, it *should* show it loading
the local_ad virtual server.  The output below shows it not *proxying*
the request to the local_ad virtual server.


> realm mydomain.com {
>     auth_pool = active_directory

  You'll need a line:

    nostrip

  To avoid EAP identity issues.
...
> rlm_realm: Preparing to proxy authentication request to realm
> mydomain.com
> ++[suffix] returns updated
>   rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing
> EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0

  i.e. it doesn't proxy it.

  This *does* work in 2.1.9.  So which version are you running?

  And why are you creating this complicated configuration?  The
inner-tunnel virtual server is set up *precisely* for this kind of
authentication.  You do EAP in the default server.  Then, the
inner-tunnel server gets the PAP password, and you can configure it to
look the user up in AD there.

  In fact, you should only need to do the following:

* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

  The default configuration is designed to work in the widest possible
set of circumstances, with a minimal set of changes required to add any
common functionality.

  Alan DeKok.