Re: How can I change proxy based on username?
On Tue, 2013-03-26 at 14:08 +0100, Olivier Beytrison wrote:
> You could also use the preproxy_users which allow you to rewrite the
> request before it is proxied. It contains the exact example for your case.
>
Hello,

Many thanks for that, I had overlooked that file. I am pleased to say that by enabling the DEFAULT example in the file (and correcting it slightly), it worked fine :-)

Debug output from radiusd showed that the format 'jblo...@plymouth.ac.uk' was proxied with the realm NULL and using the Stripped-User-Name attribute (which we set in the policy.conf file). This is exactly what we wanted, and it didn't break EAP. I also checked the other formats that we wanted to allow, and they all worked fine too.

I'll do further testing tomorrow, but it looks good.

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287   Fax: +44 (0)1752 587001

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How can I change proxy based on username?
Hi,

just add more global UPNs - the AD can authenticate any domain if the username is okay.

alan
Re: How can I change proxy based on username?
On Tue, 2013-03-26 at 15:35 +, Phil Mayers wrote:
> On 26/03/2013 15:12, John Horne wrote:
> >> What is the upstream proxy?
> >>
> > Microsoft domain controller (DC).
>
> As in, Microsoft NPS running on a DC?
>
As far as I know, yes. I don't deal with the Microsoft side of this.

> Just to check I understand you - you currently have an NPS instance that
> will successfully authenticate:
>
> jbloggs
> j.bloggs@domain
>
> ...but fails on:
>
> jbloggs@domain
>
> Correct?
>
No. At present it will authenticate 'jbloggs' and 'jbloggs@domain'. We want to have it authenticate 'jbloggs' and 'j.bloggs@domain', but because 'jbloggs@domain' currently works, we need to cater for it but have to do this by stripping the realm (so it becomes just 'jbloggs').

Don't ask me 'why'; I gather that the DC can recognise a userid (such as 'jbloggs') and the UPN ('j.bloggs@domain'), but it cannot recognise three formats. So we need to change 'jbloggs@domain' to just 'jbloggs'. Trying to change 'jbloggs@domain' to 'j.bloggs@domain' may be possible, but we would have to start doing LDAP lookups to dig out the info. Secondly, of course, we would be changing the 'User-Name' sent to the DC, so I assume EAP would break again.

> > However, we have to cater for a mixed format of
> > 'jblo...@plymouth.ac.uk', which is currently used by some users and
> > working. To do this we need to strip off the realm so that the DC will
> > recognise just the userid part ('jbloggs').
>
> But as you say, this ought to cause EAP failures, so it's useless?
>
If I can't get 'jbloggs@domain' stripped of the domain, then yes it could all be useless.

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287   Fax: +44 (0)1752 587001
Re: How can I change proxy based on username?
On 26/03/2013 15:12, John Horne wrote:
>> What is the upstream proxy?
>>
> Microsoft domain controller (DC).

As in, Microsoft NPS running on a DC?

>> Can you explain why you want to do this? Obviously it's possible to
>> manipulate the packet in many ways, but your goal may be best
>> accomplished via a different route.
>>
> The DC will recognise a user's userid (e.g. 'jbloggs') provided it has
> no realm. It will also recognise (what I think is the UPN?) which is of
> the form 'j.blo...@plymouth.ac.uk'.

Well, this depends on how you have your AD setup.

Basically, this whole area is a nest of vipers. It's a complete pain because Windows is inconsistent about when you have to use a samAccountName, when you may use a userPrincipalName, and it's complicated even further by the fact that mschap mixes the username (but not any domain prefix/suffix) into the challenge/response crypto, so the server has to know which "username" you used.

Just to check I understand you - you currently have an NPS instance that will successfully authenticate:

jbloggs
j.bloggs@domain

...but fails on:

jbloggs@domain

Correct?

> However, we have to cater for a mixed format of
> 'jblo...@plymouth.ac.uk', which is currently used by some users and
> working. To do this we need to strip off the realm so that the DC will
> recognise just the userid part ('jbloggs').

But as you say, this ought to cause EAP failures, so it's useless?
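To make Phil's point about mschap concrete, here is an added example (not code from this thread, from FreeRADIUS or from NPS) that implements ChallengeHash() from RFC 2759 section 8.2 and checks whether a given User-Name rewrite leaves the 8-octet challenge, and so the NT-Response verification, unchanged. It goes a little beyond the thread: per the RFC only a prepended 'DOMAIN\' part is excluded from the hash, so a prefix rewrite is transparent while stripping a realm suffix is not. The two 16-octet challenges are constructed values.

```python
import hashlib

# Constructed 16-octet challenges (in a real exchange each side picks its own
# random value); they only need to be the same on both sides of the check.
AUTH_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PEER_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def strip_nt_domain_prefix(user_name: str) -> str:
    """RFC 2759 feeds only the user name, excluding any prepended
    'DOMAIN\\' part, into ChallengeHash(). A realm suffix is kept."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2:
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges must be 16 octets")
    name = strip_nt_domain_prefix(user_name).encode("utf-8")
    return hashlib.sha1(peer_challenge + auth_challenge + name).digest()[:8]


def rewrite_is_transparent(name_peer_used: str, name_server_sees: str) -> bool:
    """True when the server, recomputing the challenge from the User-Name it
    receives, derives the same 8 octets the peer used. If False, the
    NT-Response the peer sent cannot verify, whatever the password was."""
    peer = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name_peer_used)
    server = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name_server_sees)
    return peer == server


def classify_rewrites(name_peer_used: str, candidates: list) -> dict:
    """Map each candidate proxied User-Name to whether MS-CHAPv2 survives it."""
    return {c: rewrite_is_transparent(name_peer_used, c) for c in candidates}


if __name__ == "__main__":
    # The formats discussed in the thread, plus an NT-style domain prefix.
    original = "jbloggs@plymouth.ac.uk"
    results = classify_rewrites(original, ["jbloggs",
                                           "j.bloggs@plymouth.ac.uk",
                                           "PLYMOUTH\\jbloggs@plymouth.ac.uk"])
    for sent, ok in results.items():
        verdict = "transparent" if ok else "breaks MS-CHAPv2"
        print(f"{original!r} proxied as {sent!r}: {verdict}")
```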
Re: How can I change proxy based on username?
On Tue, 2013-03-26 at 14:13 +, Phil Mayers wrote:
> On 26/03/2013 12:50, John Horne wrote:
> > Hello,
> >
> > Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> > request to a remote server but using a different User-Name attribute
> > based on the original request User-Name attribute.
>
> You can do this, but it might break things because you're using EAP.
>
Yes, it seems that just changing the 'User-Name' attribute results in authentication failures (no doubt due to EAP breaking).

> What is the upstream proxy?
>
Microsoft domain controller (DC).

> Can you explain why you want to do this? Obviously it's possible to
> manipulate the packet in many ways, but your goal may be best
> accomplished via a different route.
>
The DC will recognise a user's userid (e.g. 'jbloggs') provided it has no realm. It will also recognise (what I think is the UPN?) which is of the form 'j.blo...@plymouth.ac.uk'. However, we have to cater for a mixed format of 'jblo...@plymouth.ac.uk', which is currently used by some users and working. To do this we need to strip off the realm so that the DC will recognise just the userid part ('jbloggs').

(For completeness, the format 'j.bloggs' with no realm is not allowed by us and rejected.)

John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287   Fax: +44 (0)1752 587001
Re: How can I change proxy based on username?
On 26/03/2013 12:50, John Horne wrote:
> Hello,
>
> Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> request to a remote server but using a different User-Name attribute
> based on the original request User-Name attribute.

You can do this, but it might break things because you're using EAP.

What is the upstream proxy? If it's FreeRADIUS as well, it will definitely break, as FR will detect the User-Name is not equal to the EAP identity and assume something has gone wrong.

Can you explain why you want to do this? Obviously it's possible to manipulate the packet in many ways, but your goal may be best accomplished via a different route.
Re: How can I change proxy based on username?
On 26.03.2013 13:50, John Horne wrote:
> Hello,
>
> Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> request to a remote server but using a different User-Name attribute
> based on the original request User-Name attribute.
>
> For example so that:
> Request 'j.blo...@plymouth.ac.uk' gets proxied to remote server with
> User-Name="j.blo...@plymouth.ac.uk" in the proxy request.
> Request 'jblo...@plymouth.ac.uk' gets proxied to the same remote server
> but uses the User-Name="jbloggs" attribute (so no realm) in the proxy
> request.
>
> So basically if a username contains a dot, then proxy on the whole thing
> (username and realm). But if the username does not contain a dot, then
> only proxy on the username, no realm.
>
> I have been trying in the authorize section to use:
>
> =
> if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
>         if (User-Name =~ /^([^.]+)@/) {
>                 update control {
>                         Proxy-To-Realm := NULL
>                 }
>         }
> }
> =
>
> The NULL realm will 'strip' the username, and proxy the request to the
> remote server. However, testing shows that the User-Name being sent is
> the original one still with the realm:

If the NULL realm is set to strip, then the stripped user name will be stored in the attribute "Stripped-User-Name". User-Name will remain untouched.

After your update control, you can do:

update request {
        # double-quoted so the %{...} expansion is performed
        User-Name := "%{Stripped-User-Name:-%{User-Name}}"
}

You could also use the preproxy_users which allow you to rewrite the request before it is proxied. It contains the exact example for your case.

Olivier

-- 
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
How can I change proxy based on username?
Hello,

Using Freeradius 2.1.10 I have been trying to see if I can proxy a request to a remote server but using a different User-Name attribute based on the original request User-Name attribute.

For example so that:
Request 'j.blo...@plymouth.ac.uk' gets proxied to remote server with User-Name="j.blo...@plymouth.ac.uk" in the proxy request.
Request 'jblo...@plymouth.ac.uk' gets proxied to the same remote server but uses the User-Name="jbloggs" attribute (so no realm) in the proxy request.

So basically if a username contains a dot, then proxy on the whole thing (username and realm). But if the username does not contain a dot, then only proxy on the username, no realm.

I have been trying in the authorize section to use:

=
if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
        if (User-Name =~ /^([^.]+)@/) {
                update control {
                        Proxy-To-Realm := NULL
                }
        }
}
=

The NULL realm will 'strip' the username, and proxy the request to the remote server. However, testing shows that the User-Name being sent is the original one still with the realm:

=
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++- entering if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {...}
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (User-Name =~ /^([^.]+)@/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++- entering if (User-Name =~ /^([^.]+)@/) {...}
Tue Mar 26 12:31:07 2013 : Debug: [control] returns updated
Tue Mar 26 12:31:07 2013 : Debug: +++- if (User-Name =~ /^([^.]+)@/) returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++- if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++[local_mschap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: [eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
Tue Mar 26 12:31:07 2013 : Debug: ++[eap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[files] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[expiration] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[logintime] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[pap] returns noop
...
Tue Mar 26 12:31:07 2013 : Debug: Sending Access-Request packet to host 141.163.1.180 port 1812, id=140, length=191
Tue Mar 26 12:31:07 2013 : Debug:       User-Name = "jblo...@plymouth.ac.uk"
Tue Mar 26 12:31:07 2013 : Debug:       NAS-IP-Address = 127.0.0.1
Tue Mar 26 12:31:07 2013 : Debug:       Calling-Station-Id = "02-00-00-00-00-01"
Tue Mar 26 12:31:07 2013 : Debug:       Framed-MTU = 1400
Tue Mar 26 12:31:07 2013 : Debug:       NAS-Port-Type = Wireless-802.11
Tue Mar 26 12:31:07 2013 : Debug:       Connect-Info = "CONNECT 11Mbps 802.11b"
Tue Mar 26 12:31:07 2013 : Debug:       EAP-Message = 0x020c00261900170301001b3fb7e62a2e47d33ede49271ebc0c70dc92c4a82ac889c9b1867ddc
Tue Mar 26 12:31:07 2013 : Debug:       State = 0x28af050f013700018da3c9b400035b2fcad100
Tue Mar 26 12:31:07 2013 : Debug:       Message-Authenticator = 0x
Tue Mar 26 12:31:07 2013 : Debug:       Realm = "plymouth.ac.uk"
Tue Mar 26 12:31:07 2013 : Debug:       EAP-Type = PEAP
Tue Mar 26 12:31:07 2013 : Debug:       Proxy-State = 0x3132
=

As the output shows 'Request is supposed to be proxied to Realm NULL', so the authorize bit seems to be working, but the realm is not being stripped from the username.

The proxy.conf file simply has:

=
realm NULL {
        auth_pool = local_proxies
}
=

So the realm should be stripped from the username. Anyone any ideas about this?

Thanks,

John.

-- 
John Horne                       Tel: +44 (0)1752 587287
Plymouth University, UK          Fax: +44 (0)1752 587001