Re: Local groups in FreeRadius ?
Alan,

I'm using the man rlm_passwd examples and the examples within radiusd.conf and still I can't manage to make User-Group membership work. Here's my config:

In radiusd.conf:

    passwd MyGroup {
        filename = /etc/MyGroup
        format = ~Group-Name:::*,User-Name
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = :
    }

    # Similar configuration, for the /etc/group file.  Adds a Group-Name
    # attribute for every group that the user is member of.
    #
    #passwd etc_group {
    #    filename = /etc/group
    #    format = =Group-Name:::*,User-Name
    #    hashsize = 50
    #    ignorenislike = yes
    #    allowmultiplekeys = yes
    #    delimiter = :
    #}

My /etc/MyGroup file:

    FIGrp:::*,Ami
    FIGrp:::*,John

My users file:

    Ami     Auth-Type := Local, Pool-Name := FITest, User-Password == ami123
            Reply-Message = "Hello, %u",
            Service-Type = Framed-User,
            Framed-Protocol = PPP

    FIGrp   Auth-Type := Local
            Reply-Message = "Hello from Group, %u"

My dictionary file:

    #ATTRIBUTE  My-Local-String   3000  string
    #ATTRIBUTE  My-Local-IPAddr   3001  ipaddr
    #ATTRIBUTE  My-Local-Integer  3002  integer
    ATTRIBUTE   My-Group          3003  string

When I start radiusd -X:

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /usr/local/var
    main: logdir = /usr/local/var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /usr/local/var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /usr/local/var/log/radius/radius.log
    main: log_auth = yes
    main: log_auth_badpass = yes
    main: log_auth_goodpass = yes
    main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
    main: user = (null)
    main: group = (null)
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = (null)
    unix: group = (null)
    unix: radwtmp = /usr/local/var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
    preprocess: hints = /usr/local/etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = /usr/local/etc/raddb/users
    files: acctusersfile = /usr/local/etc/raddb/acct_users
    files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    files: compat = no
    Module: Instantiated files (files)
    Module: Loaded
Re: Local groups in FreeRadius ?
Ami Schieber wrote:
> passwd MyGroup {
>     filename = /etc/MyGroup
>     format = ~Group-Name:::*,User-Name
>     hashsize = 50
>     ignorenislike = yes
>     allowmultiplekeys = yes
>
> My /etc/MyGroup file :
>
> FIGrp:::*,Ami
> FIGrp:::*,John

No. The ',' prefixing the key in the format means that more than one value exists in that field, separated by commas, like the /etc/group file. The man page is quite specific. Your file would need to read:

    FIGrp:::Ami,John

The man rlm_passwd docs are pretty specific about that example: "Parse a file similar to the /etc/group file."

If you're generating the file yourself, you can use a simpler format:

    passwd mygroup {
        filename = /etc/mygroup
        format = ~Group-Name:*User-Name
        hashsize = 50
        allowmultiplekeys = yes
    }

...and:

    group:user1
    group:user2
    othergroup:user3

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Local groups in FreeRadius ?
Phil,

Thanks for your help. Can you also explain what format the users file should use? Currently, I've tried:

    Ami     User-Password == ami123
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Fall-Through = Yes

    FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
            Reply-Message = "Hello from Group FIGrp, %u"

    DEFAULT Pool-Name := main_pool, Auth-Type := Local
            Fall-Through = Yes

and my dictionary file has:

    ATTRIBUTE  MyGroup-Name  3003  string

while my /etc/FIGroup file has the following:

    FIGrp:Ami

and my radiusd.conf has:

    passwd MyGroup {
        filename = /usr/local/etc/raddb/FIGroup
        format = ~MyGroup-Name:*User-Name
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = :
    }

I'm still unable to see a match to the Group entry when I run radiusd -X, but only to the user and to DEFAULT entries:

    users: Matched entry Ami at line 1
    users: Matched entry DEFAULT at line 20

Thanks again,
Ami

On 8/28/06, Phil Mayers [EMAIL PROTECTED] wrote:
> Ami Schieber wrote:
> > passwd MyGroup {
> >     filename = /etc/MyGroup
> >     format = ~Group-Name:::*,User-Name
> >     hashsize = 50
> >     ignorenislike = yes
> >     allowmultiplekeys = yes
> >
> > My /etc/MyGroup file :
> >
> > FIGrp:::*,Ami
> > FIGrp:::*,John
>
> No. The ',' prefixing the key in the format means that more than one value exists in that field, separated by commas, like the /etc/group file. The man page is quite specific. Your file would need to read:
>
>     FIGrp:::Ami,John
>
> The man rlm_passwd docs are pretty specific about that example: "Parse a file similar to the /etc/group file."
>
> If you're generating the file yourself, you can use a simpler format:
>
>     passwd mygroup {
>         filename = /etc/mygroup
>         format = ~Group-Name:*User-Name
>         hashsize = 50
>         allowmultiplekeys = yes
>     }
>
> ...and:
>
>     group:user1
>     group:user2
>     othergroup:user3
Re: Local groups in FreeRadius ?
Ami Schieber [EMAIL PROTECTED] wrote:
> I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :
>
> users: Matched entry Ami at line 1
> users: Matched entry DEFAULT at line 20

You're not trying to match the group name. See man users.

> FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
>         Reply-Message = "Hello from Group FIGrp, %u"

':=' is not a comparison operator. Read the man page.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
On 8/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Ami Schieber [EMAIL PROTECTED] wrote:
> > I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :
> >
> > users: Matched entry Ami at line 1
> > users: Matched entry DEFAULT at line 20
>
> You're not trying to match the group name. See man users.

man users doesn't show me anything I find related to the users file of FreeRadius:

    NAME
           users - print the user names of users currently logged in to the current host

    SYNOPSIS
           users [OPTION]... [ FILE ]

    DESCRIPTION
           Output who is currently logged in according to FILE. If FILE is not
           specified, use /var/run/utmp. /var/log/wtmp as FILE is common.

           --help display this help and exit

           --version output version information and exit

    AUTHOR
           Written by Joseph Arceneaux and David MacKenzie.

    REPORTING BUGS
           Report bugs to bug-coreutils@gnu.org.

    COPYRIGHT
           Copyright 2004 Free Software Foundation, Inc.
           This is free software; see the source for copying conditions. There is
           NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
           PURPOSE.

    SEE ALSO
           The full documentation for users is maintained as a Texinfo manual. If
           the info and users programs are properly installed at your site, the
           command info coreutils users should give you access to the complete
           manual.

> > FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
> >         Reply-Message = "Hello from Group FIGrp, %u"
>
> ':=' is not a comparison operator. Read the man page.

I've changed the ':=' operator to '==', so my file looks like:

    FIGrp   Auth-Type := Local, MyGroup-Name == FIGrp
            Reply-Message = "Hello from Group, %u"

Is my comparison correct? Am I right to try and match the attribute name (MyGroup-Name) with the actual group name (FIGrp)? Should it be in the users file?

Thanks,
Ami

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
Ami Schieber wrote:
> man users doesn't show me anything I find related to users file of FreeRadius :
>
> NAME
>        users - print the user names of users currently logged in to the current host

Try man 5 users. Man page names are only unique within section numbers. Alternatively, man -a users will show you all the pages called users from each section in turn.

You want to read and understand man 5 users carefully else you'll get nowhere with FreeRadius. Additionally I'd point out since you didn't know how to use man properly, you might need to check a basic primer on unix else your time with FreeRadius will be EXTREMELY frustrating.

You said you had tried:

    Ami     User-Password == ami123
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Fall-Through = Yes

    FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
            Reply-Message = "Hello from Group FIGrp, %u"

    DEFAULT Pool-Name := main_pool, Auth-Type := Local
            Fall-Through = Yes

...which is virtually all wrong. You want:

    Ami     User-Password := ami123
            Fall-Through = yes

    DEFAULT MyGroup-Name == FIGrp
            Reply-Message = "Hello from group FIGrp",
            Fall-Through = yes

    DEFAULT Pool-Name := main_pool

With the server properly configured, you should not need to set Auth-Type and will ALMOST CERTAINLY break things if you do. You don't use == to compare passwords, but use := to *set* the server-side copy. You don't use := to compare, you use ==, and group names never go on the left-hand-side - either usernames or DEFAULT.

Hope that helps
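The following is an added example, not code from the thread or from FreeRADIUS: a small Python simulation of the two rules explained above (Phil's earlier note that a `*,` key field in rlm_passwd's format holds comma-separated names, and this message's users-file rules that `==` compares, `:=` sets and Fall-Through continues), so a group file and users file can be sanity-checked before starting radiusd. It assumes my reading of man rlm_passwd and man 5 users: `*` marks the key field, `*,` a comma-separated key field, `~` sends the attribute to reply items, `=` to config items, no prefix to request items, and users-file `==` check items are compared against request items; the group file and users entries are constructed samples.

```python
# Added example, not from the thread or from FreeRADIUS: a simulation of
# rlm_passwd's format parsing followed by users-file matching. Assumed (my
# reading of man rlm_passwd / man 5 users): '*' = key field, '*,' = comma-
# separated keys, '~' -> reply, '=' -> config, no prefix -> request items.

def load_passwd(fmt, lines, delimiter=":"):
    """Return {key: [(attr, value, list)]}, as with allowmultiplekeys = yes."""
    fields, table = fmt.split(delimiter), {}
    for line in lines:
        if not line.strip() or line[0] in "+-":         # ignorenislike = yes
            continue
        keys, attrs = [], []
        for spec, value in zip(fields, line.rstrip("\n").split(delimiter)):
            if spec.startswith("*"):
                keys += value.split(",") if spec.startswith("*,") else [value]
            elif spec:
                dest = {"~": "reply", "=": "config"}.get(spec[0], "request")
                attrs.append((spec.lstrip("~="), value, dest))
        for key in keys:
            table.setdefault(key, []).extend(attrs)
    return table

def match_users(entries, request):
    reply, config = {}, {}
    for name, checks, replies in entries:     # users-file entries in file order
        if name not in ("DEFAULT", request["User-Name"][0]):
            continue                          # left-hand side is a user name
        if any(v not in request.get(a, []) for a, op, v in checks if op == "=="):
            continue                          # a '==' check item did not match
        config.update({a: v for a, op, v in checks if op == ":="})  # ':=' sets
        reply.update(replies)
        if reply.pop("Fall-Through", "no").lower() != "yes":
            break
    return reply, config

GROUP_FILE = ["FIGrp:::Ami,John", "Finance:::Ami"]      # constructed sample
USERS = [  # constructed users file, laid out like Phil's corrected version
    ("Ami", [("User-Password", ":=", "ami123")], {"Fall-Through": "yes"}),
    ("DEFAULT", [("Group-Name", "==", "FIGrp")],
     {"Reply-Message": "Hello from group FIGrp", "Fall-Through": "yes"}),
    ("DEFAULT", [("Pool-Name", ":=", "main_pool")], {}),
]

def authorize(username):
    """rlm_passwd runs before files: its request items join the request."""
    request = {"User-Name": [username]}
    for attr, value, dest in load_passwd("Group-Name:::*,User-Name", GROUP_FILE).get(username, []):
        if dest == "request":
            request.setdefault(attr, []).append(value)
    return match_users(USERS, request)
```

Running `authorize("Ami")` yields the group Reply-Message plus the server-side User-Password and Pool-Name, while a user in no group falls straight through to the Pool-Name DEFAULT.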
Re: Local groups in FreeRadius ?
Ami Schieber [EMAIL PROTECTED] wrote:
> Ok. I've probably mis-read the documents. Can someone please provide an example of how to specify group membership to a user and then define return values for this group ?

Should I cut & paste the documentation from man rlm_passwd here? What part of that documentation is unclear?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
Alan,

Thanks for the pointers. All examples discuss unix groups and I need to avoid using those. Can I create a file with several definitions like:

    Finance = userA,userB,userC
    Engineering = diffuserA,diffuserB,diffuserC

and somewhere else have another definition like:

    Finance:      Reply-Message = "Hello Finance user %u"
    Engineering:  Reply-Message = "Hello Engineering user %u"

and in the users file, have:

    userA      Auth-Type := Local, User-Password == A123, Group == Finance
    userB      Auth-Type := Local, User-Password == B123, Group == Finance
    userC      Auth-Type := Local, User-Password == C123, Group == Finance
    diffuserA  Auth-Type := Local, User-Password == A456, Group == Engineering
    diffuserB  Auth-Type := Local, User-Password == B456, Group == Engineering
    diffuserC  Auth-Type := Local, User-Password == C456, Group == Engineering

I'd appreciate some help with achieving this.

Thanks,
Ami

On 8/23/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Ami Schieber [EMAIL PROTECTED] wrote:
> > I've seen several QA about local groups of users but they all refer to system groups (i.e. - /etc/group configuration). I'd like to have a Group definition that will include attributes that are common to all users that belong in this group.
>
> See the FAQ, and man rlm_passwd, which describes exactly this.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
Ami Schieber [EMAIL PROTECTED] wrote:
> Thanks for the pointers. All examples discuss unix groups and I need to avoid using those.

The examples I pointed you to do NOT discuss Unix groups. Go read man rlm_passwd.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Local groups in FreeRadius ?
Ami Schieber [EMAIL PROTECTED] wrote:
> I've seen several QA about local groups of users but they all refer to system groups (i.e. - /etc/group configuration). I'd like to have a Group definition that will include attributes that are common to all users that belong in this group.

See the FAQ, and man rlm_passwd, which describes exactly this.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog