Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
Alan,

I'm using the man rlm_passwd examples and the examples within
radiusd.conf and still I can't manage to make User-Group membership
work.

Here's my config:

in radiusd.conf :

passwd MyGroup {
        filename = /etc/MyGroup
        format = "~Group-Name:::*,User-Name"
        hashsize = 50
        # skip NIS-style "+" / "-" entries in the file
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = ":"
}

 # Similar configuration, for the /etc/group file. Adds a Group-Name
 # attribute for every group that the user is member of.
 #
 #passwd etc_group {
 #       filename = /etc/group
 #       format = "=Group-Name:::*,User-Name"
 #       hashsize = 50
 #       ignorenislike = yes
 #       allowmultiplekeys = yes
 #       delimiter = ":"
 #}

My /etc/MyGroup file :

FIGrp:::*,Ami
FIGrp:::*,John

My users file :

Ami     Auth-Type := Local, Pool-Name := FITest, User-Password == ami123
        Reply-Message = "Hello, %u",
        Service-Type = Framed-User,
        Framed-Protocol = PPP

FIGrp   Auth-Type := Local
        Reply-Message = "Hello from Group, %u"

My dictionary file:

#ATTRIBUTE      My-Local-String         3000    string
#ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
#ATTRIBUTE      My-Local-Integer        3002    integer
ATTRIBUTE       My-Group                3003    string

When I start radiusd -X :

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded 

Re: Local groups in FreeRadius ?

2006-08-28 Thread Phil Mayers

Ami Schieber wrote:

 passwd MyGroup {
         filename = /etc/MyGroup
         format = "~Group-Name:::*,User-Name"
         hashsize = 50
         ignoreislike = yes
         allowmultiplekeys = yes

 My /etc/MyGroup file :

 FIGrp:::*,Ami
 FIGrp:::*,John


No. The , prefixing the key in the format means that more than one 
value exists in that field, separated by commas, like the /etc/group 
file. The man page is quite specific. Your file would need to read:


FIGrp:::Ami,John

The man rlm_passwd docs are pretty specific about that example:

Parse  a file similar to the /etc/group file.

If you're generating the file yourself, you can use a simpler format:

passwd mygroup {
  filename = /etc/mygroup
  format = "~Group-Name:*User-Name"
  hashsize = 50
  allowmultiplekeys = yes
}

...and

group:user1
group:user2
othergroup:user3
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
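An added example (not code from this thread or from FreeRADIUS) that models how rlm_passwd reads the format string Phil describes: '*' marks the key column, a ',' on the key makes that column a comma-separated member list like /etc/group, and the other named columns become attributes for every line whose key matches. The sample files are constructed to follow both layouts in the reply; the model deliberately does not distinguish the '=' and '~' prefixes (which list the attribute lands in is the man page's business).

```python
from collections import defaultdict
# Added model of rlm_passwd's "format" handling (not FreeRADIUS code).
def parse_format(fmt, delimiter=":"):
    """Return (field names, key column index, key-is-list). Prefixes as in
    man rlm_passwd: '*' = key column, ',' on the key = comma-separated member
    list (like /etc/group), '=' / '~' = add the column as an attribute (which
    list it lands in is not modelled here), empty name = column skipped."""
    fields, keyfield, listable = [], None, False
    for i, name in enumerate(fmt.split(delimiter)):
        while name and name[0] in "*,=~":
            if name[0] == "*":
                keyfield = i
            elif name[0] == "," and keyfield == i:
                listable = True
            name = name[1:]
        fields.append(name or None)
    if keyfield is None:
        raise ValueError("format needs one key column prefixed with '*'")
    return fields, keyfield, listable

def load_passwd_file(text, fmt, delimiter=":", ignorenislike=True):
    """Index lines by key value, one entry per member when the key is a list."""
    fields, keyfield, listable = parse_format(fmt, delimiter)
    index = defaultdict(list)
    for line in text.splitlines():
        if not line or (ignorenislike and line[0] in "+-"):  # NIS '+'/'-' lines
            continue
        cols = line.split(delimiter)
        if len(cols) <= keyfield:
            continue
        members = cols[keyfield].split(",") if listable else [cols[keyfield]]
        attrs = [(fields[i], cols[i]) for i in range(min(len(cols), len(fields)))
                 if i != keyfield and fields[i] and cols[i]]
        for member in members:
            index[member].append(attrs)
    return index

def lookup(index, username, allowmultiplekeys=True):
    """Attribute pairs the module would add for username, in file order."""
    hits = index.get(username, [])
    return [pair for attrs in (hits if allowmultiplekeys else hits[:1]) for pair in attrs]

def group_names(text, fmt, user, allowmultiplekeys=True):
    """Only the Group-Name values for user."""
    return [v for a, v in lookup(load_passwd_file(text, fmt), user, allowmultiplekeys)
            if a == "Group-Name"]
# Constructed files in the two layouts from the reply; the '+' line is NIS-style and dropped.
GROUP_FMT, GROUP_FILE = "~Group-Name:::*,User-Name", "FIGrp:::Ami,John\nSales:::John\n+::::\n"
SIMPLE_FMT, SIMPLE_FILE = "~Group-Name:*User-Name", "FIGrp:Ami\nFIGrp:John\nSales:John\n"
```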


Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
Phil,

Thanks for your help.
Can you also explain what format should the users file use ?

Currently, I've tried :

Ami     User-Password == ami123
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
        Reply-Message = "Hello from Group FIGrp, %u"

DEFAULT Pool-Name := main_pool, Auth-Type := Local
        Fall-Through = Yes


and my dictionary file has :

ATTRIBUTE       MyGroup-Name    3003    string

while my /etc/FIGroup file has the following :

FIGrp:Ami

and my radiusd.conf has :

passwd MyGroup {
        filename = /usr/local/etc/raddb/FIGroup
        format = "~MyGroup-Name:*User-Name"
        hashsize = 50
        # skip NIS-style "+" / "-" entries in the file
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = ":"
}

I'm still unable to see a match to the Group entry when I run radiusd -X but only to the user and to DEFAULT entries :

users: Matched entry Ami at line 1
users: Matched entry DEFAULT at line 20


Thanks again,

Ami


Re: Local groups in FreeRadius ?

2006-08-28 Thread Alan DeKok
Ami Schieber [EMAIL PROTECTED] wrote:
 I'm still unable to see a match to the Group entry when I run radiusd -X but
 only to the user and to DEFAULT entries :
 
 users: Matched entry Ami at line 1
 users: Matched entry DEFAULT at line 20

  You're not trying to match the group name.  See man users

 FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
         Reply-Message = Hello from Group FIGrp, %u

  ':=' is not a comparison operator.  Read the man page.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Local groups in FreeRadius ?

2006-08-28 Thread Ami Schieber
On 8/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Ami Schieber [EMAIL PROTECTED] wrote:
  I'm still unable to see a match to the Group entry when I run radiusd -X but
  only to the user and to DEFAULT entries :

  users: Matched entry Ami at line 1
  users: Matched entry DEFAULT at line 20

   You're not trying to match the group name.  See man users

man users doesn't show me anything I find related to users file of FreeRadius :
NAME
 users - print the user names of users currently logged in to the current host

SYNOPSIS
 users [OPTION]... [ FILE ]

DESCRIPTION

 Output who is currently logged in according to FILE. If FILE is
 not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.

 --help display this help and exit

 --version
 output version information and exit

AUTHOR
 Written by Joseph Arceneaux and David MacKenzie.

REPORTING BUGS
 Report bugs to bug-coreutils@gnu.org.

COPYRIGHT
 Copyright  2004 Free Software Foundation, Inc.

This is free software; see the source for copying conditions.
There is NO warranty; not even
 for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

 The full documentation for users is maintained as a Texinfo
 manual. If the info and users programs are properly installed
 at your site, the command

 info coreutils users

 should give you access to the complete manual.

  FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
          Reply-Message = Hello from Group FIGrp, %u

   ':=' is not a comparison operator.  Read the man page.

I've changed the ':=' operator to '==' , so my file looks like :

FIGrp   Auth-Type := Local, MyGroup-Name == FIGrp
        Reply-Message = "Hello from Group, %u"

Is my comparison correct ? Am I right to try and match the attribute
name (MyGroup-Name) with the actual group name (FIGrp) ? Should it be
in the users file ?

Thanks,

Ami


Re: Local groups in FreeRadius ?

2006-08-28 Thread Phil Mayers

Ami Schieber wrote:


man users doesn't show me anything I find related to users file of 
FreeRadius :

NAME
   users - print the user names of users currently logged in to the 
current host


Try man 5 users. Man page names are only unique within section 
numbers. Alternatively, man -a users will show you all the pages 
called users from each section in turn.


You want to read and understand man 5 users carefully else you'll get 
nowhere with FreeRadius. Additionally I'd point out since you didn't 
know how to use man properly, you might need to check a basic primer 
on unix else your time with FreeRadius will be EXTREMELY frustrating.


You said you had tried:

 Ami     User-Password == ami123
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Fall-Through = Yes

 FIGrp   Auth-Type := Local, MyGroup-Name := FIGrp
         Reply-Message = "Hello from Group FIGrp, %u"

 DEFAULT Pool-Name := main_pool, Auth-Type := Local
         Fall-Through = Yes

...which is virtually all wrong. You want:

Ami     User-Password := ami123
        Fall-Through = yes

DEFAULT MyGroup-Name == FIGrp
        Reply-Message = "Hello from group FIGrp",
        Fall-Through = yes

DEFAULT Pool-Name := main_pool

With the server properly configured, you should not need to set 
Auth-Type and will ALMOST CERTAINLY break things if you do. You don't 
use == to compare passwords, but use := to *set* the server-side copy. 
You don't use := to compare, you use ==, and group names never go on the 
left-hand-side - either usernames or DEFAULT.


Hope that helps

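An added example (not code from this thread or from FreeRADIUS) that models the users-file walk Phil describes: the left-hand name is matched against User-Name or is DEFAULT, '==' items are compared against the request, ':=' items set the server-side copy, and processing stops at the first match unless it sets Fall-Through. Run over Ami's entries and Phil's corrected ones, it shows why the "FIGrp" line never matches while "DEFAULT MyGroup-Name == FIGrp" does; the request and both users-file texts are constructed, and MyGroup-Name is assumed to have been added by the passwd instance.

```python
import re
# Added model of the files module's users-file walk (not FreeRADIUS code).
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')

def parse_users(text):
    """(name, check_items, reply_items) per entry; a column-0 line starts an entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                    # indented: reply items
            target = entries[-1][2]
        else:                                    # column 0: username or DEFAULT
            name, _, line = line.partition(" ")
            entries.append((name, [], []))
            target = entries[-1][1]
        target.extend((a, op, q or u) for a, op, q, u in ITEM.findall(line))
    return entries

def authorize(entries, request):
    """Entry applies if its name is the User-Name or DEFAULT and every '==' check
    equals the request; ':=' sets the server-side copy; stop unless Fall-Through = yes."""
    control, reply, matched = {}, [], []
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue                             # a group name on the left never matches
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue
        matched.append(name)
        control.update((a, v) for a, op, v in checks if op == ":=")
        reply.extend((a, v) for a, op, v in replies if a != "Fall-Through")
        if not any(a == "Fall-Through" and v.lower() == "yes" for a, op, v in replies):
            break
    return matched, control, reply

# Constructed request: cleartext PAP password from the NAS (the only reason
# "User-Password == ami123" can match), MyGroup-Name as added by rlm_passwd.
REQUEST = {"User-Name": "Ami", "User-Password": "ami123", "MyGroup-Name": "FIGrp"}
AMI_USERS = """Ami User-Password == ami123
    Fall-Through = Yes
FIGrp Auth-Type := Local, MyGroup-Name := FIGrp
    Reply-Message = "Hello from Group FIGrp, %u"
DEFAULT Pool-Name := main_pool, Auth-Type := Local
"""
PHIL_USERS = """Ami User-Password := ami123
    Fall-Through = yes
DEFAULT MyGroup-Name == FIGrp
    Reply-Message = "Hello from group FIGrp, %u",
    Fall-Through = yes
DEFAULT Pool-Name := main_pool
"""
```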


Re: Local groups in FreeRadius ?

2006-08-27 Thread Alan DeKok
Ami Schieber [EMAIL PROTECTED] wrote:
 Ok. I've probably mis-read the documents.
 Can someone please provide an example of how to specify group membership to
 a user and then define return values for this group ?

  Should I cut & paste the documentation from man rlm_passwd here?

  What part of that documentation is unclear?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Local groups in FreeRadius ?

2006-08-24 Thread Ami Schieber
Alan,

Thanks for the pointers. All examples discuss unix groups and I need to avoid using those.
Can I create a file with several definitions like :

Finance = userA,userB,userC
Engineering = diffuserA,diffuserB,diffuserC

and somewhere else have another definition like:

Finance:
        Reply-Message = "Hello Finance user %u"

Engineering:
        Reply-Message = "Hello Engineering user %u"

and in users file, have

userA           Auth-Type := Local, User-Password == A123, Group == Finance
userB           Auth-Type := Local, User-Password == B123, Group == Finance
userC           Auth-Type := Local, User-Password == C123, Group == Finance

diffuserA       Auth-Type := Local, User-Password == A456, Group == Engineering
diffuserB       Auth-Type := Local, User-Password == B456, Group == Engineering
diffuserC       Auth-Type := Local, User-Password == C456, Group == Engineering

I'd appreciate some help with achieving this.

Thanks,

Ami


Re: Local groups in FreeRadius ?

2006-08-24 Thread Alan DeKok
Ami Schieber [EMAIL PROTECTED] wrote:
 Thanks for the pointers. All examples discuss unix groups and I need to
 avoid using those.

  The examples I pointed you to do NOT discuss Unix groups.  Go read
man rlm_passwd.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Local groups in FreeRadius ?

2006-08-23 Thread Alan DeKok
Ami Schieber [EMAIL PROTECTED] wrote:
 I've seen several Q&A about local groups of users but they all refer to
 system groups (i.e. - /etc/group configuration).
 I'd like to have a Group definition that will include attributes that are
 common to all users that belong in this group.

  See the FAQ, and man rlm_passwd, which describes exactly this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog