Re: Multiple NAS Vendors, one user-id?
On Thu, 6 Jan 2005, James Feger wrote:

> Okay,
> So I am a newbie with just enough knowledge to know this should work, and
> have spent a few hours reading all the different cool things RADIUS does
> for me. However, I can't get it to do what we need, and I am sure it's
> lack of experience. I have read the various FAQs and help files, but I
> must still be missing something.
>
> 1. Problem:
> We are using RADIUS to authenticate logins to routers. Not for PPP,
> dialup, etc., but for command line authentication for network engineers
> or admins. We are using more than one vendor, which means the attributes
> sent back to the NAS device are different.
>
> 2. What works so far:
> I have been able to create a basic users file and authenticate logins for
> my different vendor equipment. Logins work flawlessly, but using
> "freeradius -X" I notice the server is sending all attributes, even if
> they aren't for that vendor. This was expected, based on how I set the
> thing up:
>
>     USER    Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY,
>             Riverstone-User-Level = 15
>
> 3. What I did different to keep that from happening. I created a
> huntgroup called BB that had a list of IPs for all the Junipers. So when
> I logged in to one of those devices the first entry in the users file was
> used. If I logged into a device not in the huntgroup list the second
> entry in the users file was used. This works, but it is sloppy, yes? :)
>
>     USER    Huntgroup-Name == BB, Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY
>
>     USER    Auth-Type = System
>             Riverstone-User-Level = 15
>
> 3. So how am I really supposed to make this work? :) I have been told to
> use realms, but everything I see makes it look like you have to put @ in
> the username. Is this true? If so, that defeats the purpose of one
> username.

Okay, so this is all working now, using MySQL as the grouping/user account
DB. Many thanks go to Dustin Doris for all of his work. He pretty much
created the solution and gave it to me to test in my environment.

I will post his solution, and my variation of it, which I picked because it
seemed easier to maintain in our small shop.

1. The Goal, as stated above, is to have the freeradius server reply with
only the attributes the NAS vendor cares about, while allowing the users to
have one login, and not rely on multiple realms. This was achieved with
grouping. I will post Dustin's solution, which worked flawlessly, and then I
will post my solution, which works, but is less reliant on the User-Profile
settings.

---

Ok, here is what I did. You'll have to modify it a bit to match your setup,
but this is the basics.

I set up 2 users in radcheck. These will be my actual users.

    mysql> select * from radcheck;
    +----+----------+---------------+----+-------+
    | id | UserName | Attribute     | op | Value |
    +----+----------+---------------+----+-------+
    |  1 | test1    | user-password | == | test1 |
    |  2 | test2    | user-password | == | test2 |
    +----+----------+---------------+----+-------+

I set up 4 users in usergroup. The first two put my actual users into a
group. The other 2 are User-Profile users. They don't exist in radcheck,
they are just there for reply attributes.

    mysql> select * from usergroup;
    +----+----------+-----------+
    | id | UserName | GroupName |
    +----+----------+-----------+
    |  1 | test1    | test1     |
    |  2 | test2    | test2     |
    |  3 | profile1 | profile1  |
    |  4 | profile2 | profile2  |
    +----+----------+-----------+

I set up two entries in radgroupreply. These entries are for my User-Profile
users. These will tell freeradius what reply values to send back for those
user-profile users.

    mysql> select * from radgroupreply;
    +----+-----------+--------------+----+----------------+------+
    | id | GroupName | Attribute    | op | Value          | prio |
    +----+-----------+--------------+----+----------------+------+
    |  1 | profile1  | Cisco-AVPair | =  | profile 1 user |    0 |
    |  2 | profile2  | Cisco-AVPair | =  | profile 2 user |    0 |
    +----+-----------+--------------+----+----------------+------+

Now, in the users file I set up my checks and assign a user-profile based on
it. These don't include huntgroups for easy testing, but show you what to
do. If the user that comes in is in the test1 group, assign the reply
values for the profile1 user. If it comes in and is part of test2, assign
the profile2 user reply values.

**NOTE, that it ended up being Sql-Group, not just Group.

    DEFAULT Sql-Group == "test1", User-Profile := "profile1"

    DEFAULT Sql-Group == "test2", User-Profile := "profile2"

Now, I send my packets over with radclient.

    # radclient localhost auth testing123
    user-name = test1
    user-password = test1
    Received response ID 110, code 2, length = 42
            Cisco-AVPair = "profile 1 user"

    # radclient localhost auth testing123
    user-name = test2
    user-password = test2
    Received response ID 111, code 2, length = 42
            Cisco-AVPair = "profile 2 use
Re: Multiple NAS Vendors, one user-id?
On Fri, 7 Jan 2005, Dustin Doris wrote:

> > On Fri, 7 Jan 2005, Dustin Doris wrote:
> >
> > > Maybe you can do groups. For example, set up an unlimited group and a
> > > read_only group. Then put the users into the appropriate group.
> > >
> > > Have your users file say something like.
> > >
> > > DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
> > >         Juniper-Local-User-Name = "UNLIMITED"
> > >
> > > DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
> > >         Juniper-Local-User-Name = "READ_ONLY"
> >
> > This seems like the answer, but I am again being stupid and must be
> > missing something. When I try to log in now, I get authenticated, but
> > the Attributes never get sent back. Here is what I have defined:
> >
> > DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
> >         Juniper-Local-User-Name = "UNRESTRICTED",
> >         Fall-Through = Yes
> >
> > DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
> >         Riverstone-User-Level = 15,
> >         Fall-Through = Yes
> >
> > jfeger  Auth-Type = System
> >         Group = "J-UNRESTRICTED"
> >
> > In the huntgroups file:
> >
> > JUNIPER NAS-IP-Address == x.x.x.x   (I took the IP out in this email)
> >
> > So, when I ssh to the IP of the NAS box and attempt to log in, I get
> > authenticated, but none of the attributes are sent back:
> >
> >   rlm_realm: No '@' in User-Name = "jfeger", looking up realm NULL
> >   rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> >   rlm_eap: No EAP-Message, not doing EAP
> >   modcall[authorize]: module "eap" returns noop for request 0
> >     users: Matched jfeger at 34
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> >   rad_check_password:  Found Auth-Type System
> > auth: type "System"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> >   modcall[authenticate]: module "unix" returns ok for request 0
> > modcall: group authenticate returns ok for request 0
> > Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
> > Sending Access-Accept of id 10 to X.X.X.X:2315
> > Finished request 0
> >
> > So, what am I missing, or have out of sequence?
> > I have tried taking Fall-Through off, I have tried putting the
> > Huntgroup before the Group, etc...
> >
> > Thanks,
> > James
>
> I think that you can't put the group a user is in in the users file. I
> would suggest putting your users and groups into some type of backend
> like mysql or ldap. I believe you could also get what you want in the
> password module, with something like what is in the etc_group module in
> the default radiusd.conf file. Or you can use the unix module and store
> all your users and groups in /etc/passwd, /etc/shadow, /etc/group. That
> would mean having local users on that machine, however.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Okay,
So this seemed to work, but it was a little sloppy. I was able to add the
local user (local on the *nix box) to a group called j-unrestricted, and it
worked well. The downside, I am now managing users with the /etc/group file
and the /etc/freeradius/users file. That is weak.

On to MySQL I have ventured. I have the basics up and running, but now I am
to the part about simulating the users file into the MySQL DB. I used the
standard db create script to get all the proper tables defined etc., and
like I said, basic auth worked. However, how do I go about setting up
DEFAULT to emulate what I have above? Does it go in 'radcheck', 'radreply',
'radgroupcheck', 'radgroupreply', etc.? I have found a few useful documents
out there, and done some digging, but I am still not clear on how to define
this stuff based on the functioning users file I had.

Thanks,
James
Re: Multiple NAS Vendors, one user-id?
On Jan 7, 2005, at 3:32 PM, Dustin Doris wrote:

> > On Fri, 7 Jan 2005, Dustin Doris wrote:
> >
> > > Maybe you can do groups. For example, set up an unlimited group and a
> > > read_only group. Then put the users into the appropriate group.
> > >
> > > Have your users file say something like.
> > >
> > > DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
> > >         Juniper-Local-User-Name = "UNLIMITED"
> > >
> > > DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
> > >         Juniper-Local-User-Name = "READ_ONLY"
> >
> > This seems like the answer, but I am again being stupid and must be
> > missing something. When I try to log in now, I get authenticated, but
> > the Attributes never get sent back. Here is what I have defined:
> >
> > DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
> >         Juniper-Local-User-Name = "UNRESTRICTED",
> >         Fall-Through = Yes
> >
> > DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
> >         Riverstone-User-Level = 15,
> >         Fall-Through = Yes
> >
> > jfeger  Auth-Type = System
> >         Group = "J-UNRESTRICTED"
>
> I think that you can't put the group a user is in in the users file. I
> would suggest putting your users and groups into some type of backend
> like mysql or ldap. I believe you could also get what you want in the
> password module, with something like what is in the etc_group module in
> the default radiusd.conf file. Or you can use the unix module and store
> all your users and groups in /etc/passwd, /etc/shadow, /etc/group. That
> would mean having local users on that machine, however.

Remember that the users file is parsed top down. Reverse the order of the
logic, and you should get it to work. Also note the use of the 'set'
operator ':='.

jimbob  Group := "J-UNRESTRICTED"
        Fall-Through = Yes

billybob  Group := "J-RESTRICTED"
        Fall-Through = Yes

DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == "JUNIPER"
        Juniper-Local-User-Name = "unrestricted",
        Fall-Through = Yes

DEFAULT Group == "J-RESTRICTED", Huntgroup-Name == "JUNIPER"
        Juniper-Local-User-Name = "unrestricted",
        Fall-Through = Yes

DEFAULT Auth-Type = System

-Chris
--
Chris Parker
Director, Engineering
StarNet - A US LEC Company
Wholesale Internet
http://www.megapop.net
(847) 963-0116 x321
VoiceEclipse, The Fresh Alternative
http://www.voiceeclipse.com
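The top-down walk Chris describes, and the per-vendor attribute selection the whole thread is after, are easiest to see with a small model of how the users file is processed. The following is an example added to this page, not FreeRADIUS code: entries are tried in order, every check item must match, reply items accumulate, and processing stops at the first applied entry unless it carries Fall-Through = Yes. The NAS addresses, the huntgroups table and the in-memory group table are constructed stand-ins for the huntgroups file and for /etc/group; in a real server a Group check item is compared by rlm_unix against the system group database and Sql-Group by rlm_sql, which this model replaces with a dictionary, so it illustrates ordering and fall-through only. It also extends Chris's file with a Riverstone DEFAULT entry and gives the J-RESTRICTED group its own Juniper-Local-User-Name, so that each NAS receives only its own vendor's attribute.

```python
"""Toy model of how FreeRADIUS walks the users file (example written for this
page; not FreeRADIUS code).  Entries are tried top-down; an entry applies only
if every check item matches; its reply items are added to the Access-Accept;
processing stops at the first applied entry unless it has Fall-Through = Yes.
Group and Huntgroup-Name come from constructed in-memory tables standing in
for /etc/group and the huntgroups file (assumption: real servers resolve them
through rlm_unix / rlm_sql and rlm_preprocess)."""

from dataclasses import dataclass, field

# Constructed huntgroups file: huntgroup name -> NAS-IP-Address values.
HUNTGROUPS = {
    "JUNIPER": {"192.0.2.10", "192.0.2.11"},
    "RIVERSTONE": {"192.0.2.20"},
}


@dataclass
class Entry:
    """One users-file entry: name, check items (attr, op, value), reply items."""
    name: str
    check: list
    reply: dict = field(default_factory=dict)


def huntgroup_of(nas_ip):
    """Huntgroup-Name the preprocess step would attach for this NAS, or None."""
    return next((hg for hg, members in HUNTGROUPS.items() if nas_ip in members), None)


def _lookup(attr, request, config, group_db):
    """Value seen by a '==' check item: config items set earlier by ':=' win,
    Group comes from the group database, everything else from the request."""
    if attr in config:
        return config[attr]
    if attr == "Group":
        return group_db.get(request["User-Name"], set())
    return request.get(attr)


def _matches(entry, request, config, group_db):
    for attr, op, value in entry.check:
        if op in (":=", "="):
            continue                      # assignment items always match
        if op != "==":
            raise ValueError(f"unsupported operator {op!r}")
        actual = _lookup(attr, request, config, group_db)
        if isinstance(actual, set):
            if value not in actual:       # group membership test
                return False
        elif actual != value:
            return False
    return True


def authorize(users, username, nas_ip, group_db=None):
    """Return (reply attributes, config items) for one Access-Request."""
    group_db = group_db or {}
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    hg = huntgroup_of(nas_ip)
    if hg:
        request["Huntgroup-Name"] = hg
    config, reply = {}, {}
    for entry in users:
        if entry.name not in ("DEFAULT", username):
            continue
        if not _matches(entry, request, config, group_db):
            continue
        for attr, op, value in entry.check:    # apply assignments on match
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = value
        reply.update({k: v for k, v in entry.reply.items() if k != "Fall-Through"})
        if entry.reply.get("Fall-Through") != "Yes":
            break                             # first match wins unless told otherwise
    return reply, config


# Chris Parker's ordering: per-user entries set Group first, vendor DEFAULTs follow.
USERS_ORDERED = [
    Entry("jimbob", [("Group", ":=", "J-UNRESTRICTED")], {"Fall-Through": "Yes"}),
    Entry("billybob", [("Group", ":=", "J-RESTRICTED")], {"Fall-Through": "Yes"}),
    Entry("DEFAULT", [("Group", "==", "J-UNRESTRICTED"), ("Huntgroup-Name", "==", "JUNIPER")],
          {"Juniper-Local-User-Name": "unrestricted", "Fall-Through": "Yes"}),
    Entry("DEFAULT", [("Group", "==", "J-RESTRICTED"), ("Huntgroup-Name", "==", "JUNIPER")],
          {"Juniper-Local-User-Name": "read_only", "Fall-Through": "Yes"}),
    Entry("DEFAULT", [("Group", "==", "J-UNRESTRICTED"), ("Huntgroup-Name", "==", "RIVERSTONE")],
          {"Riverstone-User-Level": 15, "Fall-Through": "Yes"}),
    Entry("DEFAULT", [("Auth-Type", "=", "System")]),
]

# The earlier ordering from the thread: vendor DEFAULTs come before the entry
# that names the user's group, so the group test runs before anything set it.
USERS_REVERSED = [
    Entry("DEFAULT", [("Group", "==", "J-UNRESTRICTED"), ("Huntgroup-Name", "==", "JUNIPER")],
          {"Juniper-Local-User-Name": "UNRESTRICTED", "Fall-Through": "Yes"}),
    Entry("DEFAULT", [("Group", "==", "R-UNRESTRICTED"), ("Huntgroup-Name", "==", "RIVERSTONE")],
          {"Riverstone-User-Level": 15, "Fall-Through": "Yes"}),
    Entry("jfeger", [("Auth-Type", "=", "System")], {"Group": "J-UNRESTRICTED"}),
]

if __name__ == "__main__":
    for users, user in ((USERS_ORDERED, "jimbob"), (USERS_REVERSED, "jfeger")):
        for nas in ("192.0.2.10", "192.0.2.20", "198.51.100.1"):
            print(user, nas, authorize(users, user, nas))
```

Running it shows that with the per-user entries first, jimbob receives Juniper-Local-User-Name from a Juniper, Riverstone-User-Level from a Riverstone, and nothing vendor-specific from a NAS that is in neither huntgroup. With the vendor DEFAULT entries placed before the entry that names the group, as in James's first file, the group test runs before anything has set it and the Access-Accept carries no vendor attribute unless the group database already lists the user, which is the situation James reached by adding the local user to a j-unrestricted group.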
Re: Multiple NAS Vendors, one user-id?
> On Fri, 7 Jan 2005, Dustin Doris wrote:
>
> > Maybe you can do groups. For example, set up an unlimited group and a
> > read_only group. Then put the users into the appropriate group.
> >
> > Have your users file say something like.
> >
> > DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
> >         Juniper-Local-User-Name = "UNLIMITED"
> >
> > DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
> >         Juniper-Local-User-Name = "READ_ONLY"
>
> This seems like the answer, but I am again being stupid and must be
> missing something. When I try to log in now, I get authenticated, but the
> Attributes never get sent back. Here is what I have defined:
>
> DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
>         Juniper-Local-User-Name = "UNRESTRICTED",
>         Fall-Through = Yes
>
> DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
>         Riverstone-User-Level = 15,
>         Fall-Through = Yes
>
> jfeger  Auth-Type = System
>         Group = "J-UNRESTRICTED"
>
> In the huntgroups file:
>
> JUNIPER NAS-IP-Address == x.x.x.x   (I took the IP out in this email)
>
> So, when I ssh to the IP of the NAS box and attempt to log in, I get
> authenticated, but none of the attributes are sent back:
>
>   rlm_realm: No '@' in User-Name = "jfeger", looking up realm NULL
>   rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched jfeger at 34
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   modcall[authenticate]: module "unix" returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
> Sending Access-Accept of id 10 to X.X.X.X:2315
> Finished request 0
>
> So, what am I missing, or have out of sequence?
> I have tried taking Fall-Through off, I have tried putting the Huntgroup
> before the Group, etc...
>
> Thanks,
> James

I think that you can't put the group a user is in in the users file. I would
suggest putting your users and groups into some type of backend like mysql
or ldap. I believe you could also get what you want in the password module,
with something like what is in the etc_group module in the default
radiusd.conf file. Or you can use the unix module and store all your users
and groups in /etc/passwd, /etc/shadow, /etc/group. That would mean having
local users on that machine, however.
Re: Multiple NAS Vendors, one user-id?
On Fri, 7 Jan 2005, Dustin Doris wrote:

> Maybe you can do groups. For example, set up an unlimited group and a
> read_only group. Then put the users into the appropriate group.
>
> Have your users file say something like.
>
> DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
>         Juniper-Local-User-Name = "UNLIMITED"
>
> DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
>         Juniper-Local-User-Name = "READ_ONLY"

This seems like the answer, but I am again being stupid and must be missing
something. When I try to log in now, I get authenticated, but the
Attributes never get sent back. Here is what I have defined:

DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
        Juniper-Local-User-Name = "UNRESTRICTED",
        Fall-Through = Yes

DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
        Riverstone-User-Level = 15,
        Fall-Through = Yes

jfeger  Auth-Type = System
        Group = "J-UNRESTRICTED"

In the huntgroups file:

JUNIPER NAS-IP-Address == x.x.x.x   (I took the IP out in this email)

So, when I ssh to the IP of the NAS box and attempt to log in, I get
authenticated, but none of the attributes are sent back:

  rlm_realm: No '@' in User-Name = "jfeger", looking up realm NULL
  rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched jfeger at 34
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
Sending Access-Accept of id 10 to X.X.X.X:2315
Finished request 0

So, what am I missing, or have out of sequence?
I have tried taking Fall-Through off, I have tried putting the Huntgroup
before the Group, etc...

Thanks,
James
Re: Multiple NAS Vendors, one user-id?
> On Thu, 6 Jan 2005, Dustin Doris wrote:
>
> > Why don't you make some default entries up front and allow fall-through?
> >
> > For example.
> >
> > DEFAULT Huntgroup-Name == "x"
> >         Reply-Attribute = X
> >         Fall-Through = yes
> >
> > DEFAULT Huntgroup-Name == "y"
> >         Reply-Attribute = y
> >         Fall-Through = yes
> >
> > USER    User-Password == "password"
> >
> > USER2   User-Password == "password2"
> >
> > Then the reply attributes are defined for each huntgroup, not for each
> > user.
>
> This seems like an excellent idea, and I was about to implement this when
> I came across the next issue. :)
>
> Each username for the Juniper authentication is sending
> "Juniper-Local-User-Name" attributes back. Not all of the
> Juniper-Local-User-Names are going to be the same.
>
> Example:
>
> USER1   Auth-Type = System
>         Juniper-Local-User-Name = UNRESTRICTED,
>         Riverstone-User-Level = 15
>
> USER2   Auth-Type = System
>         Juniper-Local-User-Name = READ_ONLY,
>         Riverstone-User-Level = 15
>
> So, with this said, if I used the DEFAULT for each huntgroup with
> fall-through, I still end up with either two user entries for each
> vendor, or sending all attributes under the one username.
>
> Someone previously mentioned this isn't bad, but I just think it's
> "dirty". :) Is this acceptable, or is there a better way?
>
> I'm thinking along the lines of an if statement logic... but I don't know
> how to set that up.
>
> If Huntgroup = Juniper
>    Then send only Juniper Attributes
>
> If Huntgroup = Riverstone
>    Then send only Riverstone Attributes
>
> Am I smoking the good stuff or is this doable?
>
> Thanks,
> James

Maybe you can do groups. For example, set up an unlimited group and a
read_only group. Then put the users into the appropriate group.

Have your users file say something like.

DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
        Juniper-Local-User-Name = "UNLIMITED"

DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
        Juniper-Local-User-Name = "READ_ONLY"
Re: Multiple NAS Vendors, one user-id?
On Thu, 6 Jan 2005, Dustin Doris wrote:

> Why don't you make some default entries up front and allow fall-through?
>
> For example.
>
> DEFAULT Huntgroup-Name == "x"
>         Reply-Attribute = X
>         Fall-Through = yes
>
> DEFAULT Huntgroup-Name == "y"
>         Reply-Attribute = y
>         Fall-Through = yes
>
> USER    User-Password == "password"
>
> USER2   User-Password == "password2"
>
> Then the reply attributes are defined for each huntgroup, not for each
> user.

This seems like an excellent idea, and I was about to implement this when I
came across the next issue. :)

Each username for the Juniper authentication is sending
"Juniper-Local-User-Name" attributes back. Not all of the
Juniper-Local-User-Names are going to be the same.

Example:

USER1   Auth-Type = System
        Juniper-Local-User-Name = UNRESTRICTED,
        Riverstone-User-Level = 15

USER2   Auth-Type = System
        Juniper-Local-User-Name = READ_ONLY,
        Riverstone-User-Level = 15

So, with this said, if I used the DEFAULT for each huntgroup with
fall-through, I still end up with either two user entries for each vendor,
or sending all attributes under the one username.

Someone previously mentioned this isn't bad, but I just think it's "dirty".
:) Is this acceptable, or is there a better way?

I'm thinking along the lines of an if statement logic... but I don't know
how to set that up.

If Huntgroup = Juniper
   Then send only Juniper Attributes

If Huntgroup = Riverstone
   Then send only Riverstone Attributes

Am I smoking the good stuff or is this doable?

Thanks,
James
Re: Multiple NAS Vendors, one user-id?
> Okay,
> So I am a newbie with just enough knowledge to know this should work, and
> have spent a few hours reading all the different cool things RADIUS does
> for me. However, I can't get it to do what we need, and I am sure it's
> lack of experience. I have read the various FAQs and help files, but I
> must still be missing something.
>
> 1. Problem:
> We are using RADIUS to authenticate logins to routers. Not for PPP,
> dialup, etc., but for command line authentication for network engineers
> or admins. We are using more than one vendor, which means the attributes
> sent back to the NAS device are different.
>
> 2. What works so far:
> I have been able to create a basic users file and authenticate logins for
> my different vendor equipment. Logins work flawlessly, but using
> "freeradius -X" I notice the server is sending all attributes, even if
> they aren't for that vendor. This was expected, based on how I set the
> thing up:
>
>     USER    Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY,
>             Riverstone-User-Level = 15
>
> 3. What I did different to keep that from happening. I created a
> huntgroup called BB that had a list of IPs for all the Junipers. So when
> I logged in to one of those devices the first entry in the users file was
> used. If I logged into a device not in the huntgroup list the second
> entry in the users file was used. This works, but it is sloppy, yes? :)
>
>     USER    Huntgroup-Name == BB, Auth-Type = System
>             Juniper-Local-User-Name = READ_ONLY
>
>     USER    Auth-Type = System
>             Riverstone-User-Level = 15
>
> 3. So how am I really supposed to make this work? :) I have been told to
> use realms, but everything I see makes it look like you have to put @ in
> the username. Is this true? If so, that defeats the purpose of one
> username.
>
> PS - My first attempt to send this got blocked due to me sending it from
> the wrong email address, sorry for the DUP if the original actually makes
> it past moderation.
>
> Thanks,
> James

Why don't you make some default entries up front and allow fall-through?

For example.

DEFAULT Huntgroup-Name == "x"
        Reply-Attribute = X
        Fall-Through = yes

DEFAULT Huntgroup-Name == "y"
        Reply-Attribute = y
        Fall-Through = yes

USER    User-Password == "password"

USER2   User-Password == "password2"

Then the reply attributes are defined for each huntgroup, not for each
user.
Re: Multiple NAS Vendors, one user-id?
James Feger <[EMAIL PROTECTED]> wrote:
> I have been able to create a basic users file and authenticate logins
> for my different vendor equipment. Logins work flawlessly, but using
> "freeradius -X" I notice the server is sending all attributes, even if
> they aren't for that vendor.

  Is that a problem? If so, why?

> 3. What I did different to keep that from happening. I created a
> huntgroup called BB that had a list of IPs for all the Junipers. So
> when I logged in to one of those devices the first entry in the users
> file was used. If I logged into a device not in the huntgroup list the
> second entry in the users file was used. This works, but it is sloppy,
> yes? :)

  Why do you need to do that? The NAS will ignore any attributes it
doesn't understand.

  Alan DeKok.