Re: one RADIUS server per realm setup
Wm. Josiah Erikson wrote:
> I'm not sure what the syntax rules for the authorize{} section of the
> config files are; I was unable to find any description in the docs of
> how one goes about figuring out how to write these conditional
> statements. What language is it?

  $ man unlang

> It seems C-like, but only kind of. Did I miss this in the
> documentation? And the only way I could tell that I could use the
> variable Realm is because it was in the debugging output of
> freeradius. I couldn't find a list of available variables on the wiki,
> other than http://wiki.freeradius.org/Run-time_variables#Conditional_syntax,
> which is very incomplete and not self-explanatory.

  The variables are attributes in a RADIUS packet. So there *is* no
complete list, because every site has different attributes.

> I'm just confused as to how I was supposed to figure all this out
> without doing what I did, which was bang my head against the wall for
> a long time. I kinda figured there was some default way I was supposed
> to be doing what I was doing, but I gave up and did what feels like a
> hack to me. Is it OK? Am I missing a clear place where all of this is
> described?

  The comments at the top of radiusd.conf say:

  # As of 2.0.0, FreeRADIUS supports a simple processing language
  # in the authorize, authenticate, accounting, etc. sections.
  # See man unlang for details.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: one RADIUS server per realm setup
Oh. Now I'm embarrassed. Thanks and sorry! :)

-Josiah

Alan DeKok wrote:
>   # As of 2.0.0, FreeRADIUS supports a simple processing language
>   # in the authorize, authenticate, accounting, etc. sections.
>   # See man unlang for details.
>
>   Alan DeKok.

--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
Re: one RADIUS server per realm setup
I appear to have gotten this working by adding the following to my
authorize {} section:

    if (Realm == "localdomain.edu") {
        files
        ldap
    }

Obviously removing the reference to files and ldap from elsewhere in the
authorize section. Then I do LDAP group checking in the users file like
this:

    # Allow Students
    DEFAULT Ldap-Group == 30
    # ...and Staff
    DEFAULT Ldap-Group == 40
    # ...and Faculty
    DEFAULT Ldap-Group == 50
    # ...and nobody else!
    DEFAULT Auth-Type := Reject
            Reply-Message = "Only current faculty, staff or students are allowed to log in."

...and in radiusd.conf, the following non-default config in the ldap
section to establish how to find Ldap-Group:

    base_filter = "(objectclass=posixAccount)"
    groupname_attribute = gidNumber
    groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"
    groupmembership_attribute = gidNumber

And then I have set up my proxy hosts for other realms (domains) in
proxy.conf.

This seems to accomplish what I want, which is to check LDAP groups
during authorization only if the realm is local.

I'm not sure what the syntax rules for the authorize{} section of the
config files are; I was unable to find any description in the docs of
how one goes about figuring out how to write these conditional
statements. What language is it? It seems C-like, but only kind of. Did
I miss this in the documentation? And the only way I could tell that I
could use the variable Realm is because it was in the debugging output
of freeradius. I couldn't find a list of available variables on the
wiki, other than
http://wiki.freeradius.org/Run-time_variables#Conditional_syntax, which
is very incomplete and not self-explanatory.

I'm just confused as to how I was supposed to figure all this out
without doing what I did, which was bang my head against the wall for a
long time. I kinda figured there was some default way I was supposed to
be doing what I was doing, but I gave up and did what feels like a hack
to me. Is it OK? Am I missing a clear place where all of this is
described?

This is a fabulous piece of software, and I appreciate its license, its
functionality, and its highly-configurable nature, I just feel like I'm
missing something :)

All the best,
-Josiah

Wm. Josiah Erikson wrote:
> I see. I can, indeed, remove Auth-Type := LDAP from the users file and
> it still works. Cool!
>
> However, the behavior described in the documentation is not what I'm
> seeing, and I'm still getting (contrary to what I said in my previous
> email) authorization requests not being proxied, even though I have,
> in my authorize section, the suffix directive previous to files and
> ldap, which is where I check the LDAP group.
>
> If my realm is @hampshire.edu, everything works as I want it to,
> because it doesn't proxy. But when I try to authenticate as a fake
> user in my test proxy realm (I just want to see it try to proxy), it
> looks in the local LDAP database! Huh? It says it's preparing to proxy
> authentication, as it should... how do I make it either proxy
> authorization as well, or skip authorization for non-local domains?
> How should I go about this? I must be misunderstanding something. I
> don't want it to do anything locally if I've set it to proxy!
>
> I get the following relevant output from freeradius -X:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
>         User-Name = [EMAIL PROTECTED]
>         User-Password = passwowrd
>         NAS-IP-Address = 172.20.66.104
>         NAS-Port = 1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: Looking up realm testdomain.edu for User-Name = [EMAIL PROTECTED]
>     rlm_realm: Found realm testdomain.edu
>     rlm_realm: Adding Stripped-User-Name = dude
>     rlm_realm: Proxying request from user dude to realm testdomain.edu
>     rlm_realm: Adding Realm = testdomain.edu
>     rlm_realm: Preparing to proxy authentication request to realm testdomain.edu
> ++[suffix] returns updated
> ++[unix] returns notfound
> rlm_ldap: Entering ldap_groupcmp()
>         expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
>         expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
> rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to ldap.hampshire.edu:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
Re: one RADIUS server per realm setup
I see. I can, indeed, remove Auth-Type := LDAP from the users file and
it still works. Cool!

However, the behavior described in the documentation is not what I'm
seeing, and I'm still getting (contrary to what I said in my previous
email) authorization requests not being proxied, even though I have, in
my authorize section, the suffix directive previous to files and ldap,
which is where I check the LDAP group.

If my realm is @hampshire.edu, everything works as I want it to, because
it doesn't proxy. But when I try to authenticate as a fake user in my
test proxy realm (I just want to see it try to proxy), it looks in the
local LDAP database! Huh? It says it's preparing to proxy
authentication, as it should... how do I make it either proxy
authorization as well, or skip authorization for non-local domains? How
should I go about this? I must be misunderstanding something. I don't
want it to do anything locally if I've set it to proxy!

I get the following relevant output from freeradius -X:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
        User-Name = [EMAIL PROTECTED]
        User-Password = passwowrd
        NAS-IP-Address = 172.20.66.104
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm testdomain.edu for User-Name = [EMAIL PROTECTED]
    rlm_realm: Found realm testdomain.edu
    rlm_realm: Adding Stripped-User-Name = dude
    rlm_realm: Proxying request from user dude to realm testdomain.edu
    rlm_realm: Adding Realm = testdomain.edu
    rlm_realm: Preparing to proxy authentication request to realm testdomain.edu
++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to ldap.hampshire.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 219
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dude
        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> [EMAIL PROTECTED]
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
        Reply-Message = Only current faculty, staff or students are allowed to log in.
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +2
Ready to process requests.

Alan DeKok wrote:
> Wm. Josiah Erikson wrote:
>> # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We
>> # really can't emphasize this enough.
>>
>> Uh. OK. That's exactly what I'm doing, and it's working :)
>
>   Then it works. It's fine. That message is for the majority of
> people who force LDAP to be used for authentication, and then wonder
> why EAP doesn't work.
>
>   Remember: LDAP is a
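A small check for the symptom in the debug output above, as an added example that is not part of the thread or of FreeRADIUS: it splits `freeradius -X` output per Access-Request and flags any request that rlm_realm marked for proxying but that still went through files/ldap locally. The module names and log phrases are the ones visible in the output above; the sample log is constructed from it, not captured from a server.

```python
"""Scan `freeradius -X` output for requests that rlm_realm marked for proxying
but that were still run through local authorization modules (files, ldap).
Added example, not code from the thread or from FreeRADIUS; the sample log is
constructed from the debug output quoted above, not captured from a server."""
import re

PROXY_MARK = re.compile(r"rlm_realm: Preparing to proxy .* to realm (\S+)")
REALM_FOUND = re.compile(r"rlm_realm: Found realm (\S+)")
MODULE_RETURN = re.compile(r"\+\+\[(\w+)\] returns (\w+)")
# Modules that consult the local user store; none of them should run for a
# request that rlm_realm has already decided to proxy elsewhere.
LOCAL_MODULES = {"files", "ldap"}


def parse_debug(text):
    """Return one dict per Access-Request: realm, proxy flag, local modules
    that ran after the proxy decision, and the final reply code."""
    traces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv: Access-Request"):
            cur = {"realm": None, "proxy": False, "leaked": [], "reply": None}
            traces.append(cur)
        elif cur is None:
            continue
        elif m := REALM_FOUND.search(line):
            cur["realm"] = m.group(1)
        elif PROXY_MARK.search(line):
            cur["proxy"] = True
        elif m := MODULE_RETURN.search(line):
            if cur["proxy"] and m.group(1) in LOCAL_MODULES:
                cur["leaked"].append(f"{m.group(1)}:{m.group(2)}")
        elif line.startswith("Sending Access-"):
            cur["reply"] = line.split()[1]
    return traces


def find_leaks(text):
    """(realm, leaked modules) for every proxied request that hit local modules."""
    return [(t["realm"], t["leaked"]) for t in parse_debug(text)
            if t["proxy"] and t["leaked"]]


# Constructed excerpt: request 118 is for the proxy realm yet still reaches
# files/ldap; request 119 is for the local realm and is handled locally.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, length=66
rlm_realm: Found realm testdomain.edu
rlm_realm: Preparing to proxy authentication request to realm testdomain.edu
++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
++[files] returns ok
++[ldap] returns notfound
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
rad_recv: Access-Request packet from host 127.0.0.1 port 34023, id=119, length=60
rlm_realm: Found realm hampshire.edu
++[suffix] returns ok
++[files] returns ok
++[ldap] returns ok
Sending Access-Accept of id 119 to 127.0.0.1 port 34023
"""
```

Run `find_leaks(SAMPLE)` on a captured `-X` log to list the realms whose requests were authorized locally despite the proxy decision; an empty list means the authorize section is ordering realm handling before the local modules.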
Re: one RADIUS server per realm setup
Wm. Josiah Erikson wrote:
> # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We
> # really can't emphasize this enough.
>
> Uh. OK. That's exactly what I'm doing, and it's working :)

  Then it works. It's fine. That message is for the majority of people
who force LDAP to be used for authentication, and then wonder why EAP
doesn't work.

  Remember: LDAP is a database. It's not an authentication server.

> However, is there a better way to do this that I'm not understanding?
> Why shouldn't I set Auth-Type := LDAP ?

  You probably don't need to set it. If you simply deleted that from
the users file, your configuration would probably still work.

  Alan DeKok.
Re: one RADIUS server per realm setup
Hi,

I'm the guy that's trying to kinda duplicate eduroam, if you remember -
I had an outdated server and Alan recommended I update to v2.0.1, which
I have now done.

I've gotten this working (after updating my server and building
freeradius packages for it) - in 2.0.1, when I uncommented the IPASS
option in the authorize section, which says:

    # Look for IPASS style 'realm/', and if not found, look for
    # '@realm', and decide whether or not to proxy, based on
    # that.

which is exactly what I wanted, and it seems to do what I want now -
when it finds a non-local realm, it no longer tries to authorize
locally. Good. Everything is peachy.

However... question. It says in radiusd.conf:

    # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We
    # really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :)

I'm only doing it because I wanted to reject or accept local users
based on groups, so I have the following in radiusd.conf:

    groupname_attribute = gidNumber
    groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"

and then the following in users:

    # Allow Students
    DEFAULT Ldap-Group == 200, Auth-Type := LDAP
    # ...and Staff
    DEFAULT Ldap-Group == 250, Auth-Type := LDAP
    # ...and Faculty
    DEFAULT Ldap-Group == 300, Auth-Type := LDAP
    # ...and nobody else!
    DEFAULT Auth-Type := Reject
            Reply-Message = "Only current faculty, staff or students are allowed to log in."

It seems to do what I want. We don't store the group name in the LDAP
user entry, so I'm using the gid, which works fine.

However, is there a better way to do this that I'm not understanding?
Why shouldn't I set Auth-Type := LDAP ?

Thanks so much! I'm just trying to pay attention to the documentation,
which tells me very strongly not to do exactly what I'm doing, even
though it really seems to work.

-Josiah

[EMAIL PROTECTED] wrote:
> Hi,
>
>> 1. Proxy authorization as well - it's not clear how to do this. Can
>> you? I'd really just like to forward the entire request elsewhere,
>> before anything else happens, so I'd like to check the realm FIRST,
>> and not do anything if it's not a local realm.
>
> yes, that's exactly what you do proxy stuff for - you'll define your
> local realm, and null realm etc. you then define the realms and the
> RADIUS server address for each of those realms. the requests then get
> proxied to the remote systems. it's similar to what we do with eduroam
> in europe - and myself with JRS (the 'UK side' of eduroam) -
> http://www.ja.net/roaming
>
>> I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>
> definitely upgrade - 2.0.1 the proxy stuff is soo much better
> (failovers, dead timers, status requests etc)
>
> alan
Re: one RADIUS server per realm setup
I had to log onto the website to see Alan's reply for some reason (I
think I need to adjust my spam filters) - thanks for that! So I'm
replying to my original message instead of to Alan's.

Alan says proxying does this for me, but in fact it doesn't (in my old
version anyway). Proxying seems to work only for authentication and not
for authorization. Yes, we are trying to copy what eduroam does, for the
most part. I'll try upgrading my version, since I'm so painfully behind,
and hopefully it will work as described.

Thanks!
-Josiah

Wm. Josiah Erikson wrote:
> Hello all,
>
> We are trying to set up a cross-auth proxy setup between our five
> RADIUS servers in different realms at five different institutions, so
> that any active student, staff, or faculty from any of our
> institutions can go to any of the other institutions and log onto the
> network. This means that if a user from institution B comes to my
> institution, I want my RADIUS server to ask the RADIUS server over at
> institution B instead of using the local setup.
>
> I've gotten much of it working, both authorizing and authenticating
> against our LDAP database here, but something about the authorization
> step is unclear to me. At the moment, I have it set up so that if I
> get a login request, it checks to see if the user is a member of the
> correct group(s) (authorization), and THEN authenticates the user,
> checking the realm to see where it should send the request for
> authentication. This all works very well, except that the
> authorization step only works if the user is one of MY users. If the
> user is one of the other four-college users, then the authorization
> step fails (since the user doesn't exist in my LDAP database) and the
> user is rejected.
>
> So I think I need to do one of three things:
>
> 1. Proxy authorization as well - it's not clear how to do this. Can
>    you? I'd really just like to forward the entire request elsewhere,
>    before anything else happens, so I'd like to check the realm FIRST,
>    and not do anything if it's not a local realm.
>
> 2. Skip authorization entirely unless the user is a member of a
>    specific realm. Again, it's not clear to me how to do this. Any
>    ideas?
>
> 3. Something else I haven't thought of yet.
>
> This must be something other people do too, yes? We'd like to be able
> to do the authorization step, because I don't want, for instance,
> alumni or guest users (who are in the LDAP database) to be able to log
> in.
>
> I'm currently using freeradius 1.0.2, but I can upgrade if I need to.
>
> Thanks for any help, and if more info is needed, just ask!
Re: one RADIUS server per realm setup
Hi,

> 1. Proxy authorization as well - it's not clear how to do this. Can
> you? I'd really just like to forward the entire request elsewhere,
> before anything else happens, so I'd like to check the realm FIRST,
> and not do anything if it's not a local realm.

yes, that's exactly what you do proxy stuff for - you'll define your
local realm, and null realm etc. you then define the realms and the
RADIUS server address for each of those realms. the requests then get
proxied to the remote systems. it's similar to what we do with eduroam
in europe - and myself with JRS (the 'UK side' of eduroam) -
http://www.ja.net/roaming

> I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

definitely upgrade - 2.0.1 the proxy stuff is soo much better
(failovers, dead timers, status requests etc)

alan
one RADIUS server per realm setup
Hello all,

We are trying to set up a cross-auth proxy setup between our five RADIUS
servers in different realms at five different institutions, so that any
active student, staff, or faculty from any of our institutions can go to
any of the other institutions and log onto the network. This means that
if a user from institution B comes to my institution, I want my RADIUS
server to ask the RADIUS server over at institution B instead of using
the local setup.

I've gotten much of it working, both authorizing and authenticating
against our LDAP database here, but something about the authorization
step is unclear to me. At the moment, I have it set up so that if I get
a login request, it checks to see if the user is a member of the correct
group(s) (authorization), and THEN authenticates the user, checking the
realm to see where it should send the request for authentication. This
all works very well, except that the authorization step only works if
the user is one of MY users. If the user is one of the other
four-college users, then the authorization step fails (since the user
doesn't exist in my LDAP database) and the user is rejected.

So I think I need to do one of three things:

1. Proxy authorization as well - it's not clear how to do this. Can you?
   I'd really just like to forward the entire request elsewhere, before
   anything else happens, so I'd like to check the realm FIRST, and not
   do anything if it's not a local realm.

2. Skip authorization entirely unless the user is a member of a specific
   realm. Again, it's not clear to me how to do this. Any ideas?

3. Something else I haven't thought of yet.

This must be something other people do too, yes? We'd like to be able to
do the authorization step, because I don't want, for instance, alumni or
guest users (who are in the LDAP database) to be able to log in.

I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

Thanks for any help, and if more info is needed, just ask!

--
Wm. Josiah Erikson