Re: one RADIUS server per realm setup

2008-01-30 Thread Alan DeKok
Wm. Josiah Erikson wrote:

 I'm not sure what the syntax rules for the authorize{} section of the
 config files are; I was unable to find any description in the docs of
 how one goes about figuring out how to write these conditional
 statements. What language is it? 

$ man unlang

 It seems C-like, but only kindof. Did I
 miss this in the documentation? And the only way I could tell that I
 could use the variable Realm is because it was in the debugging output
 of freeradius. I couldn't find a list of available variables on the
 wiki, other than
 http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which
 is very incomplete and not self-explanatory.

  The variables are attributes in a RADIUS packet.  So there *is* no
complete list, because every site has different attributes.

 I'm just confused as to how I was supposed to figure all this out
 without doing what I did, which was bang my head against the wall for a
 long time. I kinda figured there was some default way I was supposed to
 be doing what I was doing, but I gave up and did what feels like a
 hack to me. Is it OK? Am I missing a clear place where all of this is
 described?

  The comments at the top of radiusd.conf say:

#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: one RADIUS server per realm setup

2008-01-30 Thread Wm. Josiah Erikson

Oh. Now I'm embarrassed. Thanks and sorry! :)
   -Josiah





--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: one RADIUS server per realm setup

2008-01-29 Thread Wm. Josiah Erikson
I appear to have gotten this working by adding the following to my 
authorize {} section:


if (Realm == "localdomain.edu") {
   files
   ldap
}

Obviously removing the reference to files and ldap from elsewhere in 
the authorize section. Then I do LDAP group checking in the users file 
like this:


# Allow Students
DEFAULT Ldap-Group == 30

# ...and Staff
DEFAULT Ldap-Group == 40

# ...and Faculty
DEFAULT Ldap-Group == 50

# ...and nobody else!
DEFAULT Auth-Type := Reject
   Reply-Message = "Only current faculty, staff or students are allowed to log in."


...and in radiusd.conf, the following non-default config in the ldap 
section to establish how to find Ldap-Group:


   base_filter = "(objectclass=posixAccount)"
   groupname_attribute = gidNumber
   groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"
   groupmembership_attribute = gidNumber

And then I have set up my proxy hosts for other realms (domains) in 
proxy.conf


This seems to accomplish what I want, which is to check LDAP groups 
during authorization only if the realm is local.


I'm not sure what the syntax rules for the authorize{} section of the 
config files are; I was unable to find any description in the docs of 
how one goes about figuring out how to write these conditional 
statements. What language is it? It seems C-like, but only kindof. Did I 
miss this in the documentation? And the only way I could tell that I 
could use the variable Realm is because it was in the debugging output 
of freeradius. I couldn't find a list of available variables on the 
wiki, other than 
http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which 
is very incomplete and not self-explanatory.


I'm just confused as to how I was supposed to figure all this out 
without doing what I did, which was bang my head against the wall for a 
long time. I kinda figured there was some default way I was supposed to 
be doing what I was doing, but I gave up and did what feels like a 
hack to me. Is it OK? Am I missing a clear place where all of this is 
described?


This is a fabulous piece of software, and I appreciate its license, its 
functionality, and its highly-configurable nature, I just feel like I'm 
missing something :)


All the best,

   -Josiah



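The realm-gated authorize section written out in full, as an added example rather than Josiah's posted config or the FreeRADIUS default file. It assumes FreeRADIUS 2.0.x, that hampshire.edu is the local realm, and that proxy.conf defines both hampshire.edu and NULL as local realms (no auth_pool), so rlm_realm adds Realm = "hampshire.edu" or Realm = "NULL" for local users and flags everything else for proxying:

```conf
#  raddb/sites-enabled/default, authorize section (FreeRADIUS 2.0.x).
#  Assumed: hampshire.edu is the local realm, and proxy.conf lists
#  hampshire.edu and NULL as local realms without an auth_pool.
authorize {
    preprocess
    chap
    mschap

    #  Realm detection must run before any local lookup.  IPASS
    #  handles "realm/user", suffix handles "user@realm".  Each adds
    #  Stripped-User-Name and Realm, and marks the request for
    #  proxying when the realm has an auth_pool in proxy.conf.
    IPASS
    suffix

    #  rlm_eap returns noop for a request that is going to be proxied,
    #  so it is safe to leave here in the default position.
    eap

    #  Local directory checks only for our own users.  A foreign
    #  realm skips this block, so the "DEFAULT Auth-Type := Reject"
    #  fallthrough in the users file can no longer reject a roaming
    #  user (the "Matched entry DEFAULT" seen in the debug output).
    if (Realm == "hampshire.edu" || Realm == "NULL") {
        files
        ldap
    }
    #  A name whose realm is neither local nor listed in proxy.conf
    #  gets no Realm attribute at all.  Refuse it explicitly instead
    #  of letting it fall through with no Auth-Type set.
    elsif (!Realm) {
        reject
    }

    #  pap runs last so it sees any password ldap fetched above.
    #  Nothing here forces Auth-Type := LDAP.
    pap
}
```

Run the server with -X and send one request per case (user@hampshire.edu, bare user, user@otherschool.edu, user@nowhere.example): the first two should show files and ldap running, the third should show only rlm_realm and "Preparing to proxy", and the fourth should be rejected without any LDAP search.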

Re: one RADIUS server per realm setup

2008-01-25 Thread Wm. Josiah Erikson
I see. I can, indeed, remove Auth-Type := LDAP from the users file and 
it still works. Cool!


However, the behavior described in the documentation is not what I'm 
seeing, and I'm still getting (contrary to what I said in my previous 
email) authorization requests not being proxied, even though I have, in 
my authorize section, the "suffix" directive previous to "files" and 
"ldap", which is where I check the LDAP group


If my realm is @hampshire.edu, everything works as I want it to, because 
it doesn't proxy. But when I try to authenticate as a fake user in my 
test proxy realm (I just want to see it try to proxy), it looks in the 
local LDAP database! Huh? It says it's preparing to proxy 
authentication, as it should... how do I make it either proxy 
authorization as well, or skip authorization for non-local domains? How 
should I go about this?


I must be misunderstanding something. I don't want it to do anything 
locally if I've set it to proxy! I get the following relevant output 
from freeradius -X:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 34022, id=118, 
length=66

   User-Name = [EMAIL PROTECTED]
   User-Password = passwowrd
   NAS-IP-Address = 172.20.66.104
   NAS-Port = 1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: Looking up realm testdomain.edu for User-Name = 
[EMAIL PROTECTED]

   rlm_realm: Found realm testdomain.edu
   rlm_realm: Adding Stripped-User-Name = dude
   rlm_realm: Proxying request from user dude to realm testdomain.edu
   rlm_realm: Adding Realm = testdomain.edu
   rlm_realm: Preparing to proxy authentication request to realm 
testdomain.edu

++[suffix] returns updated
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to 
ldap.hampshire.edu:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 219
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dude
   expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
   expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=hampshire, dc=edu, with filter (uid=dude)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
 Found Post-Auth-Type Reject
+- entering group REJECT {...}
   expand: %{User-Name} -> [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to 127.0.0.1 port 34022
   Reply-Message = Only current faculty, staff or students are 
allowed to log in.

Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +2
Ready to process requests.




Re: one RADIUS server per realm setup

2008-01-25 Thread Alan DeKok
Wm. Josiah Erikson wrote:
#  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
 
 Uh. OK. That's exactly what I'm doing, and it's working :) 

  Then it works.  It's fine.

  That message is for the majority of people who force LDAP to be used
for authentication, and then wonder why EAP doesn't work.

  Remember: LDAP is a database.  It's not an authentication server.

 However, is there a better way to do this that I'm not understanding?
 Why shouldn't I set Auth-Type := LDAP ?

  You probably don't need to set it.  If you simply deleted that from
the users file, your configuration would probably still work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
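To make Alan's point concrete, here is an added example (not a file from the thread or from the FreeRADIUS distribution) of the same users-file policy with the forced Auth-Type removed, together with the authenticate section it relies on. It assumes FreeRADIUS 2.0.x with the stock ldap.attrmap and rlm_ldap's set_auth_type option left at its default:

```conf
#  raddb/users: the group policy with no Auth-Type forced.  Matching
#  stops at the first DEFAULT whose check items match, so current
#  members are accepted and everyone else falls to the Reject entry.
DEFAULT Ldap-Group == 200
DEFAULT Ldap-Group == 250
DEFAULT Ldap-Group == 300

DEFAULT Auth-Type := Reject
        Reply-Message = "Only current faculty, staff or students are allowed to log in."

#  raddb/sites-enabled/default.  With ldap in authorize, rlm_ldap
#  reads the user's entry.  If it can read a password attribute mapped
#  in ldap.attrmap (userPassword), that becomes the check item pap or
#  eap compares against; only when it cannot does set_auth_type make
#  it select Auth-Type LDAP (an LDAP bind as the user) itself.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
    pap
}

authenticate {
    #  The Auth-Type is chosen by pap/chap/mschap/eap in authorize
    #  from what the NAS actually sent.  Forcing Auth-Type := LDAP in
    #  the users file overrides all of them with an LDAP bind, which
    #  can only succeed when a cleartext password arrived (PAP), so
    #  CHAP, MS-CHAP and every EAP method stop working.
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap

    #  Bind-as-user fallback, reached only via set_auth_type above.
    Auth-Type LDAP {
        ldap
    }
}
```

If the bind account in radiusd.conf's ldap section cannot read userPassword, every request will take the bind fallback and PAP will be the only method that works; granting that read access (or storing an NT hash for MS-CHAP/PEAP) is what lets the other methods authenticate local users without any Auth-Type in the users file.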


Re: one RADIUS server per realm setup

2008-01-24 Thread Wm. Josiah Erikson

Hi,
   I'm the guy that's trying to kinda duplicate eduroam, if you 
remember - I had an outdated server and Alan recommended I update to 
v2.0.1, which I have now done.


I've gotten this working (after updating my server and building 
freeradius packages for it) - in 2.0.1, when I uncommented the IPASS 
option in the authorize section, which says:


   #  Look for IPASS style 'realm/', and if not found, look for
   #  '@realm', and decide whether or not to proxy, based on
   #  that.

which is exactly what I wanted, and it seems to do what I want now - 
when it finds a non-local realm, it no longer tries to authorize 
locally. Good. Everything is peachy.


However... question. It says in radiusd.conf:

   #  Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG.  We
   #  really can't emphasize this enough.

Uh. OK. That's exactly what I'm doing, and it's working :) I'm only 
doing it because I wanted to reject or accept local users based on 
groups, so I have the following in radiusd.conf:


   groupname_attribute = gidNumber
   groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"


and then the following in users:

# Allow Students
DEFAULT Ldap-Group == 200, Auth-Type := LDAP

# ...and Staff
DEFAULT Ldap-Group == 250, Auth-Type := LDAP

# ...and Faculty
DEFAULT Ldap-Group == 300, Auth-Type := LDAP

# ...and nobody else!
DEFAULT Auth-Type := Reject
   Reply-Message = "Only current faculty, staff or students are allowed to log in."



It seems to do what I want. We don't store the group name in the LDAP 
user entry, so I'm using the gid, which works fine.


However, is there a better way to do this that I'm not understanding? 
Why shouldn't I set Auth-Type := LDAP ?


Thanks so much! I'm just trying to pay attention to the documentation, 
which tells me very strongly not to do exactly what I'm doing, even 
though it really seems to work.


   -Josiah






--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: one RADIUS server per realm setup

2008-01-23 Thread Wm. Josiah Erikson
I had to log onto the website to see Alan's reply for some reason (I 
think I need to adjust my spam filters) - thanks for that! So I'm 
replying to my original message instead of to Alan's.


Alan says proxying does this for me, but in fact it doesn't (in my old 
version anyway). proxying seems to work only for authentication and not 
for authorization. Yes, we are trying to copy what eduroam does, for the 
most part.


I'll try upgrading my version, since I'm so painfully behind, and 
hopefully it will work as described. Thanks!


   -Josiah




--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: one RADIUS server per realm setup

2008-01-23 Thread A . L . M . Buxey
Hi,

1. Proxy authorization as well - it's not clear how to do this. Can you? 
 I'd really just like to forward the entire request elsewhere, before 
 anything else happens, so I'd like to check the realm FIRST, and not do 
 anything if it's not a local realm.

yes, that's exactly what you do proxy stuff for - you'll define your
local realm, and null realm etc. you then define the realms and the
RADIUS server address for each of those realms. the requests
then get proxied to the remote systems.

its similar to what we do with eduroam in europe - and myself with
JRS (the 'UK side' of eduroam) - http://www.ja.net/roaming

I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

definitely upgrade - 2.0.1, the proxy stuff is so much better
(failovers, dead timers, status requests etc)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
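A worked proxy.conf for the realm routing Alan Buxey describes, including the failover, dead-server and Status-Server features he mentions. This is an added example, not taken from the list posts or from the FreeRADIUS distribution; it uses FreeRADIUS 2.0.x syntax, and the remote host address 192.0.2.10, the secret, the institutionb.edu realm and the pool names are placeholders:

```conf
#  raddb/proxy.conf (FreeRADIUS 2.0.x).  Realm routing for the
#  five-institution federation in this thread.  The address
#  192.0.2.10, the secret, institutionb.edu and the pool names are
#  placeholders.

proxy server {
    #  Do not fall back to local authentication when every home
    #  server for a realm is dead: a roaming user whose home is
    #  unreachable must be rejected, not checked against our LDAP.
    default_fallback = no
}

#  One home_server per remote institution.  Status-Server probes,
#  zombie_period and revive_interval are the dead-server handling
#  that the 1.x proxy code did not have.
home_server institution_b {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    #  Shared secret: long and random.  RADIUS over UDP only hides
    #  User-Password with MD5 keyed by this secret, so traffic
    #  between sites should also run over IPsec or another
    #  encrypted link.
    secret = replace-with-a-long-random-secret
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool institution_b_pool {
    type = fail-over
    home_server = institution_b
    #  Add the institution's secondary server as a second
    #  home_server line to get automatic failover.
}

#  Remote realm: user@institutionb.edu is proxied.  nostrip sends
#  the original User-Name so the remote server sees its own realm.
realm institutionb.edu {
    auth_pool = institution_b_pool
    nostrip
}

#  Local realms: no auth_pool means LOCAL.  rlm_realm still strips
#  the suffix and adds Realm = "hampshire.edu" or Realm = "NULL",
#  which is what a realm check in the authorize section keys on.
realm hampshire.edu {
}

realm NULL {
}

#  Deliberately no "realm DEFAULT": an unknown realm is not sent
#  anywhere and gets no Realm attribute, so it cannot be mistaken
#  for a local user.
```

With type = auth the home server only receives Access-Requests; if the remote institution should also get accounting for its roaming users, use type = auth+acct and add an acct_pool to the realm. The zombie_period and revive_interval values are the 2.0 defaults and can be tuned per link.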


one RADIUS server per realm setup

2008-01-23 Thread Wm. Josiah Erikson

Hello all,
   We are trying to set up a cross-auth proxy setup between our five 
RADIUS servers in different realms at five different institutions, so 
that any active student, staff, or faculty from any of our institutions 
can go to any of the other institutions and log onto the network. This 
means that if a user from institution B comes to my institution, I want 
my RADIUS server to ask the RADIUS server over at institution B instead 
of using the local setup.
   I've gotten much of it working, both authorizing and authenticating 
against our LDAP database here, but something about the authorization 
step is unclear to me. At the moment, I have it set up so that if I get 
a login request, it checks to see if the user is a member of the correct 
group(s) (authorization), and THEN authenticates the user, checking the 
realm to see where it should send the request for authentication. This 
all works very well, except that the authorization step only works if 
the user is one of MY users. If the user is one of the other 
four-college users, then the authorization step fails (since the user 
doesn't exist in my LDAP database) and the user is rejected. So I think 
I need to do one of three things:


   1. Proxy authorization as well - it's not clear how to do this. Can 
you? I'd really just like to forward the entire request elsewhere, 
before anything else happens, so I'd like to check the realm FIRST, and 
not do anything if it's not a local realm.
   2. Skip authorization entirely unless the user is a member of a 
specific realm. Again, it's not clear to me how to do this. Any ideas?


   3. something else I haven't thought of yet.

   This must be something other people do too, yes? We'd like to be 
able to do the authorization step, because I don't want, for instance, 
alumni or guest users, (who are in the LDAP database) to be able to log in.


   I'm currently using freeradius 1.0.2, but I can upgrade if I need to.

   Thanks for any help, and if more info is needed, just ask!

--
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html