[RADIATOR] Use AD group membership for SQL lookups?

2014-04-14 Thread Martin Burman
Hi there.

I'm a n00b in RADIUS so please bear with me.
I've read a couple of links found via Google and either I can't define my 
question correctly or I'm rather alone in what I'm trying to do?

I have Radiator on Red Hat Linux authenticating via Winbind/NTLM to an Active 
Directory server, probably a Server 2008.
I have two LDAP2 sections checking group memberships and so far all is working.
The goal is to send attributes to a Cisco ASA that contain access-lists, which 
group policy to use and so on and all data for this is tested and working.
The steps, from what I understand, are:
1: check username/password combo. - OK
2: Search from a set of AD groups until a match EVENTUALLY is found. -OK
3: query MySQL for attributes/values based on username. - OK
4: query MySQL for the attributes and values based on group name. - Problem here
5: If no group matches: select a default set of attributes from MySQL. - Problem 
here. Could get away with an Access-Reject also.

The closest I've got seems to be this one, suggesting PostAuthHooks:  
http://www.open.com.au/pipermail/radiator/2014-February/019667.html
I've just begun reading about this but I'm a lousy programmer so I decided to 
ask here for a simpler solution if possible.

Below is my cleaned up config, trace 5 debug and the SQL data. For now the SQL 
query for groups is static, I made it that way as a sanity check.
(BTW: The Cisco AV-Pairs I'm using are allowed to be sent more than once; in 
FreeRADIUS this is accomplished with different assignment operators (':=' 
instead of '=' if I remember it right).
How is this implemented in Radiator?)

Or am I doomed to use hooks?

Best regards and thanks in advance, sorry for poor English and n00b skillZ.
Martin Burman

<Client 1.2.8.247>
    Secret testing123
    Identifier justanidentifier
</Client>

<AuthBy NTLM>
    Domain DOM.AIN.SE
    DefaultDomain DOM.AIN.SE
    UsernameMatchesWithoutRealm
    Identifier pfntlm
    UsernameFormat %U
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
    EAPType MSCHAP-V2, PAP
</AuthBy>

<AuthBy LDAP2>
    Identifier pfldapFWVPN-Test
    Host 1.2.3.11
    Port 3268
    AuthDN CN=...
    AuthPassword UltraSecret
    BaseDN DC=DOM,DC=AIN,DC=SE
    UsernameAttr sAMAccountName
    NoCheckPassword
    SearchFilter (&(%0=%U)(memberOf=CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
    NoDefault
    NoDefaultIfFound
    Debug 15
</AuthBy>

<AuthBy LDAP2>
    ### supposed to fail, used to check if Radiator continues as expected
    Identifier pfldapNonExistent
    Host 1.2.3.11
    Port 3268
    AuthDN CN=...
    AuthPassword UltraSecret
    BaseDN DC=DOM,DC=AIN,DC=SE
    UsernameAttr sAMAccountName
    NoCheckPassword
    SearchFilter (&(%0=%U)(memberOf=CN=NonExistentGroup,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
    NoDefault
    NoDefaultIfFound
    Debug 15
</AuthBy>

<AuthBy SQL>
    ### Works
    Identifier SQLAccounting
    DBSource dbi:mysql:radius:localhost:3306
    DBUsername rad
    AuthSelect select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME=%0
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, reply
</AuthBy>

<AuthBy SQL>
    ### Stuck here
    Identifier SQLgroupcheck
    DBSource dbi:mysql:radius:localhost:3306
    DBUsername rad
    ### A variable with group name would be great, static SQL as mentioned above
    AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'
    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, reply
</AuthBy>

<Handler User-Name=mytestuser>
    Identifier tjosan
    AuthByPolicy ContinueWhileAccept
    AuthBy pfntlm
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        AuthBy pfldapNonExistent
        AuthBy pfldapFWVPN-Test
    </AuthBy>
    AuthBy SQLAccounting
    AuthBy SQLgroupcheck
</Handler>
___
Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
*** Received from 1.2.8.247 port 60086 

Packet length = 76
01 98 00 4c 4c 35 96 77 df d8 1c e1 8d eb 9b 27

c9 64 37 ba 3e 30 4f 4d 8d e9 88 37
Code:   Access-Request
Identifier: 152
Authentic:  L5...
Attributes:
User-Name = mytestuser
User-Password = sqrubbed
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 196...

Mon Apr 14 11:53:06 2014: DEBUG: Handling request with Handler 
'User-Name=mytestuser', Identifier 'tjosan'
Mon Apr 14 11:53:06 2014: DEBUG:  Deleting session for mytestuser, 127.0.0.1, 0
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthNTLM: pfntlm
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM looks for match with 
mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth 
--helper-protocol=ntlm-server-1
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Password:: ==
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute NT-Domain:: x
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Username:: x
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: Authenticated: Yes
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: .
Mon 

Re: [RADIATOR] Radiator/AuthWimax.pm BS ID Questions

2014-04-14 Thread Heikki Vatiainen
On 04/14/2014 07:07 AM, Adam O'Reilly wrote:

> Just wanting to find out the reasoning behind this:
>
> 200 my $bsid = $p->get_attr('WiMAX-BS-ID');
> 201 ($napid, $bsid) = unpack('a3 a3', $bsid);
>
> The reason is we are seeing WiMAX-BS-ID come in like this
> WiMAX-BS-ID = 000XXXX001
>
> (Removed the identifying parts)
>
> The AuthWimax code then inserts it into the device_session table as:
>
>   bsid: 000
>
> Any help would be greatly appreciated.

I think the reason is this:
http://resources.wimaxforum.org/sites/wimaxforum.org/files/technical_document/2009/07/WMF-T33-001-R010v04_Network-Stage3-Base.pdf

Section 5.4.2.46 BS-ID says about the attribute value:

  Octet-String (6 Octets). Representing NAP operator identifier
  (first 3 Octets) and the Base Station ID (next 3 Octets).

Looking at a more recent doc,
WMF-T33-001-R015v03
WMF Approved
(2011-11-14)

the same definition is also there, unchanged.

Maybe your equipment has a configuration option to use a different format?

Thanks,
Heikki


-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Use AD group membership for SQL lookups?

2014-04-14 Thread Heikki Vatiainen
On 04/14/2014 05:56 PM, Martin Burman wrote:

> 1: check username/password combo. - OK
> 2: Search from a set of AD groups until a match EVENTUALLY is found. -OK
> 3: query MySQL for attributes/values based on username. - OK
> 4: query MySQL for the attributes and values based on group name. - Problem 
> here

Hello Martin,

thanks for the full examples. About step 2, I'd use AuthAttrDef to pick
and choose just the attributes that are interesting. If you store
attributes in the reply, for example, you can pick them in step 4 with
something like this:

AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME=?
AuthSelectParam %{x-memberof}

It might be you need to do a small Hook to pick just the interesting
part from the returned memberOf value. That interesting part can then be
stored in the reply.

If you use this:
AuthAttrDef memberOf,x-memberof,request

You will get the full value of memberOf in the request. If you do this:
AuthAttrDef memberOf

the attributes will not be stored in the request or reply, but will be
available from the LDAP result for you to process with PostSearchHook
and store in the request for later use.

> (BTW: The Cisco AV-Pairs I'm using is allowed to be sent more than once, in 
> Freeradius this is accomplished with different assignment operators (':=' 
> instead of '=' if I remember it right).
> How is this implemented in Radiator?)

If you use GENERIC with AuthColumnDef, it will add all attributes from
SQL and cisco-avpair can be there multiple times. There is no separate
assignment operator.

> Or am I doomed to use hooks?

Maybe :)

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au

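The hook Heikki sketches above (AuthAttrDef memberOf so the LDAP result carries the group DNs, a PostSearchHook that extracts the interesting part and stores it in the request, and AuthSelectParam %{x-memberof} to bind it into the group query), written out as an added example. This is not code from the thread and not Radiator's own code. Assumptions: the argument order of PostSearchHook ($_[0] AuthBy object, $_[1] user name, $_[2] request packet, $_[3] User object, $_[4] Net::LDAP::Entry, $_[5] reply packet) must be checked against the PostSearchHook entry in the reference manual for your Radiator version; the group names, the x-memberof request attribute and the FWVPN-Default fallback row are made up for the example.

```perl
# groupmap.pl: PostSearchHook for <AuthBy LDAP2> (added example, not from the
# thread or from Radiator). Picks one group name out of the user's memberOf
# values and stores it in the request as x-memberof, so a later <AuthBy SQL>
# can bind it with AuthSelectParam %{x-memberof}.
#
# ASSUMPTION: the argument order of PostSearchHook used below; check it
# against the reference manual for your Radiator version before use.
use strict;
use warnings;

# Groups we have SQL rows for, most specific first; a user in several of
# them gets the first match. These names are hypothetical.
my @known_groups = ('FWVPN-Admin', 'FWVPN-Test', 'FWVPN-Users');

# Row to use when no group matches (step 5 of the original post). Set to
# undef to leave x-memberof unset: the SQL lookup then finds no row and the
# request is rejected instead of getting the default attribute set.
my $default_group = 'FWVPN-Default';

# Return the bare CN of a DN such as
#   CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE
# or undef if the DN does not start with a CN. Handles RFC 4514 escapes
# ("\," and "\2C" both mean a literal comma) and matches case-insensitively.
sub cn_from_dn {
    my ($dn) = @_;
    return undef unless defined($dn) && $dn =~ /^\s*CN=((?:\\.|[^,\\])*)/i;
    my $cn = $1;
    # Undo escapes in one pass: \XX hex pair -> that byte, \c -> c
    $cn =~ s/\\([0-9A-Fa-f]{2}|.)/ length($1) == 2 ? chr(hex($1)) : $1 /ge;
    return $cn;
}

# Choose the group the SQL lookup should use: the first entry of
# @known_groups the user is a direct member of, otherwise $default_group.
sub choose_group {
    my (@member_of) = @_;
    my %is_member;
    for my $dn (@member_of) {
        my $cn = cn_from_dn($dn);
        $is_member{ lc $cn } = 1 if defined $cn;
    }
    for my $group (@known_groups) {
        return $group if $is_member{ lc $group };
    }
    return $default_group;
}

# The hook itself. It must be the last expression in the file so that
# Radiator's eval of the file yields this code reference.
sub {
    my ($self, $name, $p, $user, $entry, $rp) = @_;   # ASSUMED order, see above
    my @member_of = $entry->get_value('memberOf');     # Net::LDAP::Entry, multi-valued
    my $group = choose_group(@member_of);
    if (defined $group) {
        $p->add_attr('x-memberof', $group);   # visible to later AuthBys as %{x-memberof}
        &main::log($main::LOG_DEBUG, "groupmap: $name -> $group", $p);
    } else {
        &main::log($main::LOG_INFO, "groupmap: $name is in no known group, x-memberof not set", $p);
    }
    return;
};
```

Wiring it in: the <AuthBy LDAP2> gets AuthAttrDef memberOf and PostSearchHook file:"/etc/radiator/groupmap.pl" (one LDAP2 clause then covers every group, instead of one clause per group with a memberOf= SearchFilter), and the <AuthBy SQL> uses AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME=? with AuthSelectParam %{x-memberof}, so the group name is passed as a bound parameter and never interpolated into the statement. Two caveats: the AD memberOf attribute lists direct memberships only, so a user who reaches FWVPN-Test through a nested group will not be seen by the hook (a per-group SearchFilter using AD's LDAP_MATCHING_RULE_IN_CHAIN form, memberOf:1.2.840.113556.1.4.1941:=<group DN>, does follow nesting); and the hook only writes the group name, so the rows in GROUPSCRIBERS remain the single place that decides which cisco-avpair values a group receives.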


[RADIATOR] Correction to CheckPoint Gaia dictionary entry

2014-04-14 Thread Jason Griffith
Hi, I'd just thought I'd share this with anyone who is interested. I was
troubleshooting Radius with the Gaia CheckPoint OS today and found that we
had problems assigning roles to users via the Radius attributes. We fixed
this by modifying the following in the Radiator dictionary file:

We replaced the commented lines with the VENDORATTR lines.

#
# CheckPoint
#
VENDOR CheckPoint 2620
#ATTRIBUTE CP-Gaia-User-Role 229 string
#ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer

VENDORATTR 2620 CP-Gaia-User-Role 229 string
VENDORATTR 2620 CP-Gaia-SuperUser-Access 230 integer

After we made this change the User Role seemed to function correctly. I
hope this helps.

Jason

Re: [RADIATOR] Correction to CheckPoint Gaia dictionary entry

2014-04-14 Thread Heikki Vatiainen
On 04/14/2014 11:26 PM, Jason Griffith wrote:

> VENDOR CheckPoint 2620
> #ATTRIBUTE CP-Gaia-User-Role 229 string
> #ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer
>
> VENDORATTR 2620 CP-Gaia-User-Role 229 string
> VENDORATTR 2620 CP-Gaia-SuperUser-Access 230 integer
>
> After we made this change the User Role seemed to function correctly. I
> hope this helps.

Hello Jason,

you are correct, the CheckPoint vendor specific attributes were entered
incorrectly in the dictionary. These will be corrected in the next patch
set.

Thanks!
Heikki

-- 
Heikki Vatiainen h...@open.com.au
