Hi all

I'm struggling with something in FreeRADIUS 0.81 and wondered if anyone has any
suggestions.  I have several VPNs to client sites and need a way to grant
access to some VPNs to some users, eg -

  user1 has access to client1 and client2, but is not allowed to connect to
client3
  user2 has access to client2 and client3, but is not allowed to connect to
client1.

All of our users will have SecurID tokens, so the FreeRADIUS server is being
used as a proxy in front of the ACE server.  I had originally thought about
using realms as follows -

  [EMAIL PROTECTED]  Auth-Type := Local
                 Framed-IP-Address = 1.2.3.4

  [EMAIL PROTECTED]  Auth-Type := Local
                 Framed-IP-Address = 2.3.4.5

  [EMAIL PROTECTED]  Auth-Type := Reject

and in my proxy.conf -

  Realm DEFAULT {
     authhost = a.b.c.d
     accthost = LOCAL
     secret = xxxx
  }

I had hoped that this would proxy all users to ACE with their
stripped-user-name (eg user1, so that each user only needs 1 account in ACE),
and would then add the other return attributes (eg framed-ip-address) from the
users file, or reject the user if it is not present in the file (or present
with Auth-Type := Reject as above).  Unfortunately, the user-name seems to be
getting stripped by FreeRADIUS, so it matches the users file before proxying,
but then does not match after the proxy reply.  

The following example shows a login as [EMAIL PROTECTED]; this matches line 69 in
users (note, I have also swapped round the processing order in radiusd.conf so
that it processes users before realms); proxies to a test server (another copy
of FreeRADIUS on localhost:1645); and then falls through to a default in users
(line 195) because now it's looking for a user called user1 (without the
@client1).  This means that [EMAIL PROTECTED] is not getting any extra return
attributes, and [EMAIL PROTECTED] (which has an explicit Reject in users) is
accepted.

rad_recv: Access-Request packet from host 127.0.0.1:1027, id=251, length=65
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
    users: Matched [EMAIL PROTECTED] at 69
  modcall[authorize]: module "files" returns ok
    rlm_realm: Looking up realm client1 for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm DEFAULT
    rlm_realm: Adding Stripped-User-Name = "user1"
  rlm_realm: Proxying request from user user1 to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
rlm_realm:  Preparing to proxy authentication request to realm DEFAULT
  modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 1 to 127.0.0.1:1645
        User-Name = "user1"
        User-Password = "*\330\260\024\272U\367\360#\202\210\213|5\210s"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Proxy-State = "251"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=1, length=38
        Reply-Message = "Hello user1"
        Proxy-State = 0x323531
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
    users: Matched DEFAULT at 195
  modcall[authorize]: module "files" returns ok
    rlm_realm: Proxy reply, or no user name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
  rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat:  'Hello user1'
Sending Access-Accept of id 251 to 127.0.0.1:1027
        Reply-Message = "Hello user1"
Finished request 0
Going to the next request

I thought that the username should still match the original request.  doc/proxy
says -

  - The remote server replies with ACK or REJECT

    On ACK:       The initial Auth-Type is set to Accept
    On REJECT:    The initial Auth-Type is set to Reject

    Then the users file is processed as usual. The username used at
    this point is the one after hints file processing (regardless of
    the "hints" option). It also includes the realm (regardless of the
    setting of the "nostrip" option) unless the realm is LOCAL.

Does anyone know if I'm doing something wrong here, or is there an easier way
to do this?

TIA,

Mike Smith
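An added example, not from the original post or from FreeRADIUS itself: a small Python model of the two authorize passes described above (a parser for users-file entries in the form used in the post, a first-match lookup, and the suffix stripping rlm_realm performs), showing how an entry keyed on user@realm, including an explicit Auth-Type := Reject, matches on the first pass but falls through to DEFAULT once the proxied reply carries the stripped name. The user names, the DEFAULT entry and its Auth-Type := System are constructed for the demo and stand in for the names elided in the post.

```python
import re

# Constructed users-file text mirroring the post's layout: a name in
# column 0 followed by check items, indented lines carrying reply items.
USERS_FILE = """\
user1@client1  Auth-Type := Local
               Framed-IP-Address = 1.2.3.4

user1@client2  Auth-Type := Local
               Framed-IP-Address = 2.3.4.5

user1@client3  Auth-Type := Reject

DEFAULT        Auth-Type := System
"""

ITEM_RE = re.compile(r"(\S+)\s*(:=|==|=)\s*(\S+)")


def parse_users_file(text):
    """Return a list of (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                      # reply-item continuation
            m = ITEM_RE.match(line.strip())
            entries[-1][2][m.group(1)] = m.group(3).rstrip(",")
            continue
        name, _, rest = line.partition(" ")
        checks = {m.group(1): m.group(3).rstrip(",")
                  for m in ITEM_RE.finditer(rest)}
        entries.append((name, checks, {}))
    return entries


def lookup(entries, user_name):
    """First-match semantics: the first entry whose name equals the literal
    User-Name, or DEFAULT.  Returns (index, check_items, reply_items)."""
    for idx, (name, checks, replies) in enumerate(entries):
        if name == user_name or name == "DEFAULT":
            return idx, checks, replies
    return None


def strip_realm(user_name):
    """What the suffix module does before proxying: user@realm -> user."""
    return user_name.partition("@")[0]


def authorize_passes(entries, original_name):
    """Auth-Type seen on the pre-proxy pass (full name) and on the
    post-proxy pass, where only the stripped name is available."""
    before = lookup(entries, original_name)[1].get("Auth-Type")
    after = lookup(entries, strip_realm(original_name))[1].get("Auth-Type")
    return before, after
```

With these entries `authorize_passes(entries, "user1@client3")` yields ("Reject", "System"): the Reject is seen only before proxying, and the reply is then handled by DEFAULT.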
