Hi All,

I'm trying to get into the unlang world since it seems really powerful but I can't get my hands around a simple virtual server switching scenario.

I basically want to switch to a virtual server based on some attributes, Service-Type for instance. This is because on some network hardware I can't add a radius server for every type of authentication. So everything (802.1x, mac-auth, prompt auth) goes to the same server.

I found a thread suggesting to do the following:
(http://freeradius.1045715.n5.nabble.com/virtual-servers-tt2769141.html)

authorize {
        switch "Service-Type" {
                # MAC authentication: run the authorize section of the
                # "mac-auth" virtual server. server[...] is called directly
                # like a module; it is not an update-able attribute.
                case 'Call-Check' {
                        server[mac-auth]
                }
                # NAS console authentication: run the authorize section of
                # the "nas-auth" virtual server
                case 'NAS-Prompt-User' {
                        server[nas-auth]
                }
        }
}

This works, as the debug log shows:
# Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth

However it only executes the authorize section of the nas-auth virtual server.

I could create realms for the virtual servers and proxy to them by using Proxy-To-Realm := "mac-auth" instead of the server[] directive. But I kind of liked the minimal unlang approach. Is there any good way of accomplishing this purely with unlang or is it still best to use the proxying approach using realms?

Here's a log of the process. As you can see it only issues the authorize section of the nas-auth virtual server as opposed to going through the full server when using Proxy-To-Realm.

rad_recv: Access-Request packet from host 10.6.254.62 port 1025, id=152, length=95
        User-Name = "testusr"
        User-Password = "testpwd"
        NAS-IP-Address = 10.6.254.62
        NAS-Identifier = "ST-AN07258-412"
        NAS-Port-Type = Virtual
        Service-Type = NAS-Prompt-User
        Message-Authenticator = 0x63ee5e1b0f7b81e883780f9e57c2941c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering switch Service-Type {...}
+++- entering case NAS-Prompt-User {...}
server nas-auth { # nested call
# Executing section authorize from file /etc/freeradius/sites-enabled/nas-auth
+- entering group authorize {...}
++? if (Service-Type == 'NAS-Prompt-User')
? Evaluating (Service-Type == 'NAS-Prompt-User') -> TRUE
++? if (Service-Type == 'NAS-Prompt-User') -> TRUE
++- entering if (Service-Type == 'NAS-Prompt-User') {...}
[edir-ldap] performing user authorization for testusr
[edir-ldap]     expand: %{Stripped-User-Name} ->
[edir-ldap]     ... expanding second conditional
[edir-ldap]     expand: %{User-Name} -> testusr
[edir-ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testusr)
[edir-ldap]     expand: ou=users,o=radius -> ou=users,o=radius
  [edir-ldap] ldap_get_conn: Checking Id: 0
  [edir-ldap] ldap_get_conn: Got Id: 0
[edir-ldap] performing search in ou=users,o=radius, with filter (cn=testusr)
[edir-ldap] checking if remote access for testusr is allowed by cn
[edir-ldap] Added the eDirectory password testpwd in check items as Cleartext-Password
[edir-ldap] No default NMAS login sequence
[edir-ldap] looking for check items in directory...
[edir-ldap] looking for reply items in directory...
[edir-ldap] user testusr authorized to use remote access
  [edir-ldap] ldap_release_conn: Release Id: 0
+++[edir-ldap] returns ok
++- if (Service-Type == 'NAS-Prompt-User') returns ok
++ ... skipping else for request 4: Preceding "if" was taken
} # server nas-auth with nested call
++++[server[nas-auth]] returns ok
+++- case NAS-Prompt-User returns ok
++- switch Service-Type returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [testusr] (from client primary-network port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i )
        expand: %{request:Calling-Station-Id} ->
? Evaluating ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) -> FALSE
++? if ("%{request:Calling-Station-Id}" =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) -> FALSE
++[callingstationid2vlanid] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++[reply] returns notfound
Sending Access-Accept of id 152 to 10.6.254.62 port 1025
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "132"



Rg,

Arnaud
--
Stichting z25.org
Concordiastraat 67A
3551 EM Utrecht
The Netherlands
+31-(0)6-41861063
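The realm-based alternative mentioned in the post, written out as an added example (not from the original message or the FreeRADIUS project). It assumes FreeRADIUS 2.x syntax and that virtual servers named mac-auth and nas-auth already exist in sites-enabled, as in the post.

```unlang
# proxy.conf: a realm that points at a local virtual server instead of a
# remote home server. No home_server or home_server_pool is needed for it.
realm mac-auth {
        virtual_server = mac-auth
}
realm nas-auth {
        virtual_server = nas-auth
}

# sites-enabled/default, authorize section: choose the realm from Service-Type.
# Setting Proxy-To-Realm hands the whole request to that virtual server
# (authorize, authenticate and post-auth), not just its authorize section.
authorize {
        preprocess
        switch Service-Type {
                # MAC authentication: NAS sends Service-Type = Call-Check
                case Call-Check {
                        update control {
                                Proxy-To-Realm := "mac-auth"
                        }
                }
                # NAS console / management login
                case NAS-Prompt-User {
                        update control {
                                Proxy-To-Realm := "nas-auth"
                        }
                }
                # anything else (e.g. 802.1x) stays in this server
                default {
                        noop
                }
        }
}
```

Because the realm resolves to a local virtual server rather than a home server, no packet leaves the host; the request is simply re-run through the named server's full processing path, which is the difference the debug log above shows against a bare server[...] call.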
