I did not explain it very well.
What I want to do is:
Put phone number, etc. attributes in radreply for a user.
1. Authenticate the user via RADIUS via Microsoft NPS server
2. Run my exec authorization script to send OTP password
3. Challenge response
4. Auth OTP
My config... this all works if the user is in SQL.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type zotp {
        ZOTP
    }
    unix
    eap
}

authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    sql
    expiration
    logintime
    pap
    if (control:Auth-Type == 'zotp') {
        ZOTP
        if (updated) {
            update control {
                Response-Packet-Type := Access-Challenge
            }
            handled
        }
    }
}
Is there a way to do this? Get something from the proxy and something from SQL, and
then auth and authorize?
Here is the output from a working user.
rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=10, length=45
User-Name = "test2"
User-Password = "test2"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'test2' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM usergroup WHERE username = 'test2' ORDER BY
priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup
WHERE username = 'test2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'test2' ORDER BY
id
[sql] User found in group test2
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'test2' ORDER BY
id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> test2
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} ->
Exec-Program output: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS.", State = "25128",
Exec-Program: returned: 9
+++[ZOTP] returns updated
+++? if (updated)
? Evaluating (updated) -> TRUE
+++? if (updated) -> TRUE
+++- entering if (updated) {...}
++++[control] returns updated
++++[handled] returns handled
+++- if (updated) returns handled
++- if (control:Auth-Type == 'zotp') returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 39099
Framed-IP-Address := 172.20.3.34
Reply-Message += "Enter SMS."
State = 0x3235313238
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 10 with timestamp +58
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39099, id=11, length=70
Framed-IP-Address = 172.20.3.34
Reply-Message = "Enter SMS."
State = 0x3235313238
User-Name = "test2"
User-Password = "3fwy7h"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'test2' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM usergroup WHERE username = 'test2' ORDER BY
priority
rlm_sql_mysql: query: SELECT groupname FROM usergroup
WHERE username = 'test2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'test2' ORDER BY
id
[sql] User found in group test2
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'test2' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'test2' ORDER BY
id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (control:Auth-Type == 'zotp')
? Evaluating (control:Auth-Type == 'zotp') -> TRUE
++? if (control:Auth-Type == 'zotp') -> TRUE
++- entering if (control:Auth-Type == 'zotp') {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> 3fwy7h
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
+++[ZOTP] returns ok
+++? if (updated)
? Evaluating (updated) -> FALSE
+++? if (updated) -> FALSE
++- if (control:Auth-Type == 'zotp') returns ok
Found Auth-Type = zotp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group zotp {...}
[ZOTP] expand: %{User-Name} -> test2
[ZOTP] expand: %{User-Password} -> 3fwy7h
[ZOTP] expand: %{reply:RadiusPassword} -> A45AdlG.TyuCLZWiUtmXIjxXGtHPYdu
[ZOTP] expand: %{reply:Secret} -> mmmmmmmmmmmmmmmm
[ZOTP] expand: %{reply:Offset} -> 1
[ZOTP] expand: %{reply:OTP-Type} -> SMS
[ZOTP] expand: %{reply:OTP-Mobilenumber} -> 30913091
[ZOTP] expand: %{State} -> 0x3235313238
Exec-Program output: Reply-Message := "Accepted.",
Exec-Program-Wait: value-pairs: Reply-Message := "Accepted.",
Exec-Program: returned: 0
++[ZOTP] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/default
Sending Access-Accept of id 11 to 127.0.0.1 port 39099
Framed-IP-Address := 172.20.3.34
Reply-Message := "Accepted."
Finished request 2.
Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466
_____________________________________________
[email protected] | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
Alan DeKok
Sent: 16 October 2012 14:22
To: FreeRadius users mailing list
Subject: Re: authorize after proxy.
Thomas Raabo - Zitcom A/S wrote:
> Is it possible to do authentication and then authorization on the SQL db?
post-auth {
...
sql.authorize
...
}
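The ZOTP exec program itself is not part of the thread, so here is an added example (my own code, not Thomas's script and not anything shipped with FreeRADIUS) of a small rlm_exec-style handler that implements the two-step exchange visible in the debug output above: on the first call, with an empty State, it prints `Reply-Message += "Enter SMS.", State = "<id>"` and exits 9 (which rlm_exec reports as "updated", matching "returned: 9" in the log); on the second call it verifies the code against the stored challenge and exits 0 ("ok") or 1 ("reject"). The argument order (User-Name, User-Password, State), the OTP_STORE JSON file and the send_sms hook are assumptions of this example, as is the 120-second lifetime and the three-attempt limit.

```python
#!/usr/bin/env python3
"""Two-step OTP handler in the style of an rlm_exec script (added example).

Contract reconstructed from the debug output in the thread:
  first call  (State empty):   print  Reply-Message += "Enter SMS.", State = "<id>"
                               and exit 9 (rlm_exec reports 9 as "updated")
  second call (State present): print  Reply-Message := "Accepted."  and exit 0 ("ok"),
                               or exit 1 ("reject") when the code is wrong or stale

Assumptions (not from the thread): the script receives User-Name, User-Password
and State as three command-line arguments, and keeps pending challenges in a
JSON file named by the OTP_STORE environment variable.
"""
import hmac
import json
import os
import secrets
import sys
import time

EXIT_OK, EXIT_REJECT, EXIT_UPDATED = 0, 1, 9   # rlm_exec return-code mapping
CHALLENGE_TTL = 120     # seconds a challenge stays valid (assumed policy)
MAX_ATTEMPTS = 3        # wrong guesses before the challenge is discarded (assumed policy)


def normalize_state(state):
    """FreeRADIUS hands State back as hex octets: 0x3235313238 is "25128"."""
    if state.startswith("0x"):
        try:
            return bytes.fromhex(state[2:]).decode("ascii")
        except ValueError:
            return state
    return state


def new_challenge(store, username, now):
    """Create an opaque State id and a 6-digit code bound to this user."""
    sid = secrets.token_hex(4)
    code = f"{secrets.randbelow(10**6):06d}"
    store[sid] = {"user": username, "code": code,
                  "expires": now + CHALLENGE_TTL, "attempts": 0}
    return sid, code


def verify_challenge(store, username, state, candidate, now):
    """Single-use, time-limited, user-bound check with a constant-time compare."""
    sid = normalize_state(state)
    entry = store.get(sid)
    if entry is None:
        return False
    if now > entry["expires"]:
        del store[sid]                      # stale challenge: forget it
        return False
    if entry["user"] != username:
        return False                        # State belongs to someone else
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["code"].encode(), candidate.encode())
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del store[sid]                      # single use; also burned after too many guesses
    return ok


def handle(store, username, password, state, now=None, send_sms=None):
    """Return (value-pairs line for stdout, exit code) the way rlm_exec expects."""
    now = time.time() if now is None else now
    if not state:
        # The password was already checked by pap against radcheck; this call
        # only starts the second factor.
        sid, code = new_challenge(store, username, now)
        if send_sms is not None:
            send_sms(username, code)        # hook for the real SMS gateway (assumed)
        return f'Reply-Message += "Enter SMS.", State = "{sid}"', EXIT_UPDATED
    if verify_challenge(store, username, state, password, now):
        return 'Reply-Message := "Accepted."', EXIT_OK
    return 'Reply-Message := "Wrong or expired code."', EXIT_REJECT


def main(argv):
    path = os.environ.get("OTP_STORE", "/tmp/otp-challenges.json")  # assumed location
    username, password, state = (argv + ["", "", ""])[:3]
    store = {}
    if os.path.exists(path):
        with open(path) as fh:
            store = json.load(fh)
    line, rc = handle(store, username, password, state)
    with open(path, "w") as fh:
        json.dump(store, fh)
    print(line)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two details worth noting against the log: on the second request the server expands `%{State}` as `0x3235313238`, not as the `"25128"` the script originally printed, so the script has to decode the hex form before looking the challenge up; and because the second `User-Password` is the OTP rather than the real password, the challenge is kept single-use, bound to the user name, time-limited and attempt-limited, with the comparison done in constant time.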
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html