Re: add realm to user based on NAS-IP
Arran Cudbard-Bell wrote:
rlm_realm instances do much the same job as the Proxy-To-Realm reply item, just they also handle splitting the username into its component parts. Usually you would use one or the other, but not both.

Okay, I tested both ways:

1st with suffix disabled in the authorize section of radiusd.conf and:

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = realm
        User-Name = [EMAIL PROTECTED]

2nd with suffix enabled and:

DEFAULT NAS-IP-Address == 10.0.0.1
        User-Name = [EMAIL PROTECTED]

In both cases the request didn't reach the home server.

Erm, I thought your original question was: how do I proxy a user to a realm based on the NAS-IP-Address, and how do I rewrite that username with that realm name? If that's the case ... why are you using [EMAIL PROTECTED] as your test user???

I logged on with [EMAIL PROTECTED] to prove the proxy function of the proxy server. For the other tests my login was only abc...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add realm to user based on NAS-IP
Alan DeKok wrote:
Alexander Papenburg wrote:
Okay, I tested both ways:

1st with suffix disabled in the authorize section of radiusd.conf and:

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm
        User-Name = [EMAIL PROTECTED]

In the users file? That sets the User-Name used in the reply, not the one being sent to the home server.

2nd with suffix enabled and:

DEFAULT NAS-IP-Address == 10.0.0.1
        User-Name = [EMAIL PROTECTED]

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm

Ah yes, still the top entry should have worked; the username would have to be rewritten in the hints file. Or with attr_rewrite.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add realm to user based on NAS-IP
DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm := realm

Ah yes, still the top entry should have worked; the username would have to be rewritten in the hints file. Or with attr_rewrite.

Yippiieee, the request has been sent through to the home server. Still need to work on the username, but I don't expect big problems with that. Thanks to both of you.

A word of warning with the username: if you're using EAP then the username is also sent within the EAP tunnel. If the username sent in the EAP tunnel and the username sent in the Access-Request packet don't match, then the user will be rejected. So if you rewrite the username at the proxying server, be sure to have the relevant hint on the home_server to rewrite the username back into its original form :)

And sorry you were having problems, I forgot the : in the Proxy-To-Realm. :(

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add realm to user based on NAS-IP
Hi Arran, hi Alexander and hi Freeradius-List,

I ran into problems regarding the Proxy-To-Realm thing... :(

My Setup:
10.0.0.1      A cisco Router
10.0.1.20     My Terminal
192.168.0.1   Radius (Home Server)
192.168.0.2   Radius (Proxy)

At first a successful login with username [EMAIL PROTECTED]:

--snip1--
        User-Name = [EMAIL PROTECTED]
        Reply-Message = Password:
        User-Password = testtest
        NAS-Port = 2
        NAS-Port-Id = tty2
        NAS-Port-Type = Virtual
        Calling-Station-Id = 10.0.1.20
        NAS-IP-Address = 10.0.0.1
Tue Apr 10 19:41:10 2007 : Debug: Processing the authorize section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group authorize for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module preprocess returns ok for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module chap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module mschap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Looking up realm realm for User-Name = [EMAIL PROTECTED]
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Found realm realm
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Proxying request from user abc to realm realm
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Adding Realm = realm
Tue Apr 10 19:41:10 2007 : Debug:     rlm_realm: Preparing to proxy authentication request to realm realm
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module suffix returns updated for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:     rlm_eap: No EAP-Message, not doing EAP
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module eap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[authorize]: module files returns notfound for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group authorize (returns updated) for request 0
Tue Apr 10 19:41:10 2007 : Debug: proxy: creating 688187c3:1812
Tue Apr 10 19:41:10 2007 : Debug: proxy: allocating 688187c3:1812 0
Sending Access-Request of id 0 to 192.168.0.1 port 1812
        User-Name = [EMAIL PROTECTED]
        Reply-Message = Password:
        User-Password = testtest
        NAS-Port = 2
        NAS-Port-Id = tty2
        NAS-Port-Type = Virtual
        Calling-Station-Id = 10.0.1.20
        NAS-IP-Address = 10.0.0.1
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 192.168.0.1:1812, id=0, length=24
Tue Apr 10 19:41:10 2007 : Debug: proxy: de-allocating 688187c3:1812 0
Tue Apr 10 19:41:10 2007 : Debug: rl_next: returning NULL
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 got semaphore
Tue Apr 10 19:41:10 2007 : Debug: Thread 2 handling request 0, (1 handled so far)
        Proxy-State = 0x3836
Tue Apr 10 19:41:10 2007 : Debug: Processing the post-proxy section of radiusd.conf
Tue Apr 10 19:41:10 2007 : Debug: modcall: entering group post-proxy for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[post-proxy]: calling eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modsingle[post-proxy]: returned from eap (rlm_eap) for request 0
Tue Apr 10 19:41:10 2007 : Debug:   modcall[post-proxy]: module eap returns noop for request 0
Tue Apr 10 19:41:10 2007 : Debug: modcall: leaving group post-proxy (returns noop) for request 0
Tue Apr 10 19:41:10 2007 : Debug: authorize: Skipping authorize in post-proxy stage
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Found Auth-Type
Tue Apr 10 19:41:10 2007 : Debug: rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 86 to 10.0.0.1 port 1645
Tue Apr 10
Re: add realm to user based on NAS-IP
Alexander Papenburg wrote:
You should also comment out any rlm_realm instances in the authorize section.

The problem is, suffix is already commented out in the authorize section. IMHO the user [EMAIL PROTECTED] (see 1st try) won't work either.

rlm_realm instances do much the same job as the Proxy-To-Realm reply item, just they also handle splitting the username into its component parts. Usually you would use one or the other, but not both.

Erm, I thought your original question was: how do I proxy a user to a realm based on the NAS-IP-Address, and how do I rewrite that username with that realm name? If that's the case ... why are you using [EMAIL PROTECTED] as your test user???

---
Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add realm to user based on NAS-IP
Hello, Alexander!
You wrote on Sat, 31 Mar 2007 18:11:46 +0200:

AP> I wonder if it is possible to add a realm to a username based on the
AP> NAS-IP the request comes from.
AP> For instance:
AP> - user abc logs on router 10.0.0.1
AP> - router 10.0.0.1 asks a freeradius proxy for user abc
AP> - freeradius-proxy recognizes the ip and adds @realm to the username and
AP> proxies the request to another freeradius-server based on the realm entry
AP> in proxy.conf

I use the following method for adding a realm based on NAS-Identifier: user abc transforms to [EMAIL PROTECTED]. This is done in hints:

DEFAULT Suffix !~ @.
        Realm = %{NAS-Identifier:-unknown}

With best regards,
Alexander V. Klepikov.
E-mail: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add realm to user based on NAS-IP
Message: 1
Date: Sat, 31 Mar 2007 18:11:46 +0200
From: Alexander Papenburg [EMAIL PROTECTED]
Subject: add realm to user based on NAS-IP
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hi all,

I wonder if it is possible to add a realm to a username based on the NAS-IP the request comes from.
For instance:
- user abc logs on router 10.0.0.1
- router 10.0.0.1 asks a freeradius proxy for user abc
- freeradius-proxy recognizes the ip and adds @realm to the username and proxies the request to another freeradius-server based on the realm entry in proxy.conf

Unfortunately I found many solutions in the past 2 hours (like proxy-to-realm, attr_rewrite, hints...), I can't decide which is the right one for me. %)
So help would be much appreciated.

Thanks in advance
Alexander

If you're using EAP, you can't rewrite the username, as then the username in the outer identity won't match the one in the EAP tunnel and the EAP message will be rejected by your RADIUS home server. Unless at your home server you strip the realm part of the User-Name attribute off again.

Your best bet for this is to use the users file and the Proxy-To-Realm 'check-item'. So you'd have in the users file on your proxying RADIUS server:

DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = MyRealm
        User-Name = [EMAIL PROTECTED]

Then add these to your hints file on your home RADIUS server (though you may have to rewrite them depending on the regex engine your home server is using).

# Writes stripped username to use in authorization (user@|%|/domain)
DEFAULT User-Name =~ ^([[:alnum:]]*)(@|%|/)([[:alnum:].]*)$
        User-Name = %{1}

# Writes alternate stripped username to use in authorization (domain\\user)
DEFAULT User-Name =~ ^([[:alnum:].]*)([[:alnum:]]*)$
        User-Name = %{2}

Hope this helps :)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
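An added example, not part of the thread and not FreeRADIUS code: a small Python model of the two rewrite steps discussed in this reply and in Alexander Klepikov's NAS-Identifier hint earlier on the page. It maps a bare User-Name to a realm on the proxy side, strips the realm again on the home side, and compares the outer User-Name with the identity inside the EAP tunnel, which is the mismatch Arran warns about. The NAS_REALMS table, the 10.0.0.2/"other" entry and the fallback order (NAS-IP-Address table, then NAS-Identifier, then "unknown") are assumptions; the two regexes are Python translations of the POSIX expressions posted for the hints file, with the backslash for the domain\user form written out explicitly.

```python
"""
Added example (not from the thread, not FreeRADIUS code): models the
proxy-side realm rewrite and the home-side strip so the round trip and
the EAP identity check can be exercised offline.
"""
import re

# Constructed mapping NAS-IP-Address -> realm. 10.0.0.1/"realm" are the
# values from the thread; 10.0.0.2/"other" is an added illustration.
NAS_REALMS = {"10.0.0.1": "realm", "10.0.0.2": "other"}

# user@realm, user%realm, user/realm: the first hints regex, with
# [[:alnum:]] spelled out as [A-Za-z0-9].
SUFFIX_RE = re.compile(r"^([A-Za-z0-9]*)(@|%|/)([A-Za-z0-9.]*)$")
# realm\user: the form the second hints entry is commented as handling;
# the literal backslash separator is made explicit here (assumption).
PREFIX_RE = re.compile(r"^([A-Za-z0-9.]*)\\([A-Za-z0-9]*)$")


def split_realm(user_name):
    """Return (stripped_user, realm); realm is None for a bare name."""
    m = SUFFIX_RE.match(user_name)
    if m:
        return m.group(1), m.group(3)
    m = PREFIX_RE.match(user_name)
    if m:
        return m.group(2), m.group(1)
    return user_name, None


def proxy_rewrite(request):
    """Proxy server: choose a realm for the request and return (new request, realm).

    A name that already carries a realm keeps it (that is rlm_realm's job);
    a bare name gets one from the NAS table, else from NAS-Identifier,
    else "unknown" (the %{NAS-Identifier:-unknown} idea from the thread).
    """
    user, realm = split_realm(request["User-Name"])
    if realm is None:
        realm = (NAS_REALMS.get(request.get("NAS-IP-Address"))
                 or request.get("NAS-Identifier", "unknown"))
    out = dict(request)
    out["User-Name"] = f"{user}@{realm}"
    out["Proxy-To-Realm"] = realm
    return out, realm


def home_rewrite(request):
    """Home server: strip the realm off again (what the hints entries do)."""
    user, _ = split_realm(request["User-Name"])
    out = dict(request)
    out["User-Name"] = user
    return out


def eap_identity_matches(request, inner_identity):
    """EAP rule from the thread: outer User-Name must equal the tunnelled identity."""
    return request["User-Name"] == inner_identity


def round_trip(user_name, nas_ip, inner_identity=None):
    """Push one request through proxy and home server and report what each saw.

    inner_identity defaults to the name the user typed, which is what the
    supplicant sends inside the EAP tunnel in this model (assumption).
    """
    req = {"User-Name": user_name, "NAS-IP-Address": nas_ip}
    proxied, realm = proxy_rewrite(req)
    at_home = home_rewrite(proxied)
    inner = user_name if inner_identity is None else inner_identity
    return {
        "realm": realm,
        "sent_to_home": proxied["User-Name"],
        "seen_by_home": at_home["User-Name"],
        "eap_ok_without_strip": eap_identity_matches(proxied, inner),
        "eap_ok_with_strip": eap_identity_matches(at_home, inner),
    }


if __name__ == "__main__":
    for name, nas in [("abc", "10.0.0.1"), ("abc@realm", "10.0.0.1"),
                      ("abc", "10.0.0.9"), ("realm\\abc", "10.0.0.1")]:
        print(name, nas, round_trip(name, nas))
```

For the bare user abc from 10.0.0.1 the proxy sends abc@realm, and the EAP comparison only succeeds once the home server has stripped the realm back off; without that hint the outer name no longer equals what the supplicant put in the tunnel.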
add realm to user based on NAS-IP
Hi all,

I wonder if it is possible to add a realm to a username based on the NAS-IP the request comes from.
For instance:
- user abc logs on router 10.0.0.1
- router 10.0.0.1 asks a freeradius proxy for user abc
- freeradius-proxy recognizes the ip and adds @realm to the username and proxies the request to another freeradius-server based on the realm entry in proxy.conf

Unfortunately I found many solutions in the past 2 hours (like proxy-to-realm, attr_rewrite, hints...), I can't decide which is the right one for me. %)
So help would be much appreciated.

Thanks in advance
Alexander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html