RE: Grouping after Kerberos 5 authentication accepted?
Hello Alan,

It works! After I changed the authorize_check_query, FreeRadius is now able to check for attributes after Kerberos authentication. Thanks!

Regards,
Jason

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 19, 2007 8:13 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Grouping after Kerberos 5 authentication accepted?

Jason Chan wrote:
> For example, Kerberos successfully authenticates admin/admin (yes, I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store this attribute information in the radreply table and leave the other tables empty. So, I edited the postauth_query in sql.conf:

I think for historical reasons, you have to perform the query in the authorize section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Grouping after Kerberos 5 authentication accepted?
Jason Chan wrote:
> Is it possible for FreeRadius to perform grouping after Kerberos authentication is accepted?

You can configure things in the post-authentication phase.

> My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. allow telnet to the switch if the user belongs to the 'switch administrator' group).

Authentication is independent of grouping. Where are the user groups coming from? They're not in Kerberos.

See the FAQ for an example of performing some action based on a Unix group. See man rlm_passwd for configuring groups that exist only on the RADIUS server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Grouping after Kerberos 5 authentication accepted?
Thank you Alan. I read the documentation and now I'm able to use Kerberos and MySQL along with FreeRadius. Thank you for your help.

However, I'm stuck in the last part of the project, which is to reply to the accept request along with the assigned attributes. For example, Kerberos successfully authenticates admin/admin (yes, I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store this attribute information in the radreply table and leave the other tables empty. So, I edited the postauth_query in sql.conf:

    postauth_query = "SELECT id, UserName, Attribute, Value, op \
        FROM ${authreply_table} \
        WHERE Username = '%{SQL-User-Name}' \
        ORDER BY id"

I can't get the 'Service-Type = Administrative-User' in the accept-reply package. Am I missing something here? Any help would be appreciated.

Regards,
Jason

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 19, 2007 10:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Grouping after Kerberos 5 authentication accepted?

Jason Chan wrote:
> You are correct, the grouping doesn't come from Kerberos. I'm going to build a MySQL database in the FreeRadius server to handle all the grouping/permissions. What fields do I need for the database? I searched on the FreeRadius website and I can't find any information related to SQL.

See the doc directory. There are schemas and examples.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Grouping after Kerberos 5 authentication accepted?
I have been following your thread and am interested to find out how you get freeradius to do authentication with kerberos? Any config examples would be helpful.

On 4/18/07, Jason Chan [EMAIL PROTECTED] wrote:
> Hello,
>
> Is it possible for FreeRadius to perform grouping after Kerberos authentication is accepted? My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroup file but it seems to require a lot of work for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated.
>
> Thank you
> Regards,
> Jason
RE: Grouping after Kerberos 5 authentication accepted?
I'm using Redhat Enterprise Linux and here are my steps to set up FreeRadius:

1) Make SURE you have installed MIT Kerberos on your Linux (krb5 packages)
2) Configure Realm, KDC servers, etc. for your Linux (system-config-authentication for Redhat)
3) Install FreeRadius
4) Make SURE you have the rlm_krb5 modules in /usr/local/lib
5) Open and edit /usr/local/etc/raddb/radiusd.conf:

   Add the following in modules {...} (around line 580):

       # Kerberos 5 module
       krb5 {
           authtype = Kerberos
       }

   And the following in authenticate {...} (around line 1920):

       Auth-Type Kerberos {
           krb5
       }

   Add the following in the users file:

       DEFAULT Auth-Type := Kerberos

It should work. If radiusd complains about Pre-Auth failed then double check your Linux Kerberos settings.

-Original Message-
From: Donny Jekels [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 19, 2007 3:20 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Grouping after Kerberos 5 authentication accepted?

> I have been following your thread and am interested to find out how you get freeradius to do authentication with kerberos? Any config examples would be helpful.
>
> On 4/18/07, Jason Chan [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > Is it possible for FreeRadius to perform grouping after Kerberos authentication is accepted? My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroup file but it seems to require a lot of work for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated.
> >
> > Thank you
> > Regards,
> > Jason
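The steps above cover authentication only; the thread's remaining point is that the radreply lookup has to run in the authorize section. The following combined configuration is an added example, not Jason's files or the FreeRADIUS project's shipped defaults, written against the 1.x layout the steps refer to; the radreply row, the test credentials and the shared secret are constructed placeholders.

```conf
# --- radiusd.conf (FreeRADIUS 1.x layout, matching the steps above) ---
modules {
    # Kerberos 5 module: the KDC named in /etc/krb5.conf checks the password.
    krb5 {
        authtype = Kerberos
    }
    # SQL module; its queries live in sql.conf
    $INCLUDE ${confdir}/sql.conf
}

authorize {
    preprocess
    # users file: DEFAULT Auth-Type := Kerberos sends every user to rlm_krb5
    files
    # Runs the radcheck/radreply queries here, not in post-auth. Reply
    # attributes found (e.g. Service-Type = Administrative-User) are copied
    # into the Access-Accept. Note: with only the DEFAULT users entry, any
    # principal the KDC accepts gets an Accept; the SQL check/group rows are
    # what actually restrict who may reach which switch.
    sql
}

authenticate {
    Auth-Type Kerberos {
        krb5
    }
}

# --- sql.conf: the query that reads ${authreply_table} (radreply) ---
# This is the authorize-phase reply query; a postauth_query runs too late
# to add attributes to the reply.
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authreply_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"

# --- users file ---
DEFAULT Auth-Type := Kerberos

# --- MySQL: the single radreply row for the example user (constructed) ---
# INSERT INTO radreply (UserName, Attribute, op, Value)
#     VALUES ('admin', 'Service-Type', '=', 'Administrative-User');

# --- check: start "radiusd -X" in one shell, then in another run
# "radtest admin <password> localhost 0 testing123" (testing123 is the
# placeholder localhost secret from clients.conf). The debug output should
# show rlm_krb5 accepting the user and an Access-Accept carrying
# Service-Type = Administrative-User.
```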
Re: Grouping after Kerberos 5 authentication accepted?
Jason Chan wrote:
> For example, Kerberos successfully authenticates admin/admin (yes, I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store this attribute information in the radreply table and leave the other tables empty. So, I edited the postauth_query in sql.conf:

I think for historical reasons, you have to perform the query in the authorize section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog