Re: Reject user without realm
Marcos Roberto Greiner wrote:
> Hi,
>
> I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]). Basically, if a user uses [EMAIL PROTECTED], I want Radius to authenticate locally. If it's @provider2.com, 3.com, etc., on other servers listed in proxy.conf.
>
> The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?
>
> Thank you very much,
> Roberto

Ok, so you just want to reject users who don't provide a realm? Then you would need an entry in the users file like this:

DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject

---
Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reject user without realm
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
> The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?

A username with no realm will match the NULL realm. You can reject NULL realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

> hints file. Added only the following entry:
>
> # The following entry is to be authenticated locally
> DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
>         Hint = PPP,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the same thing, as long as you don't add the nostrip option for the realm.

> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
>         User-Name = [EMAIL PROTECTED]
>         User-Password = user
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   hints: Matched DEFAULT at 36
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
>   rlm_realm: No '@' in User-Name = user, looking up realm NULL
>   rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your configuration and the description of how the NULL realm works. The User-Name has a realm in this request, so it should match the DEFAULT realm if it is defined. Since the hints file matched at line 36 here, I assume you actually configured provider1.com instead of domain1.com in your hints file. Is this assumption correct? If not, what is in your hints file at line 36?

Kevin Bonner
Re: Reject user without realm
Arran Cudbard-Bell wrote:
> Marcos Roberto Greiner wrote:
>> Hi,
>>
>> I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]). Basically, if a user uses [EMAIL PROTECTED], I want Radius to authenticate locally. If it's @provider2.com, 3.com, etc., on other servers listed in proxy.conf.
>>
>> The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?
>>
>> Thank you very much,
>> Roberto
>
> Ok, so you just want to reject users who don't provide a realm? Then you would need an entry in the users file like this:
>
> DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject

That didn't work. When the user adds the 'local' domain (provider1.com), the hints file strips the domain for the checking against the database. After that, the new entry in the users file will reject the user, because there is no longer any domain in the login.

Roberto

--
Marcos Roberto Greiner
Optimists think we are living in the best of all possible worlds
Pessimists are afraid that this is true
Murphy
Re: Reject user without realm
Kevin Bonner wrote:
> On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
>> The problem I'm having is that if a user adds no realm, only the user, the server is authenticating locally. I wanted it to deny the authentication. How should I proceed?
>
> A username with no realm will match the NULL realm. You can reject NULL realms with:
>
> == users ==
> DEFAULT Realm == NULL, Auth-Type := Reject
> == users ==
>
>> hints file. Added only the following entry:
>>
>> # The following entry is to be authenticated locally
>> DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
>>         Hint = PPP,
>>         Service-Type = Framed-User,
>>         Framed-Protocol = PPP
>
> A realm definition for domain1.com and a small users file entry should do the same thing, as long as you don't add the nostrip option for the realm.

The problem here was that I couldn't find the proper entry to add to the users file :-(

>> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
>>         User-Name = [EMAIL PROTECTED]
>>         User-Password = user
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>>   hints: Matched DEFAULT at 36
>> modcall[authorize]: module preprocess returns ok for request 0
>> modcall[authorize]: module chap returns noop for request 0
>> modcall[authorize]: module mschap returns noop for request 0
>>   rlm_realm: No '@' in User-Name = user, looking up realm NULL
>>   rlm_realm: No such realm NULL
>
> This request matches the NULL realm, which should be impossible based on your configuration and the description of how the NULL realm works. The User-Name has a realm in this request, so it should match the DEFAULT realm if it is defined. Since the hints file matched at line 36 here, I assume you actually configured provider1.com instead of domain1.com in your hints file. Is this assumption correct? If not, what is in your hints file at line 36?
>
> Kevin Bonner

I mistyped domain1 and provider1. The entry at line 36 is provider1. The hints file I wrote incorrectly in the explanation. It actually contains provider1.

I tried to change 'Strip-User-Name = Yes' to 'Strip-User-Name = NO' in the hints file, but got the problem that I didn't know what the correct entry in the users file would be. With the change, with the @provider1 domain, the server is replying properly, but without a domain the server didn't reply at all.

I then tried your suggestion of adding the 'DEFAULT Realm == NULL, Auth-Type := Reject' entry. Same case as above. Without a domain, the server simply didn't answer, not even with a reject.

BUT, looking at the debug output of Radius -X I found the missing piece. In the proxy.conf file, the NULL entry was commented out. I removed the comments, pointed it to LOCAL, and the entry you suggested for the users file (DEFAULT Realm == NULL) kicked in. It's now working as desired.

Thank you for your help,

Marcos Roberto Greiner

--
Marcos Roberto Greiner
Optimists think we are living in the best of all possible worlds
Pessimists are afraid that this is true
Murphy
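An added example, not from the thread or the FreeRADIUS project: a small Python model of the authorize-order problem worked out above. In the authorize section the hints file (preprocess) runs before rlm_realm, so a hints entry that strips the @provider1.com suffix makes every local user look like a NULL-realm request, and a users-file check on Realm == NULL only fires when the NULL realm is actually defined in proxy.conf. The realm table and the simplified attribute handling are assumptions made for the model.

```python
import re

# Constructed model of proxy.conf: realm -> destination. "NULL" is the realm
# rlm_realm looks up when User-Name has no '@'; mapping it to LOCAL mirrors the
# thread's final fix (uncommenting the NULL realm). REALMS_NO_NULL models the
# original, commented-out state.
REALMS = {"provider1.com": "LOCAL", "provider2.com": "proxy:provider2", "NULL": "LOCAL"}
REALMS_NO_NULL = {k: v for k, v in REALMS.items() if k != "NULL"}


def apply_hints(username, strip_suffix):
    """Model of the thread's hints entry: Suffix == @provider1.com, Strip-User-Name = Yes."""
    if strip_suffix and username.endswith("@provider1.com"):
        return username[: -len("@provider1.com")]
    return username


def lookup_realm(username):
    """Model of rlm_realm: split on the last '@'; no '@' means the NULL realm."""
    m = re.fullmatch(r"(.+)@([^@]+)", username)
    return m.group(2) if m else "NULL"


def authorize(username, realms, strip_in_hints=False):
    """Run the modelled authorize section in FreeRADIUS order: hints, then realm, then users."""
    name = apply_hints(username, strip_in_hints)
    realm = lookup_realm(name)
    attrs = {"User-Name": name}
    if realm in realms:
        # rlm_realm sets the Realm attribute only for realms defined in proxy.conf
        # and, without the nostrip option, strips the suffix from User-Name itself.
        attrs["Realm"] = realm
        if realm != "NULL":
            attrs["User-Name"] = name.rsplit("@", 1)[0]
    # The users file entry suggested in the thread: DEFAULT Realm == NULL, Auth-Type := Reject
    if attrs.get("Realm") == "NULL":
        return "Reject"
    # Undefined realm: rlm_realm is noop and the request falls through to local
    # authentication, which is the behaviour the original poster wanted to stop.
    return realms.get(realm, "LOCAL")
```

Stripping in hints before rlm_realm runs sends a valid user@provider1.com to the NULL realm and gets it rejected; leaving the suffix for rlm_realm to strip keeps local users local while bare usernames are rejected.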