Hi there. I'm a n00b in RADIUS so please bear with me. I've read a couple of links found via Google and either I can't define my question correctly or I'm rather alone in what I'm trying to do?
I have Radiator on Red Hat Linux authenticating via Winbind/NTLM to an Active Directory server, probably a Server 2008. I have two LDAP2 sections checking group memberships and so far all is working. The goal is to send attributes to a Cisco ASA that contain access-lists, which group policy to use and so on, and all data for this is tested and working.

The steps, as I understand them, are:

1. Check the username/password combo. - OK
2. Search a set of AD groups until a match EVENTUALLY is found. - OK
3. Query MySQL for attributes/values based on username. - OK
4. Query MySQL for attributes/values based on group name. - Problem here
5. If no group matches: select a default set of attributes from MySQL. - Problem here. Could get away with an Access-Reject also.

The closest I've got seems to be this one, suggesting PostAuthHooks:
http://www.open.com.au/pipermail/radiator/2014-February/019667.html

I've just begun reading about this, but I'm a lousy programmer, so I decided to ask here for a simpler solution if possible. Below is my cleaned-up config, a trace 5 debug and the SQL data. For now the SQL query for groups is static; I made it that way as a sanity check.

(BTW: the Cisco AV-pairs I'm using are allowed to be sent more than once. In FreeRADIUS this is accomplished with different assignment operators (':=' instead of '=', if I remember it right). How is this implemented in Radiator?) Or am I doomed to use hooks?

Best regards and thanks in advance, sorry for poor English and n00b skillZ.

Martin Burman

-----------------------------------------------------------------------------

<Client 1.2.8.247>
        Secret testing123
        Identifier justanidentifier
</Client>

<AuthBy NTLM>
        Domain DOM.AIN.SE
        DefaultDomain DOM.AIN.SE
        UsernameMatchesWithoutRealm
        Identifier pfntlm
        UsernameFormat %U
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        EAPType MSCHAP-V2, PAP
</AuthBy>

<AuthBy LDAP2>
        Identifier pfldapFWVPN-Test
        Host 1.2.3.11
        Port 3268
        AuthDN CN=...
        AuthPassword UltraSecret
        BaseDN DC=DOM,DC=AIN,DC=SE
        UsernameAttr sAMAccountName
        NoCheckPassword
        SearchFilter (&(%0=%U)(memberOf=CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
        NoDefault
        NoDefaultIfFound
        Debug 15
</AuthBy>

<AuthBy LDAP2>
        ### supposed to fail, used to check if Radiator continues as expected
        Identifier pfldapNonExistent
        Host 1.2.3.11
        Port 3268
        AuthDN CN=...
        AuthPassword UtraSecret
        BaseDN DC=DOM,DC=AIN,DC=SE
        UsernameAttr sAMAccountName
        NoCheckPassword
        SearchFilter (&(%0=%U)(memberOf=CN=NonExistentGroup,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
        NoDefault
        NoDefaultIfFound
        Debug 15
</AuthBy>

<AuthBy SQL>
        ### Works
        Identifier SQLAccounting
        DBSource dbi:mysql:radius:localhost:3306
        DBUsername rad
        AuthSelect select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, reply
</AuthBy>

<AuthBy SQL>
        ### Stuck here
        Identifier SQLgroupcheck
        DBSource dbi:mysql:radius:localhost:3306
        DBUsername rad
        ### A variable with group name would be great, static SQL as mentioned above
        AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, reply
</AuthBy>

<Handler User-Name=mytestuser>
        Identifier tjosan
        AuthByPolicy ContinueWhileAccept
        AuthBy pfntlm
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilAccept
                AuthBy pfldapNonExistent
                AuthBy pfldapFWVPN-Test
        </AuthBy>
        AuthBy SQLAccounting
        AuthBy SQLgroupcheck
</Handler>

___________________________________________________________________

Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
*** Received from 1.2.8.247 port 60086 ....
Packet length = 76
01 98 00 4c 4c 35 96 77 df d8 1c e1 8d eb 9b 27
....
c9 64 37 ba 3e 30 4f 4d 8d e9 88 37
Code:       Access-Request
Identifier: 152
Authentic:  L5...
Attributes:
        User-Name = "mytestuser"
        User-Password = scrubbed
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = <196>...
Mon Apr 14 11:53:06 2014: DEBUG: Handling request with Handler 'User-Name=mytestuser', Identifier 'tjosan'
Mon Apr 14 11:53:06 2014: DEBUG: Deleting session for mytestuser, 127.0.0.1, 0
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthNTLM: pfntlm
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Password:: XXXX==
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute NT-Domain:: x
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Username:: x
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: Authenticated: Yes
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: .
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy NTLM result: ACCEPT,
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthGROUP:
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthLDAP2: pfldapNonExistent
Mon Apr 14 11:53:06 2014: INFO: Connecting to 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: INFO: Attempting to bind to LDAP server 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: DEBUG: No entries for mytestuser found in LDAP database   <--- EXPECTED
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 REJECT: No such user: mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthGROUP: pfldapNonExistent result: REJECT, No such user
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthLDAP2: pfldapFWVPN-Test
Mon Apr 14 11:53:06 2014: INFO: Connecting to 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: INFO: Attempting to bind to LDAP server 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got result for CN=mytestuser,OU=x
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectClass: top person organizationalPerson user
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got cn: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sn: x
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got description: xx
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got postOfficeBox:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got givenName:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got distinguishedName: CN=mytestuser,...
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got instanceType: 4
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got whenCreated: 20110212155531.0Z
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got whenChanged: 20140411194112.0Z
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got displayName:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got uSNCreated:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got memberOf: CN=FLD-..... CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=.....
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got uSNChanged:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got department:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got company:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got proxyAddresses:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got name: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectGUID:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got userAccountControl:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got pwdLastSet:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got primaryGroupID:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectSid:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sAMAccountName: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sAMAccountType:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got showInAddressBook: CN=All Mail Users....
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got userPrincipalName: mytestu...@dom.ain.se
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectCategory: CN=Person,CN=Schema,CN=...
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got dSCorePropagationData: .
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got lastLogonTimestamp:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mail:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mobile:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got extensionAttribute1:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mailNickname: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchELCMailboxFlags:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchPoliciesExcluded:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchRecipientDisplayType:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchSafeRecipientsHash:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchVersion:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchHideFromAddressLists:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchUMDtmfMap:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got internetEncoding:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchMailboxGuid:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchSafeSendersHash:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got targetAddress: SMTP:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchRecipientTypeDetails:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchUserCulture:
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthGROUP: pfldapFWVPN-Test result: ACCEPT,
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy GROUP result: ACCEPT,
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLAccounting
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLAccounting
Mon Apr 14 11:53:06 2014: DEBUG: Connecting to 'dbi:mysql:radius:localhost:3306'
Mon Apr 14 11:53:06 2014: DEBUG: Query to 'dbi:mysql:radius:localhost:3306': 'select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME='mytestuser'':
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy SQL result: ACCEPT,
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLgroupcheck
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLgroupcheck
Mon Apr 14 11:53:06 2014: DEBUG: Query to 'dbi:mysql:radius:localhost:3306': 'select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'':
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy SQL result: ACCEPT,
Mon Apr 14 11:53:06 2014: DEBUG: Access accepted for mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
*** Sending to 1.2.8.247 port 60086 ....
Packet length = 32
02 98 00 20 f8 5d c0 9a 7e b2 8d 5a e1 6a 50 22
13 60 39 be 08 06 c0 a8 2d 43 07 06 00 00 00 01
Code:       Access-Accept
Identifier: 152
Authentic:  <248>]...
Attributes:
        Framed-IP-Address = 192.168.45.67
        Framed-Protocol = PPP

mysql> select * from GROUPSCRIBERS;
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| GROUPNAME  | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR                  | REPLYATTR                                                                                | TIMELEFT |
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| mikem      | fred     | 1xMKc0GIVUNbE     | Service-Type = Framed-User | Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair = "testing testing" |      100 |
| FWVPN-Test | NULL     | NULL              | NULL                       | Framed-Protocol = PPP                                                                    |     NULL |
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
2 rows in set (0.00 sec)

mysql> select * from SUBSCRIBERS;
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| USERNAME   | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR                  | REPLYATTR                                                                                | TIMELEFT |
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| mikem      | fred     | 1xMKc0GIVUNbE     | Service-Type = Framed-User | Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair = "testing testing" |      100 |
| mytestuser | NULL     | NULL              | NULL                       | Framed-IP-Address = 192.168.45.67                                                        |     NULL |
+------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
2 rows in set (0.01 sec)

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
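The decision logic behind steps 2 to 5 of the post (pick the group, look up its reply attributes, fall back to a default set or a reject when no group matches), as an added example that is not part of the original post and is not Radiator code or a Radiator hook API. It uses sqlite3 in place of the post's MySQL database; the tables follow the shape of SUBSCRIBERS and GROUPSCRIBERS with two assumed additions, a PRIORITY column (lower wins, so a user in several groups gets one deterministic answer) and a 'DEFAULT' row for the no-match case. The sample rows, the access-list values and the memberOf DNs are constructed (the FLD-Users group name is invented). Reply attributes are parsed into an ordered list rather than a dict, so a row that carries cisco-avpair several times keeps every copy.

```python
"""Group-to-attributes lookup with a default fallback (added example, not Radiator code).

sqlite3 stands in for MySQL. Assumed additions to the post's schema: a
PRIORITY column on GROUPSCRIBERS (lower wins) and a 'DEFAULT' fallback row.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

Attr = Tuple[str, str]
DEFAULT_GROUP = "DEFAULT"  # assumed name of the fallback row

# Constructed sample data; the access-list contents are illustrative only.
SCHEMA = """
CREATE TABLE SUBSCRIBERS   (USERNAME  TEXT PRIMARY KEY, REPLYATTR TEXT);
CREATE TABLE GROUPSCRIBERS (GROUPNAME TEXT PRIMARY KEY, PRIORITY INTEGER, REPLYATTR TEXT);
INSERT INTO SUBSCRIBERS VALUES ('mytestuser', 'Framed-IP-Address = 192.168.45.67');
INSERT INTO GROUPSCRIBERS VALUES
  ('FWVPN-Admin', 10,   'cisco-avpair = "ip:inacl#1=permit ip any any"'),
  ('FWVPN-Test',  20,   'Framed-Protocol = PPP,cisco-avpair = "ip:inacl#1=permit tcp any host 10.0.0.5 eq 443",cisco-avpair = "ip:inacl#2=deny ip any any"'),
  ('DEFAULT',     9999, 'cisco-avpair = "ip:inacl#1=deny ip any any"');
"""

# Constructed memberOf values in the shape of the post's trace (FLD-Users is invented).
SAMPLE_MEMBER_OF = [
    "CN=FLD-Users,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE",
    "CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE",
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)
# One 'Name = value' item of a REPLYATTR string; a double-quoted value may contain commas.
_PAIR_RE = re.compile(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)')


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def group_names(member_of: List[str]) -> List[str]:
    """Leaf CN of each memberOf DN (simplification: no escaped commas inside CNs)."""
    names = []
    for dn in member_of:
        m = _CN_RE.match(dn.strip())
        if m:
            names.append(m.group(1))
    return names


def parse_reply_attrs(text: Optional[str]) -> List[Attr]:
    """'Framed-Protocol = PPP,cisco-avpair = "a,b"' -> [(name, value), ...].
    Duplicates are kept, in order, because cisco-avpair may be sent repeatedly."""
    attrs: List[Attr] = []
    if not text:  # NULL column
        return attrs
    pos = 0
    while pos < len(text):
        m = _PAIR_RE.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"unparseable reply attribute at offset {pos}: {text[pos:]!r}")
        value = m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        attrs.append((m.group(1), value))
        pos = m.end()
    return attrs


def select_group(conn: sqlite3.Connection, member_of: List[str]) -> Tuple[str, List[Attr]]:
    """Steps 4 and 5 in one query: the lowest-PRIORITY group the user is a member of,
    or the DEFAULT row when none of the user's groups has an entry."""
    names = group_names(member_of)
    conds, params = ["GROUPNAME = ?"], [DEFAULT_GROUP]
    if names:  # MySQL rejects an empty IN (), so only add the clause when needed
        conds.append("GROUPNAME IN (%s)" % ",".join("?" * len(names)))
        params.extend(names)
    # Bound parameters: the group names come from the directory, never spliced into SQL text.
    sql = ("SELECT GROUPNAME, REPLYATTR FROM GROUPSCRIBERS WHERE " + " OR ".join(conds)
           + " ORDER BY PRIORITY LIMIT 1")
    row = conn.execute(sql, params).fetchone()
    if row is None:
        raise LookupError("no matching group and no DEFAULT row")
    return row[0], parse_reply_attrs(row[1])


def build_reply(conn: sqlite3.Connection, username: str, member_of: List[str],
                reject_without_group: bool = False) -> Optional[List[Attr]]:
    """Steps 3 to 5: per-user attributes followed by the selected group's attributes.
    Returns None (i.e. send Access-Reject) when only DEFAULT matched and that is the policy."""
    row = conn.execute("SELECT REPLYATTR FROM SUBSCRIBERS WHERE USERNAME = ?", (username,)).fetchone()
    user_attrs = parse_reply_attrs(row[0]) if row else []
    group, group_attrs = select_group(conn, member_of)
    if group == DEFAULT_GROUP and reject_without_group:
        return None
    return user_attrs + group_attrs


if __name__ == "__main__":
    db = open_sample_db()
    for name, value in build_reply(db, "mytestuser", SAMPLE_MEMBER_OF) or []:
        print(f"{name} = {value}")
    print(build_reply(db, "mytestuser", ["CN=Domain Users,CN=Users,DC=DOM,DC=AIN,DC=SE"],
                      reject_without_group=True))
```

Two points from the post's own config that this makes concrete: the AuthSelect in the post pastes the group name (and %0) straight into the SQL string, whereas here every name from the directory is a bound parameter; and whether the no-match case is a default attribute set or an Access-Reject is a single flag, so either of the two outcomes the post mentions for step 5 falls out of the same lookup. Where this logic is hung in Radiator (the PostAuthHook the linked thread suggests, or a smarter AuthSelect) is a separate question that the example does not settle.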