Reply with group attribute
Markus Wernig
2009-03-13 09:25:38 UTC
Hello all

I'm terribly new to RADIUS, so please excuse my ignorance.

What I'm looking for (and can't find in man, wiki, or google)
is how to send back the group an authenticated user is in together with
the authentication result.

I have a VPN gateway that authenticates users against freeradius, using
the unix authentication scheme (the users are all real unix users on the
freeradius server). All ok, works like a charm. Now we have the requirement
to apply different security settings to different user groups. The user
groups are the unix groups the different users are in on the freeradius
server. So I need the radius server to return the user's group
information together with the Access-Accept.
I'm sorry but for the life of me I can't find any information on how
this is done.

Could somebody please point me to the right direction?

Thanks /markus
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Markus Wernig
2009-03-13 11:30:30 UTC
Hello all

I found some hint on how the VPN gateway expects the group information
from the RADIUS server to be presented:

--- QUOTE ---
To use RADIUS groups, you must define a return attribute on the RADIUS
Server, in the RADIUS user profile. This RADIUS attribute is returned to
the VPN gateway that contains the group name to which the user belongs.
By default the Class attribute is used (IETF RADIUS attribute number
25), though other RADIUS attributes can be used.
[...]
Modify the RADIUS users to include a “class” RADIUS attribute on the
users' Return list that corresponds to the Firewall user group they will
be using for their access.
[...]

--- UNQUOTE ---

So, the question is: How do I make freeradius return the users' group as
a "class" attribute in the authentication reply?

Thanks for any hint.
/markus
Post by Markus Wernig
What I'm looking for (and can't find in man, wiki, or google)
is how to send back the group an authenticated user is in together with
the authentication result.
t***@kalik.net
2009-03-13 11:52:17 UTC
Post by Markus Wernig
So, the question is: How do I make freeradius return the users' group as
a "class" attribute in the authentication reply?
Like every other: Class := whatever. In your case Class := "%{Group}".
Read man unlang.

Ivan Kalik
Kalik Informatika ISP

Markus Wernig
2009-03-13 14:20:36 UTC
Hi Ivan, thanks for your help

Unfortunately I don't know where to put that line.
If I put it into the users file, in the DEFAULT section like this:

DEFAULT Auth-Type = System
	Class := "%{Group}",
	Fall-Through = 1
...

The reply looks like this (at least in the logfile):

Packet-Type = Access-Accept
Fri Mar 13 15:54:45 2009
Class := 0x

So, afaict, the group attribute doesn't make it into the reply.
Where should I put that line? Do I need to echo it?

thx again
/markus
Post by t***@kalik.net
Post by Markus Wernig
So, the question is: How do I make freeradius return the users' group as
a "class" attribute in the authentication reply?
Like every other: Class:= whatever. In your case Class := "%{Group}".
t***@kalik.net
2009-03-13 14:37:40 UTC
Post by Markus Wernig
Unfortunately I don't know where to put that line.
DEFAULT Auth-Type = System
Class := "%{Group}",
Fall-Through = 1
....
Are you using some ancient version?
Post by Markus Wernig
Packet-Type = Access-Accept
Fri Mar 13 15:54:45 2009
Class := 0x
It did make it - but it's empty.
Post by Markus Wernig
So, afaict, the group attribute doesn't make it into the reply.
Where should I put that line? Do I need to echo it?
Use unlang after unix in authorize.

Ivan Kalik
Kalik Informatika ISP

Markus Wernig
2009-03-13 17:52:34 UTC
Post by t***@kalik.net
Are you using some ancient version?
I was using 1.1.7 first, but have upgraded to 2.1.0 now.
Still the same behaviour.
Post by t***@kalik.net
Post by Markus Wernig
So, afaict, the group attribute doesn't make it into the reply.
Where should I put that line? Do I need to echo it?
Use unlang after unix in authorize.
Sorry, I don't understand that.
There is an authorize section in /etc/freeradius/sites-enabled/default.
If I change it to
unix {
	Class := "%{Group}"
}

I get the following error when starting freeradius:
Unknown action '%{Group}'

/markus

t***@kalik.net
2009-03-13 18:38:51 UTC
Post by Markus Wernig
Post by t***@kalik.net
Use unlang after unix in authorize.
Sorry, I don't understand that.
Reading man pages helps with that:

http://freeradius.org/radiusd/man/unlang.html
Post by Markus Wernig
There is an authorize section in /etc/freeradius/sites-enabled/default.
Yes, that's where it is in 2.x. I had a look at the unix module and it
doesn't populate Group attribute (for some years now as it turns out).
You need to use passwd module to populate Group:

http://freeradius.org/radiusd/man/rlm_passwd.html

Ivan Kalik
Kalik Informatika ISP

Markus Wernig
2009-03-13 19:08:48 UTC
Post by t***@kalik.net
Yes, that's where it is in 2.x. I had a look at the unix module and it
doesn't populate Group attribute (for some years now as it turns out).
What a pity.
I found this in modules/etc_group:
"The Group-Name attribute is automatically created by the Unix module,
and does checking against /etc/group automatically."
This entry was already in the 1.1.7 modules/etc_group
Is this possible on a system using shadow passwords?

Thank you
/markus
Markus Wernig
2009-03-13 18:37:28 UTC
Post by t***@kalik.net
Are you using some ancient version?
1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which
seems quite a large difference.
Post by t***@kalik.net
Use unlang after unix in authorize.
What do you mean by "after unix"?

So I've put the following in radiusd.conf:

authorize {
	...
	unix
	update "reply" {
		Class := "%{Group}"
	}
	...
}

Which gives the ERROR: "Cannot find a configuration entry for module
"update"".

Clear, update is not a module. But where does such a directive go?

thx /markus

Alan DeKok
2009-03-13 19:16:07 UTC
Post by Markus Wernig
1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which
seems quite a large difference.
Post by t***@kalik.net
Use unlang after unix in authorize.
What do you mean by "after unix"?
authorize {
...
unix
update "reply" {
This won't work in 1.1.7.
Post by Markus Wernig
Class := "%{Group}"
}
...
}
Which gives the ERROR: "Cannot find a configuration entry for module
"update"".
Clear, update is not a module. But where does such a directive go?
In a new version of the server.

Alan DeKok.
Markus Wernig
2009-03-13 19:23:47 UTC
Post by Alan DeKok
In a new version of the server.
Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it
populate the Group or Group-Name attribute. doh
/m
t***@kalik.net
2009-03-13 19:36:57 UTC
Post by Markus Wernig
Post by Alan DeKok
In a new version of the server.
Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it
populate the Group or Group-Name attribute. doh
Did you read rlm_passwd man page?

Ivan Kalik
Kalik Informatika ISP

Markus Wernig
2009-03-13 20:31:35 UTC
Post by t***@kalik.net
Did you read rlm_passwd man page?
Of course

So I put

filename "/etc/group" {
	format = "My-Group-Name:::*,User-Name"
}

into /etc/freeradius/modules/passwd

and
ATTRIBUTE My-Group-Name 3000 string

into /etc/freeradius/dictionary
(btw. can't put in "Group-Name" because it seems to be already defined
somewhere else, so I suppose I should somehow be able to access it ... )

Could not find a place where to initialise the passwd module.

put
update reply {
	Class := %{My-Group-Name},
	Class += %{passwd:My-Group-Name},
	Class += %{Group}
}
into post-auth

under freeradius -X I still get
...
expand: %{My-Group-Name} ->
WARNING: Unknown module "passwd" in string expansion
"%{passwd:My-Group-Name}"
expand: %{passwd:My-Group-Name} ->
expand: %{Group} ->
++[reply] returns noop
...
Sending Access-Accept .....
Class = 0x
Class = 0x
Class = 0x


/m
t***@kalik.net
2009-03-13 22:00:27 UTC
Post by Markus Wernig
Post by t***@kalik.net
Did you read rlm_passwd man page?
Of course
I have posted the link to man unlang as well. It does say which quotes to
use to expand the variable, which lists exist ...
Post by Markus Wernig
update reply {
Class := %{My-Group-Name},
Class += %{passwd:My-Group-Name},
Class += %{Group}
}
into post-auth
It's "%{control:My-Group-Name}". Quotes, list and all.

Ivan Kalik
Kalik Informatika ISP

Markus Wernig
2009-03-17 07:59:44 UTC
Post by t***@kalik.net
Post by t***@kalik.net
Did you read rlm_passwd man page?
It's "%{control:My-Group-Name}". Quotes, list and all.
Yes, that did it! Quotes were there, but the "control" list part wasn't.
Thank you for your help!

ps: It might be just me, but I was far from deducing that from the man
page: " ... The "control" list is the list of attributes maintained
internally by the server that controls how the server processes the
request. ..." misled me totally.
Alan DeKok
2009-03-14 08:09:10 UTC
Post by Markus Wernig
Could not find a place where to initialise the passwd module.
You list it in the "authorize" section.

Alan DeKok.
Markus Wernig
2009-03-17 07:51:37 UTC
Post by Alan DeKok
Post by Markus Wernig
Could not find a place where to initialise the passwd module.
You list it in the "authorize" section.
This led to errors (from memory: no config found for passwd module).
I then used the etc_group module from the example, listed _that_ in
authorize - and all is well. Thank you very much!
Alan DeKok
2009-03-13 20:51:41 UTC
Post by Markus Wernig
Post by Alan DeKok
In a new version of the server.
Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it
populate the Group or Group-Name attribute. doh
It doesn't populate the Group attribute. One user may be in 10 or
more groups. Maybe 100. That gets difficult to manage.

The Group attribute is for comparison. Is the user in group X? Yes?
Match. Or... don't match.

Alan DeKok.
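As an added illustration (not code from this thread or from FreeRADIUS), the Python below emulates what the etc_group passwd instance that Markus ended up with does with /etc/group, and what a post-auth `update reply { Class := "%{control:Group-Name}" }` then has to work with. It assumes the stock etc_group format string `"=Group-Name:::*,User-Name"`, whose `=` prefix is what puts the value into the control list that `%{control:...}` reads; the /etc/group contents are constructed.

```python
# Added example (not FreeRADIUS code): emulates the etc_group rlm_passwd
# instance reading /etc/group and shows what the control list holds when
# post-auth runs  update reply { Class := "%{control:Group-Name}" }.
ETC_GROUP = """\
root:x:0:
vpn-admins:x:1001:markus,alice
vpn-users:x:1002:markus,bob,carol
audit:x:1003:alice
"""                                     # constructed sample, not a real host
FORMAT = "=Group-Name:::*,User-Name"    # stock etc_group format string
DELIMITER = ":"

def parse_format(fmt, delimiter=DELIMITER):
    """Split an rlm_passwd format string into field descriptors.
    Prefixes: '*' key field, ',' comma-separated multi-value field,
    '=' value goes to the control list, '~' to the reply list."""
    fields = []
    for raw in fmt.split(delimiter):
        spec = {"name": raw, "key": False, "multi": False, "list": "request"}
        while spec["name"] and spec["name"][0] in "*,=~":
            flag, spec["name"] = spec["name"][0], spec["name"][1:]
            spec["key"] |= flag == "*"
            spec["multi"] |= flag == ","
            spec["list"] = {"=": "control", "~": "reply"}.get(flag, spec["list"])
        fields.append(spec)
    return fields

def lookup(user, text=ETC_GROUP, fmt=FORMAT):
    """Return {list: [(attr, value), ...]} for every line whose key field
    contains user. Only the member field is searched, so the user's primary
    group (the gid in /etc/passwd) is NOT found, and no group means no attr."""
    fields = parse_format(fmt)
    found = {"request": [], "control": [], "reply": []}
    for line in text.splitlines():
        cols = line.split(DELIMITER)
        if len(cols) != len(fields):
            continue                        # malformed line, skipped
        keys = [c.split(",") if f["multi"] else [c]
                for f, c in zip(fields, cols) if f["key"]]
        if any(user in k for k in keys):    # exact member-name match
            for f, c in zip(fields, cols):
                if f["name"] and not f["key"]:   # key is already in the request
                    found[f["list"]].append((f["name"], c))
    return found

def class_values(user):
    """Group-Name values in the control list. Class := "%{control:Group-Name}"
    takes only the first; one Class per group needs += (Alan's many-groups caveat)."""
    return [v for a, v in lookup(user)["control"] if a == "Group-Name"]
```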