Discussion:
How to config to get group attributes
John Duino
2004-05-05 01:21:16 UTC
I'm a complete radius newbie and I can't manage to get this to work.
Running v0.9.3 on Fedora Core 1. I'm using Unix authentication (system
uses NIS) and I'm attempting to access this from an Aventail EX1500.

Users authenticate fine, but I am not getting any group information back
to the Aventail. tcpdump confirms no info being passed. The group info
is primarily in NIS, but I have even tried putting some in the local
/etc/group for testing without success.

I do not totally (obviously) grasp the intricacies of the radiusd.conf
file, multiple authentication schemes, etc. but here are the things I
did that I thought would make it work:

I uncommented and/or changed the following in radiusd.conf:
passwd etc_group {
    filename = /etc/group
    format = "=Group-Name:::*,User-Name"
    hashsize = 50
    ignorenislike = no
    allowmultiplekeys = yes
    delimiter = ":"
}

Do I need to add something else somewhere? HELP!

TIA!
--
John Duino <***@nateng.com>
National Engineering Technology


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Milver S. Nisay
2004-05-05 07:33:47 UTC
Post by John Duino
I'm a complete radius newbie and I can't manage to get this to work.
Running v0.9.3 on Fedora Core 1. I'm using Unix authentication (system
uses NIS) and I'm attempting to access this from an Aventail EX1500.
Users authenticate fine, but I am not getting any group information back
to the Aventail. tcpdump confirms no info being passed. The group info
is primarily in NIS, but I have even tried putting some in the local
/etc/group for testing without success.
I understand that you are trying to authenticate group users?
Post by John Duino
I do not totally (obviously) grasp the intricacies of the radiusd.conf
file, multiple authentication schemes, etc. but here are the things I
radiusd -X helps a lot in debugging mode.
FC1 includes the freeradius package. I have done freeradius+MySQL under FC1 as
well.




Alan DeKok
2004-05-05 14:22:46 UTC
Post by John Duino
Users authenticate fine, but I am not getting any group information back
to the Aventail. tcpdump confirms no info being passed. The group info
is primarily in NIS, but I have even tried putting some in the local
/etc/group for testing without success.
There are no standard RADIUS attributes to send group information in
a RADIUS packet.

As of recently in the CVS snapshots, there is a "dictionary.unix"
file, with Unix group related attributes. However... if the NAS
documentation doesn't say it understands those attributes, then it
won't use them.
Post by John Duino
I'm using Unix authentication (system uses NIS) and I'm attempting
to access this from an Aventail EX1500.
Uh, no. The Aventail is authenticating via RADIUS. FreeRADIUS can
be configured to do authentication against /etc/passwd, but the
Aventail NAS doesn't know that this is happening.
Post by John Duino
I do not totally (obviously) grasp the intricacies of the radiusd.conf
file, multiple authentication schemes, etc.
It has nothing to do with "radiusd.conf".

Why are you trying to send Unix group information to the NAS?

Alan DeKok.

John Duino
2004-05-05 16:00:56 UTC
Post by Alan DeKok
Post by John Duino
Users authenticate fine, but I am not getting any group information back
to the Aventail. tcpdump confirms no info being passed. The group info
is primarily in NIS, but I have even tried putting some in the local
/etc/group for testing without success.
There are no standard RADIUS attributes to send group information in
a RADIUS packet.
I do not know if it is "standard" (eg, RFC defined) but it is possible.
See discussion below.
Post by Alan DeKok
As of recently in the CVS snapshots, there is a "dictionary.unix"
file, with Unix group related attributes. However... if the NAS
documentation doesn't say it understands those attributes, then it
won't use them.
The NAS understands the "Attribute value pairs" information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.
Post by Alan DeKok
Post by John Duino
I'm using Unix authentication (system uses NIS) and I'm attempting
to access this from an Aventail EX1500.
Uh, no. The Aventail is authenticating via RADIUS. FreeRADIUS can
be configured to do authentication against /etc/passwd, but the
Aventail NAS doesn't know that this is happening.
Merely a grammatical slip. I know the Aventail is using Radius.
FreeRadius is using the system's Unix-based authentication, which in
this case is NIS-based.
Post by Alan DeKok
Post by John Duino
I do not totally (obviously) grasp the intricacies of the radiusd.conf
file, multiple authentication schemes, etc.
It has nothing to do with "radiusd.conf".
Why are you trying to send Unix group information to the NAS?
Why does it not have to do with radiusd.conf? The section I posted
previously labeled "passwd etc_group", and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope. The
radius server, upon positive authentication, should also then parse the
group directory (/etc/group, in this case, including its NIS extension)
and return in the Authenticator additional information labeled as
"Attribute value pairs" that would, in this case, be the groups the user
belongs to.

I am trying to get this because it allows me to use 'predefined' groupings
of people (in this case, people within certain unix-based groups) as
another criterion in my ACLs on the Aventail.
--
John Duino <***@nateng.com>
National Engineering Technology


Alan DeKok
2004-05-05 16:21:18 UTC
Post by John Duino
The NAS understands the "Attribute value pairs" information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.
It would have helped if you said this at the start. Talking about
"why your solution doesn't do what you expect" is often a waste of
time.

Instead, talk about what you want to do. In this case, it's:

- send a Class or Filter-Id attribute to the NAS, with the content
being the names of the Unix groups to which the user belongs.
Post by John Duino
Why does it not have to do with radiusd.conf?
The issue is that your problem was poorly defined. No amount of
editing "radiusd.conf" will cause your problem to become well-defined.
Post by John Duino
The section I posted
previously labeled "passwd etc_group", and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope.
No, it's not. It adds a "Group-Name" attribute, not a Class or
Filter-Id.

If you edit it to add "Class", or "Filter-Id", it will be a little
better.
Post by John Duino
The radius server, upon positive authentication, should also then
parse the group directory (/etc/group, in this case, including its
NIS extension)
The "passwd" module doesn't read directories. It reads files. It's
documented as reading files. It's not documented as interacting with
NIS.

So the "passwd" module won't read "directories", with "NIS
extensions". You've got to point it to each and every "group" file
you want it to read. To do this, you probably need multiple instances
of the module, one for each file you want it to read.
Post by John Duino
and return in the Authenticator additional information labeled as
"Attribute value pairs" that would, in this case, be the groups the user
belongs to.
If you return them in the correct attributes.

Alan DeKok.

John Duino
2004-05-05 16:57:00 UTC
Post by Alan DeKok
Post by John Duino
The NAS understands the "Attribute value pairs" information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.
It would have helped if you said this at the start. Talking about
"why your solution doesn't do what you expect" is often a waste of
time.
Well, as I stated, I am a newbie at Radius and FreeRadius, and thus, do
not know all the 'proper' terms. And if I knew how to completely phrase
my question I would probably know how to solve it!
Post by Alan DeKok
- send a Class or Filter-Id attribute to the NAS, with the content
being the names of the Unix groups to which the user belongs.
Post by John Duino
The section I posted
previously labeled "passwd etc_group", and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope.
No, it's not. It adds a "Group-Name" attribute, not a Class or
Filter-Id.
If you edit it to add "Class", or "Filter-Id", it will be a little
better.
Well, again, if I knew exactly of which I speak, I would not be asking
for help.
Post by Alan DeKok
The "passwd" module doesn't read directories. It reads files. It's
documented as reading files. It's not documented as interacting with
NIS.
I'm a bit confused then: if it doesn't read directories (as in a
directory server, eg NIS) how is it currently authenticating me via NIS?
Post by Alan DeKok
So the "passwd" module won't read "directories", with "NIS
extensions". You've got to point it to each and every "group" file
you want it to read. To do this, you probably need multiple instances
of the module, one for each file you want it to read.
Okay, but at this point for me that's like saying, "To get to the moon
you simply have to build a rocket." I am asking for help in configuring
freeradius; what do I need to do? Is module example "passwd etc_group"
the correct place to start? If so, and since I thought I already did
that and it did not work for me, what am I doing wrong?
--
John Duino <***@nateng.com>
National Engineering Technology


Alan DeKok
2004-05-05 17:19:52 UTC
Post by John Duino
Well, as I stated, I am a newbie at Radius and FreeRadius, and thus, do
not know all the 'proper' terms. And if I knew how to completely phrase
my question I would probably know how to solve it!
The issue isn't so much phrasing as intent. You described what you
were doing, not what you wanted.
Post by John Duino
Post by Alan DeKok
If you edit it to add "Class", or "Filter-Id", it will be a little
better.
Well, again, if I knew exactly of which I speak, I would not be asking
for help.
I'm sorry, but I expect people to be able to read the configuration
file, and make some simple conclusions from it. In this case, you
expected a configuration which had NO MENTION of "Class" or
"Filter-Id" to somehow magically use them.
Post by John Duino
Post by Alan DeKok
The "passwd" module doesn't read directories. It reads files. It's
documented as reading files. It's not documented as interacting with
NIS.
I'm a bit confused then: if it doesn't read directories (as in a
directory server, eg NIS) how is it currently authenticating me via NIS?
It's not. The passwd module doesn't authenticate anyone.

You're probably using system authentication. In that case, there's
a system call used by FreeRADIUS to get the user's password. That
system call eventually ends up using NIS, but FreeRADIUS doesn't know
that.
Post by John Duino
I am asking for help in configuring freeradius; what do I need to
do? Is module example "passwd etc_group" the correct place to start?
If so, and since I thought I already did that and it did not work
for me, what am I doing wrong?
I told you. Replace "Group-Name" with "Class" or "Filter-Id".
Point the "/etc/group" configuration at a group file from the
/etc/group directory on your system.

Alan DeKok.

John Duino
2004-05-05 20:01:05 UTC
Post by Alan DeKok
I'm sorry, but I expect people to be able to read the configuration
file, and make some simple conclusions from it. In this case, you
expected a configuration which had NO MENTION of "Class" or
"Filter-Id" to somehow magically use them.
Conclusions are one thing. For those of us who don't know the difference
it is a leap of knowledge.
Post by Alan DeKok
You're probably using system authentication. In that case, there's
a system call used by FreeRADIUS to get the user's password. That
system call eventually ends up using NIS, but FreeRADIUS doesn't know
that.
Understood, and that makes sense. I was (logically) jumping past the
functional steps.
Post by Alan DeKok
I told you. Replace "Group-Name" with "Class" or "Filter-Id".
Point the "/etc/group" configuration at a group file from the
/etc/group directory on your system.
Sorry, that wasn't obvious to me from your previous post.

For completeness of this exchange, I added the following to
radiusd.conf:
passwd etc_group {
    filename = /etc/group
    format = "=Class:::*,User-Name"
    hashsize = 50
    ignorenislike = no
    allowmultiplekeys = yes
    delimiter = ":"
}

and then added "etc_group" in the "authorize" section.
Oh, and because I'm using Fedora, the rlm_passwd is not included. I
downloaded the source and rebuilt freeradius using the RH Spec file
after adding "rlm_passwd" to "src/modules/stable".

Now it works! Hurray! Thank you!

Now one more question: is there any way to get FreeRadius to look at the
NIS information, directly or indirectly?
--
John Duino <***@nateng.com>
National Engineering Technology


Alan DeKok
2004-05-05 20:13:27 UTC
Post by John Duino
Now it works! Hurray! Thank you!
You're welcome.
Post by John Duino
Now one more question: is there any way to get FreeRadius to look at the
NIS information, directly or indirectly?
NIS supplies a lot of information. Are you looking to have it read
group information from NIS? If so, there's no built-in way to do it.

You can, however, run an external shell script to do it. See the
"groups" command. Run the groups command from a shell script(see
scripts/exec-program-wait), and turn the output into a list of "Class
+= group" attributes. The server will do the rest.

Test the shell script from the command-line first, though...

Alan DeKok.


John Duino
2004-05-05 22:21:29 UTC
Post by Alan DeKok
Post by John Duino
Now one more question: is there any way to get FreeRadius to look at the
NIS information, directly or indirectly?
NIS supplies a lot of information. Are you looking to have it read
group information from NIS? If so, there's no built-in way to do it.
You can, however, run an external shell script to do it. See the
"groups" command. Run the groups command from a shell script(see
scripts/exec-program-wait), and turn the output into a list of "Class
+= group" attributes. The server will do the rest.
Brilliant, now we're talkin'!
I added the following Exec-Program-Wait to the raddb/users file:
DEFAULT Auth-Type = System
        Exec-Program-Wait = "/usr/local/System/bin/nis-group-list.sh",
        Fall-Through = 1

And the nis-group-list.sh script is:

#!/bin/bash
# Strip the double quotes FreeRADIUS puts around the value in $USER_NAME
# ("joe" -> joe); otherwise 'groups' looks up a user that does not exist.
UN=$(echo "$USER_NAME" | tr -d '"')
# 'groups user' prints "user : grp1 grp2 ..."; keep the part after the colon
# and emit one Class attribute per group the user belongs to.
for FF in $(/usr/bin/groups "$UN" | cut -d":" -f2)
do
    echo "Class += \"$FF\","
done
echo Framed-IP-Address = 255.255.255.255
exit 0

One strange side-effect was encountered that the quote-stripping line is used to
overcome. The environment variable $USER_NAME includes quotes around the
name (e.g., if the username is 'joe' the string translates literally as
"joe" including the quotes). 'groups' takes the quotes literally and
errors (because the user "joe" doesn't exist, only joe does). So I strip the
quotes. No biggie.

Thanks again for the help! I wouldn't have found the script example
without you as it appears RedHat/Fedora doesn't include them in the
install, only with the source.
--
John Duino <***@nateng.com>
National Engineering Technology


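A hardened variant of the Exec-Program-Wait helper in the post above, added here as an example; it is not the script from the thread and not FreeRADIUS's own code. It keeps the quote-stripping John describes, but also refuses any User-Name outside a conservative character set before the name reaches `groups` (the value arrives from the NAS, so a hostile supplicant controls it), puts the conversion into functions so it can be exercised from the command line with a constructed `groups` line as Alan suggests, without NIS, and exits nonzero when the lookup fails. The `/usr/bin/groups` path, the allowed character set, and treating an empty group list as a failure are assumptions; the Framed-IP-Address line from the original script is left out as site-specific.

```shell
#!/bin/bash
# Added example (not the thread's script): hardened Exec-Program-Wait helper
# that maps a user's Unix/NIS groups to 'Class += "group"' reply attributes.

# Accept only usernames of the form [A-Za-z0-9._-]+ that do not start with
# '-'. ASSUMPTION: site policy; widen it if your NIS passwd map needs more.
# Anything else (spaces, quotes, ';', '$', ...) is rejected before it can
# reach a command line.
valid_username() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Za-z0-9._-]* ) return 1 ;;
        -* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# FreeRADIUS exports the attribute value with its surrounding double quotes
# in $USER_NAME ("joe"); strip them as the original script does.
strip_quotes() {
    printf '%s' "$1" | tr -d '"'
}

# Turn one line of 'groups user' output ("user : grp1 grp2 ...") into one
# 'Class += "grp",' line per group. Emits nothing for an empty group list so
# the caller can detect that case. Input is a plain string, so this can be
# tested with a constructed line and no NIS.
class_attrs_from_groups_line() {
    groups_part=${1#*:}            # everything after the first colon
    for g in $groups_part; do      # split on whitespace
        printf 'Class += "%s",\n' "$g"
    done
}

# Entry point: strip, validate, look up, convert. Returns 1 on a bad name,
# a failed lookup (unknown user, missing groups binary) or an empty list.
emit_class_attrs() {
    un=$(strip_quotes "$1")
    valid_username "$un" || return 1
    line=$(/usr/bin/groups "$un" 2>/dev/null) || return 1   # ASSUMED path
    out=$(class_attrs_from_groups_line "$line")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# When FreeRADIUS runs us, $USER_NAME is set: emit the attributes and exit
# nonzero on failure. Otherwise only define the functions (for testing).
if [ -n "${USER_NAME:-}" ]; then
    emit_class_attrs "$USER_NAME" || exit 1
    exit 0
fi
```

To try it from a shell before wiring it into raddb/users: `USER_NAME='"joe"' ./nis-group-list.sh` should print one `Class += "..."` line per group, and `USER_NAME='"joe; id"' ./nis-group-list.sh; echo $?` should print nothing and exit 1. Note that a nonzero exit from an Exec-Program-Wait script makes FreeRADIUS reject the user, so with this script a user who has no groups, or whom `groups` cannot find, is rejected rather than accepted without a Class; if you would rather admit such users, change the final `|| exit 1` to exit 0.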
Jared Jones
2004-05-05 23:02:39 UTC
The tables in the FreeRadius MySQL schema are quite confusing.
How are (clients/NAS) implemented in this schema?
Is there any tutorial available or some sort of data dictionary to help
explain the table's functionality as well as the fields?
Any help is appreciated.

Thanks,
Jared Jones



P.S. For those of you who helped me with the 'failed to open stream' post:
thank you, it was a permissions thing.




Paul Hampson
2004-05-07 06:01:47 UTC
Post by Jared Jones
The tables in the FreeRadius MySQL schema are quite confusing.
How are (clients/NAS) implemented in this schema?
Unless something changed and I didn't notice, we _don't_ implement
clients or NAS in the SQL stuff. Those tables are just placeholders...

It used to say so directly above the table definitions, I thought.
Post by Jared Jones
Is there any tutorial available or some sort of data dictionary to help
explain the table's functionality as well as the fields?
For those tables, no. For the radcheck/radreply/radgroupcheck/
radgroupreply/usergroup tables, the SQL statements _are_ the
documentation. The statements work like the files module's files do,
returning a series of attribute/value pairs.
Post by Jared Jones
Any help is appreciated.
Well, I hope that helps.

--
Paul "TBBle" Hampson, on a webmail client!
