Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
Hello,

Could anyone provide instructions on how to configure Freeradius server on a Synology NAS to authenticate Cisco RV340 users?  Specifically, I need to configure the server to send radius attribute class 25 with user group name back to the client (RV340).

Thanks,

vl

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Alan DeKok-2
On Sep 3, 2019, at 4:39 PM, Levin, Vladimir <[hidden email]> wrote:
> Could anyone provide instructions on how to configure Freeradius server on a Synology NAS to authenticate Cisco RV340 users?  Specifically, I need to configure the server to send radius attribute class 25 with user group name back to the client (RV340).

  We don't have documentation for commercial vendors here.  Please read *their* documentation to see what they accept.

  If you want to send a Class attribute back to the NAS, read "man unlang".  It contains complete descriptions of how to send attributes.  Plus, read sites-available/default.  There are lots of examples there.

  i.e. *read* the documentation instead of asking other people to do your work for you.  If you can't be bothered to read the documentation and follow it, we can't be bothered either.

  And *where* is the group name stored?  FreeRADIUS isn't a database.  We don't store groups.  So it has to come from somewhere.

  How can we help you if you ask vague questions, and don't give us enough information?

  Alan DeKok.



RE: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir
1. I was unable to find any vendor documentation that would explain how to make it work.  Both Synology's and Cisco's development-level technical support couldn't help either and referred me to Freeradius or "other online sources".
2. I am not familiar with RADIUS server environment nor am I a programmer, so even after reading the documentation I am still not sure which file(s) to input the code into or what the correct code should be.
3. I am not looking for a lecture (though, if that's what gets you off, I am happy to provide the opportunity) nor for other people to do my work for me (I've spent many hours trying to get it to work with nothing to show for it), but was rather hoping that someone has already solved that problem and was willing to share the solution.  
4. The group names are stored in the local user database of the Synology NAS; its RADIUS server, which is essentially Freeradius, is configured via GUI to use that database.
5. If I knew what additional information is needed, I'd be glad to provide it, if I can.

vl

Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Alan DeKok-2
On Sep 3, 2019, at 9:22 PM, Levin, Vladimir <[hidden email]> wrote:
>
> 1. I was unable to find any vendor documentation that would explain how to make it work.  Both Synology's and Cisco's development-level technical support couldn't help either and referred me to Freeradius or "other online sources".

  My point was that we can answer questions about FreeRADIUS.  We *can't* answer questions about what attributes are needed by a particular NAS.  Or, what values should be used for those attributes.  Only the vendor documentation has that information.

  Once you know which attributes need to be returned, and what values they have, it's easy to configure FreeRADIUS.  And we can definitely help there.

> 2. I am not familiar with RADIUS server environment nor am I a programmer, so even after reading the documentation I am still not sure which file(s) to input the code into or what the correct code should be.

  "correct code" to do... what?

  Saying "I'm not familiar with RADIUS" is a *terrible* answer.  We know.  You MUST be willing to *learn* about it.

> 3. I am not looking for a lecture (though, if that's what gets you off, I am happy to provide the opportunity) nor for other people to do my work for me (I've spent many hours trying to get it to work with nothing to show for it), but was rather hoping that someone has already solved that problem and was willing to share the solution.  

  I was hoping you would answer my question instead of complaining or making personal insults.

  The point was if you want to return an attribute, there is TONS of documentation telling you what to do.  Just look for "Class" in the default configuration, and you will see examples of comparing the Class attribute to something, or setting its value.

  And no, no one has solved your particular problem before.  It's unusual, hence my reply of "what do you mean?"  If it was a common problem, then it would have been documented.

  Yes, it's 2019.  Complaints about the FreeRADIUS documentation are no longer relevant.  While the documentation isn't perfect, it clearly describes the syntax of the configuration files.  The default virtual servers are heavily commented and documented.

  All that is necessary is that you *read* it, and ask *specific questions* when you don't understand something.

  It's just not useful to say "I've spent many hours trying to get it to work with nothing to show for it".  That's a complaint of "I did stuff and it didn't work.  But I'm not going to tell you what I did!"

  How do you expect us to be able to help you, then?

> 4. The group names are stored in the local user database of the Synology NAS; its RADIUS server, which is essentially Freeradius, is configured via GUI to use that database.

  That means nothing.  WHAT kind of database is it?  HOW does FreeRADIUS query it?

> 5. If I knew what additional information is needed, I'd be glad to provide it, if I can.

  Give sufficient technical information so that people can help you.

  Your description is vague.  "Database" isn't helpful.  "MySQL" is helpful.  "MySQL and here's a copy of the schema" is helpful.

  You're asking us how to configure "stuff".  And when I point out that description isn't good enough, you don't respond with a clearer description.  That's not productive.

  Alan DeKok.



Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Fajar A. Nugraha-2
In reply to this post by Levin, Vladimir
On Wed, Sep 4, 2019 at 8:24 AM Levin, Vladimir <[hidden email]> wrote:
>
> 1. I was unable to find any vendor documentation that would explain how to make it work.  Both Synology's and Cisco's development-level technical support couldn't help either and referred me to Freeradius or "other online sources".
> 2. I am not familiar with RADIUS server environment nor am I a programmer, so even after reading the documentation I am still not sure which file(s) to input the code into or what the correct code should be.
> 3. I am not looking for a lecture (though, if that's what gets you off, I am happy to provide the opportunity) nor for other people to do my work for me (I've spent many hours trying to get it to work with nothing to show for it), but was rather hoping that someone has already solved that problem and was willing to share the solution.
> 4. The group names are stored in the local user database of the Synology NAS; its RADIUS server, which is essentially Freeradius, is configured via GUI to use that database.
> 5. If I knew what additional information is needed, I'd be glad to provide it, if I can.


To summarize what you wrote:
- synology includes radius software, which is supposed to be freeradius
- you have no details on how synology implements their radius
- you want to use its bundled radius to authenticate cisco

Is that correct?

If so, then it seems that the only supported use of synology's radius
is whatever they tell you it can do (e.g. authenticate NAS users). If
you're using it for something other than its supported use, then
you're basically on your own.

Having said that, you might be able to perform additional
configuration on it if:
- you have no problem with potentially breaking (or voiding warranty)
your synology nas
- you have access to command line
- you are familiar with configuring software directly via command line
- you can read (and implement) the docs

As for "send radius attribute", if it were a normal freeradius
installation with mysql backend, and the attribute is specific to each
user, you probably need to add entries to the radreply table, e.g.
https://wiki.freeradius.org/guide/SQL-HOWTO#populating-sql

However if you only have access to synology's GUI, and it does not
show similar option, and you don't have access to the underlying
database directly, then your best bet is to simply install a separate
freeradius server for cisco.

--
Fajar


RE: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+vladlevin=[hidden email]] On Behalf Of Fajar A. Nugraha
Sent: Tuesday, September 03, 2019 8:14 PM
To: FreeRadius users mailing list
Subject: ++++SPAM++++ Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

On Wed, Sep 4, 2019 at 8:24 AM Levin, Vladimir <[hidden email]> wrote:
>
> 1. I was unable to find any vendor documentation that would explain how to make it work.  Both Synology's and Cisco's development-level technical support couldn't help either and referred me to Freeradius or "other online sources".
> 2. I am not familiar with RADIUS server environment nor am I a programmer, so even after reading the documentation I am still not sure which file(s) to input the code into or what the correct code should be.
> 3. I am not looking for a lecture (though, if that's what gets you off, I am happy to provide the opportunity) nor for other people to do my work for me (I've spent many hours trying to get it to work with nothing to show for it), but was rather hoping that someone has already solved that problem and was willing to share the solution.
> 4. The group names are stored in the local user database of the Synology NAS; its RADIUS server, which is essentially Freeradius, is configured via GUI to use that database.
> 5. If I knew what additional information is needed, I'd be glad to provide it, if I can.


To summarize what you wrote:
- synology includes radius software, which is supposed to be freeradius
- you have no details on how synology implements their radius
- you want to use its bundled radius to authenticate cisco

Is that correct?[]  Yes, that is absolutely correct.

If so, then it seems that the only supported use of synology's radius
is whatever they tell you it can do (e.g. authenticate NAS users). If
you're using it for something other than its supported use, then
you're basically on your own.

Having said that, you might be able to perform additional
configuration on it if:
- you have no problem with potentially breaking (or voiding warranty)
your synology nas[]  I don't have a problem with that.
- you have access to command line[]  I do.
- you are familiar with configuring software directly via command line[]  To a certain degree.
- you can read (and implement) the docs[]  I guess that remains to be seen.

RE: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir
1. According to Cisco tech support (and as I wrote in my original post) I need the FreeRADIUS server to send RADIUS attribute class 25 with the user group name to the client (RV340).  The http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-td2781054.html thread seems to be dealing with a similar issue, though it's over 10 years old.  In his 2nd (4:30 am) post Markus Wernig is asking the same question as I am, but I am not sure I fully understand what exactly he ended up doing.
2. See above.  Also, I have read the documentation, but it's still unclear to me how I should proceed.
3. There was only 1 non-rhetorical question in your previous post and I did answer it to the best of my knowledge and understanding.  Also, I couldn't find any Class attribute examples you are referring to.
4. I think it's MySQL database; I don't know how FreeRADIUS queries it.  
5. Once again, I'm not a developer, but an end user of a Synology NAS and I don't have information about its inner workings.  According to Synology development team, what I'm trying to achieve "is not a default option they support" and my only alternative is to try to modify the settings myself.  Obviously this isn't my area of expertise and I'm clearly out of my depth here, so any help I can get is very appreciated.

vl

Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Fajar A. Nugraha
In reply to this post by Levin, Vladimir
On Wed, Sep 4, 2019 at 3:02 PM Levin, Vladimir <[hidden email]> wrote:
> Is that correct?[]  Yes, that is absolutely correct.

You should use quoting when replying to a message, to make your replies
easier to read. e.g:
https://en.wikipedia.org/wiki/Posting_style#Quoted_line_prefix

> - you have no problem with potentially breaking (or voiding warranty)
> your synology nas[]  I don't have a problem with that.
> - you have access to command line[]  I do.
> - you are familiar with configuring software directly via command line[]  To a certain degree.
> - you can read (and implement) the docs[]  I guess that remains to be seen.
>
> As for "send radius attribute", if it were a normal freeradius
> installation with mysql backend, and the attribute is specific to each
> user, you probably need to add entries to radreply table, e.g.
> https://wiki.freeradius.org/guide/SQL-HOWTO#populating-sql

You can try to follow the example then. Looking at
https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.rfc2865#L35
, the attribute name should be just what you wrote earlier: 'Class'.
Try adding it (or find the way to add it using synology gui) to
radreply table for your test user.

--
Fajar

Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Alan DeKok-2
In reply to this post by Levin, Vladimir


> On Sep 4, 2019, at 5:26 AM, Levin, Vladimir <[hidden email]> wrote:
>
> 1. According to Cisco tech support (and as I wrote in my original post) I need FreeRADIUS server to send RADIUS attribute class 25 with the user group name to the client (RV340).

  I already explained that I understand that.  Yet you're still explaining it over and over.

  I've seen this lots.  It indicates that you're stuck on the problem and not on the solution.  You SHOULD read my response, realize that I understand the need to use Class, and then STOP REPEATING IT.

  Learning from simple email messages shows that you can read the documentation and learn from it.  Being unable to learn from email messages explains why the documentation doesn't mean anything to you.

> 3. There was only 1 non-rhetorical question in your previous post and I did answer it to the best of my knowledge and understanding.  Also, I couldn't find any Class attribute examples you are referring to.

  Because you're looking in the Synology configuration.  They've butchered it to do whatever it is they do.  They do NOT include the default documentation or configuration in their product.

  You are aware that we aren't Synology, right?  And that you CAN download a default FreeRADIUS configuration and read it, right?  And that when I refer to the "default configuration", I mean THE SOFTWARE WE WROTE AND DISTRIBUTE.  And not the Synology thing that we know nothing about?

> 4. I think it's MySQL database; I don't know how FreeRADIUS queries it.  

  If Synology ships FreeRADIUS that's configured to use MySQL, then the configuration files are on local disk.  If you can get access to local disk, then you can find those files.  This is Unix administration 101.

> 5. Once again, I'm not a developer, but an end user of a Synology NAS and I don't have information about its inner workings.  According to Synology development team, what I'm trying to achieve "is not a default option they support" and my only alternative is to try to modify the settings myself.

  i.e. you paid money for a product, but they won't help you.  So your response is to come here, and ask *us* for help.  For free.  And, give a vague description of the problem.

>  Obviously this isn't my area of expertise and I'm clearly out of my depth here, so any help I can get is very appreciated.

  I'm trying to help you, and not being very successful.

  The issue here is simple: You've paid money for a product that doesn't do what you want.

  On top of that, we cannot help you configure a product we know nothing about.  Sure, it's based on FreeRADIUS.  But we don't know how they've configured it.  We don't know where the files are on disk.  And you can't give us that information.

  Which means we can't help you.  *You* need to understand the product you bought *first*.  Then, explain those technical details clearly and simply.  Once that's done, we can likely help you.

  But if your expectation is that we can help you based on "I don't know", or "I want to do stuff", then you are severely mistaken.

  Alan DeKok.



RE: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir
Hi Fajar,

Just to be clear: the user accounts and groups already exist in Synology's local database.  My goal is to return the user's group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router).  Here's what I did (working config files are located in /usr/local/synoradius/):
1. Created /usr/local/synoradius/groups file with the following content:
update reply {
        # Class (RADIUS attribute 25) is set from the expansion of Group
        Class := "%{Group}"
}
2. Updated the post-auth statement of /usr/local/synoradius/rad_site_def_local file as follows:
post-auth {
        exec
        $INCLUDE /usr/local/synoradius/groups
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
3. Restarted the server and tested.  No go.

The client log reads "charon: Localdb:authorization failed as group is NULL".

Below is the server log:
Type Date & Time Event
2019-09-04 18:59:06 Info Ready to process requests
2019-09-04 18:59:06 Debug (0) Cleaning up request packet ID 166 with timestamp +36671
2019-09-04 18:59:01 Debug Waking up in 4.9 seconds.
2019-09-04 18:59:01 Debug (0) Finished request
2019-09-04 18:59:01 Debug (0) Class := 0x
2019-09-04 18:59:01 Debug (0) Sent Access-Accept Id 166 from 192.168.1.101:1812 to 192.168.1.100:57745 length 0
2019-09-04 18:59:01 Auth (0) Login OK: [username] (from client RV340 port 11121)
2019-09-04 18:59:01 Debug (0) } # post-auth = noop
2019-09-04 18:59:01 Debug (0) } # update reply = noop
2019-09-04 18:59:01 Debug (0) Class := 0x
2019-09-04 18:59:01 Debug (0) -->
2019-09-04 18:59:01 Debug (0) EXPAND %{Group}
2019-09-04 18:59:01 Debug (0) update reply {
2019-09-04 18:59:01 Debug (0) [exec] = noop
2019-09-04 18:59:01 Debug (0) modsingle[post-auth]: returned from exec (rlm_exec)
2019-09-04 18:59:01 Debug (0) modsingle[post-auth]: calling exec (rlm_exec)
2019-09-04 18:59:01 Debug (0) post-auth {
2019-09-04 18:59:01 Debug (0) # Executing section post-auth from file /usr/local/synoradius/rad_site_def_local
2019-09-04 18:59:01 Debug (0) } # Auth-Type PAP = ok
2019-09-04 18:59:01 Debug (0) [pap] = ok
2019-09-04 18:59:01 Debug (0) modsingle[authenticate]: returned from pap (rlm_pap)
2019-09-04 18:59:01 Debug (0) pap: User authenticated successfully
2019-09-04 18:59:01 Debug (0) pap: Comparing with "known good" Crypt-Password "$6$LFU97T6ajw2Q/a$zilaUncUFrH.XW9n4gN.kMq2osfBhcd2.D6UVa286NmOizyjxKZzpw2deyU4twmvfSgcXbfC2ABJiLM0iLVxz."
2019-09-04 18:59:01 Debug (0) pap: Login attempt with password "password" (8)
2019-09-04 18:59:01 Debug (0) modsingle[authenticate]: calling pap (rlm_pap)
2019-09-04 18:59:01 Debug (0) Auth-Type PAP {
2019-09-04 18:59:01 Debug (0) # Executing group from file /usr/local/synoradius/rad_site_def_local
2019-09-04 18:59:01 Debug (0) Found Auth-Type = PAP
2019-09-04 18:59:01 Debug (0) } # authorize = updated
2019-09-04 18:59:01 Debug (0) [pap] = updated
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from pap (rlm_pap)
2019-09-04 18:59:01 Debug (0) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
2019-09-04 18:59:01 Debug (0) pap: Normalizing LM-Password from base64 encoding, 32 bytes -> 24 bytes
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling pap (rlm_pap)
2019-09-04 18:59:01 Debug (0) [logintime] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from logintime (rlm_logintime)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling logintime (rlm_logintime)
2019-09-04 18:59:01 Debug (0) [expiration] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from expiration (rlm_expiration)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling expiration (rlm_expiration)
2019-09-04 18:59:01 Debug (0) [smbpasswd] = ok
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from smbpasswd (rlm_passwd)
2019-09-04 18:59:01 Debug (0) smbpasswd: Added SMB-Account-CTRL-TEXT: '[U ]' to config
2019-09-04 18:59:01 Debug (0) smbpasswd: Added NT-Password: '54BC4927BD320C776E53E1B38F92496B' to config
2019-09-04 18:59:01 Debug (0) smbpasswd: Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to config
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling smbpasswd (rlm_passwd)
2019-09-04 18:59:01 Debug (0) [unix] = updated
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from unix (rlm_unix)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling unix (rlm_unix)
2019-09-04 18:59:01 Debug (0) [files] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from files (rlm_files)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling files (rlm_files)
2019-09-04 18:59:01 Debug (0) [eap] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from eap (rlm_eap)
2019-09-04 18:59:01 Debug (0) eap: No EAP-Message, not doing EAP
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling eap (rlm_eap)
2019-09-04 18:59:01 Debug (0) [synorad] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from synorad (rlm_synorad)
2019-09-04 18:59:01 Debug synorad: block list[(null)]
2019-09-04 18:59:01 Debug synorad: block list[(null)]
2019-09-04 18:59:01 Debug synorad: Full name[username]
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling synorad (rlm_synorad)
2019-09-04 18:59:01 Debug (0) [suffix] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from suffix (rlm_realm)
2019-09-04 18:59:01 Debug (0) suffix: No such realm "NULL"
2019-09-04 18:59:01 Debug (0) suffix: No '@' in User-Name = "username", looking up realm NULL
2019-09-04 18:59:01 Debug (0) suffix: Checking for suffix after "@"
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling suffix (rlm_realm)
2019-09-04 18:59:01 Debug (0) [digest] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from digest (rlm_digest)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling digest (rlm_digest)
2019-09-04 18:59:01 Debug (0) [mschap] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from mschap (rlm_mschap)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling mschap (rlm_mschap)
2019-09-04 18:59:01 Debug (0) [chap] = noop
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from chap (rlm_chap)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling chap (rlm_chap)
2019-09-04 18:59:01 Debug (0) [preprocess] = ok
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: returned from preprocess (rlm_preprocess)
2019-09-04 18:59:01 Debug (0) modsingle[authorize]: calling preprocess (rlm_preprocess)
2019-09-04 18:59:01 Debug (0) authorize {
2019-09-04 18:59:01 Debug (0) # Executing section authorize from file /usr/local/synoradius/rad_site_def_local
2019-09-04 18:59:01 Debug (0) session-state: No State attribute
2019-09-04 18:59:01 Debug (0) Service-Type = Authenticate-Only
2019-09-04 18:59:01 Debug (0) NAS-Port-Type = Virtual
2019-09-04 18:59:01 Debug (0) NAS-Port = 11121
2019-09-04 18:59:01 Debug (0) NAS-Identifier = "3rdparty"
2019-09-04 18:59:01 Debug (0) NAS-IP-Address = 192.168.1.100
2019-09-04 18:59:01 Debug (0) User-Password = "password"
2019-09-04 18:59:01 Debug (0) User-Name = "username"
2019-09-04 18:59:01 Debug (0) Received Access-Request Id 166 from 192.168.1.100:57745 to 192.168.1.101:1812 length 85

What am I missing or doing wrong?

Thank you,

vl
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+vladlevin=[hidden email]] On Behalf Of Fajar A. Nugraha
Sent: Wednesday, September 04, 2019 2:41 AM
To: FreeRadius users mailing list
Subject: ++++SPAM++++ Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

On Wed, Sep 4, 2019 at 3:02 PM Levin, Vladimir <[hidden email]> wrote:
> Is that correct?[]  Yes, that is absolutely correct.

You should use quoting when replying to a message, to make your replies
easier to read, e.g.:
https://en.wikipedia.org/wiki/Posting_style#Quoted_line_prefix

> - you have no problem with potentially breaking (or voiding warranty)
> your synology nas[]  I don't have a problem with that.
> - you have access to command line[]  I do.
> - you are familiar with configuring software directly via command line[]  To a certain degree.
> - you can read (and implement) the docs[]  I guess that remains to be seen.
>
> As for "send radius attribute", if it were a normal freeradius
> installation with mysql backend, and the attribute is specific to each
> user, you probably need to add entries to radreply table, e.g.
> https://wiki.freeradius.org/guide/SQL-HOWTO#populating-sql

You can try to follow the example then. Looking at
https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.rfc2865#L35
, the attribute name should be just what you wrote earlier: 'Class'.
Try adding it (or find the way to add it using synology gui) to
radreply table for your test user.

--
Fajar

RE: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir
Alan,

1. Every single assumption you made in your last reply about what I'm doing, or thinking, or capable of is dead wrong and, frankly, insulting.  Also, I'm not a mind reader and your replies are anything but clear (or concise for that matter) and they contained no indication whatsoever that you understood the issue; quite the opposite, actually.
3. I'm doing nothing of the sort and you don't need to state the obvious.  
4. I know I can and I wasn't asking for help with that.
5. I wouldn't mind making a reasonable payment to someone who could do this for me.  The working files are in  /usr/local/synoradius/  folder by way of $INCLUDE statements in the corresponding files located in  /volume1/@appstore/RadiusServer/  folder.  Also, see my last reply to Fajar.

I know it's hard for you to understand, but try to look at me as a passerby who's had a misfortune to be stuck in your town for a couple of days and is trying to communicate with the locals without any prior knowledge of their dialect.  Chances are that, if I can make it work this time, I won't need to mess with FreeRADIUS ever again.

vl
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+vladlevin=[hidden email]] On Behalf Of Alan DeKok
Sent: Wednesday, September 04, 2019 4:02 AM
To: FreeRadius users mailing list
Subject: ++++SPAM++++ Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users



> On Sep 4, 2019, at 5:26 AM, Levin, Vladimir <[hidden email]> wrote:
>
> 1. According to Cisco tech support (and as I wrote in my original post) I need FreeRADIUS server to send RADIUS attribute class 25 with the user group name to the client (RV340).

  I already explained that I understand that.  Yet you're still explaining it over and over.

  I've seen this lots.  It indicates that you're stuck on the problem and not on the solution.  You SHOULD read my response, realize that I understand the need to use Class, and then STOP REPEATING IT.

  Learning from simple email messages shows that you can read the documentation and learn from it.  Being unable to learn from email messages explains why the documentation doesn't mean anything to you.

> 3. There was only 1 non-rhetorical question in your previous post and I did answer it to the best of my knowledge and understanding.  Also, I couldn't find any Class attribute examples you are referring to.

  Because you're looking in the Synology configuration.  They've butchered it to do whatever it is they do.  They do NOT include the default documentation or configuration in their product.

  You are aware that we aren't Synology, right?  And that you CAN download a default FreeRADIUS configuration and read it, right?  And that when I refer to the "default configuration", I mean THE SOFTWARE WE WROTE AND DISTRIBUTE.  And not the Synology thing that we know nothing about?

> 4. I think it's MySQL database; I don't know how FreeRADIUS queries it.  

  If Synology ships FreeRADIUS that's configured to use MySQL, then the configuration files are on local disk.  If you can get access to local disk, then you can find those files.  This is Unix administration 101.

> 5. Once again, I'm not a developer, but an end user of a Synology NAS and I don't have information about its inner workings.  According to Synology development team, what I'm trying to achieve "is not a default option they support" and my only alternative is to try to modify the settings myself.

  i.e. you paid money for a product, but they won't help you.  So your response is to come here, and ask *us* for help.  For free.  And, give a vague description of the problem.

>  Obviously this isn't my area of expertise and I'm clearly out of my depth here, so any help I can get is very appreciated.

  I'm trying to help you, and not being very successful.

  The issue here is simple: You've paid money for a product that doesn't do what you want.

  On top of that, we cannot help you configure a product we know nothing about.  Sure, it's based on FreeRADIUS.  But we don't know how they've configured it.  We don't know where the files are on disk.  And you can't give us that information.

  Which means we can't help you.  *You* need to understand the product you bought *first*.  Then, explain those technical details clearly and simply.  Once that's done, we can likely help you.

  But if your expectation is that we can help you based on "I don't know", or "I want to do stuff", then you are severely mistaken.

  Alan DeKok.



Re: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Fajar A. Nugraha-2
In reply to this post by Levin, Vladimir
On Thu, Sep 5, 2019 at 9:43 AM Levin, Vladimir <[hidden email]> wrote:
>
> Hi Fajar,
>
> Just to be clear: the user accounts and groups already exist in Synology's local database.

Does freeradius get the same information from that database?

>  My goal is to return the users' group as a Class attribute in the authentication reply to the RADIUS client (Cisco VPN router).  Here's what I did (working config files are located in  /usr/local/synoradius/):
> 1. Created  /usr/local/synoradius/groups  file with the following content:
> update reply {
>         Class := "%{Group}"
> }

Have you determined that %{Group} actually contains the correct group?

> The client log reads "charon: Localdb:authorization failed as group is NULL".
>
> Below is the server log:
> Type    Date & Time     Event
> 2019-09-04 18:59:06     Info    Ready to process requests
> 2019-09-04 18:59:06     Debug   (0) Cleaning up request packet ID 166 with timestamp +36671
> 2019-09-04 18:59:01     Debug   Waking up in 4.9 seconds.
> 2019-09-04 18:59:01     Debug   (0) Finished request
> 2019-09-04 18:59:01     Debug   (0) Class := 0x

Looking at this, it seems that %{Group} is expanded to null.

Where did synology define the group? If it's part of unix group, then
reading http://freeradius.1045715.n5.nabble.com/Reply-with-group-attribute-tp2781054p2781071.html
, it does not store group membership in 'Group' attribute. You might
be able to use something like
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/etc_group
, but it might or might not work depending on what's in your
/etc/group.

If your user/group are stored in sql, then it's another different
story. You might be able to get group membership using a custom SQL
query.

In any case, you can see what attributes you can use (for update
reply) in debug mode using debug_all: https://serverfault.com/a/845161

--
Fajar

RE: Re: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
In reply to this post by Levin, Vladimir
Hi Fajar,

After reading your reply I've realized that, since all Synology users belong to the "users" group, I can simply use that value in the Class statement.  And it worked!  Now all that's left to do is to include "admin" group for router administration, but it looks like there's a syntax error in the 2nd line of the code I came up with:

update reply {
        if (&User-Name == "cisco") {
                Class := "admin"
        }
        else {
                Class := "users"
        }
}

Could you tell me what I'm doing wrong?

Thanks a lot,

vl

RE: Re: Re: Re: Re: Configure Freeradius Server on a Synology NAS to Authenticate Cisco RV340 Users

Levin, Vladimir
Never mind - I figured it out:

if (User-Name == "cisco") {
        update reply {
                Class := "admin"
        }
}
else {
        update reply {
                Class := "users"
        }
}

Thanks again,

vl
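The thread ends with a working unlang snippet that picks the Class value from the User-Name (the condition sits outside the `update reply` block, which is what fixed the earlier syntax error) and, earlier, with Fajar's suggestion of deriving the group from /etc/group-style data. The following is an added example, not code from the thread, from FreeRADIUS or from Synology: it generalises the decision to group membership parsed from constructed /etc/group-style lines, refuses to emit an empty Class (the `Class := 0x` the server log showed, which the router then rejected as "group is NULL"), and encodes the resulting Access-Accept with the RFC 2865 Response Authenticator so the client side can verify it. All names (`parse_etc_group`, `class_for_user`, `reply_for`), the group file contents, the request authenticator and the shared secret are constructed for the example.

```python
import hashlib
import struct

# Constructed /etc/group-style sample for this example; not data from the NAS.
SAMPLE_ETC_GROUP = """\
users:x:100:alice,bob,cisco
administrators:x:101:cisco
"""

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # RFC 2865 section 5.25, the attribute the RV340 wants
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_etc_group(text):
    """Return {group: set(members)} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def class_for_user(username, groups, admin_group="administrators"):
    """Map group membership to the Class string: members of admin_group get
    'admin', any other known user gets 'users', unknown users get None so
    the caller never sends an empty Class."""
    if username in groups.get(admin_group, set()):
        return "admin"
    if any(username in members for members in groups.values()):
        return "users"
    return None


def encode_attribute(attr_type, value):
    """Type-Length-Value per RFC 2865; Length counts the two header octets."""
    if not value:
        # An empty value is exactly the 'Class := 0x' seen in the thread's log.
        raise ValueError("attribute %d must carry at least one octet" % attr_type)
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(req_id, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, req_id, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """Client-side check: a reply not signed with the shared secret is dropped."""
    header, given, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return given == expected


def decode_attributes(packet):
    """Walk the TLV list, rejecting malformed lengths instead of looping on them."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("packet Length field does not match packet size")
    out, pos = [], HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def reply_for(username, req_id, request_authenticator, secret, group_text=SAMPLE_ETC_GROUP):
    """Decide the Class for username and return the Access-Accept bytes."""
    cls = class_for_user(username, parse_etc_group(group_text))
    if cls is None:
        raise LookupError("no group for %r; refusing to send an empty Class" % username)
    return build_access_accept(req_id, request_authenticator, secret,
                               [(ATTR_CLASS, cls.encode())])


if __name__ == "__main__":
    # Constructed request values; the ID 166 mirrors the Access-Request in the log.
    req_auth = bytes(range(16))
    secret = b"testing123"
    pkt = reply_for("cisco", 166, req_auth, secret)
    print(decode_attributes(pkt))  # [(25, b'admin')]
```

The refusal in `reply_for` is the defensive point: a group lookup that expands to nothing should surface as an error on the server, where it can be logged and investigated, rather than as a zero-length Class that the router silently rejects.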