Standard & Realm Authentication


Standard & Realm Authentication

Richard J Palmer

Hello All

We have been using FreeRadius for quite a long time to authenticate
PPPoE and L2TP sessions and hotspots. So far everything works.

However, I'd like to add an extra function and wondered if you could
provide some pointers.

Generally Users send their username - we look in SQL and return Data
from radreply / ip pools etc. We have no problem there.

On our LNS / LAC Devices we also have a small number of sessions that
we forward to other ISPs. With these we don't have the username - but
forward based on realm

On our LNS We have:

---
 <match name="EXAMPLE-FWD"
          graph="EXAMPLE-FWD"
         username="*myexample.co.uk @example.ws"
          payload-table="0"
          relay-pick="true"
          relay-ip="1.2.3.4 1.2.3.5"
          relay-secret="test123"
          relay-hostname="test-hostname"/>
---

As an alternative the LNS can get this data from Radius - and given
the growing number of LNS devices - rather than keeping the sync up to
date on multiple devices it makes sense to run this as part of the
radius.

NOTE this is not a radius proxy - where we pass on the radius request
if it's a matching realm - BUT a radius reply to the LNS telling it to
forward the connection on to the customers LNS.

What I am trying to achieve in FreeRadius is

1) If there's an exact username (as now) continue as now
2) If there's not a match, run a second SQL query which will find the
realm - and return accept. And then pass back the necessary attributes
to allow the session to forward.

Pretty happy to do most of the work here but some pointers would be
perfect.

I could I suppose do this by replacing the SQL query with a stored
procedure - but open to any better ideas?

Thanks in advance

Richard
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Standard & Realm Authentication

Alan DeKok-2
On Feb 1, 2021, at 2:42 PM, Richard J Palmer <[hidden email]> wrote:
> We have been using FreeRadius for quite a long time to authenticate PPPoE and L2TP sessions and hotspots. So far everything works.

  That's good to hear. :)

> What I am trying to achieve in FreeRadius is
>
> 1) If there's an exact username (as now) continue as now
> 2) IF there's not a match either run a second SQL which will find the realm - and return accept. And then pass back the necessary attributes back to allow the session to forward.

  I'd break that down into 3 steps.  The question is how do you "find the realm" ?

> Pretty happy to do most of the work here but some pointers would be perfect.
>
> I could I suppose do this by replacing the SQL query with a stored procedure - but open to any better ideas?

  Run the SQL module as-is, ensuring that the key is User-Name:

        sql
        if (notfound) {
                ... extra magic goes here ...
        }

  You'll need to do a few things after this.  One is to figure out how to turn the User-Name into a realm.  Ideally you put this into some kind of regex / SQL table, whatever.  How this is done depends on you.  And with minimal information, we can't really recommend anything.  Put the realm name into a My-Realm attribute (Realm is already used for other things).

  Define My-Realm in raddb/dictionary:

ATTRIBUTE My-Realm 3000 string


  The next step is to edit the SQL queries to look up realm *or* User-Name, e.g. edit

raddb/mods-config/sql/main/mysql/queries.conf

...
        sql_user_name = "%{%{My-Realm}:-%{User-Name}}"

    Then, you can insert entries into the SQL tables, keyed by User-Name *or* realm.  Then update the "extra magic here" from above:


        sql
        if (notfound) {
                ??? somehow get My-Realm from User-Name
                sql
        }

  And ensure that each of the My-Realm entries has the correct reply attributes.

  Alan DeKok.


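The three steps from the reply above, put together as one configuration. This is an added example, not Alan's or the FreeRADIUS project's own text: the dictionary line and the sql_user_name xlat are the ones quoted in the reply, while the authorize section, the realm regex (everything after a single '@') and the use of the tolower xlat are my assumptions about how to "find the realm". Adjust the regex to whatever the LNS wildcard patterns actually match.

```unlang
# --- raddb/dictionary ---
# Internal attribute carrying the derived realm. Numbers 3000 and up are
# local to the server and are never sent on the wire.
ATTRIBUTE My-Realm 3000 string

# --- raddb/mods-config/sql/main/mysql/queries.conf ---
# Key the radcheck/radreply/radusergroup lookups by My-Realm when it is
# set, otherwise by User-Name (first lookup: username; second: realm).
sql_user_name = "%{%{My-Realm}:-%{User-Name}}"

# --- raddb/sites-enabled/default, authorize section (relevant part) ---
authorize {
        filter_username
        preprocess
        chap
        mschap

        # 1) exact username lookup, exactly as today
        sql
        if (notfound) {
                # 2) no such user: derive the realm. Assumption: the realm is
                #    everything after the single '@' (filter_username has
                #    already rejected names containing more than one '@').
                if (&User-Name =~ /^[^@]+@([^@]+)$/) {
                        update request {
                                &My-Realm := "%{tolower:%{1}}"
                        }
                        # 3) second lookup, now keyed by My-Realm. Only realms
                        #    that have their own radcheck/radreply rows match;
                        #    anything else stays notfound and is rejected as
                        #    before.
                        sql
                }
        }

        expiration
        logintime
        pap
}
```

Two things to keep in mind with this layout. The realm path only runs when the exact username lookup fails, so an existing customer can never be forwarded by accident, and an unknown realm still ends in notfound and a reject, so there is no need to loosen the regex. The realm's radcheck row also needs Auth-Type := Accept (the password is checked by the customer's LNS, not here); without it pap has no "known good" password and rejects the request, which is exactly what the debug output later in this thread shows for an unknown user.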

Update_Control and Update_Reply in Post-Auth-Type = Reject

Aurélio de Souza Ribeiro Neto
Hello List,

     I want to Update_Control and Update_Reply for rejected users (not
in my database).

     My Users are coming from PAP Authentication method.

     If the users are not in my Database, I want to give an IP from a
specific Pool to these users.

     I did this in my default file in the Post-Auth-Type REJECT section, but
these settings are not working:

         Post-Auth-Type REJECT {
                 # log failed authentications in SQL, too.
                 # -sql
                 attr_filter.access_reject

                 # Insert EAP-Failure message if the request was
                 # rejected by policy instead of because of an
                 # authentication failure
                 # eap

                 #  Remove reply message if the response contains an
EAP-Message
                 remove_reply_message_if_eap

                 update control {
                  Pool-Name := "mkt_pool"
                 }

                 update reply {
                  Mikrotik-Rate-Limit := "2M/2M"
                  Framed-IP-Address !* ANY
                 }

         }

         Take a Look in my DEBUG output:

Ready to process requests
(0) Received Access-Request Id 71 from 172.17.200.2:33183 to
XXX.XXX.XXX.XXX:1812 length 148
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port = 15729152
(0)   NAS-Port-Type = Ethernet
(0)   User-Name = "testepppoe2"
(0)   Calling-Station-Id = "D8:77:8B:65:C5:B4"
(0)   Called-Station-Id = "CE - POP ENCOL 11"
(0)   NAS-Port-Id = "ether11"
(0)   Acct-Session-Id = "81a00200"
(0)   User-Password = "testeppp"
(0)   NAS-Identifier = "CE-ENCOL"
(0)   NAS-IP-Address = 172.17.200.2
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
-> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0) files: users: Matched entry DEFAULT at line 167
(0)     [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> testepppoe2
(0) sql: SQL-User-Name set to 'testepppoe2'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 77
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 77
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 76
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 76
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'mpc_freeradius' on
mysql.mpc.com.br via TCP/IP, server version 5.7.32-0ubuntu0.16.04.1-log,
protocol version 10
rlm_sql (sql): Reserved connection (6)
(0) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute,
R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'%{SQL-User-Name}'                                  AND M.usuario_login
=  BINARY '%{SQL-User-Name}'                                  AND
N.nasname =  '%{Nas-IP-Address}'                                  AND
N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = 
BINARY '%{SQL-User-Name}' AND plano_id NOT IN (6,8,9,793) AND gateway_id
= ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname =
'%{Nas-IP-Address}' )                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'%{SQL-User-Name}'                                  AND M.usuario_login
=  BINARY '%{SQL-User-Name}'                                  AND
M.grupocliente = 'ALL-POPS'
(0) sql:    --> SELECT DISTINCT (R.id), R.username, R.attribute,
R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'testepppoe2'                                  AND M.usuario_login = 
BINARY 'testepppoe2'                                  AND N.nasname = 
'172.17.200.2'                                  AND N.gw_id = (SELECT
gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
'testepppoe2' AND plano_id NOT IN (6,8,9,793) AND gateway_id = ( SELECT
gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.200.2'
)                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'testepppoe2'                                  AND M.usuario_login = 
BINARY 'testepppoe2'                                  AND M.grupocliente
= 'ALL-POPS'
(0) sql: Executing select query: SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'testepppoe2'                                  AND M.usuario_login = 
BINARY 'testepppoe2'                                  AND N.nasname = 
'172.17.200.2'                                  AND N.gw_id = (SELECT
gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
'testepppoe2' AND plano_id NOT IN (6,8,9,793) AND gateway_id = ( SELECT
gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.200.2'
)                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'testepppoe2'                                  AND M.usuario_login = 
BINARY 'testepppoe2'                                  AND M.grupocliente
= 'ALL-POPS'
(0) sql: WARNING: User not found in radcheck table.
rlm_sql (sql): 1 of 1 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'mpc_freeradius' on
mysql.mpc.com.br via TCP/IP, server version 5.7.32-0ubuntu0.16.04.1-log,
protocol version 10
rlm_sql (sql): Reserved connection (7)
rlm_sql (sql): Released connection (7)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'mpc_freeradius' on
mysql.mpc.com.br via TCP/IP, server version 5.7.32-0ubuntu0.16.04.1-log,
protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'testepppoe2' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = 'testepppoe2' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (6)
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> testepppoe2
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)     update control {
(0)       Pool-Name := "mkt_pool"
(0)     } # update control = noop
(0)     update reply {
(0)       Mikrotik-Rate-Limit := "2M/2M"
(0)       Framed-IP-Address !* ANY
(0)     } # update reply = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [testepppoe2/testeppp] (from client
ce-pop-encol port 15729152 cli D8:77:8B:65:C5:B4)
(0) Delaying response for 1.000000 seconds
Waking up in 0.5 seconds.
Waking up in 0.4 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 71 from XXX.XXX.XXX.XXX:1812 to
172.17.200.2:33183 length 33
(0)   Mikrotik-Rate-Limit := "2M/2M"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 71 with timestamp +76
Ready to process requests

     How can I solve this?

     Thanks

Aurélio





Re: Update_Control and Update_Reply in Post-Auth-Type = Reject

Alan DeKok-2
On Feb 8, 2021, at 9:26 AM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>     I want to Update_Control and Update_Reply for rejected users (not in my database).
>
>     My Users are coming from PAP Authentication method.
>
>     If the users are not in my Database, I want to give an IP from a specific Pool to these users.

  Then you have to turn a reject into accept.  You can't assign IPs in an Access-Reject packet.

  And the server can't turn an Access-Reject into an Access-Accept.  You have to catch the error earlier in the process.

>     I did this in my default file in the Post-Auth-Type REJECT section, but these settings are not working:
>
>         Post-Auth-Type REJECT {
> ...
>                 update control {
>                  Pool-Name := "mkt_pool"
>                 }
>
>                 update reply {
>                  Mikrotik-Rate-Limit := "2M/2M"
>                  Framed-IP-Address !* ANY
>                 }

  None of that runs the IP pool module to assign IPs.

>         Take a Look in my DEBUG output:

  Yes!

> Ready to process requests
> ...
> (0)     [sql] = notfound

  That's the key.  Note also that the user *isn't* being rejected.  The user is unknown!

>     How can I solve this?

  In the "authorize" section, check for users who are not found:

authorize {
        ...
        sql
        if (notfound) {
                ... assign users from a different pool ...
                accept # force authentication to succeed
        }
        ...
}

  That should work.

  Alan DeKok.



Log Incorrect Password and give Specific IP

Aurélio de Souza Ribeiro Neto
In reply to this post by Aurélio de Souza Ribeiro Neto
Hello List

     I have a scenario where I want to log an incorrect PAP password in
radius.log and give an IP from a specific Pool to this user.

     I can give an IP from another pool in the authenticate section by changing
update control and update reply in the PAP reject case, but how can I log
something like:

     Mon Mar  1 16:32:20 2021 : Auth: (1072468) Login incorrect (pap:
Crypt digest does not match "known good" digest): [testepppoe2/testeppp]
(from client ce-pop-encol port 15729869 cli 00:E0:4C:DA:BC:83)

     Some hints are welcome

     Thanks again

Aurelio





Re: Log Incorrect Password and give Specific IP

Alan DeKok-2
On Mar 1, 2021, at 6:44 PM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>
>     I have a scenario that I want to LOG Incorrect PAP password in radius.log and give IP from a specific Pool to this user.
>
>     I can give an IP from another pool in the authenticate section by changing update control and update reply in the PAP reject case, but how can I log something like:
>
>     Mon Mar  1 16:32:20 2021 : Auth: (1072468) Login incorrect (pap: Crypt digest does not match "known good" digest): [testepppoe2/testeppp] (from client ce-pop-encol port 15729869 cli 00:E0:4C:DA:BC:83)

  The "log" section of radiusd.conf shows what can be logged.  It also shows how you can edit the log messages.

  Where did that example log entry come from?  Can you just copy the configuration from that system to another system?

  Alan DeKok.



Re: Log Incorrect Password and give Specific IP

Aurélio de Souza Ribeiro Neto
Alan,

On 01/03/2021 21:03, Alan DeKok wrote:
> On Mar 1, 2021, at 6:44 PM, Aurélio de Souza Ribeiro Neto <[hidden email]> wrote:
>>      I have a scenario that I want to LOG Incorrect PAP password in radius.log and give IP from a specific Pool to this user.
>>
>>      I can give an IP from another pool in the authenticate section by changing update control and update reply in the PAP reject case, but how can I log something like:
>>
>>      Mon Mar  1 16:32:20 2021 : Auth: (1072468) Login incorrect (pap: Crypt digest does not match "known good" digest): [testepppoe2/testeppp] (from client ce-pop-encol port 15729869 cli 00:E0:4C:DA:BC:83)
>    The "log" section of radiusd.conf shows what can be logged.  It also shows how you can edit the log messages.
>
>    Where did that example log entry come from?  Can you just copy the configuration from that system to another system?

     Maybe I'm not being clear!

     In the authorize method I want to log "Login Incorrect" and then give an
IP from a specified pool to the user without rejecting the user.

     How can I do this?

Thanks




>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

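One way to do what the last two questions ask (catch the unknown user in authorize, log it, hand out an address from the separate pool and accept instead of reject), following the "sql / if (notfound)" pattern from Alan's earlier reply. This is an added example and not configuration from the thread or from the FreeRADIUS project: the linelog instance name and its format string are mine, Auth-Type := Accept is my assumption for "force authentication to succeed", and sqlippool is assumed to be configured for the mkt_pool pool.

```unlang
# --- raddb/mods-available/linelog (new instance; the name is mine) ---
# One line per unknown user in its own file. %t is the request timestamp,
# %{Client-Shortname} is the NAS name from clients.conf.
linelog unknown_user_log {
        filename = ${logdir}/unknown_users.log
        permissions = 0600
        format = "%t : Auth: Unknown user, sent to walled-garden pool: [%{User-Name}] (from client %{Client-Shortname} port %{NAS-Port} cli %{Calling-Station-Id})"
}

# --- raddb/sites-enabled/default ---
authorize {
        filter_username
        preprocess
        chap
        mschap
        sql
        if (notfound) {
                # The user is unknown, not rejected: the debug output shows
                # "[sql] = notfound" followed by "No Auth-Type found". Log
                # it, choose the isolated pool and skip password checking.
                unknown_user_log
                update control {
                        &Pool-Name := "mkt_pool"
                        &Auth-Type := Accept
                }
                update reply {
                        &Mikrotik-Rate-Limit := "2M/2M"
                }
                ok
        }
        expiration
        logintime
        pap
}

post-auth {
        # sqlippool allocates Framed-IP-Address from &control:Pool-Name.
        # It only runs on the Access-Accept path, which is why the
        # Post-Auth-Type REJECT version earlier in the thread never
        # handed out an address.
        sqlippool
        -sql
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                remove_reply_message_if_eap
        }
}
```

Be aware of what this trades away: every unknown username is now accepted with whatever password it sends, so mkt_pool must be a network-isolated (walled-garden) range, and a customer who mistypes their own username lands there instead of getting a failed login. The log line is what lets you tell those two cases apart afterwards, so keep it even if nothing else from this example is used.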