(RADIATOR) RewriteUsername - AuthBy LDAP

Scott Ehnert scott.ehnert at gmail.com
Tue Aug 2 19:40:59 CDT 2005


Hello,

Warning: novice radius user...

What I am trying to accomplish is this:

Any given user tries to connect to a network device by connecting with
their username, i.e. 'ssh someuser at box.somenet.net'.  The Radius
server authenticates on user 'someuser', maps that to a pre-defined
access class, then rewrites 'someuser' to user 'full-access' after the
LDAP authentication has been completed.  User 'full-access' will be
defined as a user on the NAS, this way I don't have to define
individual users on each individual device, I can instead define a
class with appropriate privileges.

What happens now if I use the RewriteUsername function is that it does
the rewrite before the LDAP authorization occurs, returning an
Access-Reject as there is no username.

Is this something that can be accomplished as I have described it?  Is
there a different/better way?

----Archive info----
I found one reference in the archive that may be appropriate...

http://www.open.com.au/archives/radiator/2004-06/msg00170.html
You may need to remove the first User-Name before adding the second
one (whether this works on the Cisco remains to be seen).

	StripFromReply User-Name
	AddToReply User-Name = .....

----end Archive info----

My basic info follows.  I have the first rewrite to strip the realm;
the second rewrite is currently for testing and is not intended to be
the final syntax.

config file snippet:

<Realm box.somenet.net>
        # Strip the realm: 'someuser@box.somenet.net' -> 'someuser'
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                NoDefault
                Host            localhost
                AuthDN          cn=admin, dc=somenet, dc=net
                AuthPassword    <scrubbed>
                BaseDN          dc=somenet, dc=net
                Version         3
                UsernameAttr    cn
                PasswordAttr    passwd
                ServerChecksPassword
                Debug           255
                # Test rewrite only: replaces the request User-Name
                # (and therefore the name looked up in LDAP) with 'radius2'
                RewriteUsername s/^.*/radius2/
        </AuthBy>
        # Log accounting to a detail file
        AcctLogFileName %D/detail
</Realm>

radiusd output snippet:

Tue Aug  2 17:10:55 2005: DEBUG: No entries for radius2 found in LDAP database
Tue Aug  2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match with radius2
Tue Aug  2 17:10:55 2005: INFO: Access rejected for radius2: No such user
Tue Aug  2 17:10:55 2005: DEBUG: Packet dump:
*** Sending to 10.255.255.243 port 4491 ....

Packet length = 36
03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 216
Authentic:  Z<255><18><244><1><240>)<16><188><27>$<148><165><5><168>s
Attributes:
        Reply-Message = "Request Denied"


Thanks for any help,

-=Scott

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
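The archive suggestion quoted in the post, written out as a complete Realm, as an added example that is not part of the original message and not Radiator's own documentation. It assumes the NAS has a local account named 'full-access', that LDAP runs on localhost as in the post, and that the NAS honours a User-Name attribute returned in the Access-Accept; the point it shows is that RewriteUsername changes the User-Name of the request (so it changes what is looked up), while StripFromReply and AddToReply change the reply sent back to the NAS after authentication has succeeded.

```conf
# Added example (not from the original post or the Radiator distribution).
# Assumptions: NAS local user 'full-access' exists; the NAS applies the
# User-Name returned in the Access-Accept; LDAP on localhost as in the post.
<Realm box.somenet.net>
        # Rewrite applied to the REQUEST before any AuthBy runs:
        # 'someuser@box.somenet.net' is looked up in LDAP as 'someuser'.
        RewriteUsername s/^([^@]+).*/$1/

        <AuthBy LDAP2>
                NoDefault
                Host            localhost
                AuthDN          cn=admin, dc=somenet, dc=net
                AuthPassword    <scrubbed>
                BaseDN          dc=somenet, dc=net
                Version         3
                UsernameAttr    cn
                # ServerChecksPassword binds to LDAP as the user with the
                # supplied password, so no PasswordAttr is read back.
                ServerChecksPassword

                # These two act on the REPLY, i.e. only after the LDAP bind
                # succeeded: drop any User-Name already in the reply, then
                # return the shared class account defined on the NAS.
                StripFromReply  User-Name
                AddToReply      User-Name = full-access
        </AuthBy>

        # Log accounting to a detail file
        AcctLogFileName %D/detail
</Realm>
```

Two caveats for anyone trying this. RFC 2865 only says a NAS SHOULD use a User-Name received in an Access-Accept in its Accounting-Requests for that session; whether a given device also treats it as the login identity and applies the privileges of the local 'full-access' account is vendor-specific, which is exactly the "remains to be seen" in the quoted archive message. Second, if the NAS does use the returned name, every session is accounted as 'full-access', so the original identity survives only in the RADIUS server's own logs; keep the Access-Request logging on the server if per-user attribution matters.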

