(RADIATOR) Group checking *only* with AuthBy UNIX?
Ray Van Dolson
rayvd at corp.digitalpath.net
Thu Jun 16 19:23:53 CDT 2005
Hope this isn't a repost. My original didn't appear on the list so am
resending.
Got things to work how I want. Here's how I'm doing it:
1. Match on Realm and NAS-IP-Address in Handler
2. Call PreAuthHook. This hook temporarily strips the realm from the username,
checks for the user in the Unix password file and gets the associated group
out and adds it to the Access-Request packet as "Unix-Group"
3. Authenticate against the file digitalpath.speeds
4. This file matches on the Unix-Group set above and adds the Ascend rate
shaping attributes on a per-group basis. It also uses the Auth-Type check
attribute to call the AuthType block with the DigiAuth Identifier.
5. AuthBy FILE with Identifier of DigiAuth authenticates against a file with
username and password combos (could also contain our Framed-IP-Addresses).
The AuthBy block also handles adding our MPPE Keys, MPPE Encryption policy
and the interim interval settings.
So we're not really authenticating against the Unix PW file, just using it for
group membership tests which then are used to select the appropriate speed
plan and still authenticate using plain text for MSCHAPv2.
Still need to add some error checking for a default group (if the user's Unix
account is a member of a group I don't check for) or if the user doesn't exist
in the Unix password file.
But for now it does what I want. Hope someone out there finds this mildly
interesting.
Excerpt from radius.cfg:
<AuthBy FILE>
    Identifier DigiAuth
    # For testing only.
    Nocache
    AutoMPPEKeys yes
    AddToReply MS-MPPE-Encryption-Policy=Encryption-Required,Acct-Interim-Interval=300
    Filename %D/digitalpath.users
</AuthBy>

# Authentication Requests
<Handler Realm=domain.net,NAS-IP-Address=XXX.XXX.XX.X>
    PacketTrace
    PreAuthHook file:"%D/hooks/digitalpath_get_unix_group.pl"
    <AuthBy FILE>
        # For testing only.
        Nocache
        Filename %D/digitalpath.speeds
    </AuthBy>
    # Pass the reason for rejection back to the customer.
    RejectHasReason
</Handler>
digitalpath_get_unix_group.pl:
sub {
    # Setup local variables.
    my $name;
    my $passwd;
    my $uid;
    my $gid;
    my $quota;
    my $comment;
    my $gcos;
    my $dir;
    my $shell;
    my $expire;

    # Retrieve the packet.
    my $p = ${$_[0]};
    # Retrieve the request type.
    my $code = $p->code();

    if ($code eq 'Access-Request') {
        my $group = $p->get_attr('Unix-Group');
        if (!defined($group)) {
            # Retrieve the username.
            my $username = $p->get_attr('User-Name');
            # Strip realm.
            $username =~ s/^([^@]+).*/$1/;
            # Does the username even exist?
            if (($name, $passwd, $uid, $gid, $quota, $comment, $gcos, $dir, $shell, $expire) = getpwnam($username)) {
                my $local_group = getgrgid($gid);
                $p->add_attr('Unix-Group', $local_group);
                &main::log($main::LOG_DEBUG, "PreAuthHook: Unix-Group resolved to $local_group");
            }
        }
    }
    return;
}
digitalpath.speeds:
# Basic Account - 384Kbps / 128Kbps
DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcb
	Ascend-Data-Rate = 384000,
	Ascend-Xmit-Rate = 128000

# Express - 2Mbps / 1Mbps
DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcexp
	Ascend-Data-Rate = 2000000,
	Ascend-Xmit-Rate = 1000000

# Excel - 1Mbps / 384Kbps
DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcexc
	Ascend-Data-Rate = 1000000,
	Ascend-Xmit-Rate = 384000

# Comp Relay Customer
DEFAULT Auth-Type = DigiAuth, Unix-Group = wirccrc
	Ascend-Data-Rate = 4000000,
	Ascend-Xmit-Rate = 2000000
digitalpath.users:
username at domain.net Password = "password"
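The error checking the post says is still missing (a user absent from the Unix password file, or a primary group that none of the speed plans match), worked into the same PreAuthHook shape. This is an added example, not the author's hook: the list of known groups is taken from the digitalpath.speeds entries above, and the fallback group name wirmcdef is hypothetical and assumes a matching final DEFAULT entry in digitalpath.speeds (e.g. the Basic rates) so that such users get a known plan instead of no rate attributes at all.

```perl
# Added example: digitalpath_get_unix_group.pl with default-group and
# missing-user handling. Not the original hook from the post.
sub {
    my $p = ${$_[0]};
    return unless $p->code() eq 'Access-Request';
    return if defined $p->get_attr('Unix-Group');   # already resolved earlier

    # Groups that digitalpath.speeds knows about (list taken from the post),
    # plus a hypothetical fallback group that a final DEFAULT entry must match.
    my %known    = map { $_ => 1 } qw(wirmcb wirmcexp wirmcexc wirccrc);
    my $fallback = 'wirmcdef';   # assumption: must exist in digitalpath.speeds

    my $username = $p->get_attr('User-Name');
    return unless defined $username;
    (my $local = $username) =~ s/^([^@]+).*/$1/;   # strip the realm

    # getpwnam returns an empty list when the account does not exist.
    my @pw = getpwnam($local);
    if (!@pw) {
        &main::log($main::LOG_WARNING,
            "PreAuthHook: no Unix account for '$local'; using $fallback");
        $p->add_attr('Unix-Group', $fallback);
        return;
    }

    # Primary group name for the gid, or undef if the gid has no group entry.
    my $gname = getgrgid($pw[3]);
    if (!defined $gname || !$known{$gname}) {
        my $shown = defined $gname ? $gname : 'unknown';
        &main::log($main::LOG_WARNING,
            "PreAuthHook: group $shown for '$local' has no speed plan; using $fallback");
        $gname = $fallback;
    }

    $p->add_attr('Unix-Group', $gname);
    &main::log($main::LOG_DEBUG, "PreAuthHook: Unix-Group resolved to $gname");
    return;
}
```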
--
Archive at http://www.open.com.au/archives/radiator/