(RADIATOR) Group checking *only* with AuthBy UNIX?
Hugh Irvine
hugh at open.com.au
Thu Jun 16 20:26:47 CDT 2005
Hello Ray -
Thanks very much for your most informative post.
regards
Hugh
On 17 Jun 2005, at 10:23, Ray Van Dolson wrote:
> Hope this isn't a repost. My original didn't appear on the list so am
> resending.
>
> Got things to work how I want. Here's how I'm doing it:
>
> 1. Match on Realm and NAS-IP-Address in Handler
> 2. Call PreAuthHook. This hook temporarily strips the realm from the
> username, checks for the user in the Unix password file and gets the
> associated group out and adds it to the Access-Request packet as
> "Unix-Group"
> 3. Authenticate against the file digitalpath.speeds
> 4. This file matches on the Unix-Group set above and adds the Ascend
> rate shaping attributes on a per-group basis. It also uses the Auth-Type
> check attribute to call the AuthType block with the DigiAuth Identifier.
> 5. AuthBy FILE with Identifier of DigiAuth authenticates against a file
> with username and password combos (could also contain our
> Framed-IP-Addresses). The AuthBy block also handles adding our MPPE Keys,
> MPPE Encryption policy and the interim interval settings.
>
> So we're not really authenticating against the Unix PW file, just using
> it for group membership tests, which then are used to select the
> appropriate speed plan, and still authenticate using plain text for
> MSCHAPv2.
>
> Still need to add some error checking for a default group (if the user's
> Unix account is a member of a group I don't check for) or if the user
> doesn't exist in the Unix password file.
>
> But for now it does what I want. Hope someone out there finds this mildly
> interesting.
>
> Excerpt from radius.cfg:
>
> <AuthBy FILE>
>     Identifier DigiAuth
>     # For testing only.
>     Nocache
>     AutoMPPEKeys yes
>     AddToReply MS-MPPE-Encryption-Policy=Encryption-Required,Acct-Interim-Interval=300
>     Filename %D/digitalpath.users
> </AuthBy>
>
> # Authentication Requests
> <Handler Realm=domain.net,NAS-IP-Address=XXX.XXX.XX.X>
>     PacketTrace
>     PreAuthHook file:"%D/hooks/digitalpath_get_unix_group.pl"
>
>     <AuthBy FILE>
>         # For testing only.
>         Nocache
>         Filename %D/digitalpath.speeds
>     </AuthBy>
>
>     # Pass the reason for rejection back to the customer.
>     RejectHasReason
> </Handler>
>
> digitalpath_get_unix_group.pl:
>
> sub {
>     # Setup local variables (the fields returned by getpwnam).
>     my $name;
>     my $passwd;
>     my $uid;
>     my $gid;
>     my $quota;
>     my $comment;
>     my $gcos;
>     my $dir;
>     my $shell;
>     my $expire;
>
>     # Retrieve the packet.
>     my $p = ${$_[0]};
>
>     # Retrieve the request type.
>     my $code = $p->code();
>
>     if ($code eq 'Access-Request') {
>         my $group = $p->get_attr('Unix-Group');
>
>         if (!defined($group)) {
>             # Retrieve the username.
>             my $username = $p->get_attr('User-Name');
>             # Strip realm (everything from the first '@' onwards).
>             $username =~ s/^([^@]+).*/$1/;
>
>             # Does the username even exist?
>             if (($name, $passwd, $uid, $gid, $quota, $comment, $gcos,
>                  $dir, $shell, $expire) = getpwnam($username)) {
>                 # Map the primary gid to its group name and tag the request.
>                 my $local_group = getgrgid($gid);
>                 $p->add_attr('Unix-Group', $local_group);
>                 &main::log($main::LOG_DEBUG,
>                            "PreAuthHook: Unix-Group resolved to $local_group");
>             }
>         }
>     }
>     return;
> }
>
> digitalpath.speeds:
>
> # Basic Account - 384Kbps / 128Kbps
> DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcb
>         Ascend-Data-Rate = 384000,
>         Ascend-Xmit-Rate = 128000
> # Express - 2Mbps / 1Mbps
> DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcexp
>         Ascend-Data-Rate = 2000000,
>         Ascend-Xmit-Rate = 1000000
> # Excel - 1Mbps / 384Kbps
> DEFAULT Auth-Type = DigiAuth, Unix-Group = wirmcexc
>         Ascend-Data-Rate = 1000000,
>         Ascend-Xmit-Rate = 384000
> # Comp Relay Customer
> DEFAULT Auth-Type = DigiAuth, Unix-Group = wirccrc
>         Ascend-Data-Rate = 4000000,
>         Ascend-Xmit-Rate = 2000000
>
> digitalpath.users:
>
> username@domain.net Password = "password"
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
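The hook in Ray's post leaves two things open that he mentions himself (no default group, no handling of accounts missing from the password file), and it also keeps any Unix-Group that already arrived in the Access-Request instead of overwriting it, so the plan selection depends on a client-supplied attribute whenever one is present. The following PreAuthHook is an added example, not Ray's code or anything shipped with Radiator: it always derives Unix-Group itself (dropping whatever the client sent), also honours supplementary group membership rather than only the primary gid, and falls back to a default plan. The group names come from the post; the choice of the slowest plan as default, the character set allowed in the local part, and the use of delete_attr and the LOG_WARNING/LOG_INFO levels are assumptions about the Radiator hook API and local policy.

```perl
# Added example (not from the original post). Assumes the same hook calling
# convention as the post: ${$_[0]} is the Radius::Radius request, and
# get_attr/add_attr/delete_attr plus &main::log are available.
sub {
    my $p = ${$_[0]};
    return unless $p->code() eq 'Access-Request';

    # Groups that digitalpath.speeds knows about, in precedence order
    # (first match wins), and the plan used when none of them applies.
    # Using the slowest plan as the default is a local policy choice.
    my @speed_groups  = qw(wirmcb wirmcexp wirmcexc wirccrc);
    my $default_group = 'wirmcb';

    # Anything the NAS or client put in Unix-Group is untrusted input;
    # remove it so the value used downstream is always ours.
    $p->delete_attr('Unix-Group');

    my $username = $p->get_attr('User-Name');
    unless (defined $username && length $username) {
        &main::log($main::LOG_WARNING,
                   'PreAuthHook: Access-Request without User-Name');
        $p->add_attr('Unix-Group', $default_group);
        return;
    }

    # Strip the realm and accept only a conservative local-part character
    # set before the name is handed to getpwnam (assumed policy).
    my ($local) = $username =~ /^([A-Za-z0-9._-]+)(?:\@.*)?$/;
    unless (defined $local) {
        &main::log($main::LOG_WARNING,
                   "PreAuthHook: unusable User-Name '$username'");
        $p->add_attr('Unix-Group', $default_group);
        return;
    }

    my $group = $default_group;
    my @pw = getpwnam($local);            # empty list if the account is missing
    if (@pw) {
        my $primary = getgrgid($pw[3]);   # element 3 of getpwnam is the gid
        my %member  = (defined $primary ? ($primary => 1) : ());

        # Supplementary membership: getgrnam's 4th element is the
        # space-separated member list of that group.
        for my $g (@speed_groups) {
            my @gr = getgrnam($g) or next;
            $member{$g} = 1 if grep { $_ eq $local } split ' ', $gr[3];
        }

        my ($hit) = grep { $member{$_} } @speed_groups;
        $group = $hit if defined $hit;
        &main::log($main::LOG_DEBUG, "PreAuthHook: $local -> Unix-Group $group"
                   . (defined $hit ? '' : ' (default)'));
    } else {
        &main::log($main::LOG_INFO,
                   "PreAuthHook: $local not in passwd, using default group $group");
    }

    $p->add_attr('Unix-Group', $group);
    return;
}
```

Dropped in as %D/hooks/digitalpath_get_unix_group.pl it is a direct replacement for the hook in the Handler above. If the intended policy for unknown accounts is rejection rather than a default plan, leave Unix-Group unset in the two fallback branches: no DEFAULT entry in digitalpath.speeds then matches, which is the behaviour the original hook already had.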