(RADIATOR) safeword multiple roles
Johan Frid
johan at frid.info
Thu May 8 06:59:18 CDT 2008
Hello, here is the copy of the config file and trace 5 debug; it's the
<ActionData><![CDATA[group=RO]]></ActionData> I want to use.
/Johan Frid
###safeword.cfg###
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 5
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<Realm DEFAULT>
<AuthBy SAFEWORD>
# The name or address of the host where the SafeWord
# PremierAccess server runs
# Defaults to localhost.
# Set this to the address of the SafeWord PremierAccess server
#Host localhost
Host 192.168.0.205
# Port to connect to on Host.
# Defaults to 5031, the default SafeWord EASSP2 port
Port 5031
# You can specify which EAP types can be used
# One-Time-Password and Generic-Token are supported
EAPType One-Time-Password,Generic-Token
AgentName secore
</AuthBy>
</Realm>
###END safeword.cfg###
####Trace 5 debug ###
Thu May 8 14:24:44 2008: DEBUG: Packet dump:
*** Received from 192.168.0.209 port 1043 ....
Packet length = 47
01 0a 00 2f 20 20 20 20 20 20 31 32 31 30 32 34
32 32 38 34 01 09 73 74 75 64 65 6e 74 02 12 6f
de 51 6a 63 15 a5 f0 82 0a 93 6f ef a9 57 92
Code: Access-Request
Identifier: 10
Authentic: 1210242284
Attributes:
User-Name = "student"
User-Password =
o<222>Qjc<21><165><240><130><10><147>o<239><169>W<146>
Thu May 8 14:24:44 2008: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu May 8 14:24:44 2008: DEBUG: Deleting session for student,
192.168.0.209,
Thu May 8 14:24:44 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
Thu May 8 14:24:44 2008: DEBUG: Radius::AuthSAFEWORD looks for match
with student [student]
Thu May 8 14:24:44 2008: DEBUG: Sending request to SafeWord:
Content-length: 297
Task-id: 3
Content-type: AUTH_MSG
<?xml version='1.0' encoding="UTF-8"?>
<AuthenRequestMsg>
<Protocol version="201"/>
<ID type="name"><![CDATA[student]]></ID>
<SafeWordSystem name="STANDARD"/>
<Agent name="secore" type="RADIUS"/>
<AgentComment><![CDATA[Radiator Radius Server AuthBy
SAFEWORD]]></AgentComment>
</AuthenRequestMsg>
Thu May 8 14:24:45 2008: DEBUG: Got reply from SafeWord:
Content-type:AUTH_MSG
Task-id:3
Content-length:251
<?xml version="1.0" encoding="UTF-8"?>
<AuthenChallengeMsg>
<Protocol version="201"/>
<ID type="name"><![CDATA[student]]></ID>
<Challenges>
<DynamicPwdChallenge authenName="SafeWord" authenNumber="1" echo="false"/>
</Challenges>
</AuthenChallengeMsg>
Thu May 8 14:24:45 2008: DEBUG: Sending request to SafeWord:
Content-length: 375
Task-id: 4
Content-type: AUTH_MSG
<?xml version='1.0' encoding="UTF-8"?>
<AuthenResponseMsg>
<Protocol version="201"/>
<SafeWordSystem name="STANDARD"/>
<ID type="name"><![CDATA[student]]></ID>
<Responses>
<DynamicPwdResponse authenNumber="1" pwd="219647"/>
</Responses>
<Agent name="secore" type="RADIUS"/>
<AgentComment><![CDATA[Radiator Radius Server AuthBy
SAFEWORD]]></AgentComment>
</AuthenResponseMsg>
Thu May 8 14:24:45 2008: DEBUG: Got reply from SafeWord:
Content-type:AUTH_MSG
Task-id:4
Content-length:295
<?xml version="1.0" encoding="UTF-8"?>
<AuthenResultMsg>
<Protocol version="201"/>
<ID type="name"><![CDATA[student]]></ID>
<AuthenResult result="passed" resultCode="1"/>
<Authorizations>
<ActionData><![CDATA[group=RO]]></ActionData>
</Authorizations>
<StatusMsg></StatusMsg>
</AuthenResultMsg>
Thu May 8 14:24:45 2008: DEBUG: Radius::AuthSAFEWORD ACCEPT: : student
[student]
Thu May 8 14:24:45 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
Thu May 8 14:24:45 2008: DEBUG: Access accepted for student
Thu May 8 14:24:45 2008: DEBUG: Packet dump:
*** Sending to 192.168.0.209 port 1043 ....
Packet length = 20
02 0a 00 14 ee 7f 92 2b 53 86 b3 df fb be 20 f8
17 f7 cb 06
Code: Access-Accept
Identifier: 10
Authentic: 1210242284
Attributes:
####End Trace 5 debug ###
Hugh Irvine wrote:
>
> Hello Johan -
>
> Thanks for your mail.
>
> In answer to your question, you would use cascaded AuthBy clauses for
> this - the first to do the authentication, and the second to apply the
> group attributes.
>
> The exact details of how to do this depend on how you are contacting
> the Safeword server, and what attributes come back in the reply.
>
> If you could send me a copy of the Radiator configuration file that
> you have been testing with together with a trace 4 debug showing what
> is happening I will take a look.
>
> regards
>
> Hugh
>
>
> On 7 May 2008, at 22:54, Johan Frid wrote:
>
>> Hello there, Johan Frid, TeliaSonera Sweden here.
>>
>> We would like to replace our freeradius installation with Radiator
>> Radius.
>>
>> Today we use Secure Computing's Premier Access 3.1.1 together with
>> freeradius since we need to be able to use wildcards in the clients
>> file.
>>
>> We also use multiple roles in our radius configuration so some users
>> have RO=Read Only access and some have RW=Read Write access.
>>
>> Here is what we would like to do.
>>
>> We would like to authenticate against the safeword server with tokens
>> and get a role from the safeword server back to the radius server.
>> Depending on the role you get back from safeword we would like to
>> send different attributes to the equipment that you tried to login to.
>>
>> Example.
>>
>> The user jorgoh tries to login to a router that has radius
>> authentication.
>>
>> telnet 192.168.1.10
>>
>> username : jorgoh
>> password : 6314h1
>>
>> Since the router asks radius for authentication it looks in the
>> safeword.cfg file and sees that it should ask the safeword server for
>> authentication.
>>
>> So now it sends jorgoh and password 6314h1 to safeword. Safeword
>> answers back that it's ok and returns the role group=RW since jorgoh
>> has read write rights.
>>
>> So now it goes back to the users file for radius and looks for the RW
>> group.
>>
>> DEFAULT Auth-Type := safeword
>> Fall-Through = 1
>>
>> DEFAULT group == RO
>> Service-Type = Administrative-User,
>> cisco-avpair = "shell:priv-lvl=1",
>> Juniper-Local-User-Name = "remote2",
>> TTY-level-start = 5,
>> TTY-level-max = 5,
>> Unisphere-Init-CLI-Access-Level = 1,
>> Unisphere-Alt-CLI-Access-Level = 5
>>
>> DEFAULT group == RW
>> Service-Type = Administrative-User,
>> cisco-avpair = "shell:priv-lvl=15",
>> Juniper-Local-User-Name = "remote1",
>> TTY-level-start = 15,
>> TTY-level-max = 15,
>> Unisphere-Init-CLI-Access-Level = 1,
>> Unisphere-Alt-CLI-Access-Level = 10
>>
>>
>> So now it sends the attributes that are listed under the
>>
>> DEFAULT group == RW to the router.
>>
>> Since it has cisco-avpair = "shell:priv-lvl=15" it will give me admin
>> rights in the router.
>>
>> So the question is how do we do the same thing with radiator radius?
>>
>> We have figured out how to get radiator radius to ask safeword for
>> authentication but not how to pass back different user rights
>> depending on the group that safeword returns.
>>
>>
>>
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
--
Mounting is used for three things: climbing on a horse, linking in a hard disk unit in data systems, and, well, mounting during sex.
-- Christa Keil
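Added example, not code from Radiator or from anyone in this thread: a Python sketch of the mapping the original post asks for, parsing the SafeWord AuthenResultMsg shown in the trace and selecting reply items by the group carried in ActionData. The comma-separated key=value form of ActionData beyond the single `group=RO` seen in the trace is an assumption, and an unknown or missing group deliberately yields no attributes rather than falling through to the RW set.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AuthenResultMsg from the trace above, for user "student".
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenResultMsg>
<Protocol version="201"/>
<ID type="name"><![CDATA[student]]></ID>
<AuthenResult result="passed" resultCode="1"/>
<Authorizations><ActionData><![CDATA[group=RO]]></ActionData></Authorizations>
<StatusMsg></StatusMsg>
</AuthenResultMsg>"""

# Reply items per group, taken from the users file in the original post (a subset).
GROUP_REPLY_ITEMS = {
    "RO": {"Service-Type": "Administrative-User", "cisco-avpair": "shell:priv-lvl=1",
           "Juniper-Local-User-Name": "remote2", "TTY-level-start": "5", "TTY-level-max": "5"},
    "RW": {"Service-Type": "Administrative-User", "cisco-avpair": "shell:priv-lvl=15",
           "Juniper-Local-User-Name": "remote1", "TTY-level-start": "15", "TTY-level-max": "15"},
}

def parse_authen_result(xml_text):
    """Return (user, passed, action_data) from a SafeWord AuthenResultMsg."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "AuthenResultMsg":
        raise ValueError("not an AuthenResultMsg: %s" % root.tag)
    user = (root.findtext("ID") or "").strip()
    res = root.find("AuthenResult")
    passed = res is not None and res.get("result") == "passed"
    action = {}
    # ActionData carries "group=RO" in the trace; comma-separated key=value pairs
    # beyond that single form are an assumption of this example.
    for ad in root.iterfind("Authorizations/ActionData"):
        for item in (ad.text or "").split(","):
            key, sep, value = item.partition("=")
            if sep:
                action[key.strip()] = value.strip()
    return user, passed, action

def reply_attributes(xml_text):
    """Reply items for the returned group, or None (reject) if not passed or group unknown."""
    user, passed, action = parse_authen_result(xml_text)
    if not passed:
        return None
    group = action.get("group")
    if group not in GROUP_REPLY_ITEMS:
        # Fail closed: an unexpected or absent group must never end up with RW items.
        return None
    return dict(GROUP_REPLY_ITEMS[group])
```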