(RADIATOR) safeword multiple roles

Mike McCauley mikem at open.com.au
Thu May 8 18:21:17 CDT 2008 

Hello Johan,

thanks for your trace.
We have now added support for a new parameter in AuthBy SAFEWORD that maps 
ActionData group names into reply attributes.

For example:
		# You can make different types of reply depending on the group
		# of the authenticated user, if there are ActionData groups 
		# sent back by SafeWord server
		GroupReply RO,Service-Type = Administrative-User,\
		    cisco-avpair = "shell:priv-lvl=1"
		GroupReply RW,Service-Type = Administrative-User,\
		    cisco-avpair = "shell:priv-lvl=15"

We hope this helps.
The new support is nw in the latest patch set.
Please let me know if there are any problems with this.

Cheers.

On Thursday 08 May 2008 21:59, Johan Frid wrote:
> Hello hers is the copy off the config file and trace 5 debug, it's the
> <ActionData><![CDATA[group=RO]]></ActionData> I'm want to use
>
>
> /Johan Frid
>
>
> ###safeword.cfg###
>
> Foreground
> LogStdout
> LogDir        .
> DbDir        .
> # User a lower trace level in production systems:
> Trace         5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>     Secret    mysecret
>     DupInterval 0
> </Client>
>
> <Realm DEFAULT>
>
>     <AuthBy SAFEWORD>
>         # The name or address of the host where the SafeWord
>         # PremierAccess server runs
>         # Defaults to localhost.
>         # Set this to the address of the SafeWord PremierAccess server
>         #Host localhost
>         Host 192.168.0.205
>
>         # Port to connet to on Host.
>         # Defaults to 5031, the default SafeWord EASSP2 port
>         Port 5031
>
>         # You can specify which EAP types can be used
>         # One-Time-Password and Generic-Token are supported
>         EAPType One-Time-Password,Generic-Token
>
>
>         AgentName secore
>     </AuthBy>
>
> </Realm>
>
> ###END safeword.cfg###
>
>
>
> ####Trace 5 debug ###
> Thu May  8 14:24:44 2008: DEBUG: Packet dump:
> *** Received from 192.168.0.209 port 1043 ....
>
> Packet length = 47
> 01 0a 00 2f 20 20 20 20 20 20 31 32 31 30 32 34
> 32 32 38 34 01 09 73 74 75 64 65 6e 74 02 12 6f
> de 51 6a 63 15 a5 f0 82 0a 93 6f ef a9 57 92
> Code:       Access-Request
> Identifier: 10
> Authentic:        1210242284
> Attributes:
>         User-Name = "student"
>         User-Password =
> o<222>Qjc<21><165><240><130><10><147>o<239><169>W<146>
>
> Thu May  8 14:24:44 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu May  8 14:24:44 2008: DEBUG:  Deleting session for student,
> 192.168.0.209,
> Thu May  8 14:24:44 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
> Thu May  8 14:24:44 2008: DEBUG: Radius::AuthSAFEWORD looks for match
> with student [student]
> Thu May  8 14:24:44 2008: DEBUG: Sending request to SafeWord:
> Content-length: 297
> Task-id: 3
> Content-type: AUTH_MSG
>
> <?xml version='1.0' encoding="UTF-8"?>
>
> <AuthenRequestMsg>
> <Protocol version="201"/>
> <ID type="name"><![CDATA[student]]></ID>
> <SafeWordSystem name="STANDARD"/>
> <Agent name="secore" type="RADIUS"/>
> <AgentComment><![CDATA[Radiator Radius Server AuthBy
> SAFEWORD]]></AgentComment>
> </AuthenRequestMsg>
>
> Thu May  8 14:24:45 2008: DEBUG: Got reply from SafeWord:
> Content-type:AUTH_MSG
> Task-id:3
> Content-length:251
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AuthenChallengeMsg>
> <Protocol version="201"/>
> <ID type="name"><![CDATA[student]]></ID>
> <Challenges>
> <DynamicPwdChallenge authenName="SafeWord" authenNumber="1" echo="false"/>
> </Challenges>
> </AuthenChallengeMsg>
>
> Thu May  8 14:24:45 2008: DEBUG: Sending request to SafeWord:
> Content-length: 375
> Task-id: 4
> Content-type: AUTH_MSG
>
> <?xml version='1.0' encoding="UTF-8"?>
> <AuthenResponseMsg>
> <Protocol version="201"/>
> <SafeWordSystem name="STANDARD"/>
> <ID type="name"><![CDATA[student]]></ID>
> <Responses>
> <DynamicPwdResponse authenNumber="1" pwd="219647"/>
> </Responses>
> <Agent name="secore" type="RADIUS"/>
> <AgentComment><![CDATA[Radiator Radius Server AuthBy
> SAFEWORD]]></AgentComment>
> </AuthenResponseMsg>
>
> Thu May  8 14:24:45 2008: DEBUG: Got reply from SafeWord:
> Content-type:AUTH_MSG
> Task-id:4
> Content-length:295
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AuthenResultMsg>
> <Protocol version="201"/>
> <ID type="name"><![CDATA[student]]></ID>
> <AuthenResult result="passed" resultCode="1"/>
> <Authorizations>
> <ActionData><![CDATA[group=RO]]></ActionData>
> </Authorizations>
> <StatusMsg></StatusMsg>
> </AuthenResultMsg>
>
> Thu May  8 14:24:45 2008: DEBUG: Radius::AuthSAFEWORD ACCEPT: : student
> [student]
> Thu May  8 14:24:45 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
> Thu May  8 14:24:45 2008: DEBUG: Access accepted for student
> Thu May  8 14:24:45 2008: DEBUG: Packet dump:
> *** Sending to 192.168.0.209 port 1043 ....
>
> Packet length = 20
> 02 0a 00 14 ee 7f 92 2b 53 86 b3 df fb be 20 f8
> 17 f7 cb 06
> Code:       Access-Accept
> Identifier: 10
> Authentic:        1210242284
> Attributes:
>
> ####End Trace 5 debug ###
>
> Hugh Irvine wrote:
> > Hello Johan -
> >
> > Thanks for your mail.
> >
> > In answer to your question, you would use cascaded AuthBy clauses for
> > this - the first to do the authentication, and the second to apply the
> > group attributes.
> >
> > The exact details of how to do this depend on how you are contacting
> > the Safeword server, and what attributes come back in the reply.
> >
> > If you could send me a copy of the Radiator configuration file that
> > you have been testing with together with a trace 4 debug showing what
> > is happening I will take a look.
> >
> > regards
> >
> > Hugh
> >
> > On 7 May 2008, at 22:54, Johan Frid wrote:
> >> Hello there Johan Frid TeliaSonera Sweden here.
> >>
> >> We would like to replace our freeradius installation with Radiator
> >> Radius
> >>
> >> Today we use Secure Computings Premier Access 3.1.1 together with
> >> freeradius since we need to be able to use wildcards in the clients
> >> file.
> >>
> >> We also use multiple roles in our radius configuration so some users
> >> have RO=Read Only access and some have RW=Read Write access.
> >>
> >> Here is what we would like to do.
> >>
> >> We would like to authenticate against the safeword server with tokens
> >> and get a role from the safeword server back to the radius server.
> >> Depending on the role you get back from safeword we would like to
> >> send different attributes to the equipment that you tried to login to.
> >>
> >> Example.
> >>
> >> The user jorgoh tries to login to a router that have radius
> >> authentication.
> >>
> >> telnet 192.168.1.10
> >>
> >> username : jorgoh
> >> password : 6314h1
> >>
> >> Since the router asks radius for authentication it look in the
> >> safeword.cfg file and sees that it should ask the safeword server for
> >> authentication.
> >>
> >> So now it sends jorgoh and password to 6314h1 to safeword. Safeword
> >> answers back that its ok and returns the role group=RW since jorgoh
> >> has read write rights.
> >>
> >> So now it goes back to the users file for radius and looks for the RW
> >> group
> >>
> >> DEFAULT Auth-Type := safeword
> >>        Fall-Through = 1
> >>
> >> DEFAULT group == RO
> >>       Service-Type = Administrative-User,
> >>       cisco-avpair = "shell:priv-lvl=1",
> >>       Juniper-Local-User-Name = "remote2",
> >>       TTY-level-start = 5,
> >>       TTY-level-max = 5,
> >>       Unisphere-Init-CLI-Access-Level = 1,
> >>       Unisphere-Alt-CLI-Access-Level = 5
> >>
> >> DEFAULT group == RW
> >>       Service-Type = Administrative-User,
> >>       cisco-avpair = "shell:priv-lvl=15",
> >>       Juniper-Local-User-Name = "remote1",
> >>       TTY-level-start = 15,
> >>       TTY-level-max = 15,
> >>       Unisphere-Init-CLI-Access-Level = 1,
> >>       Unisphere-Alt-CLI-Access-Level = 10
> >>
> >>
> >> So now it sends the attributes that is listed under the
> >>
> >> DEFAULT group == RW  to the router.
> >>
> >> Since it has cisco-avpair = "shell:priv-lvl=15" it will give me admin
> >> rights in the router.
> >>
> >> So the question is how do we do the same thing with radiator radius?
> >>
> >> We have figured out how to get radiator radius to ask safeword for
> >> authentication but not how to passback different user right
> >> depending  on the group that safeword returns.
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> > Have you checked the RadiusExpert wiki:
> > http://www.open.com.au/wiki/index.php/Main_Page

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list