[RADIATOR] AuthByLDAP2 + AuthAttrDef and AuthByFILE

Heikki Vatiainen hvn at open.com.au
Fri Jan 20 07:22:02 CST 2012


On 01/20/2012 02:48 PM, Kurt Bauer wrote:

Hello Kurt,

> I wanted to use LDAP Attributes for further authentication according to
> Section 5.38.16 Example 3 in the Radiator Reference manual (4.9).
> Unfortunately it doesn't seem to work and the variable is not checked as
> expected if at all. It even seems to me the check item is evaluated
> against the variable name and not the value.

You are correct, % substitution is not done by default for check or
reply items. You need to explicitly enable it for the items that require
it. Please see below for what to add.

About checking NAS-IP-Address, why not check it in AuthBy LDAP2 like
below?

> Following the cfg snippets and debug outputs with comments:
> 
> radius.cfg:
> <AuthBy LDAP2>
>     include         /etc/radiator/ldap.cfg
>     Identifier      LDAP_local
>     SearchFilter    (&(aconetService=radius)(uid=%1))
>     AuthAttrDef     radiusGroupName,LDAPgroup,request
>     AuthAttrDef     ipHostNumber, LDAPipHost, request

      AuthAttrDef     ipHostNumber,NAS-IP-Address,check

> </AuthBy>
> 
> <AuthBy FILE>
>     Identifier      FILE_IP_check
>     Filename        /etc/radiator/IP_check.cfg

      # Allow % substitutions for NAS-IP-Address check item
      DynamicCheck NAS-IP-Address

> </AuthBy>
> 
> ### End of AuthBy definitions ###
> 
> ### Beginning of authentication handlers ###
> 
> <Handler Client-Identifier=radius21>
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy       LDAP_local
>         AuthBy       FILE_IP_check
>     </AuthBy>
>     <AuthLog FILE>
>         Filename /var/log/radiator/radius21.log
>         FailureFormat         %l: Access-Reject for %u (allowed
> LDAPipHost=%{LDAPipHost}, incoming request from %{NAS-IP-Address})
>         SuccessFormat         %l: Access-Accept for %u (allowed
> LDAPipHost=%{LDAPipHost}, incoming request from %{NAS-IP-Address})
>         LogSuccess            1
>         LogFailure            1
>     </AuthLog>
> </Handler>
> 
> IP_check.cfg:
> DEFAULT         NAS-IP-Address = %{LDAPipHost}
>                 Reply-Message = "var IP OK"
> 
> DEFAULT         NAS-IP-Address=193.171.16.223
>                 Reply-Message = "explicit IP OK"
> 
> 
> DEFAULT         Auth-Type = Reject
>                 Reply-Message = "Please call the helpdesk."
> 
> AuthN-Req. with completely wrong NAS-IP:
> radpwtst -s radius21.aco.net -secret xxx -dictionary
> /var/local/raddb/dictionary -auth_port 1812 -noacct -user ctac -password xxx
> 
> and according debug output:
> Fri Jan 20 12:32:48 2012: DEBUG: Packet dump:
> *** Received from 78.104.134.125 port 56934 ....
> Code:       Access-Request
> Identifier: 183
> Authentic:  s<137><150><161>z<199><246>}rr"<145><233><228><190><136>
> Attributes:
> 	User-Name = "ctac"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = ;<175><133><195>b~<173>h<27><142>Ch<20><203><169><10>
> 
> Fri Jan 20 12:32:48 2012: DEBUG: Handling request with Handler
> 'Client-Identifier=radius21', Identifier ''
> Fri Jan 20 12:32:48 2012: DEBUG:  Deleting session for ctac,
> 203.63.154.1, 1234
> Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthGROUP:
> Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
> Fri Jan 20 12:32:48 2012: INFO: Connecting to ldap1.aco.net:389
> Fri Jan 20 12:32:48 2012: INFO: Attempting to bind to LDAP server
> ldap1.aco.net:389
> Fri Jan 20 12:32:48 2012: DEBUG: LDAP got result for
> cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
> Fri Jan 20 12:32:48 2012: DEBUG: LDAP got radiusGroupName: disabled
> Fri Jan 20 12:32:48 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> ctac [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
> ACCEPT,
> Fri Jan 20 12:32:48 2012: DEBUG: Handling with Radius::AuthFILE:
> FILE_IP_check
> Fri Jan 20 12:32:48 2012: DEBUG: Reading users file
> /etc/radiator/IP_check.cfg
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
> ctac [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
> ctac [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '%{LDAPipHost}' does not match '203.63.154.1'
> in request: DEFAULT [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT1 [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '193.171.16.223' does not match '203.63.154.1'
> in request: DEFAULT1 [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT2 [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject: DEFAULT2 [ctac]
> Fri Jan 20 12:32:48 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
> result: REJECT_IMMEDIATE, Rejected explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:48 2012: DEBUG: AuthBy GROUP result: REJECT_IMMEDIATE,
> Rejected explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:48 2012: INFO: Access rejected for ctac: Rejected
> explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:48 2012: DEBUG: Packet dump:
> *** Sending to 78.104.134.125 port 56934 ....
> Code:       Access-Reject
> Identifier: 183
> Authentic:  <155><17>^6<22>p<225><179>b<19>]C<153><237>;<12>
> Attributes:
> 	Reply-Message = "Request Denied"
> 
> plus logline:
> Fri Jan 20 12:32:48 2012: Access-Reject for ctac (allowed
> LDAPipHost=193.171.16.222, incoming request from 203.63.154.1)
> 
> 
> 
> AuthN request with NAS-IP which should match the variable (value derived
> from LDAP):
> radpwtst -s radius21.aco.net -secret xxx -dictionary
> /var/local/raddb/dictionary -auth_port 1812 -noacct -nas_ip_address
> 193.171.16.222 -user ctac -password
> 
> and according debug output:
> Fri Jan 20 12:32:59 2012: DEBUG: Packet dump:
> *** Received from 78.104.134.125 port 35138 ....
> Code:       Access-Request
> Identifier: 194
> Authentic:  yN)\<133><239><190>7=<150>i#9<13>Ts
> Attributes:
> 	User-Name = "ctac"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 193.171.16.222
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password =
> <132><152><184><129><222><207><10>o<24><152><210>^<178><23><157><157>
> 
> Fri Jan 20 12:32:59 2012: DEBUG: Handling request with Handler
> 'Client-Identifier=radius21', Identifier ''
> Fri Jan 20 12:32:59 2012: DEBUG:  Deleting session for ctac,
> 193.171.16.222, 1234
> Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthGROUP:
> Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
> Fri Jan 20 12:32:59 2012: INFO: Connecting to ldap1.aco.net:389
> Fri Jan 20 12:32:59 2012: INFO: Attempting to bind to LDAP server
> ldap1.aco.net:389
> Fri Jan 20 12:32:59 2012: DEBUG: LDAP got result for
> cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
> Fri Jan 20 12:32:59 2012: DEBUG: LDAP got radiusGroupName: disabled
> Fri Jan 20 12:32:59 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> ctac [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
> ACCEPT,
> Fri Jan 20 12:32:59 2012: DEBUG: Handling with Radius::AuthFILE:
> FILE_IP_check
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
> ctac [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
> ctac [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '%{LDAPipHost}' does not match
> '193.171.16.222' in request: DEFAULT [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT1 [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '193.171.16.223' does not match
> '193.171.16.222' in request: DEFAULT1 [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT2 [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT_IMMEDIATE:
> Rejected explicitly by Auth-Type=Reject: DEFAULT2 [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
> result: REJECT_IMMEDIATE, Rejected explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:59 2012: DEBUG: AuthBy GROUP result: REJECT_IMMEDIATE,
> Rejected explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:59 2012: INFO: Access rejected for ctac: Rejected
> explicitly by Auth-Type=Reject
> Fri Jan 20 12:32:59 2012: DEBUG: Packet dump:
> *** Sending to 78.104.134.125 port 35138 ....
> Code:       Access-Reject
> Identifier: 194
> Authentic:  <242>!<185><9>;<5><246> <166><178><15>>r:<15><146>
> Attributes:
> 	Reply-Message = "Request Denied"
> 
> plus logline:
> Fri Jan 20 12:32:59 2012: Access-Reject for ctac (allowed
> LDAPipHost=193.171.16.222, incoming request from 193.171.16.222)
> 
> AuthN request to prove the rest of the setup works as the check value is
> 'hardcoded' in the file:
> radpwtst -s radius21.aco.net -secret xxx -dictionary
> /var/local/raddb/dictionary -auth_port 1812 -noacct -nas_ip_address
> 193.171.16.223 -user ctac -password xxx
> 
> and according debug output:
> Fri Jan 20 12:33:05 2012: DEBUG: Packet dump:
> *** Received from 78.104.134.125 port 41866 ....
> Code:       Access-Request
> Identifier: 200
> Authentic:  <143><252><230><153><29><26><154><246><170><199>)<21>^uZN
> Attributes:
> 	User-Name = "ctac"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 193.171.16.223
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = =<208><157><135>1b at X~B<234>U<3><131><130><26>
> 
> Fri Jan 20 12:33:05 2012: DEBUG: Handling request with Handler
> 'Client-Identifier=radius21', Identifier ''
> Fri Jan 20 12:33:05 2012: DEBUG:  Deleting session for ctac,
> 193.171.16.223, 1234
> Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthGROUP:
> Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP_local
> Fri Jan 20 12:33:05 2012: INFO: Connecting to ldap1.aco.net:389
> Fri Jan 20 12:33:05 2012: INFO: Attempting to bind to LDAP server
> ldap1.aco.net:389
> Fri Jan 20 12:33:05 2012: DEBUG: LDAP got result for
> cn=ctac,ou=aconet,ou=user,dc=aco,dc=net
> Fri Jan 20 12:33:05 2012: DEBUG: LDAP got radiusGroupName: disabled
> Fri Jan 20 12:33:05 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthLDAP2 looks for match with
> ctac [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : ctac [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthGROUP: LDAP_local result:
> ACCEPT,
> Fri Jan 20 12:33:05 2012: DEBUG: Handling with Radius::AuthFILE:
> FILE_IP_check
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
> ctac [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE REJECT: No such user:
> ctac [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '%{LDAPipHost}' does not match
> '193.171.16.223' in request: DEFAULT [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT1 [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT1 [ctac]
> Fri Jan 20 12:33:05 2012: DEBUG: Radius::AuthGROUP: FILE_IP_check
> result: ACCEPT,
> Fri Jan 20 12:33:05 2012: DEBUG: AuthBy GROUP result: ACCEPT,
> Fri Jan 20 12:33:05 2012: DEBUG: Access accepted for ctac
> Fri Jan 20 12:33:05 2012: DEBUG: Packet dump:
> *** Sending to 78.104.134.125 port 41866 ....
> Code:       Access-Accept
> Identifier: 200
> Authentic:  D<222>="w<162><14><186><248><214><222>r<190><189>&<219>
> Attributes:
> 	Reply-Message = "explicit IP OK"
> 
> plus logline:
> Fri Jan 20 12:33:05 2012: Access-Accept for ctac (allowed
> LDAPipHost=193.171.16.222, incoming request from 193.171.16.223)
> 
> 
> I tried various things, even GlobalVar, but the check just doesn't seem
> to be performed right by AuthByFILE. Is this a documentation bug and it
> isn't intended to work that way or am I missing smth. in my configuration?
> 
> Thanks a lot for your help,
> best regards,
> Kurt
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
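
A way to spot the symptom discussed in this thread in Radiator debug logs, as an added example that is not part of the original messages or of Radiator itself: the Python sketch below re-joins wrapped log records and reports check-item rejections whose expression still contains a literal `%{...}`, which means the substitution was never performed. The function names are illustrative, and the sample lines are copied from the debug output quoted above.

```python
import re

# A Radiator log record starts with a ctime-style timestamp,
# e.g. "Fri Jan 20 12:32:59 2012: DEBUG: ..."
RECORD_START = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}: ")
# Rejection message format as it appears in the thread's debug output.
CHECK_REJECT = re.compile(
    r"REJECT: Check item (?P<attr>\S+) expression '(?P<expr>[^']*)' "
    r"does not match '(?P<value>[^']*)' in request: (?P<entry>\S+)"
)
# A %{name} that survived into the compared expression was not substituted.
UNEXPANDED = re.compile(r"%\{[^}]+\}")

def unfold(lines):
    """Re-join records that mail or terminal wrapping split across lines."""
    records = []
    for raw in lines:
        line = raw.lstrip("> ").rstrip()   # drop mail quote markers
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line      # continuation of previous record
    return records

def unexpanded_checks(lines):
    """Return (entry, attribute, expression, request value) for each check
    item that was compared against a literal, unexpanded %{...} string."""
    findings = []
    for record in unfold(lines):
        m = CHECK_REJECT.search(record)
        if m and UNEXPANDED.search(m["expr"]):
            findings.append((m["entry"], m["attr"], m["expr"], m["value"]))
    return findings

# Sample input: lines from the second test request quoted in this thread.
SAMPLE = """\
> Fri Jan 20 12:32:59 2012: DEBUG: LDAP got ipHostNumber: 193.171.16.222
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '%{LDAPipHost}' does not match
> '193.171.16.222' in request: DEFAULT [ctac]
> Fri Jan 20 12:32:59 2012: DEBUG: Radius::AuthFILE REJECT: Check item
> NAS-IP-Address expression '193.171.16.223' does not match
> '193.171.16.222' in request: DEFAULT1 [ctac]
""".splitlines()

if __name__ == "__main__":
    for entry, attr, expr, value in unexpanded_checks(SAMPLE):
        print(f"{entry}: {attr} compared literally to {expr!r} (request had {value})")
```

Only the `DEFAULT` entry is reported; the `DEFAULT1` rejection is an ordinary mismatch against a literal address and is left alone.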

