[RADIATOR] Use AD group membership for SQL lookups?

Martin Burman martin.burman at gu.se
Mon Apr 14 09:56:37 CDT 2014


Hi there.

I'm a n00b in RADIUS so please bear with me.
I've read a couple of links found via Google and either I can't define my question correctly or I'm rather alone in what I'm trying to do?

I have Radiator on Red Hat Linux authenticating via Winbind/NTLM to an Active Directory server, probably a Server 2008.
I have two LDAP2 sections checking group memberships and so far all is working.
The goal is to send attributes to a Cisco ASA that contain access-lists, which group policy to use and so on and all data for this is tested and working.
The steps, from what I understand, are:
1: check username/password combo. - OK
2: Search from a set of AD groups until a match EVENTUALLY is found. - OK
3: query MySQL for attributes/values based on username. - OK
4: query MySQL for the attributes and values based on group name. - Problem here
5: If no group matches: select a default set of attributes from MySQL - problem here. Could get away with an Access-Reject also.

The closest I've got seems to be this one, suggesting PostAuthHooks:  http://www.open.com.au/pipermail/radiator/2014-February/019667.html
I've just begun reading about this but I'm a lousy programmer so I decided to ask here for a simpler solution if possible.

Below is my cleaned up config, trace 5 debug and the SQL data. For now the SQL query for groups is static; I made it that way for a sanity check.
(BTW: The Cisco AV-Pairs I'm using are allowed to be sent more than once; in FreeRADIUS this is accomplished with different assignment operators (':=' instead of '=' if I remember it right).
How is this implemented in Radiator?)

Or am I doomed to use hooks?

Best regards and thanks in advance, sorry for poor English and n00b skillZ.
Martin Burman

-----------------------------------------------------------------------------
<Client 1.2.8.247>
Secret testing123
Identifier justanidentifier
</Client>

<AuthBy NTLM>
Domain DOM.AIN.SE
DefaultDomain DOM.AIN.SE
UsernameMatchesWithoutRealm
Identifier pfntlm
UsernameFormat %U
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
EAPType MSCHAP-V2, PAP
</AuthBy>

<AuthBy LDAP2>
Identifier pfldapFWVPN-Test
Host 1.2.3.11
Port 3268
AuthDN CN=...
AuthPassword UltraSecret
BaseDN  DC=DOM,DC=AIN,DC=SE
UsernameAttr sAMAccountName
NoCheckPassword
SearchFilter (&(%0=%U)(memberOf=CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
NoDefault
NoDefaultIfFound
Debug 15
</AuthBy>

<AuthBy LDAP2>
### supposed to fail, used to check if Radiator continues as expected
Identifier pfldapNonExistent
Host 1.2.3.11
Port 3268
AuthDN CN=...
AuthPassword UtraSecret
BaseDN  DC=DOM,DC=AIN,DC=SE
UsernameAttr sAMAccountName
NoCheckPassword
SearchFilter (&(%0=%U)(memberOf=CN=NonExistentGroup,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE))
NoDefault
NoDefaultIfFound
Debug 15
</AuthBy>

<AuthBy SQL>
### Works
Identifier SQLAccounting
DBSource        dbi:mysql:radius:localhost:3306
DBUsername      rad
AuthSelect select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME=%0
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply
</AuthBy>

<AuthBy SQL>
### Stuck here
Identifier SQLgroupcheck
DBSource        dbi:mysql:radius:localhost:3306
DBUsername      rad
### A variable with group name would be great, static SQL as mentioned above
AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply
</AuthBy>

<Handler User-Name=mytestuser>
    Identifier tjosan
    AuthByPolicy ContinueWhileAccept
    AuthBy pfntlm
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        AuthBy pfldapNonExistent
        AuthBy pfldapFWVPN-Test
    </AuthBy>
    AuthBy SQLAccounting
    AuthBy SQLgroupcheck
</Handler>
___________________________________________________________________
Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
*** Received from 1.2.8.247 port 60086 ....

Packet length = 76
01 98 00 4c 4c 35 96 77 df d8 1c e1 8d eb 9b 27
....
c9 64 37 ba 3e 30 4f 4d 8d e9 88 37
Code:       Access-Request
Identifier: 152
Authentic:  L5...
Attributes:
    User-Name = "mytestuser"
    User-Password = sqrubbed
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = <196>...

Mon Apr 14 11:53:06 2014: DEBUG: Handling request with Handler 'User-Name=mytestuser', Identifier 'tjosan'
Mon Apr 14 11:53:06 2014: DEBUG:  Deleting session for mytestuser, 127.0.0.1, 0
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthNTLM: pfntlm
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: INFO: Starting NtlmAuthProg: /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Password:: XXXX==
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute NT-Domain:: x
Mon Apr 14 11:53:06 2014: DEBUG: Passing attribute Username:: x
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: Authenticated: Yes
Mon Apr 14 11:53:06 2014: DEBUG: Received attribute: .
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthNTLM ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy NTLM result: ACCEPT, 
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthGROUP: 
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthLDAP2: pfldapNonExistent
Mon Apr 14 11:53:06 2014: INFO: Connecting to 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: INFO: Attempting to bind to LDAP server 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: DEBUG: No entries for mytestuser found in LDAP database    <--- EXPECTED
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 REJECT: No such user: mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthGROUP: pfldapNonExistent result: REJECT, No such user
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthLDAP2: pfldapFWVPN-Test
Mon Apr 14 11:53:06 2014: INFO: Connecting to 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: INFO: Attempting to bind to LDAP server 1.2.3.11:3268
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got result for CN=mytestuser,OU=x
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectClass: top person organizationalPerson user
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got cn: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sn: x
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got description: xx
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got postOfficeBox: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got givenName: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got distinguishedName: CN=mytestuser,...
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got instanceType: 4
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got whenCreated: 20110212155531.0Z
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got whenChanged: 20140411194112.0Z
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got displayName: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got uSNCreated: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got memberOf: CN=FLD-..... CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=.....
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got uSNChanged: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got department:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got company: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got proxyAddresses: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got name: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectGUID: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got userAccountControl: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got pwdLastSet: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got primaryGroupID: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectSid:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sAMAccountName: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got sAMAccountType: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got showInAddressBook: CN=All Mail Users....
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got userPrincipalName: mytestuser at dom.ain.se
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got objectCategory: CN=Person,CN=Schema,CN=...
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got dSCorePropagationData: .
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got lastLogonTimestamp: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mail: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mobile: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got extensionAttribute1: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got mailNickname: mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchELCMailboxFlags:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchPoliciesExcluded:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchRecipientDisplayType: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchSafeRecipientsHash:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchVersion: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchHideFromAddressLists:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchUMDtmfMap: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got internetEncoding: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchMailboxGuid: 
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchSafeSendersHash:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got targetAddress: SMTP:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchRecipientTypeDetails:
Mon Apr 14 11:53:06 2014: DEBUG: LDAP got msExchUserCulture:
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthLDAP2 ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthGROUP: pfldapFWVPN-Test result: ACCEPT, 
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy GROUP result: ACCEPT, 
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLAccounting
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLAccounting
Mon Apr 14 11:53:06 2014: DEBUG: Connecting to 'dbi:mysql:radius:localhost:3306'

Mon Apr 14 11:53:06 2014: DEBUG: Query to 'dbi:mysql:radius:localhost:3306': 'select PASSWORD,REPLYATTR from SUBSCRIBERS where USERNAME='mytestuser'': 
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy SQL result: ACCEPT, 
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLgroupcheck
Mon Apr 14 11:53:06 2014: DEBUG: Handling with Radius::AuthSQL: SQLgroupcheck
Mon Apr 14 11:53:06 2014: DEBUG: Query to 'dbi:mysql:radius:localhost:3306': 'select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME='FWVPN-Test'': 
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL looks for match with mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: Radius::AuthSQL ACCEPT: : mytestuser [mytestuser]
Mon Apr 14 11:53:06 2014: DEBUG: AuthBy SQL result: ACCEPT, 
Mon Apr 14 11:53:06 2014: DEBUG: Access accepted for mytestuser
Mon Apr 14 11:53:06 2014: DEBUG: Packet dump:
*** Sending to 1.2.8.247 port 60086 ....

Packet length = 32
02 98 00 20 f8 5d c0 9a 7e b2 8d 5a e1 6a 50 22
13 60 39 be 08 06 c0 a8 2d 43 07 06 00 00 00 01
Code:       Access-Accept
Identifier: 152
Authentic:  <248>]...
Attributes:
    Framed-IP-Address = 192.168.45.67
    Framed-Protocol = PPP


mysql> select * from GROUPSCRIBERS;
+-------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| GROUPNAME   | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR                  | REPLYATTR                                                                                | TIMELEFT |
+-------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| mikem       | fred     | 1xMKc0GIVUNbE     | Service-Type = Framed-User | Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair = "testing testing" |      100 |
| FWVPN-Test | NULL     | NULL              | NULL                       | Framed-Protocol = PPP                                                                    |     NULL |
+-------------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
2 rows in set (0.00 sec)

mysql> select * from SUBSCRIBERS;
+----------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| USERNAME | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR                  | REPLYATTR                                                                                | TIMELEFT |
+----------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
| mikem    | fred     | 1xMKc0GIVUNbE     | Service-Type = Framed-User | Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair = "testing testing" |      100 |
| mytestuser   | NULL     | NULL              | NULL                       | Framed-IP-Address = 192.168.45.67                                                        |     NULL |
+----------+----------+-------------------+----------------------------+------------------------------------------------------------------------------------------+----------+
2 rows in set (0.01 sec)
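As an added illustration (not Radiator config, not a Radiator hook, and not code from the post), the five steps modelled in plain Python against an in-memory sqlite copy of GROUPSCRIBERS: the memberOf DNs, the group check order and the `default` row are constructed from what the post shows, and all function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample input: the memberOf DNs seen in the posted trace (the
# FLD- group name is a placeholder) and the order the two LDAP2 clauses check.
MEMBER_OF = [
    "CN=FLD-Example,OU=Groups,DC=DOM,DC=AIN,DC=SE",
    "CN=FWVPN-Test,OU=Groups,OU=AppApp,DC=DOM,DC=AIN,DC=SE",
]
CANDIDATE_GROUPS = ["NonExistentGroup", "FWVPN-Test"]

def first_matching_group(member_of, candidates):
    """Step 2: the first candidate group whose CN appears in the user's memberOf."""
    cns = {dn.split(",")[0][3:] for dn in member_of if dn.startswith("CN=")}
    return next((g for g in candidates if g in cns), None)

def parse_reply_attr(text):
    """Split a REPLYATTR value into (attribute, value) pairs; quoted values may hold
    commas and cisco-avpair may repeat, so an ordered list is returned."""
    pairs = re.findall(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)', text)
    return [(a, v.strip().strip('"')) for a, v in pairs]

def group_reply_attrs(conn, group, default_group="default"):
    """Steps 4 and 5: matched group row, else the default row, else None.
    The AD group name is bound as a parameter, never interpolated into the SQL."""
    sql = "SELECT REPLYATTR FROM GROUPSCRIBERS WHERE GROUPNAME = ?"
    for name in (group, default_group):
        if name is None:
            continue
        row = conn.execute(sql, (name,)).fetchone()
        if row and row[0]:
            return parse_reply_attr(row[0])
    return None  # no group and no default: the caller would send Access-Reject

def demo_db():
    """In-memory GROUPSCRIBERS: the two posted rows plus a constructed default row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE GROUPSCRIBERS (GROUPNAME TEXT, REPLYATTR TEXT)")
    conn.executemany("INSERT INTO GROUPSCRIBERS VALUES (?, ?)", [
        ("mikem", 'Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,'
                  'cisco-avpair = "testing testing"'),
        ("FWVPN-Test", "Framed-Protocol = PPP"),
        ("default", 'cisco-avpair = "group-policy=restricted"'),  # constructed
    ])
    return conn

if __name__ == "__main__":
    group = first_matching_group(MEMBER_OF, CANDIDATE_GROUPS)
    print(group, group_reply_attrs(demo_db(), group))
```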


