freeradius (MySQL config) adding custom attributes to the reply-item
I ran into a dead end trying to set custom attributes as reply items (I want to add custom information to the "access accept" packet).
While trying to achieve this, I came across this entry:
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
So I understand what the usual approach should be.
But my infrastructure is set up in stages, and the radius server in question already sits on the "inside", so I don't see why I shouldn't be able to set or override unused attributes on both ends of the second, internal authentication step.
Googling, I found several threads on how to set up such things with the users-file-based approach on 1.x versions of Freeradius, but not so many for any newer version.
Is what I propose still feasible on freeradius-server-3.0.10?
If so, how should I implement it?
Current status:
I have added my attribute "faculty" to the dictionary (mapping a set of integers in the database to a set of strings in the dictionary, i.e. EI & MECH) and to the corresponding database, which causes the radius server to look up and evaluate the attribute set in "radreply" (here := MECH) and "radgroupreply" (here += EI).
...
rlm_sql (sql1): Reserved connection (5)
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND active > '0' AND active < '3' ORDER BY id
(1) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3'ORDER BY id
(1) sql1: User found in radcheck table
(1) sql1: Conditional check items matched, merging assignment check items
(1) sql1: Cleartext-Password := "*password*"
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: User found in radreply table, merging reply items
(1) sql1: faculty := MECH
(1) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql1: --> SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: User found in the group table
(1) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Conditional check items matched
(1) sql1: Group "vid100": Merging assignment check items
(1) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Merging reply items
(1) sql1: Tunnel-Type = VLAN
(1) sql1: Tunnel-Medium-Type = IEEE-802
(1) sql1: Tunnel-Private-Group-Id = "100"
(1) sql1: faculty += EI
rlm_sql (sql1): Released connection (5)
...
Keen observers will also notice some changes to the "radcheck" query, but that change is unrelated to the topic at hand.
So the server fetches the information, but I haven't yet found a way to include it in the reply.
(1) Sent Access-Accept Id 81 from **IP-Radius-server**:*port* to **IP-supplicant**:*port* length 0
(1) Tunnel-Type = VLAN
(1) Tunnel-Medium-Type = IEEE-802
(1) Tunnel-Private-Group-Id = "100"
(1) Finished request
Any help or pointers would be much appreciated :)
Felix
You need to define custom attributes as VSAs (Vendor-Specific Attributes). Attributes above 255 in the standard RADIUS dictionary will not be encoded in proxied requests or replies, because the attribute field is only 1 byte wide.
If you want to do it properly, you need to apply for an IANA PEN (Private Enterprise Number) http://pen.iana.org/pen/PenApplication.page for your organisation (after checking there isn't already one assigned http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers).
Then you can define your own vendor dictionary and add your own attributes, with numbers between 1-255.
There's a nice short example here: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/share/dictionary.bt
Your vendor dictionary doesn't need a separate file; you can just copy the relevant lines into raddb/dictionary.
If you don't care about doing it properly, look through the PEN assignments to find a defunct company and use their PEN.
For anyone with a similar problem.
I came up with a workaround that works for me.
As mentioned above, building custom attributes is really a hassle.
However, you can use attribute 18 (Reply-Message) to convey the information.
I solved it by adding the following to the "post-auth" section of .../raddb/sites-available/default:
if (&reply:faculty && &request:NAS-IP-Address == *IP-WEBSERVER*) {
    update reply {
        Reply-Message += "Faculty: %{reply:faculty}"
    }
}
This adds the "faculty" information if it can be found in radreply or radgroupreply, if and only if the request comes from a specific "webserver". Using the freeradius operator algorithm you can also weight the replies (for me: radreply := radgroupreply +=).
This works on freeradius 3.0.10.
I consider this thread closed - Felix
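As an added example (not code from this thread or from FreeRADIUS), the following Python shows on the wire why the two answers above differ: a "faculty" value is carried either as a vendor-specific attribute (attribute 26 wrapping a vendor attribute, the VSA route) or as Reply-Message (attribute 18, the workaround), and a dictionary-only number such as 3000 is rejected because it does not fit the 1-byte Type field. VENDOR_PEN = 99999 and vendor attribute number 1 are assumed placeholders, not real assignments.

```python
import struct

# Constructed placeholder values for this example (not real IANA assignments).
VENDOR_PEN = 99999          # a real deployment uses its own IANA PEN
VSA_FACULTY = 1             # vendor attribute number, must be in 1-255
REPLY_MESSAGE = 18          # standard attribute used by the workaround
VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one standard RADIUS attribute as Type(1) Length(1) Value."""
    if not 1 <= attr_type <= 255:
        # Dictionary-only numbers (e.g. 3000-4000) cannot be put in a packet.
        raise ValueError(f"attribute {attr_type} does not fit the 1-byte Type field")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(pen: int, vendor_type: int, value: bytes) -> bytes:
    """Wrap a vendor attribute in attribute 26: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor attribute numbers must be 1-255")
    inner = struct.pack("!IBB", pen, vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, inner)

def decode_attrs(data: bytes) -> list:
    """Parse attributes into (type, vendor_id, vendor_type, value); vendor fields are None for standard attributes."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("invalid attribute length")
        value, data = data[2:length], data[length:]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("malformed VSA")
            pen, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:          # Vendor-Length covers type+length+value
                raise ValueError("vendor length mismatch")
            out.append((attr_type, pen, vtype, value[6:]))
        else:
            out.append((attr_type, None, None, value))
    return out

def build_faculty_reply(faculty: str, use_vsa: bool) -> bytes:
    """Attribute payload for an Access-Accept carrying 'faculty' one of the two ways."""
    if use_vsa:
        return encode_vsa(VENDOR_PEN, VSA_FACULTY, faculty.encode())
    return encode_attr(REPLY_MESSAGE, f"Faculty: {faculty}".encode())
```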