In this article I would like to share my experience of setting up freeradius to support several types of user authentication at once.
Unfortunately, when I ran into this problem I could not find a ready-made solution anywhere on Google or Yandex, so I had to read the manuals myself.
So, the problem and its solution:
GIVEN:
1) A server running CentOS 6.6 with the freeradius package installed (version 2.1.12).
2) A SAS server (SafeNet Authentication Service) providing two-factor authentication for RADIUS users.
3) User accounts are stored both on the SAS server and in the MySQL database deployed on the RADIUS server.
4) The integration of freeradius with SAS has already been completed according to the instructions and is working; I will not cover it in this article.
5) The integration of freeradius with MySQL is also configured.
PROBLEM:
When the SAS authentication module is enabled, RADIUS stops authenticating users whose accounts are stored in MySQL (i.e. in RADIUS itself).
For the integration of freeradius with SAS, an additional module, challAvecAuth, is used; it is listed in the authorize and authenticate sections of /etc/raddb/sites-enabled/default. Although every freeradius guide states that, when processing the authorize section, the server tries each listed module in turn, in practice I found that wherever challAvecAuth appears in the authorize section (at the beginning, in the middle, or at the end) it "forces" freeradius to use only itself, and ALL other modules stop working.
TASK:
Authenticate users user1 and user2 via SAS, and users user3 and user4 via RADIUS itself.
SOLUTION:
To solve this, the unlang language built into freeradius was used. With it I described a condition under which users user1 and user2, who belong to the operators group, are authenticated via SAS, while users user3 and user4, who belong to the admins group, are authenticated by RADIUS itself. Group membership is stored in the MySQL database, as are the username/password pairs of user3 and user4.
MySQL table structure:
select * from radusergroup;
username | groupname | priority
user1    | operators | 0
user2    | operators | 0
user3    | admins    | 0
user4    | admins    | 0
select * from radcheck;
id | username | attribute          | op | value
1  | user3    | Cleartext-Password | := | User3pwd
2  | user4    | Cleartext-Password | := | User4pwd
In the authorize section of the /etc/raddb/sites-enabled/default file, make the following changes:
1) Uncomment the sql module (if it is not already uncommented).
2) AFTER the sql module, add the following condition:
    if (Sql-Group == "admins") { pap } else { challAvecAuth }
3) And comment out the stand-alone line
    pap
As a result, the authorize section looks like this:
    authorize {
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        sql
        expiration
        logintime
        if (Sql-Group == "admins") {
            pap
        }
        else {
            challAvecAuth
        }
    }
The condition here is the simplest possible: if the user is in the admins group, the pap module authenticates them; if in any other group, challAvecAuth (i.e. SAS) does. What conditions to write depends only on your task and your imagination.
4) Restart the radius service and get the PROFIT!
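As an added example (not the article's own configuration), here are authorize and authenticate sections for FreeRADIUS 2.x that extend the article's condition: admins go to pap, operators go to SAS, and a user with no row in radusergroup is explicitly rejected instead of falling through to SAS. The reject branch and the Reply-Message text are my assumptions about the desired policy; the SAS module's own authenticate block is not reproduced.

```unlang
# Added example, not the article's config: FreeRADIUS 2.x authorize/authenticate
# for /etc/raddb/sites-enabled/default. Group names come from the article;
# the explicit reject branch is an assumed policy extension.
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    sql
    expiration
    logintime

    # Sql-Group is evaluated by rlm_sql against the radusergroup table.
    if (Sql-Group == "admins") {
        # Local accounts: radcheck holds Cleartext-Password, so pap sets
        # Auth-Type = PAP and the authenticate section verifies the password.
        pap
    }
    elsif (Sql-Group == "operators") {
        # Two-factor accounts are handled by the SAS module.
        challAvecAuth
    }
    else {
        # No group row: fail closed with an explicit reply instead of
        # silently falling through to SAS.
        update reply {
            Reply-Message := "User is not assigned to an authentication group"
        }
        reject
    }
}

authenticate {
    # Needed so that requests tagged Auth-Type = PAP above are checked
    # against radcheck.
    Auth-Type PAP {
        pap
    }
    # The SAS module's own Auth-Type block belongs here, as configured during
    # the SAS integration the article refers to (not reproduced).
}
```

Run radiusd -X while testing so that the debug output shows which branch each request took.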