freeradius (MySQL configuration): adding custom attributes to the reply items

Time: 2016-03-15 13:28:13

Tags: attributes customization freeradius reply

I have hit a dead end trying to set a custom attribute as a reply item (I want to add custom information to the Access-Accept packet). While trying to achieve this, I came across this entry:

#   If you want to add entries to the dictionary file,
#   which are NOT going to be placed in a RADIUS packet,
#   add them to the 'dictionary.local' file.
#
#   The numbers you pick should be between 3000 and 4000.
#   These attributes will NOT go into a RADIUS packet.
#
#   If you want that, you will need to use VSAs.  This means
#   requesting allocation of a Private Enterprise Code from
#   http://iana.org.  We STRONGLY suggest doing that only if
#   you are a vendor of RADIUS equipment.
#
#   See RFC 6158 for more details.
#   http://ietf.org/rfc/rfc6158.txt

So I understand how this is normally supposed to be done.

But my infrastructure is set up in stages, and the radius server in question is already placed on the "inside", so I don't see why I shouldn't be able to set or override unused attributes on both ends for the second, internal authentication step.

Around this I found several threads on how to set up this kind of thing on FreeRADIUS 1.x using the users-file-based approach, but nothing for any newer version.

Is this still possible with freeradius-server-3.0.10? If so, how would I implement it?

Current state: I have added my attribute "faculty" to the dictionary (mapping an integer set in the DB to strings set in the dictionary, i.e. EI & MECH) and to the corresponding DB, so that the radius server looks up and evaluates the attribute set in "radreply" (here: := MECH) and "radgroupreply" (here: += EI).

...
rlm_sql (sql1): Reserved connection (5)
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND active > '0' AND active < '3' ORDER BY id
(1) sql1:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3'ORDER BY id
(1) sql1: User found in radcheck table
(1) sql1: Conditional check items matched, merging assignment check items
(1) sql1:   Cleartext-Password := "*password*"
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql1:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: User found in radreply table, merging reply items
(1) sql1:   faculty := MECH
(1) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql1:    --> SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: User found in the group table
(1) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Conditional check items matched
(1) sql1: Group "vid100": Merging assignment check items
(1) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Merging reply items
(1) sql1:   Tunnel-Type = VLAN
(1) sql1:   Tunnel-Medium-Type = IEEE-802
(1) sql1:   Tunnel-Private-Group-Id = "100"
(1) sql1:   faculty += EI
rlm_sql (sql1): Released connection (5)
...

The keen observer will also notice some changes to the "radcheck" query, but that change is unrelated to the topic at hand. So the server does get the information, but I haven't found a way to include it in the reply yet.

(1) Sent Access-Accept Id 81 from **IP-Radius-server**:*port* to **IP-supplicant**:*port* length 0
(1)   Tunnel-Type = VLAN
(1)   Tunnel-Medium-Type = IEEE-802
(1)   Tunnel-Private-Group-Id = "100"
(1) Finished request

Any help or pointers would be much appreciated :) Felix

2 answers:

Answer 0 (score: 5)

For anyone with a similar problem: I came up with a workaround that works for me.

As mentioned above, building custom attributes is a real pain. But what you can use is attribute 18 (Reply-Message) to convey the information.

I solved it by adding the following to the "post-auth" section of .../raddb/sites-available/default:

if (&reply:faculty && &request:NAS-IP-Address == *IP-WEBSERVER*) {
    update reply {
        Reply-Message += "Faculty: %{reply:faculty}"
    }
} 

The "faculty" information is added if it can be found in radreply or radgroupreply, and only if the request comes from the separate "webserver". Using the freeradius operators you can also weight the replies (for me: radreply :=, radgroupreply +=).

This works with freeradius 3.0.10.

I consider this thread closed - Felix

Answer 1 (score: 2)

You need to define your custom attribute as a VSA (Vendor-Specific Attribute). Attributes above 255 in the standard RADIUS dictionary are not encoded in proxied requests or replies, because the attribute field is only 1 byte wide.

If you want to do this properly, you need to apply for an IANA PEN (Private Enterprise Number) for your organisation at http://pen.iana.org/pen/PenApplication.page (after checking that one hasn't already been allocated: http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers).

You can then define your own vendor dictionary and add your own attributes using numbers between 1-255.

Here's a nice short one you can use as an example: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/share/dictionary.bt

Your vendor dictionary doesn't need a separate file; just copy the relevant lines into raddb/dictionary.

If you don't care about doing it properly, look through the PEN assignments to find a defunct company and use their PEN.
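A worked vendor dictionary for the "faculty" attribute from the question, as an added example (not taken from the answer or from the linked dictionary.bt); the vendor name Example-Org, the PEN 99999 and the attribute number 1 are placeholders standing in for the values IANA and you would allocate:

```text
# Added example: lines to append to raddb/dictionary (placeholder vendor and PEN)
VENDOR          Example-Org     99999
BEGIN-VENDOR    Example-Org
# Attribute number must be 1-255 within the vendor space; declared as integer
# so that EI and MECH can be named values, as in the question's dictionary.
ATTRIBUTE       Example-Faculty 1       integer
VALUE           Example-Faculty EI      1
VALUE           Example-Faculty MECH    2
END-VENDOR      Example-Org
```

The radreply and radgroupreply rows then use `Example-Faculty` as the attribute name (e.g. op `:=` value `MECH` in radreply, op `+=` value `EI` in radgroupreply) instead of the non-encodable `faculty`. On the wire FreeRADIUS encodes it as attribute 26 (Vendor-Specific) carrying vendor 99999 and sub-attribute 1, so it appears in the Access-Accept alongside the Tunnel-* attributes.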