FreeRADIUS InkBridge

Matching entries in the users file

Goal: To configure multiple entries for a user in the "users" file and to validate the server’s configuration by sending test packets to exercise the new entries.

Time: 30-45 minutes.

Now that we have verified that we can add a simple entry to the file, we will try more complex configurations.

In this exercise, we will add three configuration entries for a user named "bob" with clear-text password "hello". The three entries are related as follows:

  • The first will configure user "bob" with password "hello". It will configure a reply message in an appropriate attribute. This configuration entry will cause the server to continue processing the file.

  • The second entry will configure user "bob" and will match only when "bob" is asking to use PPP. The configuration entry should add the appropriate attributes to the reply, to allow "bob" to use PPP and to assign him the IP address 192.168.10.12. This entry should also cause the server to continue processing the file.

  • The last entry will configure any user asking for "framed" service, and will assign them a default route of 192.168.10.1 with netmask of 255.255.255.0.

We suggest that you approach the problem by configuring each of the three entries in isolation. That is, add one entry, then create and send test packets until the server responds with the attributes you expect. Then, comment out the first entry and repeat the process for the second entry. Do the same for the third entry. Once all entries work in isolation, uncomment the first two and verify that the combination of entries behaves as expected.

Exercise 1: Basic Configuration (Entry 1)

The first step is to configure user "bob" with password "hello". It will configure a reply message in an appropriate attribute. This configuration entry will cause the server to continue processing the file.

Add the following configuration to mods-config/files/authorize:

# Entry 1: Basic "bob" with password and reply message, continue processing
bob     Password.Cleartext := "hello"
        Reply-Message = "Hello, bob! Basic access granted.",
        Fall-Through = Yes

Execute the following command to test this configuration:

echo -e 'User-Name = "bob", User-Password = "hello"' | radclient -x 127.0.0.1 auth testing123

The debug log should show the server matching the entry and preparing the reply attributes:

(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Reply-Message = Hello, bob! Basic access granted.
(0)      files (ok)

The client should receive an Access-Accept packet with the expected Reply-Message:

Sent Access-Request Id 50 from 0.0.0.0:55490 to 127.0.0.1:1812 length 61
	Message-Authenticator = 0x
        User-Name = "bob"
        User-Password = "hello"
Received Access-Accept Id 50 from 127.0.0.1:1812 to 0.0.0.0:55490 via lo length 78
        Message-Authenticator = 0xeb6112615d97252ff1dae0d4f6eaa437
        Reply-Message = "Hello, bob! Basic access granted."
        User-Name = "bob"

Exercise 2: PPP Configuration (Entry 2)

The second entry will configure user "bob" and will match only when "bob" is asking to use PPP. The configuration entry should add the appropriate attributes to the reply, to allow "bob" to use PPP and to assign him the IP address 192.168.10.12. This entry should also cause the server to continue processing the file.

Update mods-config/files/authorize with this additional entry. The "Framed-Protocol == ::PPP" check item on the first line is what restricts the match to requests that ask for PPP; the items on the continuation lines are reply items, and "Fall-Through = Yes" tells the server to keep reading the file after this entry has matched (without it, no later entry, including the DEFAULT entry below, can ever be reached for a PPP request):

# Entry 2: "bob" for PPP only, assign IP, continue processing
# Check items (first line) are compared against the request;
# reply items (continuation lines) are added to the Access-Accept.
bob     Password.Cleartext := "hello", Framed-Protocol == ::PPP
        Framed-Protocol := ::PPP,
        Service-Type := ::Framed-User,
        Framed-IP-Address := 192.168.10.12,
        Fall-Through = Yes

Test this specific match by sending a request including Framed-Protocol = PPP. Sending the same request without Framed-Protocol should not match this entry, which is the quickest way to confirm that the check item is doing its job:

echo -e 'User-Name = "bob", User-Password = "hello", Framed-Protocol = PPP' | radclient -x 127.0.0.1 auth testing123

The debug output will confirm the match on the specific line and the assignment of attributes:

(0)      files - files - Looking for key "bob"
(0)      files - files - Found match "bob" on line 7 /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Framed-Protocol := ::PPP
(0)        files - Service-Type := ::Framed-User
(0)        files - Framed-IP-Address := 192.168.10.12
(0)      files (ok)

The received packet will contain the PPP-related attributes:

Sent Access-Request Id 152 from 0.0.0.0:38996 to 127.0.0.1:1812 length 67
	Message-Authenticator = 0x
        User-Name = "bob"
        User-Password = "hello"
        Framed-Protocol = ::PPP
Received Access-Accept Id 152 from 127.0.0.1:1812 to 0.0.0.0:38996 via lo length 61
        Message-Authenticator = 0x9bb3b6295aff4ed43c8447d004cce0df
        Framed-Protocol = ::PPP
        Service-Type = ::Framed-User
        Framed-IP-Address = 192.168.10.12
        User-Name = "bob"

Exercise 3: Default Framed User (Entry 3)

The last entry will configure any user asking for "framed" service, and will assign them a netmask of 255.255.255.0 and a route via the gateway 192.168.10.1. A Framed-Route value has the form "prefix gateway metric"; the value below describes the 192.168.10.0/24 prefix reachable via 192.168.10.1 with metric 1. If the network needs a true default route rather than a route to the local subnet, the prefix must be 0.0.0.0/0 instead.

Add this final entry to mods-config/files/authorize:

# Entry 3: Any framed user, assign netmask and default route
DEFAULT Service-Type == ::Framed-User
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "192.168.10.0/24 192.168.10.1 1"

Verify this entry by sending a request with Service-Type = Framed-User. The output below was captured with entries 1 and 2 still in place: entry 1 matches and falls through, entry 2 is skipped because the request carries no Framed-Protocol, and the DEFAULT entry then matches.

echo -e 'User-Name = "bob", User-Password = "hello", Service-Type = Framed-User' | radclient -x 127.0.0.1 auth testing123

The server logs show the match on "bob" (Entry 1) followed, because of Fall-Through, by the match on "DEFAULT" (Entry 3). Entry 2 does not appear because its Framed-Protocol check item did not match:

(0)      files - files - Looking for key "bob"
(0)      files - files - Found match "bob" on line 2 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Reply-Message = Hello, bob! Basic access granted.
(0)      files - files - Found match "DEFAULT" on line 14 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Framed-IP-Netmask = 255.255.255.0
(0)        files - Framed-Route = 192.168.10.0/24 192.168.10.1 1
(0)      files (ok)
...
(0)      pap - User authenticated successfully
(0)      pap (ok)

The response will verify that the routing information is included:

Sent Access-Request Id 87 from 0.0.0.0:38270 to 127.0.0.1:1812 length 67
	Message-Authenticator = 0x
        User-Name = "bob"
        User-Password = "hello"
        Service-Type = ::Framed-User
Received Access-Accept Id 87 from 127.0.0.1:1812 to 0.0.0.0:38270 via lo length 116
        Message-Authenticator = 0xf402e23d4f51124a521b7dac1b374367
        Reply-Message = "Hello, bob! Basic access granted."
        Framed-IP-Netmask = 255.255.255.0
        Framed-Route = "192.168.10.0/24 192.168.10.1 1"
        User-Name = "bob"

Combined Tests

Perform other authentication tests, adding the appropriate attributes to the request sent by the RADIUS client. Continue until you have packets that will match:

  • entries 1 and 2, but not 3.

  • entries 1, 2, and 3.

Testing Entries 1 and 2

To test matches for Entries 1 and 2 (while excluding Entry 3), send a request with Framed-Protocol = PPP but without Service-Type = Framed-User. Note that Entry 2 sets Service-Type := Framed-User in the reply, but the DEFAULT entry's check item is compared against the request, not the reply, so that reply item does not cause Entry 3 to match.

echo -e 'User-Name = "bob", User-Password = "hello", Framed-Protocol = PPP' | radclient -x 127.0.0.1 auth testing123

Debug Output:

(0)      files - files - Looking for key "bob"
(0)      files - files - Found match "bob" on line 2 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Reply-Message = Hello, bob! Basic access granted.
(0)      files - files - Found match "bob" on line 8 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Framed-Protocol := ::PPP
(0)        files - Service-Type := ::Framed-User
(0)        files - Framed-IP-Address := 192.168.10.12
(0)      files (ok)
...
(0)      pap - User authenticated successfully
(0)      pap (ok)

Response:

Sent Access-Request Id 245 from 0.0.0.0:34406 to 127.0.0.1:1812 length 67
	Message-Authenticator = 0x
        User-Name = "bob"
        User-Password = "hello"
        Framed-Protocol = ::PPP
Received Access-Accept Id 245 from 127.0.0.1:1812 to 0.0.0.0:34406 via lo length 96
        Message-Authenticator = 0x4fa7862a8a360b31afcd635db61126cf
        Reply-Message = "Hello, bob! Basic access granted."
        Framed-Protocol = ::PPP
        Service-Type = ::Framed-User
        Framed-IP-Address = 192.168.10.12
        User-Name = "bob"

Testing Entries 1, 2, and 3

To trigger all three entries, send a request with both Service-Type = Framed-User and Framed-Protocol = PPP. With Fall-Through = Yes on Entry 2, the debug output should show matches on lines 2, 8 and 14, and the Access-Accept should carry Framed-IP-Netmask and Framed-Route in addition to the PPP attributes. The output captured below was taken with an Entry 2 that lacked Fall-Through = Yes: processing stopped after the second match, so the DEFAULT entry was never reached and no routing attributes appear in the reply. That is exactly the mistake this exercise is meant to expose; if you see it, add Fall-Through = Yes to Entry 2 and resend the request.

echo -e 'User-Name = "bob", User-Password = "hello", Service-Type = Framed-User, Framed-Protocol = PPP' | radclient -x 127.0.0.1 auth testing123

Debug Output:

(0)      files - files - Looking for key "bob"
(0)      files - files - Found match "bob" on line 2 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Reply-Message = Hello, bob! Basic access granted.
(0)      files - files - Found match "bob" on line 8 of /etc/raddb/mods-config/files/authorize
(0)      files - files - Preparing attribute updates:
(0)        files - Password.Cleartext := hello
(0)        files - Framed-Protocol := ::PPP
(0)        files - Service-Type := ::Framed-User
(0)        files - Framed-IP-Address := 192.168.10.12
(0)      files (ok)
...
(0)      pap - User authenticated successfully
(0)      pap (ok)

Response:

Sent Access-Request Id 184 from 0.0.0.0:54989 to 127.0.0.1:1812 length 73
	Message-Authenticator = 0x
        User-Name = "bob"
        User-Password = "hello"
        Service-Type = ::Framed-User
        Framed-Protocol = ::PPP
Received Access-Accept Id 184 from 127.0.0.1:1812 to 0.0.0.0:54989 via lo length 96
        Message-Authenticator = 0x07c837908f7d3871d37456bbd924ea90
        Reply-Message = "Hello, bob! Basic access granted."
        Framed-Protocol = ::PPP
        Service-Type = ::Framed-User
        Framed-IP-Address = 192.168.10.12
        User-Name = "bob"
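The walk through the file that the three exercises and the combined tests above rely on (first matching key, "==" check items compared against the request, ":=" check items stored as control state, continue only on Fall-Through, DEFAULT matching any name) can be modelled in a few dozen lines. The following is an added example and not FreeRADIUS code: it covers only the subset of rlm_files semantics these three entries use, embeds the three entries from this page as constructed input (with the Framed-Protocol check item and Fall-Through = Yes on Entry 2 that the requirements call for), and replays the four requests sent above. It also reproduces the failure mode seen in the last capture, an Entry 2 without Fall-Through, so you can see why the DEFAULT entry is never reached in that case. Function names and the dictionary layout are this example's own.

```python
"""Model of how rlm_files walks the users file for this exercise's entries.

Added example, not FreeRADIUS code. Only the subset of users-file semantics
these three entries rely on is modelled: key matching (a user name or
DEFAULT), check items ('==' compares against the request, ':=' sets control
state), reply items (':=' overwrites, '=' adds if absent) and Fall-Through.
"""
import copy
import re

# Constructed input: the three entries from this exercise, with the
# Framed-Protocol check and Fall-Through = Yes that entry 2 requires.
USERS_FILE = """\
# Entry 1: basic "bob" with reply message, continue processing
bob     Password.Cleartext := "hello"
        Reply-Message = "Hello, bob! Basic access granted.",
        Fall-Through = Yes

# Entry 2: "bob" for PPP only, assign IP, continue processing
bob     Password.Cleartext := "hello", Framed-Protocol == ::PPP
        Framed-Protocol := ::PPP,
        Service-Type := ::Framed-User,
        Framed-IP-Address := 192.168.10.12,
        Fall-Through = Yes

# Entry 3: any framed user, assign netmask and route
DEFAULT Service-Type == ::Framed-User
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "192.168.10.0/24 192.168.10.1 1"
"""

# One 'Attribute op value' item; values are quoted strings or bare tokens.
ITEM_RE = re.compile(r'\s*([\w.-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,]+?)\s*(?:,|$)')


def parse_items(text):
    """Parse a comma-separated list of items from one line into (attr, op, value)."""
    items = []
    for attr, op, val in ITEM_RE.findall(text):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # quoted string
        elif val.startswith('::'):
            val = val[2:]            # enumerated value such as ::PPP
        items.append((attr, op, val))
    return items


def parse_users(text):
    """Split the file into entries: a key line with check items, then reply lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():                     # key at column 0: new entry
            key, _, rest = line.partition(' ')
            entries.append({'key': key, 'check': parse_items(rest), 'reply': []})
        else:                                         # indented: reply items
            entries[-1]['reply'].extend(parse_items(line))
    return entries


def process(entries, request):
    """Walk the entries as rlm_files does; return (matched numbers, control, reply).

    The first matching entry ends the walk unless its reply items include
    Fall-Through = Yes, in which case later entries are tried as well.
    """
    matched, control, reply = [], {}, {}
    name = request.get('User-Name')
    for number, entry in enumerate(entries, 1):
        if entry['key'] not in ('DEFAULT', name):
            continue
        # '==' check items must equal the request value; an absent attribute fails
        if any(op == '==' and request.get(attr) != val
               for attr, op, val in entry['check']):
            continue
        control.update((attr, val) for attr, op, val in entry['check'] if op == ':=')
        fall_through = False
        for attr, op, val in entry['reply']:
            if attr == 'Fall-Through':
                fall_through = val.lower() == 'yes'   # consumed, never sent
            elif op == ':=' or attr not in reply:
                reply[attr] = val
        matched.append(number)
        if not fall_through:
            break
    return matched, control, reply


def drop_fall_through(entries, number):
    """Copy of the entries with Fall-Through removed from entry 'number' (1-based)."""
    out = copy.deepcopy(entries)
    out[number - 1]['reply'] = [i for i in out[number - 1]['reply'] if i[0] != 'Fall-Through']
    return out


ENTRIES = parse_users(USERS_FILE)


def run(extra, entries=ENTRIES):
    """The exercise's bob/hello request plus extra attributes, e.g. {'Framed-Protocol': 'PPP'}."""
    return process(entries, {'User-Name': 'bob', 'User-Password': 'hello', **extra})


if __name__ == '__main__':
    both = {'Service-Type': 'Framed-User', 'Framed-Protocol': 'PPP'}
    for label, extra in [('entry 1 only', {}), ('entries 1+2', {'Framed-Protocol': 'PPP'}),
                         ('entries 1+3', {'Service-Type': 'Framed-User'}), ('entries 1+2+3', both)]:
        matched, _, reply = run(extra)
        print(f'{label:14} matched={matched} reply={sorted(reply)}')
    # Entry 2 without Fall-Through: the walk stops there and DEFAULT is never reached
    matched, _, reply = run(both, drop_fall_through(ENTRIES, 2))
    print(f'{"no fall-thru":14} matched={matched} reply={sorted(reply)}')
```

The model is deliberately narrow: it does not know about the "=" check operator, regular expressions, Auth-Type, or the request-modifying operators rlm_files also accepts, and it does no authentication at all (that is rlm_pap's job once the files module has stored Password.Cleartext in the control list). What it does show is the one thing the captured outputs above depend on: which entries are consulted for a given request, and where the walk stops.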

Questions

  1. What is the difference between the Framed-Route and Framed-Routing Attributes?

  2. What is the Framed-IP-Netmask attribute used for?

  3. What are potential pitfalls with entry 2? That is, the entry meets the requirements, but do the requirements fit the needs of the network?

  4. How does this kind of simple configuration scale to many users?