I have hit a dead end trying to set a custom attribute as a reply item (I want to add custom information to the Access-Accept packet). While trying to achieve this I came across this entry:
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
So I understand how the usual approach is supposed to work.
However, my infrastructure is set up in stages, and the RADIUS server in question is already placed "inside", so I don't see why I shouldn't set or override an unused attribute on both ends of the second, internal authentication step.
Googling, I found several threads on how to set up this kind of thing with the users-file based approach on the 1.x versions of FreeRADIUS, but not so many for any newer version.
Is my suggestion still feasible with freeradius-server-3.0.10? If so, how should I implement it?
Current state: I have added my attribute "faculty" to the dictionary (mapping a set integer from the database to a set of strings in the dictionary, i.e. EI & MECH) and to the corresponding database, which results in the RADIUS server looking up and evaluating the attribute as set in "radreply" (here := MECH) and "radgroupreply" (here += EI).
...
rlm_sql (sql1): Reserved connection (5)
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' AND active > '0' AND active < '3' ORDER BY id
(1) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '*username*' AND active > '0' AND active < '3'ORDER BY id
(1) sql1: User found in radcheck table
(1) sql1: Conditional check items matched, merging assignment check items
(1) sql1: Cleartext-Password := "*password*"
(1) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '*username*' ORDER BY id
(1) sql1: User found in radreply table, merging reply items
(1) sql1: faculty := MECH
(1) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql1: --> SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = '*username*' ORDER BY priority
(1) sql1: User found in the group table
(1) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Conditional check items matched
(1) sql1: Group "vid100": Merging assignment check items
(1) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(1) sql1: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vid100' ORDER BY id
(1) sql1: Group "vid100": Merging reply items
(1) sql1: Tunnel-Type = VLAN
(1) sql1: Tunnel-Medium-Type = IEEE-802
(1) sql1: Tunnel-Private-Group-Id = "100"
(1) sql1: faculty += EI
rlm_sql (sql1): Released connection (5)
...
The keen observer will also notice some changes to the "radcheck" query, but that change is unrelated to the topic at hand. So the server does fetch the information, but I have not yet found a way to include it in the reply.
(1) Sent Access-Accept Id 81 from **IP-Radius-server**:*port* to **IP-supplicant**:*port* length 0
(1) Tunnel-Type = VLAN
(1) Tunnel-Medium-Type = IEEE-802
(1) Tunnel-Private-Group-Id = "100"
(1) Finished request
Any help or pointers would be greatly appreciated :) Felix
For anyone with a similar problem: I came up with a workaround that works for me.
As mentioned above, building custom attributes is quite a hassle. However, you can use attribute 18 (Reply-Message) to convey the information.
I solved it by adding the following to the "post-auth" section of .../raddb/sites-available/default:
if (&reply:faculty && &request:NAS-IP-Address == *IP-WEBSERVER*) {
    update reply {
        Reply-Message += "Faculty: %{reply:faculty}"
    }
}
This adds the "faculty" information if it can be found in radreply or radgroupreply, if and only if the request comes from the separate "webserver". Using the FreeRADIUS operator arithmetic you can also weight the replies (for me: radreply := radgroupreply +=).
This works with FreeRADIUS 3.0.10.
I consider this thread closed - Felix
Define the custom attribute as a VSA (Vendor-Specific Attribute). Attributes above 255 in the standard RADIUS dictionary will not be encoded in a proxied request or reply, because the attribute type field is only 1 byte wide.
If you want to do this properly, you need to apply for an IANA PEN (Private Enterprise Number) for your organisation at http://pen.iana.org/pen/PenApplication.page (after checking that one has not already been assigned: http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers).
Then you can define your own vendor dictionary and add your own attributes using numbers between 1-255.
There is a nice short example here: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/share/dictionary.bt
Your vendor dictionary does not need a separate file; you can just copy the relevant lines into raddb/dictionary.
If you don't care about doing it properly, look through the PEN assignments for a defunct company and use their PEN.
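The two answers above come down to the same wire-format constraint: the Reply-Message workaround uses a type that fits the one-octet attribute Type field, while a custom "faculty" attribute can only leave the server inside attribute 26 (Vendor-Specific), whose sub-format carries the vendor ID. The following encoder/decoder is an added example, not code from the thread or from FreeRADIUS; it uses the documentation PEN 32473 reserved by RFC 5612 and assumes vendor-type 1 for "faculty", and it shows why a dictionary.local number such as 3001 can never be placed in a packet.

```python
import struct

REPLY_MESSAGE = 18       # RFC 2865 s5.18: the attribute the workaround above reuses
VENDOR_SPECIFIC = 26     # RFC 2865 s5.26: the carrier for vendor attributes
DOC_PEN = 32473          # Private Enterprise Number reserved for documentation (RFC 5612)
FACULTY_VENDOR_TYPE = 1  # assumed vendor-type for "faculty"; not from the thread

def encode_avp(attr_type, value):
    """Standard AVP: Type(1) Length(1) Value. Type must fit one octet."""
    if not 1 <= attr_type <= 255:
        # The 3000-4000 numbers from dictionary.local end up here: usable inside
        # the server, impossible to place in the packet.
        raise ValueError(f"attribute {attr_type} does not fit the 1-octet Type field")
    if len(value) > 253:
        raise ValueError("value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def encode_vsa(vendor_id, vendor_type, value):
    """VSA payload: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value, wrapped in type 26."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor-type must be 1..255")
    inner = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return encode_avp(VENDOR_SPECIFIC, inner)

def decode_avps(data):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None for plain AVPs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, ln = data[i], data[i + 1]
        v = data[i + 2:i + ln]
        if t == VENDOR_SPECIFIC:
            if len(v) < 6 or struct.unpack("!IBB", v[:6])[2] != len(v) - 4:
                raise ValueError("malformed Vendor-Specific attribute")
            vid, vt, _ = struct.unpack("!IBB", v[:6])
            out.append((t, vid, vt, v[6:]))
        else:
            out.append((t, None, None, v))
        i += ln
    return out

def faculty_reply(faculties, as_vsa=False):
    """One attribute per value, like the '+=' accumulation in the unlang workaround."""
    if as_vsa:
        return b"".join(encode_vsa(DOC_PEN, FACULTY_VENDOR_TYPE, f.encode()) for f in faculties)
    return b"".join(encode_avp(REPLY_MESSAGE, f"Faculty: {f}".encode()) for f in faculties)
```

A receiver that does not know the vendor dictionary still parses the VSA as opaque octets, which is why the vendor ID rather than a bare 3000-range number is what keeps the attribute interoperable.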