Setting realm based on incoming RADIUS attribute

Hi, I’m looking for a way to select a realm based on RADIUS attributes in the request. From the debug logs I can see that everything I send also gets sent to the perl module:

 (6) perl: $RAD_REQUEST{'Callback-Id'} = &request:Callback-Id -> 'labrealm'

Is it possible to map this value to the actual realm in PrivacyIdea?

A similar question was asked here: 782; however, in our case requests are coming from the same device, so we can’t differentiate users using authorization policy and setrealm.

It’s not a show stopper, I could probably have all the users in one default realm too. It would be nice, however, for the future to have different realms so we could set different policies per realm if needed.

Thanks!

This is indeed not possible.
But it could be added easily at this point:

Currently, if the RADIUS request contains an attribute that is called “Realm”, this will be added as realm.

The configuration file however could contain a config value like

 realmAttribute = "Callback-Id"

and then could read the callback-id and pass it as realm.

We are always glad to receive feature requests or even pull requests at GitHub.

I think this would be a useful feature to have. For example, in our case we use Clearpass as our centralized RADIUS server and all the requests come from there, so the requests have the same IP addresses etc.

Another option would be to do some sort of preprocessing with FreeRADIUS to set the Realm attribute to the value in Callback-Id. Realm seems to be internal to FreeRADIUS and not part of any standard dictionaries, so I can’t set it in Clearpass.

A dirty workaround for this is also to edit /etc/raddb/dictionary and just change Callback-Id to Realm… I tried it and it seems to work.

Figured out the second option:

In /etc/raddb/sites-available/privacyidea I added this under authorize:

 update request {
     Realm := &Callback-Id
 }

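Because the realm decides which policies apply, the mapping posted above can be limited to realm names you expect. The following is an added example, not part of the original thread or of the privacyIDEA project; it assumes FreeRADIUS 3 unlang, and "prodrealm" is a constructed realm name next to the "labrealm" value from the debug log:

```unlang
# Added example for /etc/raddb/sites-available/privacyidea (FreeRADIUS 3).
# "prodrealm" is a constructed name; list the realms that really exist.
authorize {
    if (&Callback-Id) {
        if (&Callback-Id =~ /^(labrealm|prodrealm)$/) {
            # Known realm name: copy it into Realm, as in the post above.
            update request {
                Realm := &Callback-Id
            }
        }
        else {
            # Attribute present but not an expected realm: refuse the
            # request instead of forwarding an arbitrary realm name.
            reject
        }
    }
    # No Callback-Id in the request: Realm is left unset.

    # ... the existing authorize entries of this site follow here ...
}
```

Run the server in debug mode once after the change and confirm that the `Realm` value shown for the request is the one you expect.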