Select realm automatically


tonny.a...@evry.com

Jan 4, 2017, 1:13:26 PM1/4/17
to LinOTP
I would like to be able to select the realm automatically at logon, based on either the RADIUS client IP or the NAS ID or something similar.

For example, users logging in from RADIUS client x would authenticate against realm x, and all users logging in from RADIUS client y should authenticate against realm y.

This is so the users never need to submit which realm they are logging in to.

Is this possible? If not, I would like to make this a feature request.

Mirko Ahnert

Jan 5, 2017, 3:26:30 AM1/5/17
to LinOTP, tonny.a...@evry.com
Hi Tonny,

this is a long-existing feature. Policies can be configured according to the clients. If you are using RADIUS, make sure to allow handing on the client's IP addresses: go to /manage -> "LinOTP Config" -> "System Config" -> "Override authentication client:" and enter the IP of the RADIUS server here (e.g. "127.0.0.1" if FreeRADIUS is running on the LinOTP server).

Here you find details about the usage of clients in policies:


Here the policy to set the realm:


Mirko

tonny.a...@evry.com

Jan 5, 2017, 8:04:55 AM1/5/17
to LinOTP, tonny.a...@evry.com
Thanks Mirko!

tonny.a...@evry.com

Jan 19, 2017, 2:56:16 AM1/19/17
to LinOTP, tonny.a...@evry.com
I have now configured this and it seems to work, but there is one thing that confuses me. The client IP that is seen by LinOTP is not the same as the RADIUS client IP. When I configure a policy to apply to an IP, the IP that needs to be specified is the "Client IP", and not the RADIUS client IP.

Is there a way to get the policy to be triggered by the RADIUS client IP?

Mirko Ahnert

Jan 19, 2017, 3:04:16 AM1/19/17
to LinOTP, tonny.a...@evry.com
Hi Tonny,

this is something to be configured in FreeRADIUS. The LinOTP module of the appliance understands "prefer_nas_identifier = yes" in /etc/freeradius/modules/linotp (which, confusingly, means that the client IP will be forwarded to LinOTP instead of the RADIUS server's). I am not sure about the Perl module. Maybe the same function is already included by default; maybe someone added it and can share the code.

Best Regards,

Mirko

tonny.a...@evry.com

Jan 19, 2017, 3:30:04 AM1/19/17
to LinOTP, tonny.a...@evry.com
Thanks for your quick reply, Mirko!

My setup is using LinOTP on a Debian distribution with the Perl module.
The Perl module is pointing to:

/usr/lib/linotp/radius_linotp.pm

and there I find:

    # $Config holds the settings read from rlm_perl.ini; the NAS identifier
    # is used unless PREFER_NAS_IDENTIFIER is explicitly set to "false".
    my $useNasIdentifier = true;
    if ( $Config->{PREFER_NAS_IDENTIFIER} =~ /^\s*false\s*$/i ) {
        $useNasIdentifier = false;
    }

Is this perhaps the correct place to edit to get the wanted behaviour?

Mirko Ahnert

Jan 19, 2017, 4:44:18 AM1/19/17
to LinOTP, tonny.a...@evry.com
Hi,

ah, sorry, I misunderstood your setup. If you would like to configure policies depending only on the IPs of the RADIUS server authenticating against the LinOTP API, the default configuration should suffice. So there is no need to change "Override authentication client:"; that setting allows the RADIUS server to hand on the client IPs, as you see in your current environment.

Best Regards,

Mirko

tonny.a...@evry.com

Jan 19, 2017, 5:12:33 AM1/19/17
to LinOTP, tonny.a...@evry.com
Hi,

I think you misunderstood now.

It's not the RADIUS server, it's the RADIUS client IP (the same IPs specified in /etc/freeradius/clients.conf) that I want to configure policies depending on.

When I empty the "Override authentication client" field, the LinOTP server's IP (same server as FreeRADIUS) is shown as the client IP, and not the RADIUS client's.

Mirko Ahnert

Jan 19, 2017, 7:56:32 AM1/19/17
to LinOTP, tonny.a...@evry.com
Hi,

the Perl module seems to behave differently in this regard. I will try to build up a test setup and have a look at it within the next days.

Best Regards,

Mirko

tonny.a...@evry.com

Jan 19, 2017, 8:29:29 AM1/19/17
to LinOTP, tonny.a...@evry.com
Hi,

I really appreciate your effort in this. I look forward to hearing the results of your testing.

tonny.a...@evry.com

Jan 24, 2017, 4:54:10 AM1/24/17
to LinOTP, tonny.a...@evry.com
Hi,

Did you have a chance to test this?

Mirko Ahnert

Feb 16, 2017, 3:03:38 AM2/16/17
to LinOTP, tonny.a...@evry.com
Hi Tonny,

I am sorry; we were very busy releasing LinOTP 2.9.1 :). I hope I will get to this next week. If you would like to try yourself: it should be possible in the FreeRADIUS configuration to manipulate the involved variable as required.

Best Regards,

Mirko

tonny.a...@evry.com

Feb 16, 2017, 9:00:10 AM2/16/17
to LinOTP, tonny.a...@evry.com
I don't think I would know exactly where to attack this...

mirko....@gmail.com

Mar 3, 2017, 11:26:34 AM3/3/17
to LinOTP, tonny.a...@evry.com
Hi Tonny,

finally :)

A quick workaround:

* Allow handing on the client's IP addresses: go to /manage -> "LinOTP Config" -> "System Config" -> "Override authentication client:" and enter the IP of the RADIUS server here (e.g. "127.0.0.1" if FreeRADIUS is running on the LinOTP server)

* Activate the processing of the NAS-IP-ADDRESS attribute in /etc/linotp2/rlm_perl.ini

PREFER_NAS_IDENTIFIER=True

* Add to the authorize section in /etc/freeradius/sites-enabled/linotp

    update request {
        NAS-IP-ADDRESS := "%{CLIENT-IP-ADDRESS}"
    }

It is possible to make the update conditional (e.g. only for some CLIENT-IP-ADDRESS values).

An alternative to the last step would be to configure the RADIUS client to submit a NAS-IP-ADDRESS attribute containing the correct IP.

Best Regards,

Mirko

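The three steps above, and the PREFER_NAS_IDENTIFIER switch in the Perl module discussed earlier, can be hard to reason about because the "client" changes meaning at each hop (RADIUS client -> FreeRADIUS -> LinOTP). The following is an added example, not code from this thread, from LinOTP or from FreeRADIUS: a small Python simulation of that path, run once with the default setup and once with the workaround, so you can see why the default setup makes every request look like it comes from the RADIUS server and why the workaround fixes it. The addresses, policy names, default realm and the CIDR-only matching are constructed assumptions for illustration; LinOTP's real policy "client" syntax is richer than what is modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample environment (hypothetical addresses, not from the thread):
# FreeRADIUS and LinOTP share one host, so LinOTP sees API calls from 127.0.0.1.
RADIUS_SERVER_IP = "127.0.0.1"


@dataclass
class RadiusRequest:
    packet_src_ip: str                     # address the Access-Request came from (the RADIUS client)
    nas_ip_address: Optional[str] = None   # NAS-IP-Address attribute, if one is present


@dataclass
class Policy:
    name: str
    client: str    # IP or CIDR the policy is bound to (the "client" field of a LinOTP policy)
    realm: str     # realm the policy assigns to matching requests


def unlang_copy_client_ip(req: RadiusRequest) -> RadiusRequest:
    """Models the authorize-section step
       update request { NAS-IP-ADDRESS := "%{CLIENT-IP-ADDRESS}" }
    i.e. stamp the packet's source address into NAS-IP-Address, overwriting
    whatever the client may have sent."""
    return RadiusRequest(req.packet_src_ip, req.packet_src_ip)


def rlm_perl_forwarded_client(req: RadiusRequest, prefer_nas_identifier: bool) -> Optional[str]:
    """Models the PREFER_NAS_IDENTIFIER switch on the rlm_perl side: when on and a
    NAS-IP-Address is present, that value is handed to LinOTP as the request's
    client IP; otherwise nothing is forwarded (assumption about the module's behaviour)."""
    if prefer_nas_identifier and req.nas_ip_address:
        return req.nas_ip_address
    return None


def linotp_effective_client(api_caller_ip: str, forwarded_client: Optional[str],
                            override_clients: List[str]) -> str:
    """Models the LinOTP side: policies are matched against the API caller's own IP,
    unless that caller is listed under "Override authentication client" and passed a
    client IP along, in which case the passed IP is used instead."""
    if forwarded_client and api_caller_ip in override_clients:
        return forwarded_client
    return api_caller_ip


def select_realm(client_ip: str, policies: List[Policy], default_realm: str) -> str:
    """Pick the realm of the first policy whose client field covers client_ip
    (simplified matching: one IP or CIDR per policy, no exclusion syntax)."""
    ip = ipaddress.ip_address(client_ip)
    for p in policies:
        if ip in ipaddress.ip_network(p.client, strict=False):
            return p.realm
    return default_realm


# Constructed policies: one RADIUS client goes to realm_x, a whole subnet to realm_y.
POLICIES = [
    Policy("realm_x_for_client_x", "192.0.2.10", "realm_x"),
    Policy("realm_y_for_clients_y", "198.51.100.0/24", "realm_y"),
]


def realm_for(packet_src_ip: str, workaround: bool) -> str:
    """End-to-end for one Access-Request. workaround=False: no override entry and no
    NAS-IP-Address stamping (the situation reported in the thread). workaround=True:
    override entry for the RADIUS server, PREFER_NAS_IDENTIFIER on, unlang stamping."""
    req = RadiusRequest(packet_src_ip)
    if workaround:
        req = unlang_copy_client_ip(req)
    forwarded = rlm_perl_forwarded_client(req, prefer_nas_identifier=True)
    override = [RADIUS_SERVER_IP] if workaround else []
    client = linotp_effective_client(RADIUS_SERVER_IP, forwarded, override)
    return select_realm(client, POLICIES, default_realm="default")


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(f"{src}: default setup -> {realm_for(src, False)}, "
              f"workaround -> {realm_for(src, True)}")
```

Two things the simulation makes visible. First, in the default setup every request resolves to the RADIUS server's own address, so no per-client policy can ever match; that is exactly the "client IP is 127.0.0.1" symptom from earlier in the thread. Second, of the two ways to populate NAS-IP-Address named in the last step, the unlang `:=` assignment from the packet source is the safer one: it overwrites the attribute, so a RADIUS client cannot steer itself into another realm by sending a NAS-IP-Address of its own choosing, whereas relying on the client to submit the attribute means trusting every holder of a client secret to report its identity honestly. If you make the update conditional, make sure the fall-through case still clears or overwrites the attribute for the same reason.
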
tonny.a...@evry.com

Mar 4, 2017, 3:54:51 AM3/4/17
to LinOTP, tonny.a...@evry.com, mirko....@gmail.com
I have only been able to make a quick test, but so far it looks promising! :)
I will also test this in a multi-domain setup during next week and provide you with some feedback.

Many thanks, Mirko!
