Hi Marc and Alan,

Thanks for the reply.

What I exactly mean by authorization is Management-Privilege-Level, which is defined in RFC 5607. I want to give restricted access to certain resources on my NE to the user accounts. Basically, I want to authorize user accounts based on groups and privileges. If a user belongs to a certain group and has the privilege level (security admin or administrator), then only he can execute certain commands on the NE. Right now the PAM module is doing this in my NE. I want it to be done by the Radius server.

Now the pam_radius_auth module sends "authentication only" in the request message, so the server is not doing authorization, it seems. How can I ask the server to do authorization, and when the server sends the authorization attributes (AVPs) in the Access-Accept message, how do I process those values? Or will the PAM module take care of this?

I am really not getting how to support this "management-privilege-level" feature using pam-radius-auth.

On Fri, 25 Feb 2011 20:11:32, freeradius-users-requ...@lists.freeradius.org wrote:

Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        freeradius-users-requ...@lists.freeradius.org

You can reach the person managing the list at
        freeradius-users-ow...@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Re: store and proxy accounting packets (Waqas Toor)
   2. Re: store and proxy accounting packets (Alan DeKok)
   3. Re: pam_radius_auth query (Marc Phillips)
   4. Re: store and proxy accounting packets (Waqas Toor)
   5. Re: store and proxy accounting packets (Alan DeKok)
   6. Re: store and proxy accounting packets (Waqas Toor)
   7. Re: store and proxy accounting packets (Alan DeKok)

----------------------------------------------------------------------

Message: 1
Date: Fri, 25 Feb 2011 16:01:06 +0500
From: Waqas Toor <waqasnasirt...@gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Cc: Alan DeKok <al...@deployingradius.com>
Message-ID: <AANLkTinpZ94e6NpNMJo+fLgSbkreryZvio6=fbpcu...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

On Thu, Feb 24, 2011 at 11:33 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Waqas Toor wrote:
>> but what to do to get accounting to other client, Also if that fails
>> is it going to create detail files ?
>
>  Did you bother *reading* the "robust-proxy-accounting" file?
>

I have configured the robust-proxy-accounting

below is the file
====================================
home_server home1.example.com {
        type = acct
        ipaddr = 10.1.67.41
        port = 1813
        secret = freerad
        status_check = request
        username = "test_user_status_check"
        response_window = 6
}

home_server home2.example.com {
        type = acct
        ipaddr = 10.1.67.42
        port = 1813
        secret = freerad
        response_window = 6
}

home_server acct_detail.example.com {
        virtual_server = acct_detail.example.com
}

home_server_pool acct_pool.example.com {
        home_server = home1.example.com
        home_server = home2.example.com
        fallback = acct_detail.example.com
        virtual_server = home.example.com
}

realm acct_realm.example.com {
        acct_pool = acct_pool.example.com
}

server acct_detail.example.com {
        accounting {
                detail.example.com
        }
}

server home.example.com {
        pre-proxy {
                # Insert pre-proxy rules here
        }

        post-proxy {
                Post-Proxy-Type Fail {
                        detail.example.com
                }
        }

        listen {
                type = detail
                filename = "${radacctdir}/detail.example.com/detail-*:*"
                load_factor = 10
        }

        accounting {
                # You may want accounting policies here...
                update control {
                        Proxy-To-Realm := "acct_realm.example.com"
                }
        }
}
====================================

but it is not working neither its creating any file

here is the debug last lines
===================================
 } # server
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "control"
 listen {
        socket = "/usr/local/var/run/radiusd/radiusd.sock"
        mode = "rw"
 }
}
listen {
        type = "detail"
 listen {
        filename = "/usr/local/var/log/radius/radacct/detail.example.com/detail-*:*"
        load_factor = 10
        poll_interval = 1
        retry_interval = 30
 }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* as server home.example.com
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.000000 sec
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.134651 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.011006 sec
Waking up in 1.0 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.113558 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.903584 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.185763 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.916197 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.925224 sec
Waking up in 0.9 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.160946 sec
Waking up in 1.1 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 0.817426 sec
Waking up in 0.8 seconds.
==================

I am missing something but could not figure it out what

regards.
Waqas

------------------------------

Message: 2
Date: Fri, 25 Feb 2011 14:02:33 +0100
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <4d67a869.7050...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
>> Did you bother *reading* the "robust-proxy-accounting" file?
>>
> I have configured the robust-proxy-accounting

That doesn't answer the question. The comments in that file describe
how it works. This includes answering your original question.

> I am missing something but could not figure it out what

The debug log doesn't show it receiving packets.

What do you *expect* to happen when it doesn't receive packets?

The answer should be obvious: it's documented in the comments in the
"robust-proxy-accounting" file.

Go read it.

Alan DeKok.

------------------------------

Message: 3
Date: Fri, 25 Feb 2011 07:09:14 -0600
From: Marc Phillips <rm...@copacetic.net>
Subject: Re: pam_radius_auth query
To: vijay s sheelavantar <s_vija...@rediffmail.com>
Cc: freeradius-users <freeradius-users@lists.freeradius.org>
Message-ID: <20110225130914.gb12...@archwayconcepts.com>
Content-Type: text/plain; charset=us-ascii

vijay s sheelavantar <s_vija...@rediffmail.com> wrote:
> Hi,
> Please clarify my doubts.
>
> 1. does pam_radius_auth.so support authorization of user accounts?

the pam module just sends the user info to the radius server. The radius
server does authorization and authentication. It first authorizes via
your authorization rules you defined. If it passes that, it moves on to
the authentication rules.

There's nothing special you have to do on the pam module side.

R. Marc

------------------------------

Message: 4
Date: Fri, 25 Feb 2011 18:48:40 +0500
From: Waqas Toor <waqasnasirt...@gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Cc: Alan DeKok <al...@deployingradius.com>
Message-ID: <aanlktikncwctes+ofcb8btnjpir9+zfx9hgywwbz6...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Thank you Alan for your help,
But please can you point out where I am wrong or a line may be which
is a bad config, I am having trouble understanding why the packets are
not being forwarded while being in site-enabled directory.
I read the file I am still struggling to understand FreeRadius proxy
and virtual servers, treat me as a noob

Waqas

On Fri, Feb 25, 2011 at 6:02 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Waqas Toor wrote:
>>> Did you bother *reading* the "robust-proxy-accounting" file?
>>>
>> I have configured the robust-proxy-accounting
>
> That doesn't answer the question. The comments in that file describe
> how it works. This includes answering your original question.
>
>> I am missing something but could not figure it out what
>
> The debug log doesn't show it receiving packets.
>
> What do you *expect* to happen when it doesn't receive packets?
>
> The answer should be obvious: it's documented in the comments in the
> "robust-proxy-accounting" file.
>
> Go read it.

------------------------------

Message: 5
Date: Fri, 25 Feb 2011 14:53:02 +0100
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <4d67b43e.4020...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
> Thank you Alan for your help,
> But please can you point out where I am wrong or a line may be which
> is a bad config, I am having trouble understanding why the packets are
> not being forwarded while being in site-enabled directory.

As I said, the debug log you posted shows *no* packets being received.

How can it forward packets it doesn't receive?

How can you debug the failure to proxy packets, when it doesn't receive
any packets?

> I read the file I am still struggling to understand FreeRadius proxy
> and virtual servers, treat me as a noob

I'm asking you to read the documents, and the messages on this list.
Nothing more.

Alan DeKok.

------------------------------

Message: 6
Date: Fri, 25 Feb 2011 19:10:53 +0500
From: Waqas Toor <waqasnasirt...@gmail.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Cc: Alan DeKok <al...@deployingradius.com>
Message-ID: <aanlktinubnyy8nagxyvnk+g+daogqn8ov+alieiav...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Ahaan, Ok below is an accounting packet and its response
also please tell me if the lines that I get while in debug mode are normal?

Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.159171 sec
Waking up in 1.1 seconds.

=================================================
Waking up in 0.8 seconds.
Polling for detail file /usr/local/var/log/radius/radacct/detail.example.com/detail-*:*
Detail listener /usr/local/var/log/radius/radacct/detail.example.com/detail-*:* state unopened signalled 0 waiting 1.058084 sec
Waking up in 1.0 seconds.
rad_recv: Accounting-Request packet from host 2.2.2.2 port 10044, id=248, length=248
        Acct-Status-Type = Start
        WiMAX-Beginning-Of-Session = 1
        WiMAX-IP-Technology = Reserved-0
        WiMAX-Prepaid-Indicator = 0
        Acct-Session-Id = "12033268"
        Acct-Multi-Session-Id = "9a7f45c70eb9cfc263d4b7f5db740d25"
        non-hw-flow-info = "\000\000\000"
        Framed-IP-Address = 175.110.77.76
        User-Name = "002682D1A232@test_cpe.com"
        Calling-Station-Id = "002682d1a232"
        NAS-Identifier = "WASN"
        WiMAX-hHA-IP-MIP4 = 0.0.0.0
        NAS-IP-Address = 2.2.2.2
        WiMAX-BS-Id = 0x303030303066303030663130
        WiMAX-GMT-Timezone-offset = 18000
        Event-Timestamp = "Feb 25 2011 18:36:49 PKT"
        Huawei-Attr-218 = 0x00000000
        NAS-Port-Type = Wireless-802.16
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 2.2.2.2,NAS-IP-Address = 2.2.2.2,Acct-Session-Id = "12033268",User-Name = "002682D1A232@test_cpe.com"'
[acct_unique] Acct-Unique-Session-ID = "8b9e32f20020add2".
++[acct_unique] returns ok
[suffix] Looking up realm "test_cpe.com" for User-Name = "002682D1A232@test_cpe.com"
[suffix] No such realm "test_cpe.com"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/2.2.2.2/detail-20110225
[detail] expand: %t -> Fri Feb 25 18:35:11 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 002682D1A232@test_cpe.com
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql] expand: %{User-Name} -> 002682D1A232@test_cpe.com
[sql] sql_set_user escaped user --> '002682D1A232@test_cpe.com'
[sql] expand: INSERT into accounting (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey, AcctStatusType) VALUES('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port-Id}', '%{NAS-Port-Type}', TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0', '%{X-Ascend-Session-Svr-Key}', '%{Acct-Status-Type}') ->
INSERT into accounting (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctSta
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> 002682D1A232@test_cpe.com
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 248 to 2.2.2.2 port 10044
Finished request 9.
Cleaning up request 9 ID 248 with timestamp +20
Going to the next request
Waking up in 0.7 seconds.
=======================================================

On Fri, Feb 25, 2011 at 6:53 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Waqas Toor wrote:
>> Thank you Alan for your help,
>> But please can you point out where I am wrong or a line may be which
>> is a bad config, I am having trouble understanding why the packets are
>> not being forwarded while being in site-enabled directory.
>
> As I said, the debug log you posted shows *no* packets being received.
>
> How can it forward packets it doesn't receive?
>
> How can you debug the failure to proxy packets, when it doesn't
> receive any packets?
>
>> I read the file I am still struggling to understand FreeRadius proxy
>> and virtual servers, treat me as a noob
>
> I'm asking you to read the documents, and the messages on this list.
> Nothing more.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

------------------------------

Message: 7
Date: Fri, 25 Feb 2011 15:39:53 +0100
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: store and proxy accounting packets
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <4d67bf39.8070...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Waqas Toor wrote:
> Ahaan, Ok below is an accounting packet and its response
> also please tell me if the lines that I get while in debug mode are normal?

Yes, but...

> [suffix] Looking up realm "test_cpe.com" for User-Name =
> "002682D1A232@test_cpe.com"
> [suffix] No such realm "test_cpe.com"

That should be fixed.

Alan DeKok.

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 70, Issue 99
************************************************
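
On the question that opens this message (how a client can process authorization AVPs returned in an Access-Accept), the following is an added example, not code from pam_radius_auth or FreeRADIUS. It checks the RFC 2865 Response Authenticator before trusting any attribute, then reads Management-Privilege-Level (type 136, RFC 5607); the role thresholds, the deny-on-duplicate policy and the `build_accept` test helper are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                   # RFC 2865 packet code
MANAGEMENT_PRIVILEGE_LEVEL = 136    # RFC 5607 attribute type, 4-octet integer
# Hypothetical NE policy (assumption): minimum level required for each role.
ROLE_MIN_LEVEL = {"administrator": 10, "security-admin": 15}

def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_attributes(attrs):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        pairs.append((attrs[i], attrs[i + 2:i + attrs[i + 1]]))
        i += attrs[i + 1]
    return pairs

def privilege_from_accept(packet, request_auth, secret):
    """Return the granted privilege level, or None when access must be denied."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        return None
    attrs = packet[20:length]       # octets beyond Length are padding
    expected = response_auth(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                 # forged or corrupted reply: ignore its AVPs
    try:
        levels = [v for t, v in parse_attributes(attrs)
                  if t == MANAGEMENT_PRIVILEGE_LEVEL]
    except ValueError:
        return None
    if len(levels) != 1 or len(levels[0]) != 4:
        return None                 # absent, duplicated or wrong size: fail closed
    return struct.unpack("!I", levels[0])[0]

def roles_for(level):
    """Roles the session may use; a rejected reply (None) yields no roles."""
    if level is None:
        return []
    return sorted(r for r, need in ROLE_MIN_LEVEL.items() if level >= need)

def build_accept(ident, attrs, request_auth, secret):
    """Constructed test helper: assemble an Access-Accept the way a server would."""
    auth = response_auth(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs
```

The caller passes the Request Authenticator it sent in the matching Access-Request; a reply that fails any check is treated as carrying no privileges rather than a default level.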