RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
yes, i didnt need the stack trace, i've been running it in debug mode all along, and 
never noticed the incorrect ip til i ran the strace.. which i agree wasnt necessary.

i'm using radtest to generate the radius packet, radtest includes a line
nas = `hostname`

and then includes in the packet NAS-IP-Address = $nas

so it's sending my hostname instead of my IP, radiusd wants an ip address and seems to 
evaluate a string of characters to 255.255.255.255, which i obviously have not 
included in my huntgroup. I changed the radtest script to send the right IP, and 
everything seems to be working now.

--thanks.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives 


Michael Komitee [EMAIL PROTECTED] wrote:
 actually, it's not authenticating anyone. i ran a stack trace on
 radiusd, and tried to authenticate. i'm seeing that the packet radiusd
 is receiving has a NAS-IP-Address of 255.255.255.255.

  stack trace?  What about debugging mode?

 That's the problem right there. Somehow, the nas ip address isn't
 being properly set, and as a result the request does not match the
 huntgroup.

  The NAS-IP-Address is set to whatever is in the RADIUS packet.
Debugging mode will show this.  Run 'tcpdump' to see it in another
format.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
thanks for the direction, after reading that i see a bunch of mistakes, but it hasnt 
actually fixed the problem. i see that my operators were wrong... everywhere.

now the user:

bob Auth-Type := System, Huntgroup-Name == dnsservers

with the hunt group

dnsservers NAS-IP-Address == 192.168.10.254

authenticates user bob from anywhere, regardless of whether the NAS-IP-Address is 
192.168.10.254. My understanding from the users man page (5) is that this will:

Auth-Type := System changes the Auth-Type to be System from anything that 
it was previously set to, if there was no previously declared Auth-Type, it creates 
the attribute and sets it.

Huntgroup-Name == dnsservers  only matches if the requesting packet includes 
information that matches all criteria from the dnsservers huntgroup.

NAS-IP-Address == 192.168.10.254  matches only if the ip of the NAS is 
192.168.10.254... 

--thats what i think it all means, thats what the man page implies, thats what the 
docs i've seen on huntgroups implies, but as i stated, it's authenticating from any 
NAS, not just the aforementioned IP.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives 


Michael Komitee [EMAIL PROTECTED] wrote:
 i'm having a problem with my users file, i'm declaring users and it
 seems to only accept a single option per user:

  Read the 'users' file 'man' page.  Look at the examples in the
'users' file.

 username  Auth-Type = System, Huntgroup-Name = dnsservers
 
 will not authenticate anyone, even when the access request matches
 everything in the dnsservers huntgroup,

  Look for 'Huntgroup-Name' in the sample 'users' file, and see what
you're doing differently from those examples.

  Alan DeKok.



Re: users file not using multiple directives

2003-08-14 Thread Artur Hecker

nothing to do with your post except for one detail: like alan i asked
myself what a stack trace could be? i thought about some special
network sniffer device or even some jargon talking about switches
(perhaps from baystack?) etc. :-)

funny, i've always been subconsciously defining strace as system call
trace or something like that because that is what it does - under
linux.

as a matter of fact debian defines it this way in its man-page: strace -
trace system calls and signals.

history out of the man page:

   The original strace was written by  Paul  Kranenburg
   for SunOS and was inspired by its trace utility.  The SunOS
   version of strace was  ported  to  Linux  and  enhanced  by
   Branko  Lankester, who also wrote the Linux kernel support.
   Even though Paul released strace 2.5 in 1992, Branko's work
   was based on Paul's strace 1.5 release from 1991.  In 1993,
   Rick Sladkey merged strace 2.5 for  SunOS  and  the  second
   release  of strace for Linux, added many of the features of
   truss(1) from SVR4, and produced an strace that  worked  on
   both  platforms.   In  1994  Rick ported strace to SVR4 and
   Solaris and wrote the automatic configuration support.   In
   1995  he  ported  strace to Irix and tired of writing about
   himself in the third person.

simultaneously, SunOS 5.9 defines it as strace - print STREAMS trace
messages. i am not familiar with SunOS but a fast look to man strace
seemed to explain that it doesn't actually do the same thing.

others?


ciao
artur



Michael Komitee wrote:

 
 yes, i didnt need the stack trace, i've been running it in debug mode all along, and 
 never noticed the incorrect ip til i ran the strace.. which i agree wasnt necessary.
 
 i'm using radtest to generate the radius packet, radtest includes a line
 nas = `hostname`
 
 and then includes in the packet NAS-IP-Address = $nas
 
 so it's sending my hostname instead of my IP, radiusd wants an ip address and seems 
 to evaluate a string of characters to 255.255.255.255, which i obviously have not 
 included in my huntgroup. I changed the radtest script to send the right IP, and 
 everything seems to be working now.
 
 --thanks.
 
 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 13, 2003 2:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: users file not using multiple directives
 
 Michael Komitee [EMAIL PROTECTED] wrote:
  actually, it's not authenticating anyone. i ran a stack trace on
  radiusd, and tried to authenticate. i'm seeing that the packet radiusd
  is receiving has a NAS-IP-Address of 255.255.255.255.
 
   stack trace?  What about debugging mode?
 
  That's the problem right there. Somehow, the nas ip address isn't
  being properly set, and as a result the request does not match the
  huntgroup.
 
   The NAS-IP-Address is set to whatever is in the RADIUS packet.
 Debugging mode will show this.  Run 'tcpdump' to see it in another
 format.
 
   Alan DeKok.
 

-- 
Artur Hecker
artur[at]hecker.info



RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
looks like ive been using the wrong terminology fer a while then. no idea where i got 
that term. twas an strace.

-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 6:30 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives



nothing to do with your post except for one detail: like alan i asked
myself what a stack trace could be? i thought about some special
network sniffer device or even some jargon talking about switches
(perhaps from baystack?) etc. :-)

funny, i've always been subconsciously defining strace as system call
trace or something like that because that is what it does - under
linux.

as a matter of fact debian defines it this way in its man-page: strace -
trace system calls and signals.

history out of the man page:

   The original strace was written by  Paul  Kranenburg
   for SunOS and was inspired by its trace utility.  The SunOS
   version of strace was  ported  to  Linux  and  enhanced  by
   Branko  Lankester, who also wrote the Linux kernel support.
   Even though Paul released strace 2.5 in 1992, Branko's work
   was based on Paul's strace 1.5 release from 1991.  In 1993,
   Rick Sladkey merged strace 2.5 for  SunOS  and  the  second
   release  of strace for Linux, added many of the features of
   truss(1) from SVR4, and produced an strace that  worked  on
   both  platforms.   In  1994  Rick ported strace to SVR4 and
   Solaris and wrote the automatic configuration support.   In
   1995  he  ported  strace to Irix and tired of writing about
   himself in the third person.

simultaneously, SunOS 5.9 defines it as strace - print STREAMS trace
messages. i am not familiar with SunOS but a fast look to man strace
seemed to explain that it doesn't actually do the same thing.

others?


ciao
artur



Michael Komitee wrote:

 
 yes, i didnt need the stack trace, i've been running it in debug mode all along, and 
 never noticed the incorrect ip til i ran the strace.. which i agree wasnt necessary.
 
 i'm using radtest to generate the radius packet, radtest includes a line
 nas = `hostname`
 
 and then includes in the packet NAS-IP-Address = $nas
 
 so it's sending my hostname instead of my IP, radiusd wants an ip address and seems 
 to evaluate a string of characters to 255.255.255.255, which i obviously have not 
 included in my huntgroup. I changed the radtest script to send the right IP, and 
 everything seems to be working now.
 
 --thanks.
 
 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 13, 2003 2:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: users file not using multiple directives
 
 Michael Komitee [EMAIL PROTECTED] wrote:
  actually, it's not authenticating anyone. i ran a stack trace on
  radiusd, and tried to authenticate. i'm seeing that the packet radiusd
  is receiving has a NAS-IP-Address of 255.255.255.255.
 
   stack trace?  What about debugging mode?
 
  That's the problem right there. Somehow, the nas ip address isn't
  being properly set, and as a result the request does not match the
  huntgroup.
 
   The NAS-IP-Address is set to whatever is in the RADIUS packet.
 Debugging mode will show this.  Run 'tcpdump' to see it in another
 format.
 
   Alan DeKok.
 

-- 
Artur Hecker
artur[at]hecker.info



RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
actually, it's not authenticating anyone. i ran a stack trace on radiusd, and tried to 
authenticate. i'm seeing that the packet radiusd is receiving has a NAS-IP-Address of 
255.255.255.255. That's the problem right there. Somehow, the nas ip address isn't 
being properly set, and as a result the request does not match the huntgroup.

-Original Message-
From: Michael Komitee 
Sent: Wednesday, August 13, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: users file not using multiple directives 


thanks for the direction, after reading that i see a bunch of mistakes, but it hasnt 
actually fixed the problem. i see that my operators were wrong... everywhere.

now the user:

bob Auth-Type := System, Huntgroup-Name == dnsservers

with the hunt group

dnsservers NAS-IP-Address == 192.168.10.254

authenticates user bob from anywhere, regardless of whether the NAS-IP-Address is 
192.168.10.254. My understanding from the users man page (5) is that this will:

Auth-Type := System changes the Auth-Type to be System from anything that 
it was previously set to, if there was no previously declared Auth-Type, it creates 
the attribute and sets it.

Huntgroup-Name == dnsservers  only matches if the requesting packet includes 
information that matches all criteria from the dnsservers huntgroup.

NAS-IP-Address == 192.168.10.254  matches only if the ip of the NAS is 
192.168.10.254... 

--thats what i think it all means, thats what the man page implies, thats what the 
docs i've seen on huntgroups implies, but as i stated, it's authenticating from any 
NAS, not just the aforementioned IP.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives 


Michael Komitee [EMAIL PROTECTED] wrote:
 i'm having a problem with my users file, i'm declaring users and it
 seems to only accept a single option per user:

  Read the 'users' file 'man' page.  Look at the examples in the
'users' file.

 username  Auth-Type = System, Huntgroup-Name = dnsservers
 
 will not authenticate anyone, even when the access request matches
 everything in the dnsservers huntgroup,

  Look for 'Huntgroup-Name' in the sample 'users' file, and see what
you're doing differently from those examples.

  Alan DeKok.



RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
explains it. dns is broken in my development environment.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 2:30 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives 


Michael Komitee [EMAIL PROTECTED] wrote:
 i'm using radtest to generate the radius packet, radtest includes a line
 nas = `hostname`
 
 and then includes in the packet NAS-IP-Address = $nas
 
 so it's sending my hostname instead of my IP, radiusd wants an ip
 address and seems to evaluate a string of characters to 255.255.255.255,

  It doesn't, unless DNS is broken.  That address is the official 'no
such address' marker.

  Using the hostname in radtest works.  It's one of the requirements,
that hostnames are looked up, and converted to addresses.

  Alan DeKok.



RE: users file not using multiple directives

2003-08-14 Thread Michael Komitee
radtest sets NAS-IP-Address = `hostname` -- which is a string, not an ip address. the 
string is evaluated to the value of 255.255.255.255, and as a result, my problem was 
with radtest, not with the actual huntgroup configuration. i changed nas = `hostname` 
to
nas = `ifconfig eth0 | grep 'inet addr' | awk '{ print $2}' | awk -F : '{ print $2 }'` 
and i'm gold. -- sorry for the spam / uselessness.

-Original Message-
From: Michael Komitee 
Sent: Wednesday, August 13, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: RE: users file not using multiple directives 


actually, it's not authenticating anyone. i ran a stack trace on radiusd, and tried to 
authenticate. i'm seeing that the packet radiusd is receiving has a NAS-IP-Address of 
255.255.255.255. That's the problem right there. Somehow, the nas ip address isn't 
being properly set, and as a result the request does not match the huntgroup.

-Original Message-
From: Michael Komitee 
Sent: Wednesday, August 13, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: users file not using multiple directives 


thanks for the direction, after reading that i see a bunch of mistakes, but it hasnt 
actually fixed the problem. i see that my operators were wrong... everywhere.

now the user:

bob Auth-Type := System, Huntgroup-Name == dnsservers

with the hunt group

dnsservers NAS-IP-Address == 192.168.10.254

authenticates user bob from anywhere, regardless of whether the NAS-IP-Address is 
192.168.10.254. My understanding from the users man page (5) is that this will:

Auth-Type := System changes the Auth-Type to be System from anything that 
it was previously set to, if there was no previously declared Auth-Type, it creates 
the attribute and sets it.

Huntgroup-Name == dnsservers  only matches if the requesting packet includes 
information that matches all criteria from the dnsservers huntgroup.

NAS-IP-Address == 192.168.10.254  matches only if the ip of the NAS is 
192.168.10.254... 

--thats what i think it all means, thats what the man page implies, thats what the 
docs i've seen on huntgroups implies, but as i stated, it's authenticating from any 
NAS, not just the aforementioned IP.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: users file not using multiple directives 


Michael Komitee [EMAIL PROTECTED] wrote:
 i'm having a problem with my users file, i'm declaring users and it
 seems to only accept a single option per user:

  Read the 'users' file 'man' page.  Look at the examples in the
'users' file.

 username  Auth-Type = System, Huntgroup-Name = dnsservers
 
 will not authenticate anyone, even when the access request matches
 everything in the dnsservers huntgroup,

  Look for 'Huntgroup-Name' in the sample 'users' file, and see what
you're doing differently from those examples.

  Alan DeKok.



Re: users file not using multiple directives

2003-08-14 Thread Alan DeKok
Michael Komitee [EMAIL PROTECTED] wrote:
 actually, it's not authenticating anyone. i ran a stack trace on
 radiusd, and tried to authenticate. i'm seeing that the packet radiusd
 is receiving has a NAS-IP-Address of 255.255.255.255.

  stack trace?  What about debugging mode?

 That's the problem right there. Somehow, the nas ip address isn't
 being properly set, and as a result the request does not match the
 huntgroup.

  The NAS-IP-Address is set to whatever is in the RADIUS packet.
Debugging mode will show this.  Run 'tcpdump' to see it in another
format.

  Alan DeKok.



Re: users file not using multiple directives

2003-08-14 Thread Alan DeKok
Michael Komitee [EMAIL PROTECTED] wrote:
 i'm having a problem with my users file, i'm declaring users and it
 seems to only accept a single option per user:

  Read the 'users' file 'man' page.  Look at the examples in the
'users' file.

 username  Auth-Type = System, Huntgroup-Name = dnsservers
 
 will not authenticate anyone, even when the access request matches
 everything in the dnsservers huntgroup,

  Look for 'Huntgroup-Name' in the sample 'users' file, and see what
you're doing differently from those examples.

  Alan DeKok.



Re: users file not using multiple directives

2003-08-14 Thread Alan DeKok
Michael Komitee [EMAIL PROTECTED] wrote:
 i'm using radtest to generate the radius packet, radtest includes a line
 nas = `hostname`
 
 and then includes in the packet NAS-IP-Address = $nas
 
 so it's sending my hostname instead of my IP, radiusd wants an ip
 address and seems to evaluate a string of characters to 255.255.255.255,

  It doesn't, unless DNS is broken.  That address is the official 'no
such address' marker.

  Using the hostname in radtest works.  It's one of the requirements,
that hostnames are looked up, and converted to addresses.

  Alan DeKok.
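
The behaviour discussed in this thread, as an added example that is not part of any message and is not FreeRADIUS code: a NAS name that fails to resolve turns into the INADDR_NONE sentinel (255.255.255.255), so a huntgroup test against 192.168.10.254 cannot match. The resolver hooks, the function names and the host names `devbox` and `nas1` are assumptions, constructed so the example runs offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical resolver hook: IPv4 address in network byte order,
 * or INADDR_NONE when the name cannot be looked up. */
typedef uint32_t (*resolver_fn)(const char *name);

/* Constructed stand-ins for DNS so nothing here touches the network. */
static uint32_t broken_dns(const char *name) { (void)name; return INADDR_NONE; }
static uint32_t working_dns(const char *name)
{
    return strcmp(name, "nas1") == 0 ? inet_addr("192.168.10.254") : INADDR_NONE;
}

/* Lenient conversion: a failed lookup silently becomes the sentinel. */
static uint32_t nas_ip_lenient(const char *text, resolver_fn resolve)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) == 1) return a.s_addr; /* IP literal */
    return resolve(text);                                   /* host name  */
}

/* Strict conversion: -1 on lookup failure instead of emitting the sentinel.
 * A literal "255.255.255.255" is still accepted as a real address. */
static int nas_ip_strict(const char *text, resolver_fn resolve, uint32_t *out)
{
    struct in_addr lit;
    uint32_t ip = nas_ip_lenient(text, resolve);
    if (ip == INADDR_NONE && inet_pton(AF_INET, text, &lit) != 1) return -1;
    *out = ip;
    return 0;
}

/* Model of the huntgroup test "NAS-IP-Address == expected". */
static int huntgroup_match(uint32_t nas_ip, const char *expected)
{
    return nas_ip == inet_addr(expected);
}

static const char *format_ip(uint32_t ip, char *buf, size_t len)
{
    struct in_addr a;
    a.s_addr = ip;
    return inet_ntop(AF_INET, &a, buf, (socklen_t)len);
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    uint32_t ip = nas_ip_lenient("devbox", broken_dns);
    printf("broken DNS : NAS-IP-Address = %s, huntgroup match = %d\n",
           format_ip(ip, buf, sizeof buf), huntgroup_match(ip, "192.168.10.254"));
    ip = nas_ip_lenient("nas1", working_dns);
    printf("working DNS: NAS-IP-Address = %s, huntgroup match = %d\n",
           format_ip(ip, buf, sizeof buf), huntgroup_match(ip, "192.168.10.254"));
    if (nas_ip_strict("devbox", broken_dns, &ip) != 0)
        printf("strict     : refusing to send, 'devbox' did not resolve\n");
    return 0;
}
```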
