RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
 45 to 172.17.254.100 port 1645
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=38, 
length=143
Acct-Session-Id = 00F3
User-Name = 00a0080806bd
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-A0-08-08-06-BD
Service-Type = Framed-User
NAS-IP-Address = 172.17.254.100
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 
172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = 
00F3,User-Name = 00a0080806bd'
[acct_unique] Acct-Unique-Session-ID = b1dbb7cf9bb1fa32.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/172.17.254.100/detail-20091229
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/172.17.254.100/detail-20091229
[detail]expand: %t - Tue Dec 29 10:37:23 2009
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - 00a0080806bd
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 38 to 172.17.254.100 port 1646
Finished request 2.
Cleaning up request 2 ID 38 with timestamp +28
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 1 ID 45 with timestamp +27
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

OpenVPNAS Accounting Issues

2009-12-29 Thread Neville

Hi all,

I would just like to clarify the accepted format of Acct-Session-Id when
using MySQL to track the clients' usage through accounting.

I'm currently testing OpenVPNAS and it seems to create a long string such as
'NASIPADDRESS.as0t0.1261084262.6899.1', however when the 'Acct-Status-Type':
'Stop' is sent, the SQL does not update the current row, but instead creates
a NEW row, which seems identical, therefore leaving the session open in sql.

Is the problem with the STRING being used by OpenVPNAS the reason why the
original ROW created by 'Acct-Status-Type': 'Start' is not being updated?

Thx
Nev 




FreeRadius Multihomed VIP Issue

2009-12-29 Thread Brian Carpio
FreeRadius Version: FreeRADIUS Version 1.1.3

Ok, here is the situation: I have freeradius sitting between two networks,
10.10.10.0 and 192.168.0.0. I want to combine freeradius and heartbeat so I
can have a failover if one of the freeradius servers were to crash or
needed to be upgraded.

I'm using freeradius as a proxy, by the way, so the 10.10.10.0 subnet is
where one of the radius servers lives which freeradius is proxying back to.

When a client sends a request to the IP of eth0 on the freeradius server,
let's say it's 192.168.0.20, everything is fine: the radius request is sent out
eth1, which has an IP address of 10.10.10.20, and connects to the backend
radius server at 10.10.10.5 (this is just an example). Then 10.10.10.5 sends the
packet back to 10.10.10.20 (which again is eth1 on the freeradius server),
then the packet is sent back to the client with the SOURCE address of
192.168.0.20 and the client accepts the auth request.

HOWEVER, when I set up a VIP eth0:0 with an IP address of 192.168.0.30 and
the client sends the radius request to this IP, the following happens (and I
know, I've been sniffing traffic all day lol): the freeradius server receives
the request on 192.168.0.30 and sends the Access Request out eth1 at
10.10.10.20 to the radius server on the backend at 10.10.10.5, which sends
the Access Accept to eth1 of the freeradius server 10.10.10.20, and the
freeradius server sends the packet back to the client with the source
address of 192.168.0.20.

Well this is a problem because the client sent Access Request to
192.168.0.30 (eth0:0) NOT to 192.168.0.20 (eth0) and the client rejects the
Access Accept.

Thanks for any help you can offer!

Brian

Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
Difan Zhao would like to recall the message, MAC authentication bypass --- How
am I supposed to edit the users file to include multiple MAC addresses??.

Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Arran Cudbard-Bell
On 29/12/2009 14:45, Difan Zhao wrote:

 Difan Zhao would like to recall the message, MAC authentication
 bypass --- How am I supposed to edit the users file to include multiple
 MAC addresses??.


I've often wondered what that means... Is it some weird outlook feature
that is meant to 'unsend' email?



invalid ELF header

2009-12-29 Thread Luis Antonio Chavez Puebla
Hello

I have Centos with FreeRADIUS Version 2.1.7

And when I run radius -X

It sends the following error

/usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec':
/usr/local/lib/rlm_exec.a: invalid ELF header

Luis Antonio Chavez P.


Re: invalid ELF header

2009-12-29 Thread John Dennis

On 12/29/2009 06:12 PM, Luis Antonio Chavez Puebla wrote:

Hello

I have Centos with FreeRADIUS Version 2.1.7

And when I run radius -X

It sends the following error

/usr/local/etc/raddb/modules/exec[24]: Failed to link to module
'rlm_exec': /usr/local/lib/rlm_exec.a: invalid ELF header


Use the pre-built packages which are known to work, see:

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
I apologize for the previous spam! I kind of figured out my problem.
Then I tried to fix it and now I have a new problem!!

So I want to authenticate devices when both User-Name and User-Password
are the same and are both the MAC of the device. My default files look
like:

authorize {
    ...
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

...

authenticate {
    Auth-Type Auth-NHSTB {
        if (%{request:User-Password} == %{request:User-Name}) {
            ok
        }
        else {
            noop
        }
    }
}

However when I try to run Radius I keep getting this error:

Expected regular expression at: request:User-Password)
/etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.
Errors initializing modules

I also tried a lot of other syntax and different operators as well but the
error is still there... What is the right syntax?? Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514



From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

 

Greetings,

I hope you all had a wonderful Christmas holidays!

So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern), however from the
Radius -X output (which I attached here) it doesn't seem to authenticate
it the way I want it.

Let me repeat my logic here: if the MAC addresses match the pattern, use
the User-Name (or Calling-Station-ID, since I rewrite it to be the
same as the User-Name) and the password (which is made to be the same as
the User-Name as well) to authenticate the device.

However it looks like my if conditions are all matched during the
process, but they all returned noop instead of updating the
information I wanted them to.

Here are the configurations I made in the policy.conf and
/sites-available/default files.

Policy.conf:

policy {
    ...
    rewrite_calling_station_id {
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := 00a008%{1}%{2}%{3}
            }
        }
        else {
            noop
        }
    }
}

Default:

authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (Chap-Password) {
            update control {
                Cleartext-Password := %{User-Name}
            }
            chap
        }
        else {
            ok
        }
    }
}

It seems to me that the last ok authenticated the device, instead of
using chap and the Cleartext-Password that I assigned. Any ideas?
Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514


Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Arran Cudbard-Bell
Should be:

if(request:User-Password == %{request:User-Name}) {

 However when I try to run Radius I keep getting this error:

 Expected regular expression at: request:User-Password)
 /etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.
 Errors initializing modules

 I also tried a lot of other syntax and different operators as well but
 the error is still there… What is the right syntax?? Thank you!

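The policy this thread is debugging (the Calling-Station-Id rewrite, the Call-Check check, and the Auth-NHSTB block whose password comparison Arran's corrected `if` expresses), modelled in plain Python as an added example; this is not FreeRADIUS's or the poster's code. It assumes the request and control lists are dicts, CHAP as in RFC 1994/2865 (challenge from CHAP-Challenge or the Request Authenticator), and constructed sample requests; it also replaces the bare `ok` fallback with a reject so a request carrying no credential cannot pass.

```python
import hashlib
import re

# Constructed stand-in for the poster's rewrite_calling_station_id policy:
# same 00-A0-08 prefix and three hex-pair captures, with anchors added.
CSID_PATTERN = re.compile(
    r"^00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})$", re.IGNORECASE)

def rewrite_calling_station_id(request):
    """Rewrite 00-A0-08-08-06-BD into the NAS's User-Name form, 00a0080806bd."""
    match = CSID_PATTERN.match(request.get("Calling-Station-Id", ""))
    if not match:
        return "noop"
    request["Calling-Station-Id"] = ("00a008" + "".join(match.groups())).lower()
    return "updated"

def authorize(request, control):
    """Model of the authorize {} section: pick Auth-NHSTB for Call-Check MAB."""
    rewrite_calling_station_id(request)
    if (request.get("Service-Type") == "Call-Check"
            and request.get("User-Name", "").lower()
            == request.get("Calling-Station-Id", "")):
        control["Auth-Type"] = "Auth-NHSTB"
        return "updated"
    return "noop"

def chap_response(ident, cleartext, challenge):
    """RFC 1994 response the chap module verifies: MD5(ident || secret || challenge)."""
    return hashlib.md5(ident + cleartext.encode() + challenge).digest()

def authenticate(request, control):
    """Model of Auth-Type Auth-NHSTB {}: the MAC itself is the expected password."""
    if control.get("Auth-Type") != "Auth-NHSTB":
        return "reject"
    cleartext = request["User-Name"]          # Cleartext-Password := %{User-Name}
    if "CHAP-Password" in request:            # 1-byte ident + 16-byte response
        chap = request["CHAP-Password"]
        challenge = request.get("CHAP-Challenge") or request["Request-Authenticator"]
        expected = chap_response(chap[:1], cleartext, challenge)
        return "ok" if chap[1:] == expected else "reject"
    if "User-Password" in request:            # PAP: the comparison Arran's if expresses
        return "ok" if request["User-Password"] == cleartext else "reject"
    # No credential at all. The earlier `else { ok }` accepted every non-CHAP
    # request unconditionally, which is why devices passed without chap running.
    return "reject"
```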

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Alan DeKok
Difan Zhao wrote:
...
 if(%{request:User-Password} == %{request:User-Name}) {

  Please read man unlang.  It documents the accepted syntax.  The
example above is not correct.

  Alan DeKok.