Re: "authentication" sub in perl
...as said in the original thread when I noted your request was EAP and your server had no EAP support (which you've now fixed)...this is an EAP request...and if you haven't really broken your config then the server will use the inner-tunnel virtual server, so you need to add your call to the perl module into the authenticate section of that virtual-server

alan
--
Message may be brief as it has been sent from my mobile
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Issue with installation of FreeRadiusServer (2.1.11) on Solaris
Solaris sparc 5.1 sounds old. Try installing libtool first: http://www.gnu.org/software/libtool/

-- Gregor Bruhin
Re: FW: "authentication" sub in perl
On Tue, Oct 4, 2011 at 3:45 AM, Alex rsm wrote:
> Ok,
> OpenSSL is installed on my server. No more issue on EAP. However, my debug
> line in sub authenticate still is not being called:
> Found Auth-Type = EAP

As Alan said, "the EAP module saw EAP-Message, and decided to do Auth-Type := EAP".

I highly suggest you try a simple test first (e.g. with radtest and pap). Most modifications will be on sites-available/default. Once that works, applying it to EAP should be easy enough: you just need to adapt sites-available/inner-tunnel to use your perl module.

PS: While not related to your perl problem, your previous post says you're using 2.1.11, which has some known bugs fixed in a later version. 2.1.12 was released some time ago, so you should upgrade.

-- Fajar
How to specify python modules used by rlm_python?
Hi everyone,

I'm trying to use rlm_python to integrate with my own authentication backend, but there's so little documentation about rlm_python. I even cannot find how to specify the path to the python module. Can anybody give me a hint?

Module: Instantiating module "python" from file /etc/freeradius/modules/python
python_init done
 python {
	mod_instantiate = "radiusd_test"
	func_instantiate = "instantiate"
	mod_authorize = "radiusd_test"
	func_authorize = "authorize"
	mod_accounting = "radiusd_test"
	func_accounting = "accounting"
	mod_pre_proxy = "radiusd_test"
	func_pre_proxy = "pre_proxy"
	mod_post_proxy = "radiusd_test"
	func_post_proxy = "post_proxy"
	mod_post_auth = "radiusd_test"
	func_post_auth = "post_auth"
	mod_recv_coa = "radiusd_test"
	func_recv_coa = "recv_coa"
	mod_send_coa = "radiusd_test"
	func_send_coa = "send_coa"
	mod_detach = "radiusd_test"
	func_detach = "detach"
 }
rlm_python:python_load_function: module 'radiusd_test' is not found
rlm_python:EXCEPT:: No module named radiusd_test
rlm_python:python_load_function: failed to import python function 'radiusd_test.instantiate'
/etc/freeradius/modules/python[1]: Instantiation failed for module "python"
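The question above gets no answer on this page, so here is an added example of what the module named in the mod_* settings has to look like. It is not from the original post and not from the FreeRADIUS project. It assumes the module name radiusd_test from the config above, a constructed two-user table standing in for the real backend, and that the file radiusd_test.py is reachable on the interpreter's sys.path: rlm_python loads it with an ordinary Python import, so setting PYTHONPATH in the environment radiusd starts under is one way to get it there.

```python
"""radiusd_test.py: added example module for rlm_python (not the project's code).

rlm_python imports the module named in mod_authorize etc. ("radiusd_test" here)
through the interpreter's normal import machinery, so this file must be on
sys.path, e.g. via PYTHONPATH in radiusd's environment.  Each hook receives a
tuple of (attribute, value) string pairs and returns either a bare return code
or a (code, reply_pairs, config_pairs) tuple.
"""
import hmac

try:
    import radiusd  # injected by rlm_python when running inside radiusd
except ImportError:
    class radiusd:  # stand-in with the same codes, so the file also runs outside radiusd
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2
        RLM_MODULE_HANDLED, RLM_MODULE_INVALID, RLM_MODULE_USERLOCK = 3, 4, 5
        RLM_MODULE_NOTFOUND, RLM_MODULE_NOOP, RLM_MODULE_UPDATED = 6, 7, 8
        L_DBG, L_AUTH, L_INFO, L_ERR = 1, 2, 3, 4

        @staticmethod
        def radlog(level, msg):
            pass

# Constructed sample backend (assumption: a real one queries a database or an
# API, and does not keep secrets in the module source).
USERS = {
    "alice": {"password": "correct horse", "vlan": "10"},
    "bob": {"password": "battery staple", "vlan": "20"},
}


def pairs_to_dict(pairs):
    """Turn rlm_python's ((attr, value), ...) tuple into a dict (first value wins).

    Older rlm_python releases hand string values over wrapped in double quotes;
    strip one such layer so lookups work either way.
    """
    out = {}
    for attr, value in pairs:
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        out.setdefault(attr, value)
    return out


def instantiate(p=None):
    radiusd.radlog(radiusd.L_INFO, "radiusd_test: module loaded")
    return radiusd.RLM_MODULE_OK


def authorize(p):
    """Look the user up and hand the 'known good' password to the server.

    Returning Cleartext-Password in the control list (third tuple element)
    lets rlm_pap, rlm_mschap and rlm_eap do the comparison, so PAP, CHAP,
    MS-CHAP and EAP-MD5/MSCHAPv2 all keep working without any code here.
    If the backend only stores hashes, return the matching attribute instead
    (Crypt-Password, NT-Password, SSHA-Password, ...) and rlm_pap checks it.
    """
    req = pairs_to_dict(p)
    user = USERS.get(req.get("User-Name", ""))
    if user is None:
        return radiusd.RLM_MODULE_NOTFOUND
    reply = (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", user["vlan"]),
    )
    config = (("Cleartext-Password", user["password"]),)
    return (radiusd.RLM_MODULE_UPDATED, reply, config)


def authenticate(p):
    """Runs only when something set Auth-Type := python; checks User-Password itself.

    Only PAP delivers the cleartext password, so this path cannot serve
    CHAP/MS-CHAP/EAP; prefer the authorize() approach above for those.
    """
    req = pairs_to_dict(p)
    user = USERS.get(req.get("User-Name", ""))
    given = req.get("User-Password")
    if user is None or given is None:
        return radiusd.RLM_MODULE_REJECT
    # Constant-time comparison: a plain == stops at the first differing byte.
    if hmac.compare_digest(given.encode(), user["password"].encode()):
        return radiusd.RLM_MODULE_OK
    return (radiusd.RLM_MODULE_REJECT, (("Reply-Message", "bad credentials"),), ())


def accounting(p):
    return radiusd.RLM_MODULE_OK


def post_auth(p):
    return radiusd.RLM_MODULE_OK


def detach(p=None):
    return radiusd.RLM_MODULE_OK
```

With the module in place, the authorize hook is all that is needed for the usual methods; the authenticate hook is only reached if an `update control { Auth-Type := python }` somewhere in the authorize section asks for it, and then only PAP requests carry a password it can compare.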
Issue with installation of FreeRadiusServer (2.1.11) on Solaris
Hi,

I am using solaris sparc 5.10 for installation of the 2.1.11 version of FreeRadiusServer. My configure and gmake went fine but at the time of "gmake install" I am getting the following error. Can anyone suggest how to fix that error?

#gmake install
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/sbin
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/bin
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/etc/raddb
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/share/man
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/var/run/radiusd
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 700 /usr/local/var/log/radius
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 700 /usr/local/var/log/radius/radacct
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/share
/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/share/freeradius
for i in 1 5 8; do \
	/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -d -m 755 /usr/local/share/man/man$i; \
	for p in man/man$i/*.$i; do \
		/export/home/emsuser/Documents/freeradius-server-2.1.11/install-sh -c -m 644 $p /usr/local/share/man/man$i; \
	done \
done
gmake[1]: Entering directory `/export/home/emsuser/Documents/freeradius-server-2.1.11'
Making install in libltdl...
gmake[2]: Entering directory `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[3]: Entering directory `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
test -z "/usr/local/lib" || /bin/bash /export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl/install-sh -d "/usr/local/lib"
 /bin/bash ./libtool --mode=install /usr/bin/install -c 'libltdl.la' '/usr/local/lib/libltdl.la'
/usr/bin/install -c .libs/libltdl.so.3.1.4 /usr/local/lib/libltdl.so.3.1.4
cp: cannot access /usr/local/lib/libltdl.so.3.1.4
install: cp /usr/local/lib/libltdl.so.3.1.4 .libs/libltdl.so.3.1.4/libltdl.so.3.1.4 failed
gmake[3]: *** [install-libLTLIBRARIES] Error 2
gmake[3]: Leaving directory `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[2]: *** [install-am] Error 2
gmake[2]: Leaving directory `/export/home/emsuser/Documents/freeradius-server-2.1.11/libltdl'
gmake[1]: *** [libltdl] Error 2
gmake[1]: Leaving directory `/export/home/emsuser/Documents/freeradius-server-2.1.11'
gmake: *** [install] Error 2

Thanks,
Harish
Re: FW: "authentication" sub in perl
Alex rsm wrote:
> OpenSSL is installed on my server. No more issue on EAP. However, my
> debug line in sub authenticate still is not being called:

Read the debug output. The "perl" module isn't being called in the "authenticate" section. Why? Because the "eap" module is being called. Why? Because "Auth-Type := EAP" is set. Why? Because the EAP module saw EAP-Message, and decided to do Auth-Type := EAP

It's doing exactly what it's supposed to be doing, and what you told it to do. You didn't tell it to call the Perl module during the "authenticate" section. So it didn't do that.

Alan DeKok.
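What "telling it to call the Perl module during authenticate" looks like in practice, combined with Alan Buxey's point earlier in the thread that for an EAP request the call belongs in the inner-tunnel virtual server, as an added configuration example. This is neither Alex's config nor the stock sites-available/inner-tunnel file; the Auth-Type name "Perl" and the `if (User-Password && !EAP-Message)` guard are choices made here, not anything the thread prescribes.

```text
#  raddb/sites-available/inner-tunnel (excerpt) -- added example, not the stock file
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        #  Assumption made in this example: hand password checking to perl only
        #  for an inner TTLS/PAP request.  An inner EAP-MSCHAPv2 request (PEAP)
        #  carries EAP-Message and must keep the Auth-Type := EAP that the eap
        #  module set above, otherwise PEAP stops working.
        if (User-Password && !EAP-Message) {
            update control {
                Auth-Type := Perl
            }
        }
        perl        # sub authorize: may fill %RAD_CHECK (control) and %RAD_REPLY
        expiration
        logintime
    }

    authenticate {
        Auth-Type Perl {
            perl    # sub authenticate: runs only for requests with Auth-Type = Perl
        }
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The authenticate section only runs the sub-section whose name matches control:Auth-Type, so listing `perl` there without setting `Auth-Type := Perl` in authorize does nothing, and in the outer server the eap module always wins for an EAP request, which is exactly what the debug above shows. With EAP-MD5 (what that debug is doing, since the build had no OpenSSL) there is no inner tunnel at all: the outer eap module completes the authentication itself, and perl can only influence it from authorize, for instance by putting a Cleartext-Password into %RAD_CHECK for rlm_eap_md5 to check.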
FW: "authentication" sub in perl
Ok,
OpenSSL is installed on my server. No more issue on EAP. However, my debug line in sub authenticate still is not being called:

#example.pl

# Declarations from the stock example.pl that the excerpt below omits
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

sub test_call {
    # Some code goes here
}

# Function to handle authorize
sub authorize {
    print "TEST-authorize: username=$RAD_REQUEST{'User-Name'}\n";
    # For debugging purposes only
    # &log_request_attributes;

    # Here's where your authorization code comes
    # You can call another function from here:
    &test_call;

    return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
    print "TEST-authenticate\n";
    # For debugging purposes only
    # &log_request_attributes;

    if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
        # Reject user and tell him why
        $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
        return RLM_MODULE_REJECT;
    }
    else {
        # Accept user and set some attribute
        $RAD_REPLY{'h323-credit-amount'} = "100";
        return RLM_MODULE_OK;
    }
}

and here is the debug:

Cleaning up request 9 ID 9 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=19, length=169
	User-Name = "abc"
	NAS-IP-Address = 10.0.0.31
	NAS-Identifier = "belair"
	NAS-Port = 0
	Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x"
	Calling-Station-Id = "5C-59-48-F0-34-8B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020801616263
	Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "abc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[sql] 	expand: %{User-Name} -> abc
[sql] sql_set_user escaped user --> 'abc'
rlm_sql (sql): Reserving sql socket id: 1
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'abc' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'abc' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User abc not found
++[sql] returns notfound
TEST-authorize: username=abc
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 5C-59-48-F0-34-8B
rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x
rlm_perl: Added pair Message-Authenticator = 0xb952dcdfcec1e39a79c029ccdc94c2ca
rlm_perl: Added pair User-Name = abc
rlm_perl: Added pair NAS-Identifier = belair
rlm_perl: Added pair EAP-Message = 0x020801616263
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.0.31
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.0.0.31 port 50071
	EAP-Message = 0x0101001604108bc56309ea2103957c2aee6450696f68
	Message-Authenticator = 0x
	State = 0x2c81558c2c8051de6687486c2848c067
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.31 port 50071, id=20, length=185
	User-Name = "abc"
	NAS-IP-Address = 10.0.0.31
	NAS-Identifier = "belair"
	NAS-Port = 0
	Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x"
	Calling-Station-Id = "5C-59-48-F0-34-8B"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020100060319
	State = 0x2c81558c2c8051de6687486c2848c067
	Message-Authenticator = 0x959b11a51401f767f5b52bc58298d730
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "abc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap
Re: Radius client redundance
oleaweel wrote:
> I did add the ...
> But it does not seem to work, is there some attributes that i need to add,
> remove or change ?

See the FAQ for "it doesn't work"

Alan DeKok.
Re: Radius client redundance
Hi,

I did add the

home_server nps01 {
	type = auth+acct
	ipaddr = XXX.XXX.XXX.1
	port = 1812,1813
	secret = secretkey
}

home_server nps02 {
	type = auth+acct
	ipaddr = XXX.XXX.XXX.2
	port = 1812,1813
	secret = secretkey
}

home_server_pool my_auth_failover {
	type = fail-over
	home_server = nps01
	home_server = nps02
}

But it does not seem to work. Are there some attributes that I need to add, remove or change?

Regards
Ole

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-client-redundance-tp4822209p4866338.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: "authentication" sub in perl
Yes yes, you've just confirmed what I said. I know you built it without openssl support...I was giving you advice on how to spot it, so that you can verify all is okay after you've installed the required development packages for openssl on your platform, and Google can help you with that.

alan
--
Message may be brief as it has been sent from my mobile
Re: Need help with Freeradius and 802.1X
johnboy68 wrote:
> Users with Vista machines and the 802.1X supplicant configured
> Windows Server 2008 with Active Directory
> Other network connected devices and 'unknown' computers
> 100% Cisco LAN/WAN
>
> Here is what I want to do:
>
> Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active
> Directory for the computers with the supplicant configured and also be able
> to use MySQL to do MAC authentication bypass for known devices like printers
> that can't use a supplicant.

It takes care, but it's not hard.

Step 1, configure AD authentication. See my web page: http://deployingradius.com

Step 2, configure MAC address authentication. See the Wiki.

The key thing is... do each step in isolation. Don't worry about changes in Step 1 breaking step 2. Make sure you understand each piece in isolation before you try to combine them.

Once you get that far come back with more questions.

> I don't have much experience with Freeradius but I feel this is something
> that would be a "normal" 802.1X configuration.

Pretty much, yes.

Alan DeKok.
Re: "authentication" sub in perl
Alex rsm wrote:
> # apt-get install OpenSSL
...
> E: Couldn't find package OpenSSL

Use *google* to find out the names of packages on your OS. Or, search the web pages of the OS vendor.

It should be less work (and faster) than posting messages to this list. This isn't a FreeRADIUS problem.

Alan DeKok.
RE: "authentication" sub in perl
I've built FreeRadius 2.1.11 from src files on ubuntu 8.04 server:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 8.04.4 LTS
Release:        8.04
Codename:       hardy

# ./configure | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires: libpam.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires: libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=.
configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-include-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

# apt-get install OpenSSL
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package OpenSSL

# apt-get install ssl-devel
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package ssl-devel

> Date: Mon, 3 Oct 2011 16:32:44 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: "authentication" sub in perl
>
> Hi,
>
> >Thank you for the response.
> >How can I build the FreeRADIUS with EAP support? I checked the configure
> >and Makefile and couldn't figure it out
>
> did you build it yourself then? if so, then what platform? as that will decide
> the package name.
>
> ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the
> required RPM or PKG file that must be installed. if you'd piped the output of the
> ./configure stage through grep eg
>
> ./configure --with-whatever-options | grep WARN
>
> you'd see all the warnings about functionality that wont work because of lack
> of development headers/libraries
>
> alan
Need help with Freeradius and 802.1X
I have searched the forum but can't find what I'm looking for. Here is my scenario:

Users with Vista machines and the 802.1X supplicant configured
Windows Server 2008 with Active Directory
Other network connected devices and 'unknown' computers
100% Cisco LAN/WAN

Here is what I want to do:

Dynamic VLAN assignment based on 802.1X with Freeradius able to use Active Directory for the computers with the supplicant configured and also be able to use MySQL to do MAC authentication bypass for known devices like printers that can't use a supplicant.

I don't have much experience with Freeradius but I feel this is something that would be a "normal" 802.1X configuration. Any help on how to configure this environment would be greatly appreciated.

Thanks,
John

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Need-help-with-Freeradius-and-802-1X-tp4865617p4865617.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: "authentication" sub in perl
Hi,

>Thank you for the response.
>How can I build the FreeRADIUS with EAP support? I checked the configure
>and Makefile and couldn't figure it out

did you build it yourself then? if so, then what platform? as that will decide the package name.

ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the required RPM or PKG file that must be installed. if you'd piped the output of the ./configure stage through grep eg

./configure --with-whatever-options | grep WARN

you'd see all the warnings about functionality that wont work because of lack of development headers/libraries

alan
Re: Virtual server basic proxy configuration?
John Douglass wrote:
> Basically wanting to create a virtual server listening on port 1818 that
> simply proxies ALL AUTH requests to radius1.gatech.edu port 1812.

Read raddb/sites-available/README

It explains virtual servers in detail.

> At a first read/glance,
> it looks like the proxy settings might apply to all virtual servers

Yes.

> From reading "proxy.conf" would I just define something like:

Which defines a home server, just like normal.

> Now...I am not sure how to apply this to a single virtual server. All I
> really want to do is redirect the requests and respond.

Redirecting the requests involves setting Proxy-To-Realm. So you'll need to set up a realm && home server pool for the above home server. Or, just use the old-style realms definition. It will still work.

Then:

server proxy_all {
	authorize {
		update control {
			Proxy-To-Realm := "nameOfRealm"
		}
	}
}

A seven line config. Can't get much simpler than that.

Alan DeKok.
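The pieces Alan lists (home server, pool, realm, Proxy-To-Realm) put together with the listen block Arran mentions, as an added configuration example for this thread and for the fail-over pool in the "Radius client redundance" thread above. It is not John's or Ole's config and not a file from the project; the names proxy_all, nps01/nps02, nps.example and the 192.0.2.x addresses are placeholders chosen here, and only the directive names are real.

```text
#  raddb/proxy.conf (excerpt) -- added example
home_server nps01 {
    type   = auth+acct
    ipaddr = 192.0.2.1
    port   = 1812         # one integer; for type = auth+acct accounting goes to port + 1
    secret = testing123
    status_check = status-server   # mark a dead server as dead instead of waiting on timeouts
}

home_server nps02 {
    type   = auth+acct
    ipaddr = 192.0.2.2
    port   = 1812
    secret = testing123
    status_check = status-server
}

home_server_pool nps_failover {
    type        = fail-over   # always nps01 first; nps02 only while nps01 is dead
    home_server = nps01
    home_server = nps02
}

#  A pool is never used on its own: a realm has to point at it, and a request
#  has to be marked for that realm with Proxy-To-Realm.
realm nps.example {
    auth_pool = nps_failover
    acct_pool = nps_failover
}

#  raddb/sites-available/proxy_all (symlink it into sites-enabled) -- added example
server proxy_all {
    listen {
        type   = auth
        ipaddr = *
        port   = 1818
    }

    authorize {
        update control {
            Proxy-To-Realm := "nps.example"
        }
    }
    #  With Proxy-To-Realm set, the server skips its own authenticate section,
    #  forwards the packet to the pool, and relays the home server's reply to
    #  the NAS.  Other virtual servers on this host are untouched because the
    #  update lives only in this one's authorize section.
}
```

The proxying decision is per virtual server because it is made by that server's own authorize section; the home_server, pool and realm definitions in proxy.conf are global, which is what the "proxy settings apply to all virtual servers" impression in the question amounts to. Mismatched shared secrets or a pool with no realm referencing it both show up in `radiusd -X` output, so that is where to look when the forwarded request never leaves.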
Re: Virtual server basic proxy configuration?
On 3 Oct 2011, at 17:22, John Douglass wrote:
> Freeradius gurus,
>
> I have looked over the documentation and searched for examples and haven't
> found anything concrete that I feel will solve my configuration. Perhaps
> someone has implemented this or can offer up some advice on how to approach
> this.
>
> Basically wanting to create a virtual server listening on port 1818 that
> simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am used
> to the virtual-server configuration as I have multiple radius based services
> running on different ports, but am not sure how to only proxy those entries
> on that particular virtual server and not the other virtual servers I have
> running on this server. At a first read/glance, it looks like the proxy
> settings might apply to all virtual servers instead of just the one on port
> 1818 that I am defining.
>
> From reading "proxy.conf" would I just define something like:
>
> home_server radius1 {
>    type = auth
>    ipaddr = 10.10.10.10
>    port = 1818
>    secret = testing123
> }
>
> Now...I am not sure how to apply this to a single virtual server. All I
> really want to do is redirect the requests and respond.

Just use a listen block within the virtual server { } configuration. There's a template one in radiusd.conf

Arran Cudbard-Bell
a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Virtual server basic proxy configuration?
Freeradius gurus,

I have looked over the documentation and searched for examples and haven't found anything concrete that I feel will solve my configuration. Perhaps someone has implemented this or can offer up some advice on how to approach this.

Basically wanting to create a virtual server listening on port 1818 that simply proxies ALL AUTH requests to radius1.gatech.edu port 1812. I am used to the virtual-server configuration as I have multiple radius based services running on different ports, but am not sure how to only proxy those entries on that particular virtual server and not the other virtual servers I have running on this server. At a first read/glance, it looks like the proxy settings might apply to all virtual servers instead of just the one on port 1818 that I am defining.

From reading "proxy.conf" would I just define something like:

home_server radius1 {
	type = auth
	ipaddr = 10.10.10.10
	port = 1818
	secret = testing123
}

Now...I am not sure how to apply this to a single virtual server. All I really want to do is redirect the requests and respond.

Any tips would be appreciated,

- John Douglass, Georgia Institute of Technology
Re: "authentication" sub in perl
On 03/10/11 13:48, Alex rsm wrote:
> Alan,
> Thank you for the response.
> How can I build the FreeRADIUS with EAP support? I checked the configure
> and Makefile and couldn't figure it out

No need to edit the Makefile. You need to install a package called something like openssl-devel and then attempt to build FreeRADIUS again.

Jonathan
Rlm_ldap Login without an identity
My LDAP server requires authentication, but for security reasons I can't let a user with permission to read all the data of others make the bind for radius. Studying the log and using radiusd in debug mode, I discovered that if I leave the identity and password blank, the radius tries to log in with the login and password provided by the radius user, and it binds, but after that it also tries to retrieve the user info with the user login, which fails. Is there a way to do the login with LDAP without the identity or password? Using the information provided by the user to try the bind in LDAP and, if the bind is successful, RADIUS authenticates?? Sorry for the bad English

Esdras Caleb
--
(Will you go to heaven or not? Visit www.BoaPessoa.com.br now to find out!)
"One does not GO to Church. One IS Church."
RE: "authentication" sub in perl
Alan,

Thank you for the response.
How can I build the FreeRADIUS with EAP support? I checked the configure and Makefile and couldn't figure it out

Thanks Again,
ASM

> Date: Sun, 2 Oct 2011 21:18:18 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: "authentication" sub in perl
>
> Hi,
>
> >As I said only "authorize" sub is being called when receiving a REQUEST
> >and not authenticate sub.
> >So I need to change Auth-Type to be Perl?
>
> authenticate fails quite simply because this is an EAP request...and your
> FreeRADIUS had been built without EAP support. if you have EAP support, the server would
> trigger the EAP mechanism...which sends the packet through to the inner-tunnel
> virtual server and you would have to have the perl module listed in the
> authenticate section of that VS
>
> > look,
>
> >FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep
> >29 2011 at 14:33:46
>
> >Ignoring EAP-Type/tls because we do not have OpenSSL support.
> >Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> >Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> >[eap] EAP packet type response id 1 length 8
> >[eap] No EAP Start, assuming it's an on-going EAP conversation
>
> >[eap] Request found, released from the list
> >[eap] EAP NAK
> >[eap] NAK asked for unsupported type PEAP
> >[eap] No common EAP types found.
> >[eap] Failed in EAP select
> >++[eap] returns invalid
> >Failed to authenticate the user.
> >Using Post-Auth-Type Reject
>
> ...end of game
>
> as you can see, sending the output of radiusd -X is very very useful
> for those of us that want to help you.
>
> alan
Re: rlm_ldap patch for access_attr_deny_value
Please note: As I am not a C developer, I just mimicked what is already done in rlm_ldap.c to create this patch, which only checks against the "FALSE" value.

So, this patch is not sufficient to manage multiple possible values. For example, inetUserStatus has
- 2 possible REJECT values:
  * inactive
  * deleted
- 1 possible ACCEPT value:
  * active

I am not able to create the patch to support checking on multiple custom reject values. For example, support access_attr_deny_value as a list with space-separated values to check:

access_attr_deny_value = "inactive deleted"

or as a list with | separated values:

access_attr_deny_value = "inactive|deleted"

Best regards,
Fred Maison

2011/10/3 Fred :
> Hi all,
>
> This patch is an attempt to have a more generic custom access_attr
> support, by introducing a new ldap module configuration parameter
> named "access_attr_deny_value" allowing to check an arbitrary access_attr
> attribute value to reject the user.
>
> Without this patch, the configured access_attr attribute is checked
> against a static, (hard-coded) "FALSE" value.
> With this patch, the rlm_ldap module user can configure not only a custom
> access_attr attribute, but also a custom access_attr_deny_value value to
> control user lock status.
> The default value remains FALSE, to maintain backward compatibility.
>
> This patch has been made because if, for example, inetUserStatus is
> used at ldap server level to control lock user status, this control is
> done by the ldap server when the user tries to bind to the ldap.
> From the freeradius point of view, if the ldap bind is not done for any reason
> (i.e. because radiusd received an MSCHAP challenge, and just replayed
> MSCHAP using ntPassword or lmPassword retrieved during author), the ldap
> server will not have occasion to reject the user at binding, so
> radiusd has to do the job himself for inetUserStatus to be honored.
> If radiusd does not do the job, only ldap-binded user will be rejected > (by ldap) but non-binded user will be accepted, thus making ldap > settings disabling the user with inetUserStatus set to "inactive" will > not be honored at radius level and user will be unexpectedly accepted. > > > For example, > ${confdir}/modules/ldap : > access_attr = inetUserStatus # OID > 2.16.840.1.113730.3.1.692 > access_attr_deny_value = "inactive" > > With this setup, if inetUSerStatus is set to inactive in ldap > directory for a particular user, this user will be rejected early > during authorization. > > Best regards, > Fred MAISON > > ### > > diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c > ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c > --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c 2011-09-20 > 14:11:34.0 +0200 > +++ > ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c > 2011-09-29 > 17:39:32.0 +0200 > @@ -146,6 +146,7 @@ > char *default_profile; > char *profile_attr; > char *access_attr; > + char *access_attr_deny_value; > char *passwd_hdr; > char *passwd_attr; > int auto_header; > @@ -304,6 +305,8 @@ > offsetof(ldap_instance,access_attr), NULL, NULL}, > {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, > offsetof(ldap_instance,default_allow), NULL, "yes"}, > + {"access_attr_deny_value", PW_TYPE_STRING_PTR, > + offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"}, > {"chase_referrals", PW_TYPE_BOOLEAN, > offsetof(ldap_instance,chase_referrals), NULL, NULL}, > {"rebind", PW_TYPE_BOOLEAN, 
> @@ -1405,8 +1408,8 @@ > if (inst->access_attr) { > if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) > != NULL) { > if (inst->default_allow){ > - RDEBUG("checking if remote access for %s is > allowed by %s", > request->username->vp_strvalue, inst->access_attr); > - if (!strncmp(vals[0], "FALSE", 5)) { > + RDEBUG("checking if remote access for user %s > is %s by %s", > request->username->vp_strvalue, inst->access_attr_deny_value, > inst->access_attr); > + if (!strncmp(vals[0], > inst->access_attr_deny_value, > sizeof(inst->access_attr_deny_value))) { > RDEBUG("dialup access disabled"); > > snprintf(module_fmsg,sizeof(module_fmsg)," [%s] Access > Attribute denies access", inst->xlat_name); > module_fmsg_vp = > pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); > > > ### > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
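Review bot: the new `access_attr_deny_value` entry in the CONF_PARSER table (second hunk) arrives with no documentation; add the option next to `access_attr` and `access_attr_used_for_allow` in raddb/modules/ldap with its default ("FALSE"), and state there whether the comparison is exact, prefix or case-insensitive, because values such as inetUserStatus are free-form strings and a reader of the config cannot otherwise tell what "inactive" will and will not match. Since the cover note already asks for several reject values ("inactive deleted"), it would be cleaner to document and parse the option as a list now than to change its meaning in a later release.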
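Review bot: in the third hunk `sizeof(inst->access_attr_deny_value)` is the size of a `char *` (4 or 8 bytes), not the length of the configured string, so `if (!strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value)))` compares at most 4 or 8 characters: the default "FALSE" still works by accident, but a deny value of "deactivated" also matches a stored "deactivate", and on a 32-bit build "inactive" matches anything starting with "inac". Use `strlen(inst->access_attr_deny_value)` only if a prefix match is really intended; otherwise `strcmp()` (or `strcasecmp()`, if the directory's values are not case-normalised) is the right call, and the RDEBUG line should say which it is, since "checking if remote access for user %s is %s by %s" does not read as a sentence. Note also that only `vals[0]` is examined, so a multi-valued access_attr (an entry carrying both "active" and "inactive") is only partially checked.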
Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius
On 3 Oct 2011, at 12:04, Fajar A. Nugraha wrote:
> 2011/10/3 PROST Frédéric :
>> But if the connection is correct at the first time and if I then change one
>> of those parameters (ie, disable MAC address on the radius server or change
>> login on my Ubuntu workstation), I can still connect to my WLAN.
>> The only way to correct this problem is to physically switch off and on the
>> wlan card on Ubuntu workstation.
>
> Have you tried restarting radius?
>
>> Mon Oct 3 11:55:51 2011 : Info: ++- entering policy
>> rewrite.calling_station_id {...}
>> Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) &&
>> "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
>
> AFAIK changes to config file (e.g. policy.conf) is re-read only when
> FR is restarted or HUP-ed.

Or in this case the users file :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius
PROST Frédéric wrote:
> It seems that it has a kind of cache but I can't determine where and how to
> disable it (on my Radius server).

FreeRADIUS doesn't cache authentications. The issue is likely that your switch is caching the status of the MAC address.

> Here is a freeradius log extract of the first connection where we can see
> that it checks the MAC address

I'm *presuming* that this is for an Access-Request. I don't know, because you've deleted most of the debug output.

> Here is the Freeradius log file for the second connection, after disabling the MAC
> address and restarting FreeRadius (it connects directly without checking the MAC
> address):

Read it:

> rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2,
> length=152

That's not an Access-Request. The NAS (or switch) is starting an accounting session without first authenticating the user.

> Do you have any idea of how to correct this?

Fix the switch so that it sends Access-Requests when a user connects to it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ldap patch for access_attr_deny_value
Hi all,

This patch is an attempt to have more generic custom access_attr support, by introducing a new ldap module configuration parameter named "access_attr_deny_value" allowing one to check an arbitrary access_attr attribute value to reject a user.

Without this patch, the configured access_attr attribute is checked against a static (hard-coded) "FALSE" value. With this patch, the rlm_ldap module user can configure not only a custom access_attr attribute, but also a custom access_attr_deny_value value to control the user lock status. The default value remains FALSE, to maintain backward compatibility.

This patch has been made because if, for example, inetUserStatus is used at the LDAP server level to control the user lock status, this control is done by the LDAP server when the user tries to bind to the LDAP. From freeradius' point of view, if the LDAP bind is not done for any reason (i.e. because radiusd received an MSCHAP challenge and just replayed MSCHAP using the ntPassword or lmPassword retrieved during authorization), the LDAP server will not have occasion to reject the user at binding, so radiusd has to do the job itself for inetUserStatus to be honoured.

If radiusd does not do the job, only LDAP-bound users will be rejected (by LDAP) but non-bound users will be accepted, thus the LDAP setting disabling the user with inetUserStatus set to "inactive" will not be honoured at the radius level and the user will be unexpectedly accepted.

For example, in ${confdir}/modules/ldap:

access_attr = inetUserStatus # OID 2.16.840.1.113730.3.1.692
access_attr_deny_value = "inactive"

With this setup, if inetUserStatus is set to inactive in the LDAP directory for a particular user, this user will be rejected early during authorization.
Best regards, Fred MAISON ### diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c 2011-09-20 14:11:34.0 +0200 +++ ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c 2011-09-29 17:39:32.0 +0200 @@ -146,6 +146,7 @@ char *default_profile; char *profile_attr; char *access_attr; + char*access_attr_deny_value; char *passwd_hdr; char *passwd_attr; int auto_header; @@ -304,6 +305,8 @@ offsetof(ldap_instance,access_attr), NULL, NULL}, {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"}, + {"access_attr_deny_value", PW_TYPE_STRING_PTR, +offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"}, {"chase_referrals", PW_TYPE_BOOLEAN, offsetof(ldap_instance,chase_referrals), NULL, NULL}, {"rebind", PW_TYPE_BOOLEAN, @@ -1405,8 +1408,8 @@ if (inst->access_attr) { if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) { if (inst->default_allow){ - RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr); - if (!strncmp(vals[0], "FALSE", 5)) { + RDEBUG("checking if remote access for user %s is %s by %s", request->username->vp_strvalue, inst->access_attr_deny_value, inst->access_attr); + if (!strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))) { RDEBUG("dialup access disabled"); snprintf(module_fmsg,sizeof(module_fmsg)," [%s] Access Attribute denies access", inst->xlat_name); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); ### - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
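Review bot: in the @@ -304,6 +305,8 @@ hunk the new "access_attr_deny_value" item is registered with a default of "FALSE" but the patch adds no documentation for it; add a commented entry to the shipped ${confdir}/modules/ldap next to access_attr and access_attr_used_for_allow, stating that only the attribute's first value (vals[0]) is compared, that the item is only consulted when access_attr_used_for_allow = yes, and that "FALSE" is the default so existing configurations keep their behaviour.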
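Review bot: in the @@ -1405,8 +1408,8 @@ hunk, sizeof(inst->access_attr_deny_value) is the size of a char pointer (4 or 8 bytes), not the length of the configured string, so the new strncmp() is a prefix match whose width depends on the build: on a 32-bit build access_attr_deny_value = "inactive" also matches any value beginning with "inac", and on a 64-bit build a deny value longer than eight characters is only compared on its first eight. Because this is a deny check the mistake fails closed (extra users get locked out, nobody extra gets in), but behaviour silently differs between platforms. Compare the whole string instead, e.g. "if (strcmp(vals[0], inst->access_attr_deny_value) == 0) {", or pass strlen(inst->access_attr_deny_value) as the length if the old five-byte prefix semantics against "FALSE" are meant to be preserved. The reworded RDEBUG ("checking if remote access for user %s is %s by %s") also reads as a statement rather than a test; something like "checking if %s for user %s equals deny value %s" says what is being compared.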
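A worked model of the gap Fred describes, added here as an example and not code from FreeRADIUS, rlm_ldap or the patch: a directory that enforces inetUserStatus only at bind time, a PAP path that binds as the user, and an MS-CHAP path that only replays the stored ntPassword, run with and without the authorize-time access_attr / access_attr_deny_value check. The directory entries, passwords and status values are constructed; the challenge/response is an HMAC-SHA256 stand-in for MS-CHAP, not the real algorithm; and the handling of a missing attribute and of access_attr_used_for_allow = no is my reading of the module, not something the post shows.

```python
"""Model of the authorize/authenticate split behind the access_attr_deny_value
patch. Everything here is constructed for the demo (not rlm_ldap code)."""
import hashlib
import hmac
import os


def nt_hash_standin(password):
    """Stand-in for the hash stored in ntPassword (assumption: not real MD4)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


# Constructed directory. The LDAP server enforces inetUserStatus only when
# someone binds as the user; a plain search returns the entry regardless.
DIRECTORY = {
    "alice": {"userPassword": "correct horse",
              "ntPassword": nt_hash_standin("correct horse"),
              "inetUserStatus": "active"},
    "bob": {"userPassword": "battery staple",
            "ntPassword": nt_hash_standin("battery staple"),
            "inetUserStatus": "inactive"},
}


def ldap_search(username):
    """Authorize-time lookup with the module's own credentials: no user bind,
    so the lock state comes back as data but is not enforced by the server."""
    return DIRECTORY.get(username)


def ldap_bind(username, password):
    """Bind as the user: the one place where the directory honours the lock."""
    entry = DIRECTORY.get(username)
    if entry is None or entry["userPassword"] != password:
        return False
    return entry["inetUserStatus"] != "inactive"


def access_attr_check(entry, access_attr, deny_value="FALSE",
                      used_for_allow=True):
    """Authorize-time check modelled on the post's configurable deny value.
    used_for_allow mirrors access_attr_used_for_allow; the missing-attribute
    and used_for_allow = no branches are my reading of the module (assumption).
    The comparison is an exact match: "inactive" must not also match
    "inactive-pending"."""
    if access_attr is None:
        return True
    value = entry.get(access_attr)
    if used_for_allow:
        return value is not None and value != deny_value
    return value is None


def mschap_response_standin(password, challenge):
    """Client side: proves knowledge of the stored hash without sending the
    password. Nothing in this path ever binds to the directory."""
    return hmac.new(nt_hash_standin(password), challenge, hashlib.sha256).digest()


def access_request(username, method, credential, challenge=None,
                   access_attr=None, deny_value="FALSE"):
    """Server side: authorize (search plus optional access_attr check), then
    authenticate. PAP binds as the user; MS-CHAP replays the stored hash."""
    entry = ldap_search(username)
    if entry is None:
        return "Access-Reject"
    if not access_attr_check(entry, access_attr, deny_value):
        return "Access-Reject"  # rejected early, during authorization
    if method == "PAP":
        ok = ldap_bind(username, credential)
    elif method == "MS-CHAP":
        expected = hmac.new(entry["ntPassword"], challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, credential)
    else:
        raise ValueError("unknown method %r" % method)
    return "Access-Accept" if ok else "Access-Reject"


def demo():
    """Runs the cases the post argues about and returns the outcomes."""
    challenge = os.urandom(16)
    bob_resp = mschap_response_standin("battery staple", challenge)
    alice_resp = mschap_response_standin("correct horse", challenge)
    return {
        # LDAP refuses the bind, so the lock holds without any help from radiusd
        "bob_pap_no_check": access_request("bob", "PAP", "battery staple"),
        # no bind and no check: the locked account is accepted (the problem)
        "bob_mschap_no_check": access_request("bob", "MS-CHAP", bob_resp, challenge),
        # access_attr = inetUserStatus, access_attr_deny_value = "inactive"
        "bob_mschap_with_check": access_request(
            "bob", "MS-CHAP", bob_resp, challenge,
            access_attr="inetUserStatus", deny_value="inactive"),
        "alice_mschap_with_check": access_request(
            "alice", "MS-CHAP", alice_resp, challenge,
            access_attr="inetUserStatus", deny_value="inactive"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-26s %s" % (case, outcome))
```

The second case is the one the patch exists for: bob is locked in the directory, yet his MS-CHAP request is accepted because nothing ever binds as bob. With access_attr = inetUserStatus and access_attr_deny_value = "inactive" he is rejected in authorization before any authentication runs. The same applies to any method that authenticates from a hash fetched during authorization rather than by binding (MS-CHAPv2 inside PEAP included), which is why the check belongs in authorize and cannot be left to the bind.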
Re: Ubuntu client always connect to wlan even if it is not allowed by Freeradius
2011/10/3 PROST Frédéric :
> But if the connection is correct at the first time and if I then change one
> of those parameters (i.e. disable the MAC address on the radius server or change
> the login on my Ubuntu workstation), I can still connect to my WLAN.
> The only way to correct this problem is to physically switch off and on the
> wlan card on the Ubuntu workstation.

Have you tried restarting radius?

>
> Mon Oct 3 11:55:51 2011 : Info: ++- entering policy
> rewrite.calling_station_id {...}
> Mon Oct 3 11:55:51 2011 : Info: +++? if ((Calling-Station-Id) &&
> "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)

AFAIK changes to config files (e.g. policy.conf) are re-read only when
FR is restarted or HUP-ed.

> Here is the Freeradius log file for the second connection, after disabling the MAC
> address and restarting FreeRadius (it connects directly without checking the MAC
> address):
>
> rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2,
> length=152

That's an accounting request, not an access request.

-- 
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ubuntu client always connect to wlan even if it is not allowed by Freeradius
ns noop
Mon Oct 3 11:50:16 2011 : Info: ++[files] returns noop
Mon Oct 3 11:50:16 2011 : Info: # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
Mon Oct 3 11:50:16 2011 : Info: +- entering group accounting {...}
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 192.168.2.15
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct 3 11:50:16 2011 : Info: [detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.15/detail-20111003
Mon Oct 3 11:50:16 2011 : Info: [detail] expand: %t -> Mon Oct 3 11:50:16 2011
Mon Oct 3 11:50:16 2011 : Info: ++[detail] returns ok
Mon Oct 3 11:50:16 2011 : Info: ++[unix] returns ok
Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
Mon Oct 3 11:50:16 2011 : Info: [radutmp] expand: %{User-Name} -> salons
Mon Oct 3 11:50:16 2011 : Info: ++[radutmp] returns ok
Mon Oct 3 11:50:16 2011 : Info: ++[exec] returns noop
Mon Oct 3 11:50:16 2011 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> salons
Mon Oct 3 11:50:16 2011 : Debug: attr_filter: Matched entry DEFAULT at line 12
Mon Oct 3 11:50:16 2011 : Info: ++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 2 to 192.168.2.15 port 32847
Mon Oct 3 11:50:16 2011 : Info: Finished request 1.
Mon Oct 3 11:50:16 2011 : Info: Cleaning up request 1 ID 2 with timestamp +17
Mon Oct 3 11:50:16 2011 : Debug: Going to the next request
Mon Oct 3 11:50:16 2011 : Info: Ready to process requests.

Do you have any idea of how to correct this?

Thank you very much,
Regards,
Fred

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
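As an added example (not part of the thread), the check Alan and Fajar apply by eye to Fred's log, written as detection logic over sample lines: flag every Accounting-Request with Acct-Status-Type = Start for which the same NAS never received an Access-Accept for that user. The log below is constructed in the format of the thread's debug output; the Access-Request, Access-Accept and attribute lines are assumptions about what a full log would contain, since Fred's excerpt shows only the accounting half.

```python
"""Find accounting sessions that start without an Access-Accept for the same
NAS and User-Name in a FreeRADIUS log. Example code, not from the thread."""
import re

RAD_RECV = re.compile(
    r"rad_recv: (Access-Request|Accounting-Request) packet from host (\S+) "
    r"port (\d+), id=(\d+)")
SENDING = re.compile(
    r"Sending (Access-Accept|Access-Reject|Accounting-Response) of id (\d+) "
    r"to (\S+) port (\d+)")
USER_NAME = re.compile(r'User-Name = "([^"]*)"')
ACCT_STATUS = re.compile(r"Acct-Status-Type = (\S+)")

# Constructed sample: one authenticated session for "salons", then an
# accounting Start for "guest", a user this server never authenticated.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.2.15 port 32847, id=1, length=180
\tUser-Name = "salons"
\tCalling-Station-Id = "00-11-22-33-44-55"
Sending Access-Accept of id 1 to 192.168.2.15 port 32847
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=2, length=152
\tUser-Name = "salons"
\tAcct-Status-Type = Start
Sending Accounting-Response of id 2 to 192.168.2.15 port 32847
rad_recv: Accounting-Request packet from host 192.168.2.15 port 32847, id=3, length=152
\tUser-Name = "guest"
\tAcct-Status-Type = Start
Sending Accounting-Response of id 3 to 192.168.2.15 port 32847
""".splitlines()


def find_unauthenticated_starts(lines):
    """Return [(nas, user), ...] for every Accounting-Request Start whose
    (NAS, user) pair has no earlier Access-Accept in the log. Requests are
    matched to their replies by (NAS, packet id); the timestamp prefix that
    radiusd adds to log lines is ignored because the patterns are searched."""
    in_flight = {}    # (nas, id) -> request currently being parsed
    accepted = set()  # (nas, user) pairs that received an Access-Accept
    current = None
    findings = []
    for line in lines:
        m = RAD_RECV.search(line)
        if m:
            kind, nas, _port, rid = m.groups()
            current = {"kind": kind, "nas": nas, "user": None, "status": None}
            in_flight[(nas, rid)] = current
            continue
        m = SENDING.search(line)
        if m:
            reply, rid, nas, _port = m.groups()
            req = in_flight.pop((nas, rid), None)
            current = None
            if req is None:
                continue  # reply to a request that started before the log window
            if reply == "Access-Accept":
                accepted.add((nas, req["user"]))
            elif req["kind"] == "Accounting-Request" and req["status"] == "Start":
                if (nas, req["user"]) not in accepted:
                    findings.append((nas, req["user"]))
            continue
        if current is not None:  # attribute lines belong to the open request
            m = USER_NAME.search(line)
            if m:
                current["user"] = m.group(1)
            m = ACCT_STATUS.search(line)
            if m:
                current["status"] = m.group(1)
    return findings


if __name__ == "__main__":
    for nas, user in find_unauthenticated_starts(SAMPLE_LOG):
        print("accounting Start from %s for %r without an Access-Accept" % (nas, user))
```

A hit is a triage signal, not proof: the Access-Accept may predate the log window, may have come from another server if the NAS load-balances, or the NAS may be configured to skip authentication on that port. Matching is on (NAS, User-Name) rather than on MAC because the Calling-Station-Id is only what the NAS claims. The clean result for "salons" and the hit for "guest" reproduce the point of Alan's reply: when the only packets for a session are accounting, the NAS decided on its own that the user was allowed in, and that is what has to be fixed.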