Re: rlm_perl and dynamic_clients
Hi, I was wondering how I would use Packet-Src-IP-Address from Perl for Dynamic Clients. I thought it might be part of the RAD_REQUEST hash. If some direction could be given on setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too, I would be very grateful.

I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest, so apologies in advance if this is a monumentally stupid question.

Thank you

---
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu
---
client dynamic {
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 3600
}

server dynamic_client_server {
        authorize {
                dynamic-clients-pl
        }
}
---
use strict;
use Data::Dumper;
use vars qw(%RAD_REQUEST);

# Return codes understood by rlm_perl.
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_HANDLED  => 3;
use constant RLM_MODULE_INVALID  => 4;
use constant RLM_MODULE_USERLOCK => 5;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;
use constant RLM_MODULE_NUMCODES => 9;

sub authorize {
        log_request_attributes();
        return RLM_MODULE_FAIL;
}

# Dump every attribute of the incoming request to the server log.
sub log_request_attributes {
        for (keys %RAD_REQUEST) {
                radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
        }
}
---
rad_recv: Access-Request packet from host 41.132.69.140 port 51951, id=31, length=212
server dynamic_client_server {
} # server dynamic_client_server
Ignoring request to authentication address * port 1812 as server r9 from unknown client 41.132.69.140 port 51951
Ready to process requests.
---
On Tue, Aug 28, 2012 at 4:21 PM, Steven Eksteen <st...@saoirse.co.za> wrote:
> Thank you. Much appreciated
>
> On Tue, Aug 28, 2012 at 4:14 PM, Alan DeKok <al...@deployingradius.com> wrote:
>> Steven Eksteen wrote:
>>> I was wondering how I would use Packet-Src-IP-Address using Perl for Dynamic Clients. I thought it might be part of the RAD_REQUEST hash.
>>
>> It's not, but you can do:
>>
>> server dynamic_client_server {
>>         authorize {
>>                 update request {
>>                         Tmp-IP-Address-0 := "%{Packet-Src-IP-Address}"
>>                 }
>>                 dynamic-clients-pl
>>         }
>> }
>>
>> And then use the Tmp-IP-Address-0 in the Perl code.
>>
>>> If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful.
>>
>> You just set them in the RAD_REPLY hash.
>>
>>> I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question.
>>
>> Nope. It's a complicated system.
>>
>> Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
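As a worked follow-on to Alan's answer quoted above (added here; not code from the thread or from the FreeRADIUS project): a dynamic-clients Perl module that reads the copied Tmp-IP-Address-0, looks the source address up in a constructed inventory, and defines the client. It writes the FreeRADIUS-Client-* attributes into %RAD_CHECK, rlm_perl's view of the control list, which is where the stock raddb/sites-available/dynamic-clients example sets them; the inventory, the addresses and secrets, and the define_client helper are all assumptions of this example.

```perl
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_CHECK);

use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;

# Constructed inventory of NAS source addresses (RFC 5737 test addresses):
# source IP => [shortname, shared secret]. In production this would come
# from an inventory database and the secrets would not sit in the script.
my %known_nas = (
    '192.0.2.10' => [ 'switch-core-1', 'example-secret-1' ],
    '192.0.2.11' => [ 'router-edge-1', 'example-secret-2' ],
);

# Entry point called by the dynamic_client_server virtual server. It relies
# on the unlang from the thread having copied Packet-Src-IP-Address into
# Tmp-IP-Address-0 before this module runs.
sub authorize {
    return define_client( $RAD_REQUEST{'Tmp-IP-Address-0'}, \%known_nas, \%RAD_CHECK );
}

# Looks the source address up and, when it is known, writes the
# FreeRADIUS-Client-* definition into the control list ($check). Unknown
# sources get NOTFOUND, so the server keeps treating them as unknown
# clients and drops the packet; no fallback secret is ever handed out.
sub define_client {
    my ( $src, $inventory, $check ) = @_;
    return RLM_MODULE_NOTFOUND unless defined $src && exists $inventory->{$src};
    my ( $shortname, $secret ) = @{ $inventory->{$src} };
    $check->{'FreeRADIUS-Client-IP-Address'} = $src;
    $check->{'FreeRADIUS-Client-Shortname'}  = $shortname;
    $check->{'FreeRADIUS-Client-Secret'}     = $secret;
    $check->{'FreeRADIUS-Client-NAS-Type'}   = 'other';
    # radiusd::radlog only exists when running inside the server.
    radiusd::radlog( 1, "dynamic client $shortname defined for $src" ) if defined &radiusd::radlog;
    return RLM_MODULE_OK;
}

# Stand-alone check with a constructed request, for testing the lookup
# outside radiusd (skipped when loaded by rlm_perl).
unless ( defined &radiusd::radlog ) {
    %RAD_REQUEST = ( 'Tmp-IP-Address-0' => '192.0.2.10' );
    my $rc = authorize();
    printf "rc=%d shortname=%s\n", $rc, $RAD_CHECK{'FreeRADIUS-Client-Shortname'} // 'none';
}
```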
Re: rlm_perl and dynamic_clients
Steven Eksteen wrote:
> I was wondering how I would use Packet-Src-IP-Address using Perl for Dynamic Clients.

I'm wondering why you didn't read my previous message. You know, the one you replied to, and quoted verbatim? The one that had the answer to your questions?

> I thought it might be part of the RAD_REQUEST hash.

I have no idea why. You were told it wasn't. What part of my message didn't you understand? Or did you simply not read it?

> If some direction could be made as to setting FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I would be very grateful.

Do you understand what a RADIUS secret is?

> I already have Perl working for the normal AAA functions. This just doesn't appear to work the same way. I am not a Perl developer in the slightest so apologies in advance if this is a monumentally stupid question.

If you're going to ask questions on this list, it helps to read the answers.

Alan DeKok.
Re: Integration with CISCO Router for PEAP requests
*sigh* You cannot do what you want. Even if you send an Access-Accept, the client will most likely disconnect of its own accord, because you cannot fake a success message in the inner tunnel. Unless of course you're using some weird funky Cisco client that ignores all the standards.

If you really don't believe us, try it for yourself:

post-auth {
        Post-Auth-Type REJECT {
                if ("%{reply:EAP-Message}" =~ /0x04([0-9a-f]{2}).*/i) {
                        update reply {
                                EAP-Message := "0x03%{1}0004"
                        }
                }
                update control {
                        Response-Packet-Type := Access-Accept
                }
        }
}

Note: Modifying Repost-Packet-Type may not be supported in future versions.

-Arran

On 30 Aug 2012, at 17:52, Andras Ionut <ionut.and...@gmail.com> wrote:
> Hi Phil,
>
> Sorry if this looks dumb to you. I've read your post; the reason I've explicitly asked how to do this in PEAP is because in the post it says: "This only works for PAP, and does NOT work for EAP-TLS, CHAP, MSCHAP, or WIMAX authentication."
>
> Now, I especially need to send Access-Accept for PEAP with inner EAP-MSCHAPv2, and I also don't use MySQL to select the users. I've also tried to set Access-Accept as any other AVP from my FreeRADIUS module, but it doesn't work. (extract from log attached)
>
> Can you please help?
>
> Thanks in advance.
> Andras
>
>> On 30/08/12 15:11, Andras Ionut wrote:
>>> Hi Phil,
>>> Thanks a lot for the quick response. I need this for PEAP with EAP protocol inside the tunnel, like EAP-MSCHAPv2. Again, the device MUST reject the connection as EAP is not completed, but the ROUTER needs that Access-Accept, in order to be able to redirect the user to the portal. Can this be done?
>>
>> The technique to do this is described in the FAQ entry I linked. Did you read it?
Re:
On 31 Aug 2012, at 05:37, QASIM RAO <qasim2...@hotmail.com> wrote:
> sir, the actual problem is that when I run with 'radiusd' the log file is saved in the location I defined in radiusd.conf:
>
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = ${prefix}/var
> sbindir = ${exec_prefix}/sbin
> logdir = ${localstatedir}/log/radius
>
> but when I run radius with 'radiusd -X' it is saved in the location defined in radiusd.dat:
>
> echo -n $"Starting $prog: "
> cd $binfolder
> daemon ./radiusd > /var/log/radius`date '+%Y%m%d'`.log
> RETVAL=$?
> sleep 2

*sigh* Use -xx (instead of -X) and periodically move the log file the server generates to /var/log/radius`date '+%Y%m%d'`.log using a logrotated hook.

-Arran
Re: Integration with CISCO Router for PEAP requests
On 08/30/2012 05:52 PM, Andras Ionut wrote:
> Now, I especially need to send Access-Accept for PEAP with inner EAP-MSCHAPv2, and I also don't use MySQL to select the users. I've also tried to set Access-Accept as any other AVP from my FreeRADIUS module, but it doesn't work. (extract from log attached)

You keep repeating this. It is obvious you are really desperate. But it doesn't work like that.

You *CAN* force the server to send the Accept - Arran has shown you how to do that. The FAQ entry is another way to force it for *every* user.

The reason the FAQ entry says this doesn't work for EAP is NOTHING to do with the server. With enough knowledge, you can make the server do anything you want. The problem is the EAP client. It WILL NOT STAY CONNECTED to the network.

Think about it for a second: from the debug you show, you are dealing with Wi-Fi. If you force auth success, the RADIUS server will return an Accept, and the Wi-Fi point will forward the EAP Success to the client. But the client will not have completed a successful authentication, so it won't have any keying material. How is it going to send encrypted packets?

Try it and see; do what the FAQ entry says, or what Arran has suggested, and watch what the client does when you try to override failed auth.
Re: Integration with CISCO Router for PEAP requests
> Note: Modifying Repost-Packet-Type may not be supported in future versions.

*Response
Re: Log rotation
2012/8/29 Fajar A. Nugraha <l...@fajar.net>
> On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto <mode...@isimples.com.br> wrote:
>> Hi,
>>
>> Today I'm rotating my log files with a script that runs every night. The problem is that it must stop the radiusd process, rename the file, create a new one, then start radiusd again. Is there a way to do that transparently? Via syslog or something else?
>
> Your OS should do that already via logrotate, HUP-ing the running FR process in the process.
>
> What OS/distro are you using, and what FR version?

Hi, I'm using FreeBSD 8.0-STABLE

> --
> Fajar
Re: Log rotation
On Fri, Aug 31, 2012 at 6:54 PM, Antonio Modesto <mode...@isimples.com.br> wrote:
> 2012/8/29 Fajar A. Nugraha <l...@fajar.net>
>> On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto <mode...@isimples.com.br> wrote:
>>> Hi,
>>>
>>> Today I'm rotating my log files with a script that runs every night. The problem is that it must stop the radiusd process, rename the file, create a new one, then start radiusd again. Is there a way to do that transparently? Via syslog or something else?
>>
>> Your OS should do that already via logrotate, HUP-ing the running FR process in the process.
>>
>> What OS/distro are you using, and what FR version?
>
> Hi, I'm using FreeBSD 8.0-STABLE

Sorry, I'm not familiar with FreeBSD. You should be able to install logrotate from FreeBSD ports (if not installed already), and configure it to rotate FreeRADIUS' logs. Or contact the maintainer of the FreeRADIUS port on FreeBSD, just in case they do it already, or have plans to do it.

... or if you're feeling particularly lazy and just want something that can run FR and is already configured to do log rotation, switch to Linux :)

--
Fajar
Re: Log rotation
On 31 Aug 2012, at 14:17, Fajar A. Nugraha wrote:
> On Fri, Aug 31, 2012 at 6:54 PM, Antonio Modesto <mode...@isimples.com.br> wrote:
>> 2012/8/29 Fajar A. Nugraha <l...@fajar.net>
>>> On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto <mode...@isimples.com.br> wrote:
>>>> Hi,
>>>>
>>>> Today I'm rotating my log files with a script that runs every night. The problem is that it must stop the radiusd process, rename the file, create a new one, then start radiusd again. Is there a way to do that transparently? Via syslog or something else?
>>>
>>> Your OS should do that already via logrotate, HUP-ing the running FR process in the process.
>>>
>>> What OS/distro are you using, and what FR version?
>>
>> Hi, I'm using FreeBSD 8.0-STABLE
>
> Sorry, I'm not familiar with FreeBSD. You should be able to install logrotate from FreeBSD ports (if not installed already), and configure it to rotate FreeRADIUS' logs. Or contact the maintainer of the FreeRADIUS port on FreeBSD, just in case they do it already, or have plans to do it.
>
> ... or if you're feeling particularly lazy and just want something that can run FR and is already configured to do log rotation, switch to Linux :)

FreeBSD sports something called newsyslog for log rotation. Part of the standard install.

--maarten
Question setting up Virtual Servers with unique clients / users files.
Hi,

I'm relatively new to FreeRADIUS, and I'm working on moving the administrative logins of our network devices (switches, routers, etc.) to it. I was planning on using AD as my data source and creating groups (e.g. Switches, Routers) so people could easily be assigned permissions for the various devices. I believe I have the AD/LDAP group retrieval parts working.

What I'm having issues with is creating users file rules for each group of devices. I have a few rules in the users file that look like this:

DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message = "Welcome Switch Admin!"

DEFAULT Ldap-Group == "Router Admins"
        Reply-Message = "Welcome Router Admin!"

But the issue is that if a user is a member of both groups, it stops at the first match.

Is there a way to specify a specific users file for each entry in the clients file? I'm thinking that to do this I will need to set up a virtual server for each client group, but I'm not finding much in the way of sample configurations that let me specify the users file as well.

Thanks,
Zach
Re: Question setting up Virtual Servers with unique clients / users files.
Zach Simpson wrote:
> What I'm having issues with is creating users file rules for each group of devices. I have a few rules in the users file that look like this:
>
> DEFAULT Ldap-Group == "Switch Admins"
>         Reply-Message = "Welcome Switch Admin!"
>
> DEFAULT Ldap-Group == "Router Admins"
>         Reply-Message = "Welcome Router Admin!"
>
> But the issue is that if a user is a member of both groups, it stops at the first match.

You can use Fall-Through to have it continue processing the file. See the rest of the comments / examples in the users file, and "man users".

> Is there a way to specify a specific users file for each entry in the clients file? I'm thinking that to do this I will need to set up a virtual server for each client group, but I'm not finding much in the way of sample configurations that let me specify the users file as well.

In the latest version of the server, see raddb/modules/files

Alan DeKok.
Re: Question setting up Virtual Servers with unique clients / users files.
On 31.08.2012 19:22, Zach Simpson wrote:
> What I'm having issues with is creating users file rules for each group of devices. I have a few rules in the users file that look like this:
>
> DEFAULT Ldap-Group == "Switch Admins"
>         Reply-Message = "Welcome Switch Admin!"
>
> DEFAULT Ldap-Group == "Router Admins"
>         Reply-Message = "Welcome Router Admin!"
>
> But the issue is that if a user is a member of both groups, it stops at the first match.

Your problem as well as the solution is described at the top of the users file:

# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.

You should therefore use the following:

DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message = "Welcome Switch Admin!",
        Fall-Through = Yes

DEFAULT Ldap-Group == "Router Admins"
        Reply-Message = "Welcome Router Admin!",
        Fall-Through = Yes

Cheers,
Klaus
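An added Perl model (not from the thread, not FreeRADIUS code) of how the files module walks DEFAULT entries, covering the Fall-Through point in both Alan's and Klaus's answers above and going one step further to the reply-item operators ("=", "+=", ":="), which decide whether a second Reply-Message actually lands in the reply. The entry layout, the Ldap-Group list standing in for rlm_ldap's group lookup, and the user are constructed assumptions.

```perl
use strict;
use warnings;

# Constructed model of Klaus's two DEFAULT entries (not a real users file):
# [ name, check items, reply items ], each item as [ attribute, op, value ].
my @users_file = (
    [ 'DEFAULT', [ [ 'Ldap-Group', '==', 'Switch Admins' ] ],
      [ [ 'Reply-Message', '=', 'Welcome Switch Admin!' ], [ 'Fall-Through', '=', 'Yes' ] ] ],
    [ 'DEFAULT', [ [ 'Ldap-Group', '==', 'Router Admins' ] ],
      [ [ 'Reply-Message', '=', 'Welcome Router Admin!' ], [ 'Fall-Through', '=', 'Yes' ] ] ],
);

# Walks the entries the way the files module does: in order, DEFAULT matching
# any User-Name, every check item having to match, and processing stopping at
# the first match unless that entry sets Fall-Through = Yes. Reply items merge
# with the users-file operator rules: ":=" replaces, "+=" always adds, and "="
# adds only when the attribute is not in the reply yet (assumption: Ldap-Group
# is a plain list of the user's groups here).
sub evaluate_users {
    my ( $entries, $request ) = @_;
    my %reply;    # attribute => [ values ]
    for my $entry (@$entries) {
        my ( $name, $checks, $replies ) = @$entry;
        next unless $name eq 'DEFAULT' || $name eq $request->{'User-Name'}[0];
        next unless check_items_match( $checks, $request );
        my $fall_through = 0;
        for my $item (@$replies) {
            my ( $attr, $op, $value ) = @$item;
            if ( $attr eq 'Fall-Through' ) { $fall_through = lc($value) eq 'yes'; next }
            if    ( $op eq ':=' ) { $reply{$attr} = [$value] }
            elsif ( $op eq '+=' ) { push @{ $reply{$attr} }, $value }
            elsif ( $op eq '=' )  { $reply{$attr} //= [$value] }
        }
        last unless $fall_through;
    }
    return \%reply;
}

# True when every check item holds against the request's attribute lists.
sub check_items_match {
    my ( $checks, $request ) = @_;
    for my $check (@$checks) {
        my ( $attr, $op, $want ) = @$check;
        my $hit = grep { $_ eq $want } @{ $request->{$attr} // [] };
        return 0 if ( $op eq '==' && !$hit ) || ( $op eq '!=' && $hit );
    }
    return 1;
}

# Constructed request for a user who is in both AD groups.
my %request = ( 'User-Name' => ['zach'], 'Ldap-Group' => [ 'Switch Admins', 'Router Admins' ] );
print "$_\n" for @{ evaluate_users( \@users_file, \%request )->{'Reply-Message'} };
```

Run as written it yields only the first greeting: Fall-Through does reach the second entry, but a "Reply-Message =" item is added only while the reply has no Reply-Message yet. Change the operator to "+=" in both entries to receive both greetings.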
Re: Question setting up Virtual Servers with unique clients / users files.
On 31.08.2012 20:35, Klaus Klein wrote:
> ... long text ...

Oops, too late. Next time I'll try to type faster. ;-)

Klaus