Re: rlm_perl and dynamic_clients

2012-08-31 Thread Steven Eksteen
Hi,

I was wondering how would I use Packet-Src-IP-Address using Perl for
Dynamic Clients. I thought it might be part of the RAD_REQUEST hash.
If some direction could be made as to setting
FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I
would be very grateful. I already have Perl working for the normal AAA
functions. This just doesn't appear to work the same way. I am not a
Perl developer in the slightest so apologies in advance if this is a
monumentally stupid question.

Thank you

---

FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu

---

client dynamic {
ipaddr = 0.0.0.0
netmask = 0
dynamic_clients = dynamic_client_server
lifetime = 3600
}

server dynamic_client_server {
authorize {
dynamic-clients-pl
}
}

---

use strict;
use Data::Dumper;

# Request attributes, populated by rlm_perl before each call
use vars qw(%RAD_REQUEST);

# rlm_perl return codes ("use constant NAME => value")
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_HANDLED  => 3;
use constant RLM_MODULE_INVALID  => 4;
use constant RLM_MODULE_USERLOCK => 5;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;
use constant RLM_MODULE_NUMCODES => 9;

sub authorize {
  log_request_attributes();

  return RLM_MODULE_FAIL;
}

# Dump every request attribute to the server log
sub log_request_attributes {
  for (keys %RAD_REQUEST) {
    radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
  }
}
---

rad_recv: Access-Request packet from host 41.132.69.140 port 51951,
id=31, length=212
server dynamic_client_server {
} # server dynamic_client_server
Ignoring request to authentication address * port 1812 as server r9
from unknown client 41.132.69.140 port 51951
Ready to process requests.

---



On Tue, Aug 28, 2012 at 4:21 PM, Steven Eksteen st...@saoirse.co.za wrote:

 Thank you. Much appreciated


 On Tue, Aug 28, 2012 at 4:14 PM, Alan DeKok al...@deployingradius.com
 wrote:
  Steven Eksteen wrote:
  I was wondering how would I use Packet-Src-IP-Address using Perl for
  Dynamic Clients. I thought it might be part of the RAD_REQUEST hash.
 
It's not, but you can do:
 
  server dynamic_client_server {
  authorize {
  update request {
  Tmp-IP-Address-0 := "%{Packet-Src-IP-Address}"
  }
 
  dynamic-clients-pl
  }
  }
 
 
And then use the Tmp-IP-Address-0 in the Perl code.
 
  If some direction could be made as to setting
  FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I
  would be very grateful.
 
You just set them in the RAD_REPLY hash.
 
  I already have Perl working for the normal AAA
  functions. This just doesn't appear to work the same way. I am not a
  Perl developer in the slightest so apologies in advance if this is a
  monumentally stupid question.
 
Nope.  It's a complicated system.
 
Alan DeKok.
  -
  List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
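As an added example (not code from the thread or from FreeRADIUS itself), a dynamic-client authorize sub for rlm_perl that consumes the Tmp-IP-Address-0 copy Alan suggests and defines the client for that source address. It writes the FreeRADIUS-Client-* attributes into %RAD_CHECK, the control list, which is where the stock raddb/sites-available/dynamic-clients file puts them with update control; the lookup table, addresses and secrets are constructed placeholders standing in for a real database or LDAP query.

```perl
use strict;
use warnings;

# Lists exported by rlm_perl: the request list and the control list
# (rlm_perl presents the control items as %RAD_CHECK).
use vars qw(%RAD_REQUEST %RAD_CHECK);

use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;

# Constructed lookup table: NAS source address -> client definition.
# The addresses and secrets are placeholders; a real deployment would
# query a database or LDAP here instead.
my %known_nas = (
    '192.0.2.10' => { shortname => 'switch-01', secret => 'PLACEHOLDER-SECRET-1', nastype => 'cisco' },
    '192.0.2.11' => { shortname => 'router-01', secret => 'PLACEHOLDER-SECRET-2', nastype => 'other' },
);

# Called from the authorize section of dynamic_client_server. Assumes the
# virtual server first copied the source address with
#   update request { Tmp-IP-Address-0 := "%{Packet-Src-IP-Address}" }
sub authorize {
    my $src = $RAD_REQUEST{'Tmp-IP-Address-0'};

    unless (defined $src && exists $known_nas{$src}) {
        radiusd::radlog(1, "dynamic client: no definition for "
                           . (defined $src ? $src : 'unknown source'));
        return RLM_MODULE_NOTFOUND;   # request stays ignored as an unknown client
    }

    my $def = $known_nas{$src};
    radiusd::radlog(1, "dynamic client: defining $def->{shortname} for $src");

    # The server builds the new client from these control-list attributes.
    $RAD_CHECK{'FreeRADIUS-Client-IP-Address'} = $src;
    $RAD_CHECK{'FreeRADIUS-Client-Shortname'}  = $def->{shortname};
    $RAD_CHECK{'FreeRADIUS-Client-Secret'}     = $def->{secret};
    $RAD_CHECK{'FreeRADIUS-Client-NAS-Type'}   = $def->{nastype};
    $RAD_CHECK{'FreeRADIUS-Client-Require-MA'} = 'no';

    return RLM_MODULE_OK;
}
```

With the client defined this way the "Ignoring request ... from unknown client" line in the debug output above goes away for known addresses, while unknown sources are still dropped.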

Re: rlm_perl and dynamic_clients

2012-08-31 Thread Alan DeKok
Steven Eksteen wrote:
 I was wondering how would I use Packet-Src-IP-Address using Perl for
 Dynamic Clients.

  I'm wondering why you didn't read my previous message.  You know, the
one you replied to, and quoted verbatim?  The one that had the answer to
your questions?

 I thought it might be part of the RAD_REQUEST hash.

  I have no idea why.  You were told it wasn't.  What part of my message
didn't you understand?  Or did you simply not read it?

 If some direction could be made as to setting
 FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret, etc. too I
 would be very grateful.

  Do you understand what a RADIUS secret is?

 I already have Perl working for the normal AAA
 functions. This just doesn't appear to work the same way. I am not a
 Perl developer in the slightest so apologies in advance if this is a
 monumentally stupid question.

  If you're going to ask questions on this list, it helps to read the
answers.

  Alan DeKok.


Re: Integration with CISCO Router for PEAP requests

2012-08-31 Thread Arran Cudbard-Bell
*sigh*

You cannot do what you want. Even if you send an Access-Accept, the client will 
most likely disconnect of its own accord, because you cannot fake a success 
message in the inner tunnel. Unless of course you're using some weird funky 
cisco client that ignores all the standards.

If you really don't believe us, try it for yourself:

post-auth {
	Post-Auth-Type REJECT {
		if ("%{reply:EAP-Message}" =~ /0x04([0-9a-f]{2}).*/i) {
			update reply {
				EAP-Message := "0x03%{1}0004"
			}
		}
		update control {
			Response-Packet-Type := Access-Accept
		}
	}
}

Note: Modifying Repost-Packet-Type that may not be supported in future versions.

-Arran



On 30 Aug 2012, at 17:52, Andras Ionut ionut.and...@gmail.com wrote:

 Hi Phil,
 
 Sorry if this looks dumb to you.
 
 I've read your post; the reason I explicitly asked how to do this in PEAP
 is because the post says:
 This only works for PAP, and does NOT work for EAP-TLS, CHAP, MSCHAP, or
 WIMAX authentication.
 
 Now, I especially need to send Access-Accept for PEAP with inner
 EAP-MSCHAPv2, and I also don't use MySQL to select the users.
 I've also tried to set Access-Accept as any other AVP from my FreeRADIUS
 module, but it doesn't work (extract from log attached).
 
 Can you please help?
 
 Thanks in advance.
 Andras
 
 
 
 
 
 On 30/08/12 15:11, Andras Ionut wrote:
  Hi Phil,
 
  Thanks a lot for the quick response.
 
  I need this for PEAP with EAP protocol inside the tunnel, like EAP-MSCHAPv2.
 
  Again, The device MUST reject the connection as EAP is not completed,
  but the ROUTER needs that Access-Accept,
  in order to be able to redirect user to portal.
 
  Can this be done?
 
 The technique to do this is described in the FAQ entry I linked. Did you 
 read it?
 



Re:

2012-08-31 Thread Arran Cudbard-Bell

On 31 Aug 2012, at 05:37, QASIM RAO qasim2...@hotmail.com wrote:

 sir,
 The actual problem is that when I run 'radiusd', the log file is saved at the
 location I defined in radiusd.conf:
 
 prefix = /usr/local
 exec_prefix = ${prefix}
 sysconfdir = ${prefix}/etc
 localstatedir = ${prefix}/var
 sbindir = ${exec_prefix}/sbin
 logdir = ${localstatedir}/log/radius
 
 
 
 but when I run radius with 'radiusd -X', I save it at the location defined in
 radiusd.dat:
 
 
 echo -n $"Starting $prog: "
 cd $binfolder
 daemon ./radiusd > /var/log/radius`date '+%Y%m%d'`.log
 RETVAL=$?
 sleep 2

*sigh*

Use -xx (instead of -X) and periodically move the log file the server generates 
to /var/log/radius`date '+%Y%m%d'`.log using a logrotate hook.

-Arran


Re: Integration with CISCO Router for PEAP requests

2012-08-31 Thread Phil Mayers

On 08/30/2012 05:52 PM, Andras Ionut wrote:



Now, I especially need to send Access-Accept for PEAP with inner
EAP-MSCHAPv2, and I also I don't use MyQL to select the users.
I've also tried to set Access-Accept as any other AVP from my Freeradius
module, but doesn't work. (extract from log attached)


You keep repeating this. It is obvious you are really desperate. But it 
doesn't work like that.


You *CAN* force the server to send the Accept - Arran has shown you how 
to do that. The FAQ entry is another way to force it for *every* user.


The reason the FAQ entry says this doesn't work for EAP is NOTHING to 
do with the server. With enough knowledge, you can make the server do 
anything you want.


The problem is the EAP client. It WILL NOT STAY CONNECTED to the network.

Think about it for a second: from the debug you show, you are dealing 
with Wi-Fi. If you force auth success, the radius server will return an 
accept, and the wi-fi point will forward the EAP Success to the client. 
But the client will not have completed a successful authentication, so 
it won't have any keying material. How is it going to send encrypted 
packets?


Try it and see; do what the FAQ entry says, or what Arran has suggested, 
and watch what the client does when you try to override failed auth.



Re: Integration with CISCO Router for PEAP requests

2012-08-31 Thread Arran Cudbard-Bell
 
 Note: Modifying Repost-Packet-Type that may not be supported in future 
 versions.

*Response


Re: Log rotation

2012-08-31 Thread Antonio Modesto
2012/8/29 Fajar A. Nugraha l...@fajar.net

 On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto
 mode...@isimples.com.br wrote:
  Hi,
 
  Today I'm rotating my log files with a script that runs every night, the
  problem is that it must stop the radiusd process, rename the file, create a
  new one then start radiusd again. Is there a way to do that transparently?
  Via syslog or something else?

 Your OS should do that already via logrotate, HUP-ing the running FR
 process in the process. What OS/distro are you using, and what FR
 version?

 Hi, I'm using FreeBSD 8.0-STABLE


 --
 Fajar



Re: Log rotation

2012-08-31 Thread Fajar A. Nugraha
On Fri, Aug 31, 2012 at 6:54 PM, Antonio Modesto
mode...@isimples.com.br wrote:


 2012/8/29 Fajar A. Nugraha l...@fajar.net

 On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto
 mode...@isimples.com.br wrote:
  Hi,
 
  Today I'm rotating my log files with a script that runs every night, the
  problem is that it must stop the radiusd process, rename the file, create a
  new one then start radiusd again. Is there a way to do that transparently?
  Via syslog or something else?

 Your OS should do that already via logrotate, HUP-ing the running FR
 process in the process. What OS/distro are you using, and what FR
 version?

 Hi, I'm using FreeBSD 8.0-STABLE

Sorry, I'm not familiar with FreeBSD.

You should be able to install logrotate from FreeBSD ports (if not
installed already), and configure it to rotate FreeRADIUS' logs. Or
contact the maintainer of the FreeRADIUS port on FreeBSD, just in case
they do it already, or have plans to do it.

... or if you're feeling particularly lazy and just want something
that can run FR and is already configured to do log rotation, switch to
Linux :)

-- 
Fajar


Re: Log rotation

2012-08-31 Thread Maarten Carels
On 31 Aug 2012, at 14:17 , Fajar A. Nugraha wrote:

 On Fri, Aug 31, 2012 at 6:54 PM, Antonio Modesto
 mode...@isimples.com.br wrote:
 
 
 2012/8/29 Fajar A. Nugraha l...@fajar.net
 
 On Wed, Aug 29, 2012 at 9:10 PM, Antonio Modesto
 mode...@isimples.com.br wrote:
 Hi,
 
 Today I'm rotating my log files with a script that runs every night, the
 problem is that it must stop the radiusd process, rename the file, create a
 new one then start radiusd again. Is there a way to do that transparently?
 Via syslog or something else?
 
 Your OS should do that already via logrotate, HUP-ing the running FR
 process in the process. What OS/distro are you using, and what FR
 version?
 
 Hi, I'm using FreeBSD 8.0-STABLE
 
 Sorry, I'm not familiar with FreeBSD.
 
 You should be able to install logrotate from FreeBSD ports (if not
 installed already), and configure it to rotate FreeRADIUS' logs. Or
 contact the maintainer of the FreeRADIUS port on FreeBSD, just in case
 they do it already, or have plans to do it.
 
 ... or if you're feeling particularly lazy and just want something
 that can run FR and is already configured to do log rotation, switch to
 Linux :)

FreeBSD sports something called newsyslog for log rotation. It is part of the
standard install.

--maarten



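For the FreeBSD case Maarten mentions, an added example (not from the thread) of a newsyslog.conf entry that rotates the radiusd log nightly and sends SIGHUP so the running server reopens the file instead of being stopped, which is the transparent rotation the original question asks for; the log and pid file paths are assumptions for a ports install under /usr/local.

```conf
# /etc/newsyslog.conf entry (added example; both paths are assumptions)
# logfilename                          owner:group mode count size when  flags pid_file                      sig
/usr/local/var/log/radius/radius.log   root:wheel  640  7     *    @T00  JC    /var/run/radiusd/radiusd.pid  1
#
# count 7   keep seven rotated copies
# size  *   rotate on schedule only, never on size
# @T00      rotate daily at 00:00
# J         compress the rotated copy with bzip2
# C         create the log file if it does not exist
# sig 1     SIGHUP: radiusd re-reads its configuration and reopens the log,
#           so there is no stop/rename/start cycle and no lost requests
```

On Linux the same effect is the postrotate kill -HUP step in a logrotate stanza, which is what Fajar's reply refers to.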

Question setting up Virtual Servers with unique clients / users files.

2012-08-31 Thread Zach Simpson
Hi,

I'm relatively new to FreeRADIUS, and I'm working on moving the
administrative logins of our network devices (switches, routers, etc) to it.


I was planning on using AD as my data source and creating groups (ex.
Switches, Routers) so people could easily be assigned permissions for the
various devices.  I believe I have the AD/Ldap Group retrieval parts
working.

What I'm having issues with is creating user file rules for each group of
devices.  I have a few rules in the users file that look like this:

DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message = "Welcome Switch Admin!"
DEFAULT Ldap-Group == "Router Admins"
        Reply-Message = "Welcome Router Admin!"

But the issue is that if a user is a member of both groups, it stops at the
first match.

Is there a way to specify a specific users file for each entry in the
Clients file?  I'm thinking that to do this I will need to setup a virtual
server for each client group, but I'm not finding much in the ways of sample
configurations that let me specify the users file as well.


Thanks,
Zach 



Re: Question setting up Virtual Servers with unique clients / users files.

2012-08-31 Thread Alan DeKok
Zach Simpson wrote:
 What I'm having issues with is creating user file rules for each group of
 devices.  I have a few rules in the users file that look like this:
 
 DEFAULT Ldap-Group == "Switch Admins"
         Reply-Message = "Welcome Switch Admin!"
 DEFAULT Ldap-Group == "Router Admins"
         Reply-Message = "Welcome Router Admin!"
 
 But the issue is that if a user is a member of both groups, it stops at the
 first match.

  You can use Fall-Through to have it continue processing the file.
See the rest of the comments / examples in the users file, and man
users.

 Is there a way to specify a specific users file for each entry in the
 Clients file?  I'm thinking that to do this I will need to setup a virtual
 server for each client group, but I'm not finding much in the ways of sample
 configurations that let me specify the users file as well.

  In the latest version of the server, see raddb/modules/files

  Alan DeKok.

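An added example (not from the thread or the FreeRADIUS distribution) of the layout Alan points at with raddb/modules/files: one files instance per device class, each reading its own users file, selected per client through a virtual server, which is also the per-client users file Zach asked about. File names, addresses, secrets and virtual server names are assumptions, and the authenticate section assumes AD is checked by an LDAP bind as in a typical 2.x setup.

```conf
# raddb/modules/files: one instance per device class, each with its own
# users file (file names are assumptions)
files switch_users {
        usersfile = ${confdir}/users.switches
}
files router_users {
        usersfile = ${confdir}/users.routers
}

# raddb/clients.conf: each client selects the virtual server for its class
# (addresses and secrets are placeholders)
client switch-01 {
        ipaddr         = 192.0.2.10
        secret         = PLACEHOLDER-SECRET
        virtual_server = switches
}
client router-01 {
        ipaddr         = 192.0.2.11
        secret         = PLACEHOLDER-SECRET
        virtual_server = routers
}

# raddb/sites-available/switches (link it into sites-enabled; "routers" is
# identical except that it calls router_users). ldap runs before the files
# instance so the Ldap-Group check in the users file can be evaluated.
server switches {
        authorize {
                ldap
                switch_users
        }
        authenticate {
                # AD does not expose password hashes, so bind as the user
                Auth-Type LDAP {
                        ldap
                }
        }
}

# raddb/users.switches: only the switch rule lives here, so there is no
# first-match conflict with the router rule in users.routers
DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message = "Welcome Switch Admin!"
```

A user who is in both AD groups then gets the switch message when logging in to a switch and the router message on a router, without any Fall-Through logic.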


Re: Question setting up Virtual Servers with unique clients / users files.

2012-08-31 Thread Klaus Klein

On 31.08.2012 19:22, Zach Simpson wrote:

What I'm having issues with is creating user file rules for each group of
devices.  I have a few rules in the users file that look like this:

DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message = "Welcome Switch Admin!"
DEFAULT Ldap-Group == "Router Admins"
        Reply-Message = "Welcome Router Admin!"

But the issue is that if a user is a member of both groups, it stops at the
first match.


Your problem as well as the solution is described at the top of the users file:

#  A special user named DEFAULT matches on all usernames.
#  You can have several DEFAULT entries. All entries are processed
#  in the order they appear in this file. The first entry that
#  matches the login-request will stop processing unless you use
#  the Fall-Through variable.

You therefore should use the following:

# Reply items of one entry are separated by commas; "+=" is used so the
# second Reply-Message is added alongside the first (plain "=" only adds
# an attribute when none of that name is present yet)
DEFAULT Ldap-Group == "Switch Admins"
        Reply-Message += "Welcome Switch Admin!",
        Fall-Through = Yes
DEFAULT Ldap-Group == "Router Admins"
        Reply-Message += "Welcome Router Admin!",
        Fall-Through = Yes

Cheers,
Klaus


Re: Question setting up Virtual Servers with unique clients / users files.

2012-08-31 Thread Klaus Klein

On 31.08.2012 20:35, Klaus Klein wrote:


... long text ...
-


Oops, too late.

Next time I'll try to type faster. ;-)

Klaus