Truncation of octet attribute handled by rlm_perl
Hello everyone, I am having a slight problem with rlm_perl and I would really appreciate any advice/help.

I have a perl script (run by rlm_perl) which adds a value to the DHCP-Classless-Static-Route attribute, something like this :-

### perl script snippets
...
my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
...
&radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
...
$RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
...
###

..but from the debug output I see that the attribute data is truncated at the first octet with value 00 :-

### freeradius -Xx snippets
...
Thu Feb 28 10:35:23 2013 : rlm_perl: packed data: 10ac100a02
Thu Feb 28 10:35:23 2013 : Debug: rlm_perl: Added pair DHCP-Classless-Static-Route = ???
...
DHCP-Classless-Static-Route = 0x10ac100a
##

Am I doing something daft, or is this a possible bug in rlm_perl? I am using freeradius 2.2.0.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
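The symptom in the post, an octets value that stops at the first 0x00 byte, is what binary data looks like after it has been passed through a NUL-terminated C string. The Python below is an added illustration, not code from the post or from FreeRADIUS or rlm_perl: it builds the RFC 3442 classless static route encoding for the route in the post (172.16.0.0/16 via 10.0.0.2), shows what a NUL truncation leaves behind, and checks that an option value decodes as a whole number of routes, which is the check a script can run before it assigns the value to a reply attribute. The truncation helper is a model of the C-string behaviour, not a copy of any rlm_perl code.

```python
"""RFC 3442 classless static route option: encode, decode, and detect NUL truncation.

Added example (not from the post or from FreeRADIUS). The route values are the
ones from the post; c_string_truncate() models a NUL-terminated C string.
"""
from ipaddress import IPv4Address, IPv4Network


def encode_route(dest: str, router: str) -> bytes:
    """Encode one route as: prefix length, significant destination octets, 4-byte router."""
    net = IPv4Network(dest)
    significant = (net.prefixlen + 7) // 8          # RFC 3442: only octets covered by the mask
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + IPv4Address(router).packed)


def encode_routes(routes) -> bytes:
    """Concatenate several (destination, router) pairs into one option value."""
    return b"".join(encode_route(dest, router) for dest, router in routes)


def decode_routes(data: bytes):
    """Decode an option value back into (destination, router) pairs.

    Raises ValueError when the data does not end on a route boundary, which is
    the symptom of a value that was cut at a 0x00 byte somewhere along the way.
    """
    routes = []
    offset = 0
    while offset < len(data):
        prefixlen = data[offset]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {offset}")
        significant = (prefixlen + 7) // 8
        end = offset + 1 + significant + 4
        if end > len(data):
            raise ValueError(
                f"route at offset {offset} truncated: need {end} bytes, have {len(data)}")
        dest = data[offset + 1:offset + 1 + significant] + bytes(4 - significant)
        router = data[offset + 1 + significant:end]
        routes.append((f"{IPv4Address(dest)}/{prefixlen}", str(IPv4Address(router))))
        offset = end
    return routes


def is_well_formed(data: bytes) -> bool:
    """True when the value decodes cleanly and is non-empty; check this before replying."""
    try:
        decode_routes(data)
    except ValueError:
        return False
    return len(data) > 0


def c_string_truncate(data: bytes) -> bytes:
    """Model of binary data passed through a NUL-terminated C string: cut at the first 0x00."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


if __name__ == "__main__":
    full = encode_route("172.16.0.0/16", "10.0.0.2")          # the route from the post
    print("packed:   ", full.hex())                            # 10ac100a000002
    cut = c_string_truncate(full)
    print("truncated:", cut.hex(), "well-formed:", is_well_formed(cut))   # 10ac100a False
    # A default route starts with a 0x00 prefix length, so it would vanish entirely.
    print("default route left:", c_string_truncate(encode_route("0.0.0.0/0", "10.0.0.1")).hex())
```

Any route whose destination has a zero octet inside the significant part, or a router address with a zero octet, hits the same cut; a default route (prefix length 0) is lost completely. Running the decoded value through `is_well_formed()` on the receiving side, or checking the attribute in the debug output against the hex printed by the script, shows the damage before a client ever sees the option.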
Feature requests for FreeRADIUS 3
We expect to release 3.0.0 in the next couple of months. With major releases occurring fairly infrequently, now is a good time to request any features that would break configuration compatibility with previous releases, or you

You can see the current list of feature requests here:

https://github.com/FreeRADIUS/freeradius-server/issues?labels=feature+request&page=1&sort=created&state=open

and log any feature requests you have using the same tool.

Arran Cudbard-Bell
FreeRADIUS dev team - Maintainer
Please contribute documentation: http://wiki.freeradius.org
Re: Freeradius as DHCP server (static IP + some options)
I apologize for the late response, I have been very busy and I couldn't keep working on this.

I found the problem! (at least it works now)

I installed Freeradius from PPA.
https://launchpad.net/~freeradius/+archive/stable

DHCP functionality does not work when installed from PPA, or at least the package version 2.2.0 + dfsg-ppa10 does not work.
Reason: it installed and configured without errors, and seems to respond correctly with OFFER and ACK, but these packets never leave the network adapter.

SOLUTION: install and configure from sources.

I'm writing a how-to for setting up freeradius as a DHCP server, completely from scratch, for static IP allocation, with DHCP options and using Mysql.
If you allow me, I'd like to post it in this mailing list for you to test and correct it.

Thanks!
Re: Freeradius as DHCP server (static IP + some options)
Hi,

> I installed Freeradius from PPA.
> https://launchpad.net/~freeradius/+archive/stable
>
> DHCP functionality not work when installed from PPA, or at least the
> package version 2.2.0 + dfsg-ppa10 not work.
> Reason: installed and configured without errors, seems to respond
> correctly OFFER and ACK but this packets never leaves the network
> adapter.
>
> SOLUTION: install and configure from sources.

what configuration options are in the PPA version? something is not right there

> I'm writing a how-to for setting freeradius as DHCP server, completely
> from scratch, for static IP allocation, with DHCP options and using
> Mysql.
> If you allow me, i'd like to post it in this mailing list for you to
> test and correct it.

...and it can go onto WIKI/HOWTO

alan
Re: Proxy configuration question
On 27/02/13 17:23, bpa...@ovi.com wrote:
> Thanks Phil. Just a quick add-on question. In radiusd.conf there is :
>
> # To disable proxying, change the "yes" to "no", and comment the
> # $INCLUDE line.
> #
> # allowed values: {no, yes}
> #
> proxy_requests = yes
> $INCLUDE proxy.conf
>
> Would switching off proxy, be sufficient? Or will I end up with other issues?

TBH I can't remember the various effects. Try it and see.
rlm_ldap group search filter
I have profiles setup for all our users but I am having some trouble with setting the groupmembership_filter correctly. It will query LDAP successfully but only after it does a failed search first. I have tried using numerous filters including the default one but I can't seem to separate the username by itself which is causing the initial search failure. I read through the rlm_ldap doc a few times but I didn't see anything that I thought would help.

Here is the output from radiusd -X. This is the part where it uses the search filter and fails.

[files] users: Matched entry DEFAULT at line 214
[domain1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=domain.on.ca,dc=placeholder,dc=ca -> ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
[files] expand: (&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn})) -> (&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca))
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, with filter (&(cn=residential_profile)(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca)))
[domain1] object not found

It starts a second search and succeeds.

[domain1] ldap_release_conn: Release Id: 0
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in uid=112boy,ou=radius,o=domain.on.ca,dc=palceholder,dc=ca, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
[domain1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok

My users file looks like this.

ldap domain1 {
    server = " ldap01.placeholder.ca"
    identity = "username xxx"
    password =
    basedn = "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
    groupname_attribute = cn
    groupmembership_attribute = radiusGroupName
    groupmembership_filter = "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"
    #do_xlat = yes
    #compare_check_items = yes
    #access_attr_used_for_allow = yes
    ldap_connections_number = 5

My users file

DEFAULT Service-Type == Framed-User, Huntgroup-Name == bras, domain1-Ldap-Group == residential_profile
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.0.16 0.0.0.15 eq 25",
    Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
    Cisco-AVPair += "ip:inacl#300=permit ip any any",
    Fall-Through = No

Any help is appreciated.

Thanks,
Chris
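The debug output above shows two things worth seeing side by side: the user DN is escaped before it is placed in the filter (the `\3d` and `\2c` in `member=uid\3d112boy\2c...`), and the group comparison runs in two stages, a search for a group object under the basedn first, then a read of the user's own entry for the groupmembership_attribute. The Python below is an added model of that, not rlm_ldap's code. The in-memory directory is constructed to mirror the poster's tree (a posixAccount carrying radiusGroupName, and a radiusProfile object with no member attribute, so the first search has nothing to match); the escape set is an assumption that reproduces the log output and may differ from rlm_ldap's own.

```python
"""Two-stage LDAP group check and filter-value escaping, modelled on the debug output.

Added example, not rlm_ldap's code. DIRECTORY is a constructed stand-in for
the poster's tree; the DN and group name are the ones from the log.
"""

# Characters escaped in filter values: the RFC 4515 filter specials plus the
# RFC 4514 DN specials. Assumption: this reproduces the \3d / \2c in the log,
# but rlm_ldap's own escape set may differ slightly.
_ESCAPE = set('*()\\\x00=,+<>;"#')


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in _ESCAPE else c for c in value)


def build_group_filter(group: str, user_dn: str, membership_filter: str) -> str:
    """Combine cn=<group> with the configured groupmembership_filter, as the log shows."""
    expanded = membership_filter.replace("%{control:Ldap-UserDn}", escape_filter_value(user_dn))
    return "(&(cn=" + escape_filter_value(group) + ")" + expanded + ")"


BASE_DN = "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
USER_DN = "uid=112boy," + BASE_DN
PROFILE_DN = "cn=residential_profile," + BASE_DN

# Constructed directory: the user entry carries radiusGroupName; the profile
# object exists but has no 'member' attribute, so stage 1 cannot match it.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["posixAccount"], "uid": ["112boy"], "cn": ["true"],
        "radiusGroupName": ["residential_profile"],
    },
    PROFILE_DN: {
        "objectClass": ["radiusProfile"], "cn": ["residential_profile"],
    },
}


def ldap_groupcmp(directory, base_dn, user_dn, group, membership_attr="radiusGroupName"):
    """Return (is_member, trace).

    Stage 1 searches base_dn for a radiusProfile object named <group> that lists
    the user in 'member'. Stage 2 reads the user's entry and checks membership_attr.
    """
    trace = []
    for dn, entry in directory.items():
        if not dn.endswith(base_dn):
            continue
        if ("radiusProfile" in entry.get("objectClass", [])
                and group in entry.get("cn", [])
                and user_dn in entry.get("member", [])):
            trace.append(f"group object {dn} lists user as member")
            return True, trace
    trace.append("object not found")                 # the 'failed search' in the post
    user = directory.get(user_dn)
    if user is None:
        trace.append("user entry not found")
        return False, trace
    if group in user.get(membership_attr, []):
        trace.append(f"User found in group {group}")
        return True, trace
    trace.append(f"User not in group {group}")
    return False, trace


if __name__ == "__main__":
    print(build_group_filter("residential_profile", USER_DN,
                             "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"))
    ok, trace = ldap_groupcmp(DIRECTORY, BASE_DN, USER_DN, "residential_profile")
    print(ok, trace)
```

The first "object not found" is stage 1 coming up empty because no group object under the basedn names the user as a member; the membership is then found on the user's entry in stage 2. The escaping is the part to keep an eye on from a security standpoint: a value such as `*)(uid=*` becomes `\2a\29\28uid\3d\2a` and stays a literal, rather than rewriting the filter.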
Re: Proxy configuration question
Thanks Phil. Just a quick add-on question. In radiusd.conf there is :

# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf

Would switching off proxy, be sufficient? Or will I end up with other issues?

-BPa

> From: Phil Mayers
> To: freeradius-users@lists.freeradius.org
> Sent: Wednesday, February 27, 2013 9:10 AM
> Subject: Re: Proxy configuration question
>
> On 27/02/13 14:46, bpa...@ovi.com wrote:
>
>> The RADIUS server gets the Access request and then tries to proxy it
>> to example.com. I dont want the request or authentication to be proxied
>> elsewhere. The authentication needs to happen on the local RADIUS server
>> itself. What am I missing in the config?
>
> If you don't want to proxy the request, don't configure the server to proxy.
>
> In you case, you should remove the "suffix" module from "authorize"
> and/or remove the "example.com" realm from the "proxy.conf"
read value of host-ip in perl-module (freeRADIUS 2.2.0)
> How (if at all) can I access the value of "host" (10.1.4.82 in the
> example above) from within the perl-module?

Phil Mayers p.mayers at imperial.ac.uk wrote:
> There is a "virtual" attribute Client-IP-Address, that you can copy to a temporary attribute before calling the perl module e.g.
>
> authorize {
>   ...
>   update request {
>     Tmp-IP-Address-0 := "%{Client-IP-Address}"
>   }
>   myperl
>   ...
> }

Many thanks to Alan and especially Phil for the detailed explanation.

Best,
Wolfgang
Re: Proxy configuration question
On 27/02/13 14:46, bpa...@ovi.com wrote:
> The RADIUS server gets the Access request and then tries to proxy it
> to example.com. I don't want the request or authentication to be proxied
> elsewhere. The authentication needs to happen on the local RADIUS server
> itself. What am I missing in the config?

If you don't want to proxy the request, don't configure the server to proxy.

In your case, you should remove the "suffix" module from "authorize"
and/or remove the "example.com" realm from the "proxy.conf"
Proxy configuration question
Hello,

I have a rudimentary proxy configuration question: I am doing some testing with a Freeradius server in the lab and the setup looks as follows:

[Host] --WiFi--- [AP]---[Wireless Cntrlr]---[AAA/Freeradius server]

Using EAP-TTLS for authentication. My wpa_supplicant config file looks like:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
network={
    ssid="mySSID"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonym...@example.com"
    ca_cert="/home/testuser/Downloads/ca.pem"
    phase2="autheap=PAP"
    identity="daniel"
    password="daniel"
}

The RADIUS server gets the Access request and then tries to proxy it to example.com. I don't want the request or authentication to be proxied elsewhere. The authentication needs to happen on the local RADIUS server itself. What am I missing in the config? The server and client certs are all there in /etc/raddb/certs directory.

Below is a snippet of the logs that I am seeing on the RADIUS server:

Tue Feb 26 17:29:43 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234
    User-Name = "anonym...@example.com"
    Calling-Station-Id = "00-03-7F-10-51-82"
    NAS-IP-Address = 192.168.0.8
    NAS-Port = 34
    Called-Station-Id = "8C-0C-90-15-D1-9C:mySSID"
    Service-Type = Framed-User
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "8C-0C-90-15-D1-9C"
    Connect-Info = "CONNECT 802.11a/n"
    EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d
    Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332
    Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec
Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...}
Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop
Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm "example.com" for User-Name = "anonym...@example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = "anonymous"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous to realm example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication request to realm "example.com"
Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated
Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop
Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 207
Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop
Tue Feb 26 17:29:43 2013 : Info: WARNING: Empty pre-proxy section. Using default return values.

Any help appreciated.

-BPa
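The `[suffix]` lines in the log above show the realm decision step by step: the User-Name is split at `@`, the realm is looked up in the proxy.conf realm table, Stripped-User-Name and Realm are added, and because the realm has a home server pool the request is marked for proxying. The two fixes Phil gives in this thread (drop the suffix module from authorize, or drop the example.com realm from proxy.conf) both change that decision. The Python below is an added model of it, not rlm_realm's code; the realm tables are constructed stand-ins for proxy.conf realm blocks, and "anonymous@example.com" is the outer identity reconstructed from the log's Stripped-User-Name and Realm lines. Keep in mind that the outer identity is chosen by the supplicant, so only the realm table, never the name itself, should decide where a request goes.

```python
"""Model of the rlm_realm (suffix) decision shown in the radiusd -X output.

Added example, not FreeRADIUS code. The REALMS tables are constructed stand-ins
for proxy.conf realm blocks; the user names are the ones from the post.
"""


def suffix(user_name: str, realms: dict, delimiter: str = "@"):
    """Return (attributes the module adds, action).

    action is one of:
      "noop"  - no delimiter, or realm not configured (and no DEFAULT): handled
                locally with the User-Name untouched
      "local" - realm configured without an auth_pool: handled locally, name stripped
      "proxy" - realm configured with an auth_pool: Proxy-To-Realm is set
    """
    if delimiter not in user_name:
        return {}, "noop"
    stripped, _, realm_name = user_name.rpartition(delimiter)
    # The realm lookup falls back to a realm named DEFAULT if one is configured.
    realm = realms.get(realm_name, realms.get("DEFAULT"))
    if realm is None:
        return {}, "noop"
    attrs = {"Stripped-User-Name": stripped, "Realm": realm_name}
    if realm.get("auth_pool"):
        attrs["Proxy-To-Realm"] = realm_name
        return attrs, "proxy"
    return attrs, "local"


# Constructed realm tables (assumed pool name):
PROXYING = {"example.com": {"auth_pool": "my_auth_failover"}}   # what the log shows
REALM_REMOVED = {}                                               # realm deleted from proxy.conf
REALM_LOCAL = {"example.com": {}}                                # realm kept, no home server pool


if __name__ == "__main__":
    for name, table in (("proxying", PROXYING), ("removed", REALM_REMOVED), ("local", REALM_LOCAL)):
        attrs, action = suffix("anonymous@example.com", table)
        print(f"{name:9s} -> {action:5s} {attrs}")
    print("no realm  ->", suffix("daniel", PROXYING))
```

With the realm removed, the module returns noop and the request continues through authorize with the full User-Name, which is what the `[eap]` module needs to see to start the TTLS exchange locally. With the realm kept but given no pool, the name is still stripped and Realm is set, which is handy if later policy keys on them, but nothing is proxied.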
Re: read value of host-ip in perl-module (freeRADIUS 2.2.0)
Hi,

> How (if at all) can I access the value of "host" (10.1.4.82 in the
> example above) from within the perl-module?

%{Packet-Src-IP-Address}

or %{Packet-Src-IPv6-Address} for an IPv6 source

alan
Re: read value of host-ip in perl-module (freeRADIUS 2.2.0)
On 27/02/13 12:02, Wolfgang Burger wrote:
> Dear people,
>
> as you can see in this Access-Request:
>
> rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37, length=79
>     User-Name = "test"
>     User-Password = "testpass"
>     NAS-IP-Address = 10.0.2.15
>     NAS-Port-Type = Virtual
>     NAS-Port = 1228
>     Calling-Station-Id = "10.0.2.15"
>     Service-Type = Login-User
>
> the client is entering incorrect data into the field "Calling-Station-Id". In the setup used, it should not differ from the host. But "10.0.2.15" != "10.1.4.82"
>
> Authentication is handled by a perl-module. The outcome of the module depends on the host sending the packet.
>
> How (if at all) can I access the value of "host" (10.1.4.82 in the example above) from within the perl-module?

There is a "virtual" attribute Client-IP-Address, that you can copy to a temporary attribute before calling the perl module e.g.

authorize {
  ...
  update request {
    Tmp-IP-Address-0 := "%{Client-IP-Address}"
  }
  myperl
  ...
}
read value of host-ip in perl-module (freeRADIUS 2.2.0)
Dear people,

as you can see in this Access-Request:

rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37, length=79
    User-Name = "test"
    User-Password = "testpass"
    NAS-IP-Address = 10.0.2.15
    NAS-Port-Type = Virtual
    NAS-Port = 1228
    Calling-Station-Id = "10.0.2.15"
    Service-Type = Login-User

the client is entering incorrect data into the field "Calling-Station-Id". In the setup used, it should not differ from the host. But "10.0.2.15" != "10.1.4.82"

Authentication is handled by a perl-module. The outcome of the module depends on the host sending the packet.

How (if at all) can I access the value of "host" (10.1.4.82 in the example above) from within the perl-module?

Many thanks and best regards,
Wolfgang
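The point of this thread is that Calling-Station-Id (and NAS-IP-Address) are whatever the client puts in the packet, while the "host" on the rad_recv line is where the packet actually came from; the replies above give the server-side handles for that address (%{Packet-Src-IP-Address}, or Client-IP-Address copied into Tmp-IP-Address-0 before the perl module runs). The Python below is an added example, not FreeRADIUS code: it parses rad_recv blocks out of radiusd -X output and reports packets whose client-supplied Calling-Station-Id is an IP address that differs from the packet source, which is the mismatch Wolfgang spotted by eye. SAMPLE_DEBUG is constructed; its first packet copies the one in the post, the other two are made up for contrast.

```python
"""Flag Access-Requests whose Calling-Station-Id disagrees with the packet source.

Added example, not FreeRADIUS code. Reads the 'rad_recv:' blocks of radiusd -X
output. SAMPLE_DEBUG is constructed: packet 1 is the one from the post.
"""
import re
from ipaddress import ip_address

RAD_RECV = re.compile(
    r"rad_recv: (?P<code>\S+) packet from host (?P<host>\S+) port (?P<port>\d+)")
ATTR = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.+)$")   # indented attribute lines

SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37, length=79
\tUser-Name = "test"
\tUser-Password = "testpass"
\tNAS-IP-Address = 10.0.2.15
\tNAS-Port-Type = Virtual
\tNAS-Port = 1228
\tCalling-Station-Id = "10.0.2.15"
\tService-Type = Login-User
rad_recv: Access-Request packet from host 10.1.4.83 port 50000, id=38, length=79
\tUser-Name = "test2"
\tCalling-Station-Id = "10.1.4.83"
rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234
\tUser-Name = "someone"
\tCalling-Station-Id = "00-03-7F-10-51-82"
"""


def parse_packets(text):
    """Return one dict per rad_recv block: code, host, port and the attribute pairs."""
    packets, current = [], None
    for line in text.splitlines():
        m = RAD_RECV.search(line)
        if m:
            current = {"code": m["code"], "host": m["host"],
                       "port": int(m["port"]), "attrs": {}}
            packets.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current["attrs"][m["name"]] = m["value"].strip('"')
    return packets


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def station_mismatches(packets):
    """(host, Calling-Station-Id) for packets whose client-supplied station id is an
    IP address that is not the address the packet came from. MAC-style ids are skipped."""
    findings = []
    for p in packets:
        csid = p["attrs"].get("Calling-Station-Id")
        if csid and _is_ip(csid) and csid != p["host"]:
            findings.append((p["host"], csid))
    return findings


if __name__ == "__main__":
    for host, csid in station_mismatches(parse_packets(SAMPLE_DEBUG)):
        print(f"packet from {host} claims Calling-Station-Id {csid}")
```

The same comparison, done inside the server with %{Packet-Src-IP-Address} against the attribute, is the policy-side version: make the decision on the transport address, and log the attribute only as a claim.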