Truncation of octet attribute handled by rlm_perl

2013-02-27 Thread Бен Томпсон
Hello everyone

I am having a slight problem with rlm_perl and I would really
appreciate any advice/help.

I have a perl script which rlm_perl adds a value to the
DHCP-Classless-Static-Route attribute something like this :-

### perl script snippets
...
my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
...
&radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
...
$RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
...
###


...but from the debug output I see that the attribute data is truncated
at the first octet with value 00 :-


### freeradius -Xx snippets
...
Thu Feb 28 10:35:23 2013 : rlm_perl: packed data: 10ac100a02

Thu Feb 28 10:35:23 2013 : Debug: rlm_perl: Added pair
DHCP-Classless-Static-Route = ???
...
DHCP-Classless-Static-Route = 0x10ac100a

###


Am I doing something daft, or is this a possible bug in rlm_perl?

I am using freeradius 2.2.0.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
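A workaround for the truncation Ben reports, added here as an example; it is not from the thread or from the FreeRADIUS distribution. Being cut at the first 0x00 byte is what you get when a value is copied as a NUL-terminated C string, and a binary route option will normally contain zero bytes (the router 10.0.0.2 has two). The server's parser for octets-typed attribute values, which is what DHCP-Classless-Static-Route is in the DHCP dictionary, also accepts a 0x-prefixed hex string, and that string carries no NUL bytes, so build the option in binary and hand over the hex form instead of the raw pack() output. The route list and the helper names are this example's own assumptions; the byte layout follows RFC 3442.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from the FreeRADIUS distribution:
# build DHCP option 121 (RFC 3442 classless static routes) as binary and hand it
# to FreeRADIUS as a "0x..." hex string.  The hex form contains no NUL bytes, so
# it is not cut short the way the raw packed value in the post was.
# The route list is constructed sample data; the helper names are this example's own.
use strict;
use warnings;

# Encode one RFC 3442 route: prefix length, the significant octets of the
# destination (ceil(prefix/8) of them), then the four-octet router address.
sub encode_route {
    my ($prefix, $dest, $router) = @_;
    die "bad prefix length $prefix" if $prefix < 0 || $prefix > 32;
    my @dest   = split /\./, $dest;
    my @router = split /\./, $router;
    die "bad address" if @dest != 4 || @router != 4
        || grep { !/^\d+$/ || $_ > 255 } @dest, @router;
    my $sig = int(($prefix + 7) / 8);           # 0..4 significant octets
    return pack('C', $prefix)
         . pack('C*', @dest[0 .. $sig - 1])     # empty for a default route
         . pack('C4', @router);
}

# Concatenate the routes and render them in the hex form that the server's
# octets parser accepts for attribute values.
sub routes_to_hex {
    my @routes = @_;
    my $bin = join '', map { encode_route(@$_) } @routes;
    return '0x' . unpack('H*', $bin);
}

# Sample routes (constructed): 172.16.0.0/16 via 10.0.0.2 and a default
# route via 10.0.0.1.
my @routes = (
    [16, '172.16.0.0', '10.0.0.2'],
    [0,  '0.0.0.0',    '10.0.0.1'],
);

# Inside an rlm_perl section the value goes into the reply hash as a string:
#   $RAD_REPLY{'DHCP-Classless-Static-Route'} = routes_to_hex(@routes);
print routes_to_hex(@routes), "\n";
```

For Ben's single route (16,172,16,10,0,0,2) routes_to_hex returns 0x10ac100a000002, all seven bytes. This only helps for octets-typed attributes; a string-typed attribute is still cut at a NUL, because its value is a string.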


Feature requests for FreeRADIUS 3

2013-02-27 Thread Arran Cudbard-Bell
We expect to release 3.0.0 in the next couple of months.

With major releases occurring fairly infrequently, now is a good time to 
request any features that would break configuration compatibility with previous 
releases, or you

You can see the current list of feature requests here:
https://github.com/FreeRADIUS/freeradius-server/issues?labels=feature+request&page=1&sort=created&state=open

and log any feature requests you have using the same tool.



Arran Cudbard-Bell 
FreeRADIUS dev team - Maintainer

Please contribute documentation:
http://wiki.freeradius.org



Re: Freeradius as DHCP server (static IP + some options)

2013-02-27 Thread Leo Combes
I apologize for the late response; I have been very busy and I
couldn't keep working on this.

I found the problem!
(at least it works now)

I installed Freeradius from PPA.
https://launchpad.net/~freeradius/+archive/stable

DHCP functionality does not work when installed from the PPA, or at least
package version 2.2.0+dfsg-ppa10 does not work.
Reason: it installed and configured without errors and seems to respond
correctly with OFFER and ACK, but these packets never leave the network
adapter.

SOLUTION: install and configure from sources.

I'm writing a how-to for setting up freeradius as a DHCP server, completely
from scratch, for static IP allocation, with DHCP options and using
MySQL.
If you allow me, I'd like to post it on this mailing list for you to
test and correct.

Thanks!


Re: Freeradius as DHCP server (static IP + some options)

2013-02-27 Thread A . L . M . Buxey
Hi,

> I installed Freeradius from PPA.
> https://launchpad.net/~freeradius/+archive/stable
> 
> DHCP functionality does not work when installed from the PPA, or at least
> package version 2.2.0+dfsg-ppa10 does not work.
> Reason: it installed and configured without errors and seems to respond
> correctly with OFFER and ACK, but these packets never leave the network
> adapter.
> 
> SOLUTION: install and configure from sources.

What configuration options are in the PPA version? Something is not right there.

> I'm writing a how-to for setting up freeradius as a DHCP server, completely
> from scratch, for static IP allocation, with DHCP options and using
> MySQL.
> If you allow me, I'd like to post it on this mailing list for you to
> test and correct.

...and it can go onto WIKI/HOWTO

alan


Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 17:23, bpa...@ovi.com wrote:

> Thanks Phil.
> Just a quick add-on question.
>
> In radiusd.conf there is :
>
> #  To disable proxying, change the "yes" to "no", and comment the
> #  $INCLUDE line.
> #
> #  allowed values: {no, yes}
> #
> proxy_requests  = yes
> $INCLUDE proxy.conf
>
> Would switching off proxying be sufficient? Or will I end up with other
> issues?


TBH I can't remember the various effects. Try it and see.


rlm_ldap group search filter

2013-02-27 Thread Chris Taylor
I have profiles set up for all our users but I am having some trouble with 
setting the groupmembership_filter correctly. It will query LDAP 
successfully, but only after it does a failed search first.

I have tried using numerous filters, including the default one, but I can't seem 
to separate the username by itself, which is causing the initial search failure. 
I read through the rlm_ldap doc a few times but I didn't see anything that I 
thought would help.


Here is the output from radiusd -X

This is the part where it uses the search filter and fails.


[files] users: Matched entry DEFAULT at line 214
  [domain1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=domain.on.ca,dc=placeholder,dc=ca -> 
ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
[files] expand: 
(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn})) -> 
(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca))
  [domain1] ldap_get_conn: Checking Id: 0
  [domain1] ldap_get_conn: Got Id: 0
  [domain1] performing search in ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, 
with filter 
(&(cn=residential_profile)(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca)))
  [domain1] object not found

It starts a second search and succeeds.

  [domain1] ldap_release_conn: Release Id: 0
  [domain1] ldap_get_conn: Checking Id: 0
  [domain1] ldap_get_conn: Got Id: 0
  [domain1] performing search in 
uid=112boy,ou=radius,o=domain.on.ca,dc=palceholder,dc=ca, with filter 
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
  [domain1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok


My users file looks like this.

ldap domain1 {
    server = " ldap01.placeholder.ca"
    identity = "username xxx"
    password = 
    basedn = "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
    groupname_attribute = cn
    groupmembership_attribute = radiusGroupName
    groupmembership_filter = "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"
    #do_xlat = yes
    #compare_check_items = yes
    #access_attr_used_for_allow = yes
    ldap_connections_number = 5
}


My users file

DEFAULT Service-Type == Framed-User, Huntgroup-Name == bras, domain1-Ldap-Group == residential_profile
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.0.16 0.0.0.15 eq 25",
    Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
    Cisco-AVPair += "ip:inacl#300=permit ip any any",
    Fall-Through = No

Any help is appreciated.
Thanks,

Chris


Re: Proxy configuration question

2013-02-27 Thread bpatil
Thanks Phil.
Just a quick add-on question.

In radiusd.conf there is :


#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

Would switching off proxying be sufficient? Or will I end up with other issues?

-BPa



>
> From: Phil Mayers 
>To: freeradius-users@lists.freeradius.org 
>Sent: Wednesday, February 27, 2013 9:10 AM
>Subject: Re: Proxy configuration question
> 
>On 27/02/13 14:46, bpa...@ovi.com wrote:
>
>>
>> The RADIUS server gets the Access request and then tries to proxy it
>> to example.com. I don't want the request or authentication to be proxied
>> elsewhere. The authentication needs to happen on the local RADIUS server
>> itself. What am I missing in the config?
>
>If you don't want to proxy the request, don't configure the server to proxy.
>
>In your case, you should remove the "suffix" module from "authorize" 
>and/or remove the "example.com" realm from the "proxy.conf"

read value of host-ip in perl-module (freeRADIUS 2.2.0)

2013-02-27 Thread Wolfgang Burger

> How (if at all) can I access the value of "host" (10.1.4.82 in the
> example above) from within the perl-module?

Phil Mayers p.mayers at imperial.ac.uk wrote:

> There is a "virtual" attribute Client-IP-Address, that you can copy to a
> temporary attribute before calling the perl module e.g.
>
> authorize {
>   ...
>   update request {
>     Tmp-IP-Address-0 := "%{Client-IP-Address}"
>   }
>   myperl
>   ...
> }


Many thanks to Alan and especially Phil for the detailed explanation.

Best,
 Wolfgang




Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 14:46, bpa...@ovi.com wrote:



> The RADIUS server gets the Access request and then tries to proxy it
> to example.com. I don't want the request or authentication to be proxied
> elsewhere. The authentication needs to happen on the local RADIUS server
> itself. What am I missing in the config?

If you don't want to proxy the request, don't configure the server to proxy.

In your case, you should remove the "suffix" module from "authorize" 
and/or remove the "example.com" realm from the "proxy.conf"

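A concrete form of Phil's suggestion, added here as an example rather than taken from the thread or from the FreeRADIUS distribution. The log shows the realm being picked off the outer identity anonymous@example.com, which is the anonymous_identity from wpa_supplicant; with EAP-TTLS the real identity (daniel) is only visible after this server has terminated the TLS tunnel, so a realm taken from the outer identity must not send the request elsewhere. One way to keep the realm known to the suffix module while handling it locally is a realm stanza with no pool; the stanza below is illustrative and the pool name in the "before" form is made up.

```text
# proxy.conf (illustrative; pool name is made up)

# Before: a realm with a pool.  Every request whose User-Name ends in
# @example.com, including the anonymous outer identity of a TTLS session,
# is handed to that pool before EAP runs.
#realm example.com {
#	auth_pool = example_pool
#}

# After: the same realm with no auth_pool, acct_pool or home_server.  The
# realm is then LOCAL: suffix still recognises it and sets
# Stripped-User-Name, but the request is processed on this server and the
# TTLS tunnel is terminated here.
realm example.com {
}
```

Leaving the realm out of proxy.conf altogether, as Phil suggests, stops the proxying just as well, but then suffix finds no realm and does not set Stripped-User-Name. Setting proxy_requests = no in radiusd.conf switches proxying off for every realm rather than for this one.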


Proxy configuration question

2013-02-27 Thread bpatil


Hello,

I have a rudimentary proxy configuration question:

I am doing some testing with a Freeradius server in the lab and the 
setup looks as follows:

[Host] --WiFi--- [AP]---[Wireless Cntrlr]---[AAA/Freeradius server]

Using EAP-TTLS for authentication. 
My wpa_supplicant config file looks like:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
network={
    ssid="mySSID"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonym...@example.com"
    ca_cert="/home/testuser/Downloads/ca.pem"
    phase2="autheap=PAP"
    identity="daniel"
    password="daniel"
}

The RADIUS server gets the Access request and then tries to proxy it
to example.com. I don't want the request or authentication to be proxied
elsewhere. The authentication needs to happen on the local RADIUS server
itself. What am I missing in the config? 

The server and client certs are all there in /etc/raddb/certs directory.

Below is a snippet of the logs that I am seeing on the RADIUS server:

Tue Feb 26 17:29:43 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, 
length=234
User-Name = "anonym...@example.com"
Calling-Station-Id = "00-03-7F-10-51-82"
NAS-IP-Address = 192.168.0.8
NAS-Port = 34
Called-Station-Id = "8C-0C-90-15-D1-9C:mySSID"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "8C-0C-90-15-D1-9C"
Connect-Info = "CONNECT 802.11a/n"
EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d
Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332
Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec
Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file 
/etc/raddb/sites-enabled/default
Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...}
Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop
Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm "example.com" for 
User-Name = "anonym...@example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = 
"anonymous"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous 
to realm example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication 
request to realm "example.com" 
Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated
Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to 
Realm example.com.  Not doing EAP.
Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop
Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 
207
Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop
Tue Feb 26 17:29:43 2013 : Info:   WARNING: Empty pre-proxy section.  Using 
default return values.


Any help appreciated.

-BPa

Re: read value of host-ip in perl-module (freeRADIUS 2.2.0)

2013-02-27 Thread A . L . M . Buxey
Hi,

> How (if at all) can I access the value of "host" (10.1.4.82 in the
> example above) from within the perl-module?

%{Packet-Src-IP-Address}

or 

%{Packet-Src-IPv6-Address}   for an IPv6 source


alan


Re: read value of host-ip in perl-module (freeRADIUS 2.2.0)

2013-02-27 Thread Phil Mayers

On 27/02/13 12:02, Wolfgang Burger wrote:

> Dear people,
>
> as you can see in this Access-Request:
>
> rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37,
> length=79
> User-Name = "test"
> User-Password = "testpass"
> NAS-IP-Address = 10.0.2.15
> NAS-Port-Type = Virtual
> NAS-Port = 1228
> Calling-Station-Id = "10.0.2.15"
> Service-Type = Login-User
>
> the client is entering incorrect data into the field "Calling-Station-Id".
> In the setup used, it should not differ from the host.
> But "10.0.2.15" != "10.1.4.82"
>
> Authentication is handled by a perl-module.
> The outcome of the module depends on the host sending the packet.
>
> How (if at all) can I access the value of "host" (10.1.4.82 in the
> example above) from within the perl-module?


There is a "virtual" attribute Client-IP-Address, that you can copy to a 
temporary attribute before calling the perl module e.g.


authorize {
  ...
  update request {
Tmp-IP-Address-0 := "%{Client-IP-Address}"
  }
  myperl
  ...
}
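The Perl side of Phil's answer, added here as an example and not taken from the thread or from the FreeRADIUS distribution. Phil's update block (or Alan's %{Packet-Src-IP-Address} in the same place) puts the address the server actually received the packet from into Tmp-IP-Address-0; the module below decides on that value rather than on Calling-Station-Id, which is whatever the client chose to write into the packet, and logs when the two disagree. The attribute name, the allowed-host list and the stand-alone run at the bottom are assumptions for this example; the return codes and log level are numbered as in rlm_perl's example.pl.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from the FreeRADIUS distribution:
# an rlm_perl module that decides on the address the request really came from.
# It expects the unlang glue Phil posted (Tmp-IP-Address-0 := "%{Client-IP-Address}")
# to run before the module; the attribute name and the allowed-host list are
# assumptions made for this example.
use strict;
use warnings;

# rlm_perl fills these at runtime; declaring them lets the file compile on its own.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes and log level as numbered in the example.pl shipped with rlm_perl.
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_OK     => 2,
    RLM_MODULE_NOOP   => 7,
};
use constant L_AUTH => 2;

# Constructed sample policy: the hosts that are allowed to authenticate.
my %allowed_host = map { ($_ => 1) } qw(10.1.4.82 10.1.4.83);

# Pure decision function, so the policy can be exercised outside radiusd.
# $src is the address the server received the packet from; $csid is the
# client-asserted Calling-Station-Id.  Returns (return code, message).
sub decide {
    my ($src, $csid) = @_;
    return (RLM_MODULE_REJECT, "no source address available")
        unless defined $src && length $src;
    return (RLM_MODULE_REJECT, "source $src is not an allowed host")
        unless $allowed_host{$src};
    # Calling-Station-Id is whatever the client wrote into the packet; the
    # source address is what the server observed.  Accept on the observed
    # address, but surface a mismatch so it can be investigated.
    my $note = (defined $csid && $csid ne $src)
        ? "Calling-Station-Id $csid differs from source $src"
        : "";
    return (RLM_MODULE_OK, $note);
}

# Logs through radiusd when running inside the server, to stderr otherwise.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { &radiusd::radlog(L_AUTH, $msg) }
    else                          { warn "$msg\n" }
}

# Called by rlm_perl for the authorize section.
sub authorize {
    my ($rc, $reason) = decide($RAD_REQUEST{'Tmp-IP-Address-0'},
                               $RAD_REQUEST{'Calling-Station-Id'});
    log_msg("rlm_perl: $reason") if length $reason;
    return $rc;
}

# Stand-alone check with a constructed copy of the packet from the thread:
# source 10.1.4.82, Calling-Station-Id 10.0.2.15.  Skipped when the file is
# loaded by radiusd, where radiusd::radlog is defined (assumption).
unless (defined &radiusd::radlog) {
    %RAD_REQUEST = (
        'User-Name'          => 'test',
        'Calling-Station-Id' => '10.0.2.15',
        'Tmp-IP-Address-0'   => '10.1.4.82',
    );
    my $rc = authorize();
    print "authorize returned ", ($rc == RLM_MODULE_OK ? "ok" : "reject"), "\n";
}
```

The decision rests on the observed source because that is the one value the client cannot set by filling in an attribute; it is still only as trustworthy as the path between NAS and server and the shared secret that authenticates the packet.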


read value of host-ip in perl-module (freeRADIUS 2.2.0)

2013-02-27 Thread Wolfgang Burger

Dear people,

as you can see in this Access-Request:

rad_recv: Access-Request packet from host 10.1.4.82 port 65201, id=37,  
length=79

   User-Name = "test"
   User-Password = "testpass"
   NAS-IP-Address = 10.0.2.15
   NAS-Port-Type = Virtual
   NAS-Port = 1228
   Calling-Station-Id = "10.0.2.15"
   Service-Type = Login-User


the client is entering incorrect data into the field "Calling-Station-Id".

In the setup used, it should not differ from the host.
But "10.0.2.15" != "10.1.4.82"

Authentication is handled by a perl-module.
The outcome of the module depends on the host sending the packet.

How (if at all) can I access the value of "host" (10.1.4.82 in the  
example above) from within the perl-module?


Many thanks and best regards,
 Wolfgang