Re: coa

2013-07-23 Thread Muhammad Nadeem
thanks tiffany

I have followed your instructions, but same issue; here is the log:

[root@aaaisb1 terminus]# cat dic.txt | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'
Sending Disconnect-Request of id 179 to 2.2.2.2 port 3799
Acct-Session-Id = 1B1E97C3
User-Name = 002682615F4E@test_cpe.com
NAS-IP-Address = 2.2.2.2
rad_recv: Disconnect-NAK packet from host 2.2.2.2 port 3799, id=179, length=26
Error-Cause = Missing-Attribute

Tell me one thing: do I need some configuration for enabling CoA in
FreeRADIUS?
Thanks




On Tue, Jul 23, 2013 at 10:39 AM, Tiffany Pasisir 
tiffany.pasi...@countrytell.com.au wrote:

 Hi Muhammad

 Try putting this in a file:

 Acct-Session-Id=1B1E97C3
 User-Name=002682615F4E@test_cpe.com
 NAS-IP-Address=2.2.2.2

 cat file | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

 See how it goes

 Send all the output here so we can help

 Tiffany

 *From:* freeradius-users-bounces+tiffany.pasisir=
 countrytell.com...@lists.freeradius.org [mailto:
 freeradius-users-bounces+tiffany.pasisir=
 countrytell.com...@lists.freeradius.org] *On Behalf Of *Muhammad Nadeem
 *Sent:* Tuesday, 23 July 2013 2:50 PM
 *To:* FreeRadius users mailing list
 *Subject:* coa

 hi everybody,

 I wanna implement COA (Change Of Authorization) in freeradius. I have a
 live session of a device, I wanna disconnect this device forcefully.

 I issued the following command:

 echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

 but it gives the error of missing attribute.

 Can anybody tell me what is the issue? Thanks

 --
 Best Regards
 Muhammad Nadeem
 Muhammad Ali Jinnah University 

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: coa

2013-07-23 Thread Peter Lambrechtsen
No

You need to read the manual from your nas / device you are trying to send a
coa or disconnect to about what it expects in the message as I said before.

It's nothing to do with freeradius and everything about how you talk to
your nas.

Error-Cause = Missing-Attribute

Says everything in my view.

RE: coa

2013-07-23 Thread Okis Chuang
I think you should read documentation about CoA offered by your NAS.

Then see what can likely be about *Missing Attribute* at least. You better
know about all of Error-Cause it may occur. 

In my experience, it might be lack of key on identifying unique host.

 

In other words, could it be your Acct-Session-Id or User-Name cannot be
primary key to identify one host on the NAS?

 

Okis.

 

From: Muhammad Nadeem [mailto:mnadeem8...@gmail.com] 
Sent: Tuesday, July 23, 2013 2:00 PM
To: okischu...@outlook.com
Subject: Re: coa

 

thanks all, i am using huawei NAS.

here is the complete log

echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799  disconnect huaweiaaa

Sending Disconnect-Request of id 0 to 2.2.2.2 port 3799
Acct-Session-Id = 1B1E97C3
User-Name = 002682615F4E@test_cpe.com
NAS-IP-Address = 2.2.2.2
rad_recv: Disconnect-NAK packet from host 2.2.2.2 port 3799, id=0, length=26
Error-Cause = Missing-Attribute

What's wrong?

 

 

On Tue, Jul 23, 2013 at 10:58 AM, okischu...@outlook.com wrote:

Nadeem wrote:
hi everybody,
I wanna implement COA (Change Of Authorization) in freeradius. I have a
live session of a device, I wanna disconnect this device forcefully.

I issued the following command

echo Acct-Session-Id=1B1E97C3,User-Name=002682615F4E@test_cpe.com,NAS-IP-Address=2.2.2.2 | radclient -x 2.2.2.2:3799 disconnect 'huaweiaaa'

but it gives the error of missing attribute.
Can anybody tell me what is the issue? Thanks

--
What kind of CoA server are you using? In my experience, CoA highly depends
on the type of NAS. In my case, where I have a WiFi GW as CoA server, it
usually gets Missing Attributes if I missed some *keys* for identifying a
unique user, such as NAS-IP-Address + NAS-Port-Id or
Some-VSA-Can-Be-A-Key or Acct-Session-Id, and usually with priority.

Besides, maybe you can post some more detailed output of your testing so
that we can help more.

Okis.





 

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University 

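An added example, not part of the thread and not FreeRADIUS code: a bounds-checked decoder for the Disconnect-NAK seen in the logs above. It shows why the reply cannot say which attribute the NAS wanted: length=26 is exactly the 20-byte RADIUS header plus one 6-byte Error-Cause attribute (type 101, value 402 in RFC 5176). The packet bytes are constructed to match the logged id and length, the authenticator is a zeroed placeholder that is not verified, and the function and struct names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN      20   /* code(1) id(1) length(2) authenticator(16) */
#define CODE_DISCONNECT_NAK 42   /* RFC 5176 */
#define ATTR_ERROR_CAUSE    101  /* RFC 5176, 4-octet integer */

struct coa_reply {
    uint8_t  code;
    uint8_t  id;
    int      n_attrs;
    uint32_t error_cause;        /* 0 when the attribute is absent */
};

/* Constructed sample: Disconnect-NAK, id=179, length=26, as in the log.
 * The 16 authenticator octets are a zero placeholder (assumption). */
static const uint8_t SAMPLE_NAK[26] = {
    42, 179, 0x00, 0x1a,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    101, 6, 0x00, 0x00, 0x01, 0x92          /* Error-Cause = 402 */
};

/* Parse a CoA/Disconnect reply. Returns 0 on success, -1 if malformed.
 * Does NOT check the Response Authenticator; that needs MD5 and the
 * shared secret and must be done before trusting a real reply. */
int parse_coa_reply(const uint8_t *pkt, size_t len, struct coa_reply *out)
{
    size_t declared, off;

    if (len < RADIUS_HDR_LEN) return -1;
    declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > len) return -1;

    out->code = pkt[0];
    out->id = pkt[1];
    out->n_attrs = 0;
    out->error_cause = 0;

    for (off = RADIUS_HDR_LEN; off < declared; ) {
        uint8_t type, alen;

        if (declared - off < 2) return -1;           /* no room for type+len */
        type = pkt[off];
        alen = pkt[off + 1];
        if (alen < 2 || alen > declared - off) return -1;

        if (type == ATTR_ERROR_CAUSE) {
            if (alen != 6) return -1;                /* must be a 4-octet value */
            out->error_cause = ((uint32_t)pkt[off + 2] << 24) |
                               ((uint32_t)pkt[off + 3] << 16) |
                               ((uint32_t)pkt[off + 4] << 8)  |
                                (uint32_t)pkt[off + 5];
        }
        out->n_attrs++;
        off += alen;
    }
    return 0;
}

/* Subset of the RFC 5176 Error-Cause values relevant to a Disconnect-NAK. */
const char *error_cause_name(uint32_t v)
{
    switch (v) {
    case 401: return "Unsupported-Attribute";
    case 402: return "Missing-Attribute";
    case 403: return "NAS-Identification-Mismatch";
    case 404: return "Invalid-Request";
    case 503: return "Session-Context-Not-Found";
    case 504: return "Session-Context-Not-Removable";
    default:  return "other";
    }
}

int main(void)
{
    struct coa_reply r;

    if (parse_coa_reply(SAMPLE_NAK, sizeof(SAMPLE_NAK), &r) != 0) {
        puts("malformed packet");
        return 1;
    }
    printf("code=%u id=%u attrs=%d Error-Cause=%u (%s)\n",
           (unsigned)r.code, (unsigned)r.id, r.n_attrs,
           (unsigned)r.error_cause, error_cause_name(r.error_cause));
    return 0;
}
```

Because the NAK carries only the cause code, the list of session-identification attributes the NAS requires has to come from the NAS vendor's CoA documentation, as the replies in this thread say.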

Re: Authorization failed in cisco switch

2013-07-23 Thread Martin Kraus
On Mon, Jul 22, 2013 at 04:27:30PM +0200, Marco Aresu wrote:
 i am getting some problem with authorization in free radius
 i configured the users file as below :
 
 DEFAULT   Auth-Type := System
 cisco   Auth-Type := System
 Service-Type = NAS-Prompt-User
 cisco-avpair = shell:priv-lvl=15,

If all you want is enable mode after login then send just

Service-Type := Administrative-User

and don't send the cisco-avpair at all.

mk


Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread Phil Mayers
a.l.m.bu...@lboro.ac.uk wrote:
Hi,

 My guess is dual-stack NAS-RADIUS is going to be rare.

ummm. take a hold on that assertion.  the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 -
and as part of that, you need to ensure that you're using both methods
in case either your IPv4 goes...or your IPv6 goes.  we use both
IPv4 and IPv6 on our kit...and our servers are configured for both..as
are our NAS kit that can do IPv6 for RADIUS (we had some discussion
about the best fall-over order to use..which in itself is interesting)

my personal view is that network/sys admins who are avoiding IPv6 as much
as they can are just storing themselves up for a whole lot of pain later
when it's forced onto them by internet evolution...embrace the IPv6 now
whilst you can do it in your own time. it's not like you haven't been
given over 15 years of advance notice ;-)

alan

Sorry, I've been unclear. What I meant was that I strongly suspect nas-radius
comms will either be v4 or v6 for a given pairing at any one time, for periods
of minutes or hours. Hence treating the addresses as separate should be fine
-- 
Sent from my phone with, please excuse brevity and typos

Re: authentication by hostname

2013-07-23 Thread Mathieu Simon
Hi

Could it be you are in an AD environment? Your request looks like what I
see in my environment.
If so: Domain-joined Windows machines (for what I have tested) have a
computer account in AD.
This can be used by the Windows client (never tested with domain-joined
Macs or Linux machines) to authenticate as machine against the network
(using PEAP-MSCHAPv2).
Technically you don't authenticate by hostnames but you use the computers'
AD account.

Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by
deployingradius.com you can authenticate computer accounts. It required me
to tweak the LDAP default config for group-based authorization, but in case
this is what you are looking for, ping back and I can show you the LDAP
filters I use.

If you are only into authentication, most likely the public pages will
already let you in, but (at least on Debian wheezy) I had to modify
modules/mschap as follows:

mschap {
    ...
    with_ntdomain_hack = yes
    ...
    # Debian
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    # Mine (at least that made it work)
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    ...
}

-- Mathieu

Re: User-Name containing a $

2013-07-23 Thread A . L . M . Buxey
Hi,

 Your previous answer gives an example using the unlang regex syntax, 
 including the case-insensitive operator at the end. But I was hoping to find 
 an elegant way to do case-insensitive matching in proxy.conf, where the 
 comments admit that the syntax breaks the rules of unlang regex matching. 
 Putting an 'I' at the end hasn't worked for me.
 
 I'd love to do  this:
 realm ~FOO\\.EDU$i {
   stuff here
 }
 
 Is the case-insensitive behavior supported in proxy.conf?

don't do that.

use unlang to define a proper realm construct and then use that, either using
native or with case, eg either
something like this,

if ("%{realm}" =~ /foo.edu/i) {
    update request {
        Realm := foo.edu
    }
}

then

switch "%{Realm}" {
    case NULL {
    }
    case foo.edu {
        update control {
            Proxy-To-Realm := foo.edu
        }
    }
    # etc etc
}


or this:

if ("%{realm}" =~ /foo.edu/i) {
    update request {
        Realm := foo.edu
    }
    update control {
        Proxy-To-Realm := foo.edu
    }
}

alan


Re: 2.x.x and radtest: no IPv6?

2013-07-23 Thread A . L . M . Buxey
Hi,

Sorry, I've been unclear. What I meant was that I strongly suspect
nas-radius comms will either be v4 or v6 for a given pairing at any one
time, for periods of minutes or hours. Hence treating the addresses as
separately should be fine

hmm, yes, we treat each as a separate entity. i'll have to check if cisco even
let you define the same instance to have a v4 and v6 address...its doubtful
but you never know.

alan


RE: [ANN] Version 3.0.0-rc0

2013-07-23 Thread stefan.paetow
Thanks, John. 

I'll use that SPEC as base for CentOS 6.x packages :-)

Regards

Stefan

 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 John Dennis
 Sent: 23 July 2013 00:42
 To: FreeRadius users mailing list
 Subject: Re: [ANN] Version 3.0.0-rc0
 
 FYI I've packaged this for Fedora and built it for rawhide (rawhide is
 current development which spawns the next Fedora release).
 
 You can download the rawhide packages and/or the SRPM from the Koji
 build:
 
 http://koji.fedoraproject.org/koji/buildinfo?buildID=436791
 
 You probably will not be able to simply install the rawhide packages on
 a current Fedora release due to dependencies/conflicts (not something
 I've tried). But you can always rebuild the SRPM using rpmbuild.
 
 The first Fedora release 3.0 will appear in will be F20 because we
 don't introduce major new versions of packages in existing releases
 (especially if they are not configuration compatible). FWIW the F19
 train just pulled away from the station so unfortunately it's too late
 for F19.
 
 HTH,
 
 John
 
 
 --
 John



Free radius version 3.0.0 rco

2013-07-23 Thread manjunath uthappa ponnachana
Hi,
I want to download free radius version 3.0.0 rco. Please let me know the
download link.
Also wanted to know whether free radius version 3.0.0 rco is officially
released or not.
If not, when will it be ready for official release?


Thanks & Regards
Manjunath

Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread Stefan Winter
Hi,

 # mv raddb raddb-noinst
 # mkdir raddb
 # touch raddb/all.mk
 # make install
 
 that's easy enough, thanks!

Except that it doesn't suffice :-/

INSTALL rlm_utf8.la
INSTALL rlm_always.la
INSTALL rlm_logintime.la
INSTALL rlm_attr_filter.la
INSTALL rlm_soh.la
make: *** No rule to make target
`/usr/local/freeradius/config/raddb/mods-config', needed by
`/usr/local/freeradius/config/raddb/mods-config/perl'.  Stop.

Do I need to mkdir and touch all subdirs as well?

Stefan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Free radius version 3.0.0 rco

2013-07-23 Thread John Dennis
On 07/23/2013 05:28 AM, manjunath uthappa ponnachana wrote:
 Hi,
 
 I want to download free radius version 3.0.0 rco. Please let me know the
 downlaod link.

The tarball is available here:
https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_beta1.tar.gz


 Also wanted to know whether free radius version 3.0.0 rco is officially
 released or not.

No. The rc0 in the name means Release Candidate Zero, in other words
it's the first trial of version 3.0, there may be other trials before
it's declared stable. No official release will have a release candidate
notation in its name. Release candidates are for testing. You can help
out by building and testing it.

 If not when it will be ready for official release.

I'll let the development team answer that one.

-- 
John


Re: Free radius version 3.0.0 rco

2013-07-23 Thread John Dennis
On 07/23/2013 08:29 AM, John Dennis wrote:
 On 07/23/2013 05:28 AM, manjunath uthappa ponnachana wrote:
 Hi,

 I want to download free radius version 3.0.0 rco. Please let me know the
 downlaod link.
 
 The tarball is available here:
 https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_beta1.tar.gz

Argh sorry, cut-n-paste mistake, the real URL is:

https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc0.tar.gz

 
 Also wanted to know whether free radius version 3.0.0 rco is officially
 released or not.
 
 No. The rc0 in the name means Release Candidate Zero, in other words
 it's the first trial of version 3.0, they may be other trials before
 it's declared stable. No official release will have a release candidate
 notation in it's name. Release candidates are for testing. You can help
 out by building and testing it.
 
 If not when it will be ready for official release.
 
 I'll let the development team answer that one.
 


-- 
John


Re: Free radius version 3.0.0 rco

2013-07-23 Thread Arran Cudbard-Bell

On 23 Jul 2013, at 13:38, John Dennis jden...@redhat.com wrote:

 On 07/23/2013 08:29 AM, John Dennis wrote:
 On 07/23/2013 05:28 AM, manjunath uthappa ponnachana wrote:
 Hi,
 
 I want to download free radius version 3.0.0 rco. Please let me know the
 downlaod link.
 
 The tarball is available here:
 https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_beta1.tar.gz
 
 Argh sorry, cut-n-paste mistake, the real URL is:
 
 https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc0.tar.gz

muahaha :(

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Authorization failed in cisco switch

2013-07-23 Thread Marco Aresu
now i can log on to the switch but i can with all USERS. Where can i
specify who can access the switch?
I added a row in the USERS file, user Auth-Type := Reject, but nothing
changes.

thanks
Marco


Marco Aresu



Re: Authorization failed in cisco switch

2013-07-23 Thread Martin Kraus
On Tue, Jul 23, 2013 at 03:12:33PM +0200, Marco Aresu wrote:
 now i can logon into the switch but i can with all USERS. Where i can
 specify who can access to the switch?
 I add a rown in the USERS file user Auth-Type := Reject but nothing
 change.

The first match wins in users file unless the entry also has 
Fall-Through := Yes

so you need to have something like

username1
Service-Type := Administrative-User

username2
Service-Type := Administrative-User

DEFAULT Auth-Type := Reject

mk


omnisniff

2013-07-23 Thread Arran Cudbard-Bell
shinyhead:freeradius-server-master arr2036$ /usr/local/freeradius/bin/radsniff -i en0 -i lo0
Sniffing on (en0 lo0)
(1) Access-Request Id 151 lo0:127.0.0.1:54458 - 127.0.0.1:1812 +0.000
User-Name = 'foo'
User-Password = 'bar'
NAS-IP-Address = 192.168.146.1
NAS-Port = 0
Message-Authenticator = 0x4734507141d494e4ef857134b4e54bba
(2) Access-Reject Id 151 lo0:127.0.0.1:1812 - 127.0.0.1:54458  +1.002
Reply-Message = 'Foo bar'
Reply-Message = 'Foo bar foo'
(3) Access-Request Id 38 en0:192.168.0.1:54065 - 192.168.0.1:1812  +12.192
User-Name = 'foo'
User-Password = 'bar'
NAS-IP-Address = 192.168.146.1
NAS-Port = 0
Message-Authenticator = 0x59098b50968999437cf3fb0d6b10ef50


shinyhead:freeradius-server-master arr2036$ /usr/local/freeradius/bin/radsniff -xx
Defaulting to capture on all interfaces
Sniffing with options:
  Device(s): [en0 fw0 en1 p2p0 lo0]
  PCAP filter  : [udp port 1812 or 1813 or 3799]
  RADIUS secret: [testing123]
Failed opening pcap handle: p2p0: You don't have permission to capture on that device ((no devices found) /dev/bpf4: Permission denied)
Failed opening pcap handle: lo0: You don't have permission to capture on that device ((no devices found) /dev/bpf4: Permission denied)
Sniffing on (en0 fw0 en1)


shinyhead:freeradius-server-master arr2036$ /usr/local/freeradius/bin/radsniff -i en2 -i en1 -xx
Sniffing with options:
  Device(s): [en2 en1]
  PCAP filter  : [udp port 1812 or 1813 or 3799]
  RADIUS secret: [testing123]
radsniff: Failed opening pcap handle for en2
en2: No such device exists (BIOCSETIF failed: Device not configured)
Exiting..

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread John Dennis
On 07/23/2013 05:18 AM, stefan.pae...@diamond.ac.uk wrote:
 Thanks, John. 
 
 I'll use that SPEC as base for CentOS 6.x packages :-)

I will be making some tweaks to the spec file over the near term. For
instance I just realized I made a mistake with the release field in the
N-V-R, the package release increment number must precede the upstream
pre-release string rc0, I just fixed that. [1]

You can track any changes to the fedora master branch (i.e. rawhide)
by cloning this git repo.

git clone git://pkgs.fedoraproject.org/freeradius

I'm also contemplating splitting the doc into its own subpackage, the
doc is 4.6MB, no reason to install that much data on minimal install
production servers.

Anyway, the point is the spec file is not frozen yet, anticipate some
changes.

[1] If you're interested in the details see this:
https://fedoraproject.org/wiki/Packaging:NamingGuidelines?rd=Packaging/NamingGuidelines#Pre-Release_packages
-- 
John


Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread Alan DeKok
John Dennis wrote:
 I'm also contemplating splitting the doc into it's own subpackage, the
 doc is 4.6MB, no reason to install that much data on minimal install
 production servers.

  Yeah.  Most of the docs are RFCs.  There's no point in installing
those on minimal servers.

  If you update the spec file to ignore doc/rfc*.txt, that should help.

  Alan DeKok.


Ldap query in FR3

2013-07-23 Thread Franks Andy (RLZ) IT Systems Engineer
This will probably be obvious, but I can't see it!
I'm using several instances of ldap to do some load balancing so I've
got ldap1, ldap2, ldap3 etc.
I know in 3 that we need to reference the instance explicitly in the
users files for groups, e.g.
DEFAULT  ldap1-ldap-group == group name
But unlike 2, I can't actually make this fail. It always comes back with
user found. I've tried to trim the config right down but it's still
failing to report that the user is missing..
Instantiation / config for ldap :

  # Instantiating module ldap1 from file /usr/local/etc/raddb/mods-enabled/ldap
  ldap ldap1 {
        server = 10.128.176.40
        port = 389
        password = ***
        identity = cn=LDAPQuery,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk
   user {
        filter = (sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})
        scope = sub
        base_dn = DC=SATH,DC=nhs,DC=uk
        access_positive = yes
   }
   group {
        filter = (objectClass=Group)
        scope = sub
        base_dn = DC=SATH,DC=nhs,DC=uk
        name_attribute = cn
        membership_filter = (member=%{control:Ldap-UserDn})
        cacheable_name = no
        cacheable_dn = no
   }

In the users files I have

DEFAULT ldap1-Ldap-Group == I made this group up


In operation, everything seems to expand ok:
..
(1) files : Searching for user in group I made this group up
rlm_ldap (ldap1): Reserved connection (4)
(1) files : Using user DN from request CN=Franks Andy (RLZ) IT Systems
Engineer,OU=RSHUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk
(1) files : Checking for user in group objects
(1) files : expand: ((cn=I made this group
up)(objectClass=Group)(member=%{control:Ldap-UserDn})) - '((cn=I made
this group up)(objectClass=Group)(member=CN\3dFranks Andy \28RLZ\29 IT
Systems Engineer\2cOU\3dRSHUsers\2cOU\3dSAT$
(1) files : expand: DC=SATH,DC=nhs,DC=uk - 'DC=SATH,DC=nhs,DC=uk'
(1) files : Performing search in 'DC=SATH,DC=nhs,DC=uk' with filter
'((cn=I made this group up)(objectClass=Group)(member=CN\3dFranks Andy
\28RLZ\29 IT Systems
Engineer\2cOU\3dRSHUsers\2cOU\3dSATHUsers\2cDC\3dSATH\2cDC\3dnhs\2cDC\3d
uk)$
(1) files : Waiting for search result...
(1) files : User found in group object
..

..but the user is always found.

All user based operations work fine. Not found is returned if the user
isn't in ldap etc.
I'm stumped. I've tried various filter combinations etc, but the group
doesn't even exist, and even if I reference a group that does exist
which doesn't contain the user, it returns found... Version 2 didn't
seem to have the same behaviour.

Thanks
Andy



Re: Ldap query in FR3

2013-07-23 Thread Phil Mayers

On 23/07/13 17:19, Franks Andy (RLZ) IT Systems Engineer wrote:

This will probably be obvious, but I can’t see it!


Looks like a bug - the code here:

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/groups.c#L495

...passes NULL for the result argument to rlm_ldap_search, which means 
this code:


https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/ldap.c#L679

...doesn't get run, so 0 results is ok.


RE: Ldap query in FR3

2013-07-23 Thread Franks Andy (RLZ) IT Systems Engineer
Ah, Thanks Phil. I'll have to get out the teach yourself C in half an
hour book!
Maybe one of the friendly devs will have a fix..
:-)
Thanks
Andy



Re: Ldap query in FR3

2013-07-23 Thread Arran Cudbard-Bell

On 23 Jul 2013, at 17:52, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 23/07/13 17:19, Franks Andy (RLZ) IT Systems Engineer wrote:
 This will probably be obvious, but I can’t see it!
 
 Looks like a bug - the code here:
 
 https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/groups.c#L495
 
 ...passes NULL for the result argument to rlm_ldap_search, which means this 
 code:
 
 https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/ldap.c#L679
 
 ...doesn't get run, so 0 results is ok.

Nice catch. Fixed.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Authorization failed in cisco switch

2013-07-23 Thread Alan Buxey

now i can logon into the switch but i can with all USERS.

Yes.  Because that's how you have configured it.  You've set the DEFAULT to 
have those abilities.  I would recommend reading freeradius resources and buy a 
book to discover/understand policies, groups etc

alan

RE: Ldap query in FR3

2013-07-23 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks Arran, Phil.
But, segv :
(0) files : expand: DC=SATH,DC=nhs,DC=uk - 'DC=SATH,DC=nhs,DC=uk'
(0) files : Performing search in 'DC=SATH,DC=nhs,DC=uk' with filter
'((cn=I made this group
up)(objectClass=Group)(member=CN\3dRSH-AF7\2cOU\3dRSH\2cOU\3dAdministrat
ive\2cOU\3dSATHComputers\2cDC\3dSATH\2cDC\3dnhs\2cDC\3duk))'
(0) files : Waiting for search result...
(0) files : Search returned no results

Program received signal SIGSEGV, Segmentation fault.
0x71ba333e in rlm_ldap_search (inst=0x8b3bb0, request=0x9abe60,
pconn=0x7fffcee8, dn=0x7fffc670 DC=SATH,DC=nhs,DC=uk, scope=2,
filter=0x7fffc260 ((cn=I made this group
up)(objectClass=Group)(member=CN\\3dRSH-AF7\\2cOU\\3dRSH\\2cOU\\3dAdmini
strative\\2cOU\\3dSATHComputers\\2cDC\\3dSATH\\2cDC\\3dnhs\\2cDC\\3duk))
, attrs=0x0, result=0x0)
at src/modules/rlm_ldap/ldap.c:725
725 *result = our_result;
(gdb) bt
#0  0x71ba333e in rlm_ldap_search (inst=0x8b3bb0,
request=0x9abe60, pconn=0x7fffcee8, dn=0x7fffc670
DC=SATH,DC=nhs,DC=uk, scope=2,
filter=0x7fffc260 ((cn=I made this group
up)(objectClass=Group)(member=CN\\3dRSH-AF7\\2cOU\\3dRSH\\2cOU\\3dAdmini
strative\\2cOU\\3dSATHComputers\\2cDC\\3dSATH\\2cDC\\3dnhs\\2cDC\\3duk))
, attrs=0x0, result=0x0)
at src/modules/rlm_ldap/ldap.c:725
#1  0x71ba752a in rlm_ldap_check_groupobj_dynamic
(inst=0x8b3bb0, request=0x9abe60, pconn=0x7fffcee8, check=0x9831f0)
at src/modules/rlm_ldap/groups.c:497
#2  0x71b9e5e1 in rlm_ldap_groupcmp (instance=0x8b3bb0,
request=0x9abe60, thing=0x9ac130, check=0x9831f0, check_pairs=0x9831f0,
reply_pairs=0x9ac050) at src/modules/rlm_ldap/rlm_ldap.c:414
#3  0x77589036 in radius_callback_compare (req=0x9abe60,
request=0x9ac130, check=0x9831f0, check_pairs=0x9831f0,
reply_pairs=0x9ac050) at src/main/valuepair.c:334
#4  0x77589484 in paircompare (request=0x9abe60,
req_list=0x9ac130, check=0x9831f0, rep_list=0x9ac050) at
src/main/valuepair.c:587
#5  0x7fffee8c8bfc in file_common (inst=0x982750, request=0x9abe60,
filename=0x7fffee8c96f0 users, ht=0x983150, request_pairs=0x9ac130,
reply_pairs=0x9ac050) at src/modules/rlm_files/rlm_files.c:433
#6  0x7fffee8c8e12 in mod_authorize (instance=0x982750,
request=0x9abe60) at src/modules/rlm_files/rlm_files.c:480
#7  0x00423506 in call_modsingle (component=1, sp=0x992a90,
request=0x9abe60) at src/main/modcall.c:311
#8  0x00424e0b in modcall (component=1, c=0x991270,
request=0x9abe60) at src/main/modcall.c:796
#9  0x004210ba in indexed_modcall (comp=1, idx=0,
request=0x9abe60) at src/main/modules.c:790
#10 0x00422dfa in process_authorize (autz_type=0,
request=0x9abe60) at src/main/modules.c:1672
#11 0x0040cf92 in rad_authenticate (request=0x9abe60) at
src/main/auth.c:409
#12 0x00432ce6 in request_running (request=0x9abe60, action=1)
at src/main/process.c:1185
#13 0x00431f40 in request_queue_or_run (request=0x9abe60,
process=0x432c1c request_running) at src/main/process.c:828
#14 0x004333b0 in request_receive (listener=0x9aaa80,
packet=0x9abc50, client=0x861fd0, fun=0x40cdc2 rad_authenticate) at
src/main/process.c:1377
#15 0x00414a45 in auth_socket_recv (listener=0x9aaa80) at
src/main/listen.c:1449
#16 0x004393e4 in event_socket_handler (xel=0x994be0, fd=30,
ctx=0x9aaa80) at src/main/process.c:3484
#17 0x7736944e in fr_event_loop (el=0x994be0) at
src/lib/event.c:415
#18 0x0043a711 in radius_event_process () at
src/main/process.c:4273
#19 0x004283f9 in main (argc=2, argv=0x7fffe678) at
src/main/radiusd.c:474
(gdb)

Sorry !
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 23 July 2013 18:22
To: FreeRadius users mailing list
Subject: Re: Ldap query in FR3


On 23 Jul 2013, at 17:52, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 23/07/13 17:19, Franks Andy (RLZ) IT Systems Engineer wrote:
 This will probably be obvious, but I can't see it!
 
 Looks like a bug - the code here:
 

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/groups.c#L495
 
 ...passes NULL for the result argument to rlm_ldap_search, which
means this code:
 

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/ldap.c#L679
 
 ...doesn't get run, so 0 results is ok.

Nice catch. Fixed.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Ldap query in FR3

2013-07-23 Thread Arran Cudbard-Bell
Fixed.


Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread John Dennis
I've built on Fedora and the unreleased RHEL-7

On RHEL-7 I built on the following architectures:

ppc, s390, x86_64, ppc64, i686, s390x

All of those built successfully but when I run one of our analysis tools
it reports some problems, mostly in the area of multilib (multilib is
where you can have more than one set of libraries on a system, e.g.
32-bit and 64-bit). The main problem is the header files have a few
32-bit vs. 64-bit items in them. Header files are not supposed to be
arch specific. Normally the header files get installed in a devel
package so 3rd parties can build and link new modules if they want. But
the header files aren't clean, which would prohibit us from producing a
devel package. One possibility is for the spec file to delete the
offending elements in the header files, but it would be better if the
multilib issues were not present in the FR 3.0 release at all, that
would be much cleaner. Oddly there seems to be a multilib issue in one
of the example python files. I have not dug into how to fix any of these
yet, but I hope we can get the fixes in before 3.0 is frozen.

Also there were a few other issues reported in conjunction with IPv6. I
have not had time yet to go through and see if these are red herrings or
not.

I've attached the output of the analysis tool for review.


-- 
John
$ rpmdiff-cli local-analyse scratch:6062804
Setting up before packages
Setting up after packages
[rpmdiff-cli]$ ./rpmdiff-checker --xml-output=test-work-dir/output.xml 
--nocompare test-work-dir
[BAD] [freeradius] Subpackage freeradius is not multilib-clean for x86_64 vs 
i686: 1 file has non-equal 32/64bit content:
  /etc/raddb/radiusd.conf

[INFO] [freeradius] Multilib difference for etc/raddb/radiusd.conf on x86_64 vs 
i686:
--- /etc/raddb/radiusd.conf on x86_64   2013-07-19 05:16:18.829224089 -0400
+++ /etc/raddb/radiusd.conf on i686 2013-07-19 05:18:36.53887 -0400
@@ -106,7 +106,7 @@ db_dir = ${raddbdir}
 #  make
 #  make install
 #
-libdir = /usr/lib64/freeradius
+libdir = /usr/lib/freeradius

 #  pidfile: Where to place the PID of the RADIUS server.
 #
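Review bot: the only changed line in this hunk is `libdir`, which is written into /etc/raddb/radiusd.conf as an absolute path that differs per architecture (/usr/lib64/freeradius on x86_64, /usr/lib/freeradius on i686), so this config file cannot be multilib-clean while the value is fixed at build time. When both architectures' packages are installed, only one copy of the file survives, and its `libdir` then points at that architecture's directory regardless of which binary reads it. It is worth deciding in the packaging which package owns this file rather than leaving it to install order.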

[BAD] [freeradius-devel] Subpackage freeradius-devel is not multilib-clean for 
x86_64 vs i686: 1 file has non-equal 32/64bit content:
  /usr/include/freeradius/radpaths.h

[INFO] [freeradius-devel] Multilib difference for 
usr/include/freeradius/radpaths.h on x86_64 vs i686:
--- /usr/include/freeradius/radpaths.h on x86_642013-07-19 
05:16:36.042228062 -0400
+++ /usr/include/freeradius/radpaths.h on i686  2013-07-19 05:18:53.607225676 
-0400
@@ -1,6 +1,6 @@
 /* Automatically generated by build-radpaths-h */
 #define LOGDIR /var/log/radius
-#define LIBDIR /usr/lib64/freeradius
+#define LIBDIR /usr/lib/freeradius
 #define RADDBDIR   /etc/raddb
 #define RUNDIR /var/run
 #define SBINDIR/usr/sbin
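Review bot: `LIBDIR` is the one define in this generated header that differs between x86_64 and i686; LOGDIR, RADDBDIR, RUNDIR and SBINDIR are identical on both sides, so freeradius-devel fails the multilib check on this line alone. Consider keeping `LIBDIR` out of the installed copy of radpaths.h, or not installing this generated header at all, so that third-party modules built against the devel package cannot pick up a library path for the wrong architecture.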

[BAD] [freeradius-python] Subpackage freeradius-python is not multilib-clean 
for x86_64 vs i686: 2 files have non-equal 32/64bit content:
  /etc/raddb/mods-config/python/example.pyo
  /etc/raddb/mods-config/python/example.pyc

[INFO] [freeradius-python] Multilib difference for 
etc/raddb/mods-config/python/example.pyo on x86_64 vs i686:
Binary files /etc/raddb/mods-config/python/example.pyo on x86_64 and 
/etc/raddb/mods-config/python/example.pyo on i686 differ

[BAD] [freeradius] Subpackage freeradius is not multilib-clean for ppc64 vs 
ppc: 1 file has non-equal 32/64bit content:
  /etc/raddb/radiusd.conf

[INFO] [freeradius] Multilib difference for etc/raddb/radiusd.conf on ppc64 vs 
ppc:
--- /etc/raddb/radiusd.conf on ppc642013-07-19 05:17:46.229223508 -0400
+++ /etc/raddb/radiusd.conf on ppc  2013-07-19 05:15:27.709224515 -0400
@@ -106,7 +106,7 @@ db_dir = ${raddbdir}
 #  make
 #  make install
 #
-libdir = /usr/lib64/freeradius
+libdir = /usr/lib/freeradius

 #  pidfile: Where to place the PID of the RADIUS server.
 #

[BAD] [freeradius-devel] Subpackage freeradius-devel is not multilib-clean for 
ppc64 vs ppc: 1 file has non-equal 32/64bit content:
  /usr/include/freeradius/radpaths.h

[INFO] [freeradius-devel] Multilib difference for 
usr/include/freeradius/radpaths.h on ppc64 vs ppc:
--- /usr/include/freeradius/radpaths.h on ppc64 2013-07-19 05:17:46.098223868 
-0400
+++ /usr/include/freeradius/radpaths.h on ppc   2013-07-19 05:15:10.402224137 
-0400
@@ -1,6 +1,6 @@
 /* Automatically generated by build-radpaths-h */
 #define LOGDIR /var/log/radius
-#define LIBDIR /usr/lib64/freeradius
+#define LIBDIR /usr/lib/freeradius
 #define RADDBDIR   /etc/raddb
 #define RUNDIR /var/run
 #define SBINDIR/usr/sbin

[BAD] [freeradius-python] Subpackage freeradius-python is not multilib-clean 
for ppc64 vs ppc: 2 files have non-equal 32/64bit content:
  /etc/raddb/mods-config/python/example.pyo
  /etc/raddb/mods-config/python/example.pyc

[INFO] [freeradius-python] Multilib difference for 

MSCHAPv2 authentication failure

2013-07-23 Thread Tekán Dávid
, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file
/etc/raddb/modules/acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module detail from file /etc/raddb/modules/detail
  detail {
detailfile = 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.accounting_response from
file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/raddb/attrs.accounting_response
key = %{User-Name}
relaxed = no
  }
reading pairlist file /etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file /etc/raddb/modules/radutmp
  radutmp {
filename = /var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module attr_filter.access_reject from file
/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = /etc/raddb/attrs.access_reject
key = %{User-Name}
relaxed = no
  }
reading pairlist file /etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = control
 listen {
socket = /var/run/radiusd/radiusd.sock
 }
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
 ... adding new socket proxy address * port 35118
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 49575,
id=6, length=274
ChilliSpot-Version = 1.3.0
ChilliSpot-Attr-10 = 0x0001
Event-Timestamp = Jul 23 2013 20:57:54 UTC
User-Name = nagy
Acct-Input-Octets = 855677
Acct-Output-Octets = 20842716
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Acct-Input-Packets = 12030
Acct-Output-Packets = 37913
Acct-Session-Time = 601
Acct-Status-Type = Interim-Update
Acct-Session-Id = 51eeeadb0001
Framed-IP-Address = 192.168.100.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = 0001
Calling-Station-Id = 1C-75-08-B4-42-19
Called-Station-Id = 00-40-F6-F4-78-B9
NAS-IP-Address = 192.168.100.1
NAS-Identifier = coova-ethernet-gateway
WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,
WISPr-Location-Name = My_HotSpot
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,NAS-Identifier =
coova-ethernet-gateway,NAS-IP-Address =
192.168.100.1,Acct-Session-Id = 51eeeadb0001,User-Name = nagy'
[acct_unique] Acct-Unique-Session-ID = 401c3b4e3e417d51.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = nagy, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} - 127.0.0.1
[detail] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
- /var/log/radius/radacct/127.0.0.1/detail-20130723
[detail] 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/detail-20130723
[detail] expand: %t - Tue Jul 23 20:57:54 2013
++[detail] returns ok
[sql] expand: %{User-Name} - nagy
[sql] sql_set_user escaped user -- 'nagy'
[sql] expand: %{Acct-Input-Gigawords} - 0
[sql] expand: %{Acct-Input-Octets} - 855677
[sql] expand: %{Acct-Output-Gigawords} - 0
[sql] expand: %{Acct

RE: Ldap query in FR3

2013-07-23 Thread Franks Andy (RLZ) IT Systems Engineer
Good man
Cheers
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 23 July 2013 20:19
To: FreeRadius users mailing list
Subject: Re: Ldap query in FR3

Fixed.


Re: MSCHAPv2 authentication failure

2013-07-23 Thread Alan DeKok
Tekán Dávid wrote:
 Don't want to store cleartext password, so I created for every user an
 NT-Password as well beyond the MD5-Password, and it appears in the sql
 database as well (also checked the queries when it queries the
 rad_check table, it's there in the response as well).

  You need to list sql in the raddb/sites-enabled/inner-tunnel.

  And read the comments at the top of that file.  They describe how to
test it without having users doing WiFi logins.

  Alan DeKok.
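What the advice in the reply above looks like in a FreeRADIUS 2.x `raddb/sites-enabled/inner-tunnel`, as an added sketch that is neither the poster's configuration nor the project's shipped file. It assumes the `sql` module instance seen in the debug output and the stock `mschap` and `eap` modules, and leaves out the other modules the default file lists.

```conf
# Constructed example, not the poster's file: a trimmed inner-tunnel
# virtual server for tunneled (PEAP / EAP-TTLS) MSCHAPv2 with the
# users' NT-Password values held in SQL.
server inner-tunnel {

	# Local test listener; corresponds to "Listening on authentication
	# address 127.0.0.1 port 18120 as server inner-tunnel" in the log.
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}

	authorize {
		# Recognises MS-CHAP attributes and sets Auth-Type for them.
		mschap

		# Handles the inner EAP conversation (EAP-MSCHAPv2 inside PEAP).
		eap {
			ok = return
		}

		# The line the reply refers to. Listing sql only in the default
		# server is not enough: the inner request is processed here, and
		# without this lookup no NT-Password is attached to it.
		sql
	}

	authenticate {
		# Verifies the MS-CHAP response against the NT-Password
		# that sql placed in the control list above.
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}

# Test from the same host without a WiFi client. USER and PASSWORD are
# placeholders; testing123 assumes the default localhost client secret.
#   radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
```

Run the server with `radiusd -X` while testing; the inner-tunnel `authorize` group should then show `[sql]` lines for the user before `mschap` is called in `authenticate`.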