RE: Ignoring request from unknown client

2004-12-03 Thread Brian Ammons
Is this NOT supposed to be "10.192.1.11/32"?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael Basso
> Sent: Friday, December 03, 2004 12:29 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Ignoring request from unknown client
> 
> 
> 
> > >client 10.192.1.11 {
> > >secret  = testing123
> > >shortname   = mbasso
> > >}  
> > >
> > >STILL NO LUCK.
> > 
> > Is this a problem with secrets not matching?
> 
> No. I am definitely using 'testing123' in the NTRadPing utility.
> 
> > 
> > - 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 




RE: (no subject)

2004-12-03 Thread Brian Ammons



Your clients.conf should be:

10.192.1.11/32

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Basso
Sent: Friday, December 03, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: (no subject)

I am testing my freeradius using NTRadPing Utility. I am running radius in debugger mode and I get this:

rad_recv: Access-Request packet from host 10.192.1.11:3628, id=1, length=44
Ignoring request from unknown client 10.192.1.11:3628

In clients.conf I have this entry:

client 10.192.1.11/16 {
    secret      = testing123
    shortname   = mbasso
}
   
  
  
Michael Basso
Network Specialist

Phone: 914.241.6186
Cell: 914.227.1004
Fax: 914.241.6100
[EMAIL PROTECTED]

BCSD
www.bedford.k12.ny.us
Rte. 172 Bedford, N.Y. 10506
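As an added illustration (not code from either poster or from FreeRADIUS), a small Python check of the clients.conf entry quoted above: it parses the client blocks, matches a request's source address against them the way a strict CIDR matcher would, and flags the /16 entry because its host bits are set (10.192.1.11/16 is not a network; 10.192.1.11/32 and 10.192.0.0/16 are). The second NAS 10.192.1.12 and its secret are made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed clients.conf with the thread's /16 entry next to a second
# NAS (10.192.1.12, made up here) written as the /32 the reply suggests.
CLIENTS_CONF = """
client 10.192.1.11/16 {
    secret    = testing123
    shortname = mbasso
}
client 10.192.1.12/32 {
    secret    = 7Gz!qp-example-only
    shortname = ap2
}
"""

def parse_clients(conf: str) -> List[Dict[str, str]]:
    """Extract 'client <addr>[/prefix] { key = value ... }' blocks, ignoring # comments."""
    clients: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("client ") and line.endswith("{"):
            current = {"address": line[len("client "):-1].strip()}
        elif line == "}" and current is not None:
            clients.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return clients

def entry_network(address: str):
    """Network the entry denotes, or None if host bits are set inside the prefix
    (10.192.1.11/16 is not a network; 10.192.0.0/16 is). A bare address is a /32."""
    if "/" not in address:
        address += "/32"
    try:
        return ipaddress.ip_network(address, strict=True)
    except ValueError:
        return None

def find_client(clients: List[Dict[str, str]], src_ip: str) -> Optional[Dict[str, str]]:
    """First entry whose network contains the request's source address, else None."""
    ip = ipaddress.ip_address(src_ip)
    for client in clients:
        net = entry_network(client["address"])
        if net is not None and ip in net:
            return client
    return None

def lint(conf: str) -> List[str]:
    """Flag entries a request cannot match cleanly, plus the example secret from the stock file."""
    problems = []
    for client in parse_clients(conf):
        addr = client["address"]
        if entry_network(addr) is None:
            host, subnet = addr.split("/", 1)[0], ipaddress.ip_network(addr, strict=False)
            problems.append(f"{addr}: host bits set; use {host}/32 for one NAS or {subnet} for the subnet")
        if client.get("secret") == "testing123":
            problems.append(f"{addr}: secret is the example value from the stock clients.conf")
    return problems
```

With this input, a request from 10.192.1.11 matches nothing (the same outcome as the "Ignoring request from unknown client" line above), while 10.192.1.12 matches the /32 entry.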
   


another tack was RE: oh god please help me

2004-12-03 Thread Brian Ammons
Well...yes.  Look, I wasn't the one that came up with this setup.  It is the
setup that I have to work with at this time, however.  Although you & I know
that it's not very secure, the folks who are using it either a) don't know
or b) don't care.

Although I do appreciate you pointing out that I'm doomed (no sarcasm - it
has made me look around), I'd like to get back to my original question(s)...

1.  Is it possible to do "fall through" on SQL-based user tables, so that
RADIUS will look at the whole table for a match before deciding whether
there's a match or not?

2.  Is it possible to rewrite a null attribute, either with attr_rewrite or
some other mechanism?

3.  Are there any other attributes besides ==, <=, >=, and =* that could
solve this issue for me, or can I do something different with those
operators that will make this work?

Thank you very much for your help - I really do appreciate it.

Sincerely,

Brian

>
> Oh boy, it's the CLIENT that you're trying to authenticate.
> The AP only sends the MAC of the client, so that's about the
> only thing you
> can check to distinguish the users.
>
> --
> Regards,
>
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65
> Order your copy of Operationele verkoop (Walter Spruyt -
> Liesbeth Huysmans) now via www.salesguide.be. Discover the Telenet Hotspot
> service at www.telenet.be/hotspots
>
>
>




oh god please help me - duplicate radcheck entries or operators or attr_rewrite or...

2004-12-01 Thread Brian Ammons
dcall[authorize]: module "chap" returns noop for request 345
  modcall[authorize]: module "mschap" returns noop for request 345
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 345
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 345
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 345
radius_xlat:  '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 345
modcall: group authorize returns ok for request 345
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 345 for 1 seconds
Finished request 345
Going to the next request

--

Password <=
MT  - Accept
XO  - there are two components in an XO that query RADIUS, a "Supervisor"
and a "Radio".  With a null password, and the "<=" operator, the Supervisor
gets an Accept, but the Radio gets a Reject.

rad_recv: Access-Request packet from host 10.0.0.243:1812, id=226, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair:  User-Name now '00301a04a7e0'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
  modcall[authorize]: module "preprocess" returns ok for request 18
radius_xlat:  ':'
rlm_attr_rewrite: No match found for attribute User-Name with value '00301a04a7e0'
  modcall[authorize]: module "mac_colons" returns ok for request 18
  modcall[authorize]: module "chap" returns noop for request 18
  modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 18
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 18
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 18
radius_xlat:  '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user [00301a04a7e0]
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns notfound for request 18
modcall: group authorize returns ok for request 18
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
  modcall[authenticate]: module "unix" returns notfound for request 18
modcall: group authenticate returns notfound for request 18
auth: Failed to validate the user.
Delaying request 18 for 1 seconds

-

So...that's "it".  I am a RADIUS novice but have got to assume that what I
want to do is possible...isn't it?


Brian Ammons

[EMAIL PROTECTED]





SUCCESS, now User-Password...was RE: attr_rewrite issues

2004-10-28 Thread Brian Ammons
> > So...if anyone can get me any advice re: how to check the
> functionality of
> > the attr_rewrite module I'd appreciate it.
> >
> > Thank you -
> >
> > Brian Ammons
> >

>
> It's because you defined the name of the module as mac_colons.  Change
> attr_rewrite to mac_colons in your authorize section.
>

That worked, exactly as advertised.  Thank you very, very much.  But I have
another problem, that I tried to solve but took down all our other NASs
instead...I googled and searched the archive but I couldn't find the
answer...

The new NAS does not transmit a password along with the username, as
illustrated below:

rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30

In our AuthDB, every username (the 12 digit mac, no colons) has a password
that exactly matches the username.

I tried to do this (and correctly loaded the module this time, thanks again
to Dustin Doris):

#attr_rewrite blank_password {
#   attribute = User-Password
#   searchin = packet
#   searchfor = ""
#   replacewith = User-Name
#   ignore_case = yes
#   new_attribute = no
#   max_matches = 10
#   append = no
#}

However, as I mentioned, that totally broke every other Auth-Request in
addition to not validating the new NAS Auth-Request in question.

So my boolean would be, "IF an Auth-Request comes in (??"from a particular
client"?  or "from a particular shortname defined in clients.conf"? or would
it be "with a blank password") THEN replace User-Password with (no colons,
all lowercase) User-Name."

OR would I replace it with the User-Name as passed from the NAS and then
operate on the password?

Thanks again for the assistance:

Brian





attr_rewrite issues

2004-10-28 Thread Brian Ammons
Hello FreeRadius list:

I'm having difficulty getting the attr_rewrite module to do...well,
anything.

I have a working RADIUS installation validating off of a mySQL database.
Our existing NASs (Wireless APs) transmit mac addresses as 12 character
lower case letter/number combos - this corresponds to username within
RADIUS.  A new NAS device is transmitting mac addresses in caps, with a
colon between each octet.  I am trying to filter the attributes coming from
the new NAS so that they are of the correct format in our mySQL database.

I have already gotten the case issue solved by making the following change
in radiusd.conf:

lower_user = before

What I can't get to work:  I have placed the following in radiusd.conf, just
under the commented-out example of attr_rewrite concerning "sanecallerid"


attr_rewrite mac_colons {
attribute = User-Name
searchin = packet
searchfor = ":"
replacewith = ""
ignore_case = yes
new_attribute = no
max_matches = 10
append = no
}

However, as I said, I don't see any indication that the RADIUS server is
doing anything of the kind.  This is the debug output, concerning an auth
request from the new type of NAS:

rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00:0a:e9:06:29:07' ORDER BY id
rlm_sql (sql): User 00:0a:e9:06:29:07 not found in radcheck

Note how the User-Name comes into RADIUS as all caps, but is in lower case
when it's checked against the db; this is the result of the "lower_user =
before" command I mentioned previously.  However, the attr_rewrite command
doesn't appear to be functioning at all.  I've tried several different
syntaxes slightly different from the one listed above with no luck.  Looking
further around radiusd.conf, I saw the authorize section at the bottom of
the file (thinking that I had to load the module, just as "preprocess"
apparently has to be loaded):

authorize {
preprocess
#   auth_log
#   attr_filter

attr_rewrite

However, having "attr_rewrite" uncommented as it is above causes an error on
load:

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
ERROR: Cannot find a configuration entry for module "attr_rewrite".

After which it returns to the command prompt (without loading the server).
I don't really understand the error message on its face, as I would have
thought the "attr_rewrite mac_colons " section I listed earlier in the file
would be the "configuration entry" that the error output says it can't find.

So...if anyone can get me any advice re: how to check the functionality of
the attr_rewrite module I'd appreciate it.

Thank you -

Brian Ammons




http://www.frontios.com/freeradius.html

2004-09-30 Thread Brian Ammons
Just found this good stuff re: RADIUS and mySQL.

http://www.frontios.com/freeradius.html

Thanks to everyone for their help.

BCA



what attributes go in which SQL tables?

2004-09-30 Thread Brian Ammons
I do know what man pages are, I did set all of this up myself.  I'm new (6
months) to Linux but I'm able to figure stuff out with just a push in the
right direction...you could have said "RTFM" and I would have gotten the
hint. Typing "man users" doesn't bring up anything about radius, it's about
the "users" command, which reports who's logged into the system.

"that doesn't change how the server works" - that's not very helpful,
sorry - my whole question was about how the server works because I DON'T
understand it and (sorry if I'm being repetitive) I was asking if there was
anywhere else I could look for enlightenment.  I guess the answer is "no".

I appreciate the time you've spent answering my questions.  I'll look
elsewhere for the answers I'm looking for.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: Thursday, September 30, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: Re: stupid question


> "Man Users" - What does that mean?  Manually added users?

  It means read the documentation for the "users" file in the system
"man" pages.

  Try typing "man users" on a command-line, and picking up an "intro
to Unix" book.  If you don't know what man pages are, you're missing a
LOT of the available documentation.

> I asked about the order that it looks at the tables because I thought that
> "radcheck" was for validation only.  However George's reply indicated that
> I should put Auth-Type in "radcheck" - but to my current way of thinking
> "Auth-Type" is a reply-type thing, not a validation-type thing...

  You can think that way if you want, but that doesn't change how the
server works.

> after I put the "Auth-Type" entry into "radcheck" (it's the only
> "Auth-Type" entry in the whole database) I still get the following warning
> (2 auth types) in the debug screen:

  So read the rest of the debug log to see what else is going on.

> So is there no precise breakdown of which types of attributes (as in the
> users file on page 84 of the oreilly book) go in which SQL table and the
> order in which the tables are checked, including error conditions?

  No.

  Alan DeKok.





stupid question

2004-09-28 Thread Brian Ammons
I am a radius rookie.  I have FreeRadius 1.0.0 installed on Slack 9.1 and
have the mySql compatibility working as well.  I ran the script that was
included with the source code to create the mySql tables.  My problem is not
with getting the server running - it's that I can't make it deny access when
I want, or accept when I want.  I'm using NTRadPing for testing.

For example...there's only one username defined (bammons) in the table
"usergroup", and that user is a member of groupname "administrators".  In
the table "radcheck", I setup "username" = "bammons", "Attribute" =
"Password", "op" = "==" and "Value" = "wtfover".

So at that point I've setup a user and a password for that user, right?
After it validates, it's supposed to look @ the table "radreply" for what to
do, right?  In "radreply", I define "username" = "bammons", "Attribute" =
"Auth-Type", "op" = "==" and "Value" = "Accept".

You may know that that does NOT result in the "Access-Accept" message I
expected to see, but I can't figure out why.  I'm running radiusd in full
debug mode (radiusd -xxyz -l stdout) and I see the following:

modcall: entering group authenticate for request 34
modcall [authenticate]: module "unix" returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.

OK, so I see that it wants to find an entry for the group "administrators"
in the "radgroupcheck" table.  So I add that - "groupname" =
"administrators", "attribute" = Auth-Type, "op" = "==" and "Value" = "Local"
(I picked "local" because it's listed as an "Auth-Type" value in the Hassell
Radius book) and then that works, I get "Access-Accept" back from the
server.

WHY is that required?  WHAT can I do about the error message that appears,
"Warning:  Found 2 auth-types on request for user 'bammons'"?  I've tried
putting "Service-Type" in place of "Auth-Type" in "radgroupcheck" but that
doesn't work...what am I missing here?

Back to the working config...I change the Auth-Type in "radreply" to
"Reject", but I still get an "Access - Accept" reply - this is (I suspect)
because any Auth-Type entries found in "radgroupcheck" take precedence over
any others...except that just doesn't seem right, what am I missing?

I guess ultimately despite trying to read everything I could find, I just
don't get how the RADIUS system steps through the different tables.

Thanks for your gentle replies.



Brian Ammons

