Re: Cisco VRF + Radius

2007-07-06 Thread Gerald Krause
Francesco Cristofori wrote:
> Hi all,
> does anybody have experience in setting up FR to support IP VRF for cisco
> equipment?
> Can you point me to some clear and simple configuration guide for doing that?

Putting a User into a certain VRF is quite simple:

vrfuser User-Password == "topsecret"
    Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding VRFNAME",
    Framed-IP-Address = x.x.x.x,
    ...

--
Gerald   (ax/tc)
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


post-auth problem after update from 2.0.4 to 2.1.10

2012-04-16 Thread Gerald Krause
Hi,

after upgrading our server from 2.0.4 to 2.1.10 we see a change in the
auth logic - e.g. when processing proxied requests to a home server and
their replies. We need this feature to append some special attributes to
the accept-packet from the home server before sending it to the NAS.


1) Our config in 2.0.4 (the DEFAULT record is recognized before sending
the packet to the NAS):

proxy.conf:
===
realm foo {
    type     = radius
    authhost = 1.2.3.4
    secret   = hidden
    nostrip
}

users file:
===
DEFAULT User-Name =~ "test@foo"
    MS-Primary-DNS-Server = "192.168.203.6",
    MS-Secondary-DNS-Server = "192.168.203.1",
    MS-Primary-NBNS-Server = "192.168.203.6"

sites-enabled/default:
==
authorize {
    ...
    files
    ...
}

test:
=
# radtest test@foo password localhost:1812

# /usr/sbin/freeradiusd -X
...
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "foo" for User-Name = "test@foo"
rlm_realm: Found realm "foo"
rlm_realm: Adding Realm = "foo"
rlm_realm: Proxying request from user test to realm foo
rlm_realm: Preparing to proxy authentication request to realm "foo"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test@foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Proxying request 50 to home server 1.2.3.4 port 1812
Sending Access-Request of id 228 to 1.2.3.4 port 1812
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.63
NAS-Port = 123
Proxy-State = 0x323336
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117
Proxy-State = 0x323336
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f30050201370001c0a8cb0601cd117a507f4414010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x000e
+- entering group post-proxy
  rlm_eap: No pre-existing handler found
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test@foo
users: Matched entry DEFAULT at line 6
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [test@foo/password] (from client LOCALHOST port 123)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x4f30050201370001c0a8cb0601cd117a507f4414010e
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x000e
MS-Primary-DNS-Server = 192.168.203.6
MS-Secondary-DNS-Server = 192.168.203.1
MS-Primary-NBNS-Server = 192.168.203.6
Finished request 50.



2) Our config in 2.1.10 (the DEFAULT record is ignored before sending
the packet to the NAS):


proxy.conf:
===
realm foo {
    type     = radius
    authhost = 1.2.3.4
    secret   = hidden
    nostrip
}

users file:
===
DEFAULT User-Name =~ "test@foo"
    MS-Primary-DNS-Server = "192.168.203.6",
    MS-Secondary-DNS-Server = "192.168.203.1",
    MS-Primary-NBNS-Server = "192.168.203.6"

sites-enabled/default:
==
authorize {
    ...
    files
    ...
}

test:
=
# radtest test@foo password localhost:1812

# /usr/sbin/freeradiusd -X
...
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74
User-Name = "test@foo"
User-Password = "password"
NAS-IP-Address = 172.16.1.55
NAS-Port = 123
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap

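To make the difference between the two traces easier to see, here is an added Python example (my code, not part of the posts and not FreeRADIUS code) that parses `-X` debug output into sections and reports which section ran the `files` module and where the users file matched. The first sample trace is a constructed subset of the 2.0.4 output above; the second is a constructed trace in the 2.1.x line format (group names followed by `{...}`, as in the 2.1.10 output above) for a server that runs `files.authorize` in `post-proxy`, the fix suggested in the follow-up. It is an illustration, not captured output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed subset of the 2.0.4 "-X" trace quoted in the post.
TRACE_2_0_4 = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74
+- entering group authorize
++[preprocess] returns ok
++[suffix] returns updated
users: Matched entry DEFAULT at line 6
++[files] returns ok
Sending Access-Request of id 228 to 1.2.3.4 port 1812
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117
+- entering group post-proxy
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 6
++[files] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 236 to 127.0.0.1 port 51046
"""

# Constructed trace in the 2.1.x line format for a server whose post-proxy
# section lists "files.authorize". Illustration only, not captured output.
TRACE_2_1_FIXED = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns updated
users: Matched entry DEFAULT at line 6
++[files] returns ok
Sending Access-Request of id 228 to 1.2.3.4 port 1812
rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117
+- entering group post-proxy {...}
users: Matched entry DEFAULT at line 6
++[files] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 110 to 127.0.0.1 port 49833
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")          # "+- entering group authorize {...}"
MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")   # "++[files] returns ok"
MATCH_RE = re.compile(r"^users: Matched entry (\S+) at line (\d+)")


@dataclass
class Section:
    name: str
    modules: List[Tuple[str, str]] = field(default_factory=list)   # (module, rcode)
    matched_entries: List[str] = field(default_factory=list)       # users-file entries hit


def parse_trace(text: str) -> List[Section]:
    """Group module calls and users-file matches under the section that ran them."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            sections.append(Section(m.group(1)))
            continue
        if not sections:
            continue  # rad_recv and similar lines before the first group are not section-scoped
        m = MODULE_RE.match(line)
        if m:
            sections[-1].modules.append((m.group(1), m.group(2)))
            continue
        m = MATCH_RE.match(line)
        if m:
            sections[-1].matched_entries.append(m.group(1))
    return sections


def section_sequence(text: str) -> List[str]:
    """Order in which the top-level sections ran for this request."""
    return [s.name for s in parse_trace(text)]


def sections_running(text: str, module: str) -> List[str]:
    """Every section (in order, with repeats) in which the given module was called."""
    return [s.name for s in parse_trace(text) if any(mod == module for mod, _ in s.modules)]


def users_matches(text: str) -> List[Tuple[str, str]]:
    """(section, entry) for each users-file hit; shows where reply items were added."""
    return [(s.name, e) for s in parse_trace(text) for e in s.matched_entries]


if __name__ == "__main__":
    for label, trace in (("2.0.4", TRACE_2_0_4), ("2.1.x with files.authorize in post-proxy", TRACE_2_1_FIXED)):
        print(label, "sections:", section_sequence(trace), "files ran in:", sections_running(trace, "files"))
```

Run on the 2.0.4 trace, `sections_running(..., "files")` returns `authorize` twice: the whole `authorize` section was re-run on the home server's reply, which is the "post-proxy authorize" behaviour that 2.1.x dropped. In the 2.1.x-style trace the second run is gone, and the only way the DEFAULT reply items reach the NAS is the explicit `files` call inside `post-proxy`.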
Re: post-auth problem after update from 2.0.4 to 2.1.10

2012-04-16 Thread Gerald Krause
On 16.04.2012 21:22, Alan DeKok wrote:
> Gerald Krause wrote:
>> after upgrading our server from 2.0.4 to 2.1.10
> 
>   Please use 2.1.12.  It's better.

I'll check that suggestion. At the moment this is a plain "apt-get
install/update/upgrade" Debian box that comes with 2.1.10 (don't blame
me...) but maybe I'm going to install freeradius from scratch somewhat
later.

>> we see a change in the
>> auth logic - e.g. when processing proxied requests to a home server and
>> their replies. We need this feature to append some special attributes to
>> the accept-packet from the home server before sending it to the NAS.
> 
>   Yes.  The "post-proxy authorize" functionality has been removed.  It
> was horrible and unnecessary.

o-kay

> 
>> users file:
>> ===
>> DEFAULT  User-Name =~ "test@foo"
>>  MS-Primary-DNS-Server = "192.168.203.6",
>>  MS-Secondary-DNS-Server = "192.168.203.1",
>>  MS-Primary-NBNS-Server = "192.168.203.6"
> 
>   You can just list "files.authorize" in the "post-proxy" section.  It
> will run the "users" file, add those attributes.

Great, that did the trick for me!

Thank you Alan,
Gerald



Re: post-auth problem after update from 2.0.4 to 2.1.10

2012-04-17 Thread Gerald Krause
On 16.04.2012 22:40, Matthew Newton wrote:
> On Mon, Apr 16, 2012 at 10:00:03PM +0200, Gerald Krause wrote:
>>>   Please use 2.1.12.  It's better.
>>
>> I'll check that suggestion. At the moment this is a plain "apt-get
>> install/update/upgrade" Debian box that comes with 2.1.10 (don't blame
>> me...) but maybe I'm going to install freeradius from scratch somewhat
>> later.
> 
> FWIW, building packages for the latest FR on Debian is really
> easy.
> 
> There's instructions from tarball on the wiki:
>   http://wiki.freeradius.org/Build#Building+Debian+packages
> 
> I've put instructions up to build from git[0], I'm sure it's in
> many other places too.
> 
> in short, assuming build deps installed:
> 
> $ git clone git://github.com/alandekok/freeradius-server.git
> $ cd freeradius-server/
> $ git checkout release_2_1_12
> $ buildpackage -us -uc -rfakeroot
> 
> You can easily build packages for the latest 2.1.x tree this way
> too (git checkout v2.1.x), which has even more shiny RADIUS
> goodness (although if you don't install the freeradius-mysql
> package you'll have to remove /etc/freeradius/modules/dhcp_sqlippool
> to get it to start).
> 
> Matthew
> 
> 
> [0]  
> http://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/

All right, thank you Matthew for this hint.

Gerald


Still problems with usernames containing "%" ?

2004-12-01 Thread Gerald Krause
Are there still problems in v1.0.1, when using usernames like "user1%test":
radiusd -xxyz:
 radtest "user1%test" "test" localhost 10 oopsi
 Debug: Thread 1 handling request 0, (1 handled so far)
User-Name = ""
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
 radtest "user1test" "test" localhost 10 oopsi
 Debug: Thread 2 handling request 1, (1 handled so far)
User-Name = "user1test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
Regards
--
Gerald


Re: Still problems with usernames containing "%" ?

2004-12-04 Thread Gerald Krause
Alan DeKok wrote:
> Gerald Krause <[EMAIL PROTECTED]> wrote:
>> Are there still problems in v1.0.1, when using usernames like "user1%test":
>
>   I've put a fix into CVS, and will also put it into 1.0.2.
>   It's not *perfect*, but it will now avoid 99.999% of the cases
> people care about.
Ok, I'll try it. Thx Alan!
--
Gerald


Re: Cisco 2610 and freeradius-mysql..

2005-01-25 Thread Gerald Krause
[EMAIL PROTECTED] wrote:
> Hi
> I'm using freeradius + mysql and two cisco access servers (2610 and 5300).
> I have group default defined on my database with an entry to
> Called-Station-Id that looks like this:
> +----+-----------+-------------------+----+-------+
> | id | GroupName | Attribute         | op | Value |
> +----+-----------+-------------------+----+-------+
> |  1 | mygroup   | Auth-Type         | := | Local |
> | 16 | mygroup   | Called-Station-Id | != | xxx   |
> |  . | .         | .                 | .  | .     |
> |  . | .         | .                 | .  | .     |
> |  . | .         | .                 | .  | .     |
> +----+-----------+-------------------+----+-------+
> The problem is that every connection from the 5300 is O.K, but all connections
> from the 2610 fail.
> If I delete the Called-Station-Id entry from my database, then there are no
> connection errors from the 2610: everything works O.K.

Looks like the 2610 does not send the Called-Station-Id or sends another
one than you expect it to send. Try some debugging and take a closer
look at the transmitted attributes.
--
Gerald


Re: Adding 2 or more Framed-Routes

2006-03-29 Thread Gerald Krause
On Wednesday 29 March 2006 21:15, Brent wrote:
> Anyone know the correct way to add more than 1 framed-route?
> Here is what is setup now and this works.
>
> af_user Service-Type = Framed-User, Simultaneous-Use=1
>     Framed-IP-Address = 206.40.yyy.yyy,
>     Framed-Route = "206.40.xxx.xxx/29 206.40.yyy.yyy 1",
>
> Do I just need to add a second Framed-Route like this?
>
> af_user Service-Type = Framed-User, Simultaneous-Use=1
>     Framed-IP-Address = 206.40.yyy.yyy,
>     Framed-Route = "206.40.xxx.xxx/29 206.40.yyy.yyy 1",
>     Framed-Route = "206.40.zzz.zzz/29 206.40.yyy.yyy 1",

Use "+=" as operator for attributes of the same type.

-- 
GeraldAX/TC


Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Gerald Krause
hi,

according to rfc2865 value 5 of attr 6 should be named "Outbound" and not
"Outbound-User" (if i have read the rfc well) and that causes all my
dial-outs to fail after installing v1.0.4 because all users were configured
with "Outbound". even though fixing was dead easy - have i misunderstood
the rfc?


 -gerald


Re: Service-Type: Outbound vs. Outbound-User

2005-07-08 Thread Gerald Krause
hello alan,

On Friday, 8 July 2005 22:37, Alan DeKok wrote:
> Gerald Krause <[EMAIL PROTECTED]> wrote:
> > according to rfc2865 value 5 of attr 6 should be named "Outbound" and
> > not "Outbound-User" (if i have read the rfc well) and that causes all
> > my dial-outs to fail after installing v1.0.4 because all users were
> > configured with "Outbound". even though fixing was dead easy - have i
> > misunderstood the rfc?
>
>   No.  But the names are essentially irrelevant.

yes, i know.

>   You didn't say what you upgraded from (or if you upgraded), or if
> you just typed in "outbound" from the RFC's.

we have only cisco NAS's in production and all the examples on cisco.com
use "outbound".

since using freeradius (from 0.4 or so, livingston/cistron before) i
remember that i stumbled on this more than once (after every upgrade?) but
am asking now for the first time about some basics:

i know i can easily change all my "outbound" values into "outbound-user" in
order to make further upgrades simpler but i wonder if it would make sense
to change the default value in the dictionary or include "outbound" in
dictionary.cisco (even if it does not look cisco specific because the rfc
tells the same)?

but i'm in doubt because i saw nobody else with this 'problem' (yea, maybe
because it is not really one). are they all using "outbound-user" from the
beginning? do they all edit the dictionary? or does nobody run dial-out? hm,
sounds more philosophic ;) ...anyway, that was my impulse to ask.


 -gerald


Re: Service-Type: Outbound vs. Outbound-User

2005-07-09 Thread Gerald Krause
On Saturday, 9 July 2005 01:44, Alan DeKok wrote:
> Gerald Krause <[EMAIL PROTECTED]> wrote:
> > we have only cisco NAS's in production and all the examples on
> > cisco.com using "outbound".
>
>   They also give ACS in their examples.  Does that mean you use ACS?

do not misunderstand me: i'm not using "outbound" because of faith in
cisco. not at all :). i use it because it looks rfc conform - the examples
from cisco only second that.

it was my fault that i stumbled again over this (because i have done the
appropriate dictionary modifications more than once in the past) but this
time i asked myself (and afterwards the list) for the rfc-standard...

> > but i'm in doubt because i saw nobody else with this 'problem' (yea,
> > maybe because it is not really one). are they all using "outbound-user"
> > from the beginning?
>
>   Yes.

...ok. then i'll use it too.


 -gerald


Re: Service-Type: Outbound vs. Outbound-User

2005-07-09 Thread Gerald Krause
On Saturday, 9 July 2005 18:31, Dusty Doris wrote:
> >   The names are IRRELEVANT.  The dictionaries matter only to the
> > RADIUS server and it's configuration files.  I could rename all of the
> > attributes & valuess to random words from the dictionary, and it would
> > make *no* difference to the clients.
>
> To expand on what Alan was saying, for the purpose of the list archive.

[...]

> Think of it like DNS, mapping to a user-friendly name.

at this time i would only point out that my question aims at freeradius'
*standard behavior* regarding naming attr 6/value 5, not *how dictionaries
work* (this should be quite clear for everyone who runs radius servers).

my last note: i apologize for my finickiness :). i appreciate the freeradius
project a lot and never regretted the decision to use it.

 -gerald


Re: Cisco Privilege Level

2005-09-27 Thread Gerald Krause
On Tuesday, 20 September 2005 20:13, Ryan Sharpe wrote:
> Hello all,
>
> I'm having a problem getting users to default to the right privilege
> level.
>
> aaa authentication login default group radius local
> aaa authorization exec default group radius local
> radius-server host xx.20.xx.xx auth-port 1645 acct-port 1646
> radius-server key 7 
> privilege exec level 2 enable
>
> DEFAULT Group == "radiusfull", Auth-Type = System
>     CiscoAVPair = "shell:priv-lvl=2",
>     Fall-Through = No
> DEFAULT Group == "radiusview", Auth-Type = System
>     CiscoAVPair = "shell:priv-lvl=1",
>     Fall-Through = No
...
> I also did a packet capture of the communication between
> the two devices and I did not see any of the AVPairs in the packet data.
> If someone could help and enlighten me that would be great. THANKS!

Maybe you should use "Cisco-AVPair" instead of "CiscoAVPair"? Or is 
"CiscoAVPair" in one of your dictionaries?


 --Gerald


Re: Monitoring FreeRadius with WhatsUp! Professional

2005-09-28 Thread Gerald Krause
On Wednesday, 28 September 2005 13:57, Matthew Anderson wrote:
> Are there any freeradius users out there that are using WhatsUp! to
> monitor their freeradius server?  I am trying to set it up but I am
> unsure what to use for the send/expect statements.  Any help would be
> greatly appreciated.  I already configured WhatsUp! to use port 1812 and
> was told by the WhatsUp! people to contact the vendor for freeradius to
> get the correct send/expect strings.

This stupid check results in a NACK/AUTH-REJECT answer, but it works for me
to know that my freeradius is alive:

Servicename: RADIUS-1812
Protocol:    UDP
Port:        1812
Send=%001D%000,0123456789012345%001%006TEST%002%018abcdefghijklmnop
Expect=.D%000

Just sniff the packets a little bit more in detail (tcpdump/ethereal) to
build a better send/expect mapping.


 --Gerald
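The Send string above is a hand-built RADIUS Access-Request and the Expect string checks the first bytes of the reply. As an added example (my code, not from the post, WhatsUp or FreeRADIUS), here is a Python decoder for that WhatsUp syntax, a RADIUS packet parser that applies the RFC 2865 length checks, the same request rebuilt from its parts, the Expect comparison, and the User-Password hiding a real client would apply; `probe()` sends the check over UDP. The WhatsUp escape rules (`%NNN` is a decimal byte, `.` in Expect is a wildcard) are an assumption based on how the posted strings decode, and the reply packet used in the test is constructed.

```python
import hashlib
import socket
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Send/Expect strings exactly as quoted in the post. Assumed WhatsUp syntax:
# "%NNN" is a decimal byte value, other characters are literal, "." in Expect
# matches any byte.
SEND_STRING = "%001D%000,0123456789012345%001%006TEST%002%018abcdefghijklmnop"
EXPECT_STRING = ".D%000"


def decode_whatsup(s: str, wildcards: bool = False) -> List[Optional[int]]:
    """Decode a WhatsUp send/expect string into byte values (None = wildcard)."""
    out: List[Optional[int]] = []
    i = 0
    while i < len(s):
        if s[i] == "%" and s[i + 1:i + 4].isdigit():
            out.append(int(s[i + 1:i + 4]))
            i += 4
        elif wildcards and s[i] == ".":
            out.append(None)
            i += 1
        else:
            out.append(ord(s[i]))
            i += 1
    return out


def send_bytes() -> bytes:
    """The probe packet: code 1, id 'D' (0x44), length 44, a fixed 16-byte authenticator,
    User-Name "TEST" and a 16-byte User-Password that was never hidden with a secret."""
    return bytes(v for v in decode_whatsup(SEND_STRING) if v is not None)


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...]).
    Raises on the malformed cases RFC 2865 says to silently discard: a Length
    outside 20..len(pkt), or an attribute with Length < 2 or running past the packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length < 20 or length > len(pkt):
        raise ValueError("inconsistent Length field")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:  # octets beyond Length are padding and ignored
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_access_request(ident: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise an Access-Request: header, then type/length/value attributes."""
    assert len(authenticator) == 16
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return (bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big")
            + authenticator + body)


def expect_matches(reply: bytes, pattern: List[Optional[int]]) -> bool:
    """The Expect check: every non-wildcard pattern byte must equal the reply byte."""
    return len(reply) >= len(pattern) and all(
        p is None or p == b for p, b in zip(pattern, reply))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    The probe skips this because it has no shared secret, which is why the
    server answers with an Access-Reject instead of an Access-Accept."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def probe(host: str, port: int = 1812, timeout: float = 3.0) -> Tuple[bool, Optional[int]]:
    """Send the probe; return (Expect matched?, reply code), or (False, None) on silence.
    FreeRADIUS ignores packets from hosts not listed in clients.conf, so the
    monitoring host must be a configured client for any reply to arrive at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(send_bytes(), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, None
    pattern = decode_whatsup(EXPECT_STRING, wildcards=True)
    return expect_matches(reply, pattern), (reply[0] if reply else None)
```

The Expect string only pins the identifier and the high byte of Length, so a reply of any code passes. That is fine for a liveness check, and it is also why the reply code is returned separately: an unexpected Access-Accept for this throwaway password would be worth alerting on.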


Simultaneous-Use - checkrad with diff. auth/acct systems

2004-01-20 Thread Gerald Krause
hi,

i have searched the archive for some information about a scenario where
AUTHing and ACCTing take place on different machines. We have
this situation, which makes the use of checkrad (which needs a local
radutmp on the AUTH-system - or have we misunderstood
something here?) a little bit difficult.
Now we are close to the point of writing our own "Simultaneous-Use" solution
for our CISCO-NASes but if someone has some hints, they will be appreciated.
thx
gerald


Re: Simultaneous-Use - checkrad with diff. auth/acct systems

2004-01-21 Thread Gerald Krause
Andrea Gabellini wrote:
> At 14.38 20/01/2004, you wrote:
>> hi,
>>
>> i have searched the archive for some information about a scenario where
>> AUTHing and ACCTing take place on different machines. We have
>> this situation, which makes the use of checkrad (which needs a local
>> radutmp on the AUTH-system - or have we misunderstood
>> something here?) a little bit difficult.
>
> checkrad is used also with sql simul_*_query, so if you are using sql to
> authenticate and for accounting you can use it.

ok, that's a good idea!

thx
gerald


Re: How Could We configure an empty Username and Password ? HELP

2004-01-21 Thread Gerald Krause
Nader Sayeh wrote:
> I tried to configure an empty username and password but it didn't work,
> how could I do so?

i think an empty user is not really a user ;). maybe you should have a look
@ the DEFAULT records that are described in the docs. with DEFAULT
records you can define logins that do not need usernames and/or
passwords.
gerald



Re: Cisco config to use two radius servers

2004-04-28 Thread Gerald Krause
hi rob,

try this:

radius-server host [ip-first-auth] auth 1812 acct 0
radius-server host [ip-fallback-auth] auth 1812 acct 0
radius-server host [ip-first-acct] auth 0 acct 1813
radius-server host [ip-fallback-acct] auth 0 acct 1813
--
gerald


Re: user with more tha one NAS Server

2004-05-27 Thread Gerald Krause
> My question is, is there a better method to do so?
> Can I give a user more than one NAS-IP-Address option?
> For example:
> user Auth-Type := Local, User-Password == "**", NAS-IP-Address == 1.1.1.1, NAS-IP-Address == 1.1.1.2

Maybe you can use one regexp (=~) instead of multiple plain compares
(==).

--
Gerald
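The VRF entry, the `+=` advice for a second Framed-Route and the regexp suggestion just above all rely on the users-file operators. As an added example (my code, not FreeRADIUS code and not from any post) here is a small Python model of those rules: `==`, `!=` and `=~` as check items, `=`, `:=` and `+=` as reply items, plus Fall-Through. The file text is constructed for the example (the addresses and the VRF name are made up), the operator semantics follow the users(5) description reduced to a toy, and a request attribute that is missing simply fails the check here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed users file modelled on the entries posted in these threads.
USERS_FILE = r'''
vrfuser User-Password == "topsecret"
    Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding VRFNAME",
    Framed-IP-Address = 10.0.0.5

af_user Service-Type == Framed-User
    Framed-IP-Address = 206.40.1.1,
    Framed-Route += "206.40.2.0/29 206.40.1.1 1",
    Framed-Route += "206.40.3.0/29 206.40.1.1 1"

DEFAULT User-Name =~ "test@foo", NAS-IP-Address =~ "^1\.1\.1\.[12]$"
    MS-Primary-DNS-Server = "192.168.203.6",
    MS-Secondary-DNS-Server = "192.168.203.1"
'''

# The "before" form from the Framed-Route question: a second "=" is ignored.
USERS_FILE_BEFORE = r'''
af_user Service-Type == Framed-User
    Framed-IP-Address = 206.40.1.1,
    Framed-Route = "206.40.2.0/29 206.40.1.1 1",
    Framed-Route = "206.40.3.0/29 206.40.1.1 1"
'''

# attribute, operator, value (quoted string or bare token); commas just separate pairs
PAIR_RE = re.compile(r'([A-Za-z0-9-]+)\s*(==|!=|=~|:=|\+=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


@dataclass
class Pair:
    attr: str
    op: str
    value: str


@dataclass
class Entry:
    name: str
    checks: List[Pair] = field(default_factory=list)
    reply: List[Pair] = field(default_factory=list)


def _pairs(text: str) -> List[Pair]:
    return [Pair(a, op, v[1:-1] if v.startswith('"') else v) for a, op, v in PAIR_RE.findall(text)]


def parse_users(text: str) -> List[Entry]:
    """Unindented line: 'NAME check, check...'; indented lines: reply items of that entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply item before any entry: %r" % raw)
            entries[-1].reply.extend(_pairs(raw))
        else:
            name, _, rest = raw.partition(" ")
            entries.append(Entry(name.strip(), _pairs(rest)))
    return entries


def check_passes(pair: Pair, request: Dict[str, str]) -> bool:
    got = request.get(pair.attr)
    if got is None:                 # toy rule: a missing request attribute fails the check
        return False
    if pair.op == "==":
        return got == pair.value
    if pair.op == "!=":
        return got != pair.value
    if pair.op == "=~":             # unanchored unless the pattern uses ^ / $
        return re.search(pair.value, got) is not None
    raise ValueError("unsupported check operator %s" % pair.op)


def apply_reply(reply: List[Tuple[str, str]], pair: Pair) -> None:
    present = any(a == pair.attr for a, _ in reply)
    if pair.op == "=" and present:          # "=": add only if the attribute is absent
        return
    if pair.op == ":=":                     # ":=": replace every existing instance
        reply[:] = [(a, v) for a, v in reply if a != pair.attr]
    elif pair.op not in ("=", "+="):        # "+=": always append one more instance
        raise ValueError("unsupported reply operator %s" % pair.op)
    reply.append((pair.attr, pair.value))


def lookup(entries: List[Entry], request: Dict[str, str]) -> Optional[List[Tuple[str, str]]]:
    """First matching entry wins unless it sets Fall-Through = Yes; None if nothing matched."""
    reply: List[Tuple[str, str]] = []
    matched = False
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if not all(check_passes(c, request) for c in entry.checks):
            continue
        matched = True
        fall_through = False
        for pair in entry.reply:
            if pair.attr == "Fall-Through":
                fall_through = pair.value.lower() in ("yes", "1")
            else:
                apply_reply(reply, pair)
        if not fall_through:
            break
    return reply if matched else None
```

Run the two af_user files side by side and the difference is the one Gerald points at: with `=` the second Framed-Route is dropped because the attribute is already in the reply, with `+=` both routes go to the NAS. The DEFAULT entry shows one `=~` check covering two NAS addresses instead of two `==` items that can never both be true.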


authentication logging not working?

2004-06-07 Thread Gerald Krause
Hi,
I miss extended authentication logging lines when starting radiusd 
with "-yz" (ver 0.9.3):

--- snip ---
Mon Jun  7 12:53:01 2004 : Info: Using deprecated naslist file. 
Support for this will go away soon.
Mon Jun  7 12:53:01 2004 : Info: Using deprecated clients file. 
Support for this will go away soon.
Mon Jun  7 12:53:01 2004 : Info: Using deprecated realms file. 
Support for this will go away soon.
Mon Jun  7 12:53:01 2004 : Info: Listening on IP address *, ports 
1812/udp and 1813/udp, with proxy on 1814/udp.
Mon Jun  7 12:53:01 2004 : Info: Ready to process requests.
--- snip ---

afterwards authentication is working but without any logging
information about good/bad logins.

--
Gerald


Re: authentication logging not working?

2004-06-07 Thread Gerald Krause
Gerald Krause wrote:
> Hi,
> I miss extended authentication logging lines when starting radiusd
> with "-yz" (ver 0.9.3):

sorry - please forget this stupid question... radiusd.conf... ;).