Re: Affect Static IP by Freeradius/ASA5510

2009-02-04 Thread Phibee Network Operation Center

Alan DeKok wrote:

Phibee Network Operation Center wrote:
  

I see "Framed-IP-Address = 10.218.3.41" but at the end of the logs it has:

"Sending Access-Accept of id 32 to 10.218.7.243 port 1025
   Framed-IP-Address = 255.255.255.254"

Why is it sending 255.255.255.254?



  Some part of the configuration *you* added does this.  The default
configuration as shipped with the server doesn't add a Framed-IP-Address
of 255.255.255.254.

  Look at the debug output, and look at the "users" file entries it matches.

  You could also simply "grep" the configuration files for
255.255.255.254, and see where it comes from.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


  


Hi, many thanks Alan!

I have added a "#" in "users":

DEFAULT Service-Type == Framed-User
#   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes


And now the user has the good IP address.

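Alan's two suggestions above (look at the "users" entries the debug output says were matched, or grep for the value) can be combined. The sketch below is an added example, not part of the original thread or of FreeRADIUS: it reads the "users: Matched entry ... at line N" debug lines and reports which matched entry sets a given reply attribute. The sample file and debug excerpt are constructed, and it assumes the reported line number is the first line of the entry.

```python
import re

# Constructed sample "users" file, modelled on the DEFAULT entry quoted in the thread.
USERS = """\
DEFAULT Auth-Type = Perl
   Fall-Through = 1

DEFAULT Service-Type == Framed-User
   Framed-IP-Address = 255.255.255.254,
   Framed-MTU = 576,
   Service-Type = Framed-User,
   Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobson-TCP-IP
"""

# Constructed debug excerpt in the thread's format; line numbers refer to USERS.
DEBUG = """\
   users: Matched entry DEFAULT at line 1
   users: Matched entry DEFAULT at line 4
   users: Matched entry DEFAULT at line 10
"""

ITEM = re.compile(r'([\w-]+)\s*(?::=|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return entries as {name, line, reply}; reply maps attr -> (value, line)."""
    entries, cur = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or commented-out: ignored
        if not raw[0].isspace():          # column 0 starts a new entry
            cur = {"name": raw.split()[0], "line": no, "reply": {}}
            entries.append(cur)
        elif cur is not None:             # indented lines are reply items
            for attr, value in ITEM.findall(raw):
                cur["reply"][attr] = (value, no)
    return entries

def trace(attr, users_text, debug_text):
    """List (entry, entry_line, item_line, value) for matched entries setting attr."""
    by_line = {e["line"]: e for e in parse_users(users_text)}
    hits = []
    for n in re.findall(r"users: Matched entry \S+ at line (\d+)", debug_text):
        entry = by_line.get(int(n))
        if entry and attr in entry["reply"]:
            value, at = entry["reply"][attr]
            hits.append((entry["name"], entry["line"], at, value))
    return hits

if __name__ == "__main__":
    print(trace("Framed-IP-Address", USERS, DEBUG))
```

With the item commented out, as in the message above, the trace for Framed-IP-Address comes back empty.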

Affect Static IP by Freeradius/ASA5510

2009-02-04 Thread Phibee Network Operation Center

Hi

Sorry to restart the same subject, but I am searching .. I am searching but I don't see any solution ...


I use:
   FreeRadius with a Perl Script
   A Cisco ASA5510 IOS 8.0


In debug i have:


When a user doesn't have an IP, use "Pool":

==

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166

   User-Name = "vpn...@xx.fr"
   User-Password = "XXX"
   NAS-Port = 1658880
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = "62.XX.XX.XX"
   Calling-Station-Id = "88.XX.XX.XX"
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = "ip:source-ip=88.XX.XX.XXy\223"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: Looking up realm "xx.fr" for User-Name = "vpn...@xx.fr"
   rlm_realm: No such realm "xx.fr"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module "files" returns ok for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module "perl" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 0
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module "perl" returns ok for request 0
modcall: leaving group Perl (returns ok) for request 0
Login OK: [vpn...@xx.fr/XXX] (from client 10.218.7.243 port 1658880 cli 88.XX.XX.XX)

Sending Access-Accept of id 31 to 10.218.7.243 port 1025
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   h323-credit-amount = "100"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4989aa4d
Nothing to do.  Sleeping until we see a request.


No problems, the user connects and has an IP from the pool.


When I use a user with a static IP:

rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166

   User-Name = "vpn...@xx.fr"
   User-Password = "XXX"
   NAS-Port = 1662976
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = "62.23.17.71"
   Calling-Station-Id = "88.XX.XX.XX"
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = "ip:source-ip=88.XX.XX.XXy\223"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
   rlm_realm: Looking up realm "xx.fr" for User-Name = "vpn...@xx.fr"
   rlm_realm: No such realm "xx.fr"
 modcall[authorize]: module "suffix" returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 1
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module "files" returns ok for request 1
Using perl at 0x8149a00
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_pe

Re: Affect IP with script perl into freeradius

2009-01-27 Thread Phibee Network Operation Center

t...@kalik.net wrote:

Your perl script changes this:
  

rlm_perl: Added pair Framed-IP-Address = 10.218.4.120



into this (use IP pool on the NAS):

  

rlm_perl: Added pair Framed-IP-Address = 255.255.255.254



I don't see this:

$RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";

at all. Fix your script.

  


Hi

Sorry, I have changed my script for a test in the pool:

   $RAD_REPLY{'Framed-IP-Address'} = "10.218.4.120";
   $RAD_REPLY{'Framed-IP-Netmask'} = "255.255.255.0";
   return RLM_MODULE_OK;

I don't know why I have a " Framed-IP-Address = 255.255.255.254"

On the Cisco, I see:

5|Jan 27 2009|17:01:00|713130|||Group = XXX, Username = usertest, IP = 88.XX.XX.xx, Received unsupported transaction mode attribute: 5




Re: Affect IP with script perl into freeradius

2009-01-27 Thread Phibee Network Operation Center

t...@kalik.net wrote:

Thanks for your return. I have added:

   $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
   return RLM_MODULE_OK;

but no change, it uses the pool included in the Cisco ASA (10.218.4.5)

An error on my part?



Do a debug (radiusd -X) and see did the attribute make it into the
Access-Accept packet. If it is sent to Cisco - the problem is on ASA. Do
debug aaa there and see why is it ignoring static IP address.

Ivan Kalik
Kalik Informatika ISP


  


Ok, first this is the debug of Freeradius:


rad_recv: Access-Request packet from host 10.218.7.243:1025, id=50, length=165

   User-Name = "usertest"
   User-Password = "XXX"
   NAS-Port = 1011712
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = "62.XX.XX.XX"
   Calling-Station-Id = "88.XX.XX.XX"
   NAS-Port-Type = Virtual
   Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
   NAS-IP-Address = 10.218.7.243
   Cisco-AVPair = "ip:source-ip=88.166.47.158y\223"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 modcall[authorize]: module "chap" returns noop for request 1
 modcall[authorize]: module "mschap" returns noop for request 1
   rlm_realm: No '@' in User-Name = "usertest", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 1
   users: Matched entry DEFAULT at line 154
   users: Matched entry DEFAULT at line 173
   users: Matched entry DEFAULT at line 185
 modcall[authorize]: module "files" returns ok for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 10.218.4.120
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authorize]: module "perl" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
 rad_check_password:  Found Auth-Type Perl
auth: type "Perl"
 Processing the authenticate section of radiusd.conf
modcall: entering group Perl for request 1
Using perl at 0x8146460
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair h323-credit-amount = 100
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
rlm_perl: Added pair Framed-MTU = 576
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Auth-Type = Perl
 modcall[authenticate]: module "perl" returns ok for request 1
modcall: leaving group Perl (returns ok) for request 1
Login OK: [usertest/XX] (from client 10.218.7.243 port 1011712 cli 88.xx.xx.xx)

Sending Access-Accept of id 50 to 10.218.7.243 port 1025
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 576
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Framed-IP-Netmask = 255.255.255.0
   h323-credit-amount = "100"
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 50 with timestamp 497f20c3
Nothing to do.  Sleeping until we see a request.





Re: Affect IP with script perl into freeradius

2009-01-27 Thread Phibee Network Operation Center

t...@kalik.net wrote:

I use the Perl example supplied with FreeRadius to authenticate my user.

modules {
   perl {
      module = "/etc/raddb/Test-Auth.pl"
      func_accounting = accounting
      func_authenticate = authenticate
      func_authorize = authorize
      func_preacct = preacct
      func_checksimul = checksimul
      func_xlat = xlat
   }
}


If I want to add an IP address for one specific user, what is the process?

sample:
   All user => Use Pool of the NAS
   One specific user => use 192.168.50.1 (static IP)




There is an example in example.pl for sending h323... attribute in the
reply. You want to send Framed-IP-Address.

Ivan Kalik
Kalik Informatika ISP



  


Hi,

Thanks for your return. I have added:

   $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
   return RLM_MODULE_OK;

but no change, it uses the pool included in the Cisco ASA (10.218.4.5)

An error on my part?

bye
jerome




Affect IP with script perl into freeradius

2009-01-26 Thread Phibee Network Operation Center

Hi

I use the Perl example supplied with FreeRadius to authenticate my user.

modules {
   perl {
      module = "/etc/raddb/Test-Auth.pl"
      func_accounting = accounting
      func_authenticate = authenticate
      func_authorize = authorize
      func_preacct = preacct
      func_checksimul = checksimul
      func_xlat = xlat
   }
}


If I want to add an IP address for one specific user, what is the process?

sample:
   All user => Use Pool of the NAS
   One specific user => use 192.168.50.1 (static IP)



Thanks
jerome



Freeradius and Cisco ASA => Accounting and IP Static

2009-01-08 Thread Phibee Network Operation Center

Hi

I use FreeRadius to authenticate my IPsec VPN users on a Cisco ASA.

I am trying to find out if it's possible to:

-   Get accounting to know:
     Login connection start
     Login stop and time connected
     and if possible the number of KB used


-   Use FreeRadius for the IP pool:
     Currently, it's the ASA that assigns the IP address from an IP pool.
     Do you know if it's possible for FreeRadius to send the IP address,
     in order to use a static IP based on the login?

     I use a Perl script in auth

Thanks
jerome


Re: [HELP] FreeRadius and External Script

2009-01-05 Thread Phibee Network Operation Center

Hi

All of that works now, many thanks to Alan, Luciano and Ivan ;=)

bye
jerome



Re: [HELP] FreeRadius and External Script

2009-01-05 Thread Phibee Network Operation Center

a.l.m.bu...@lboro.ac.uk wrote:

Hi,

  
OK, now I think that this script is started but I don't understand it; it has a lot of subs but the subs are not launched.

If I understand, I put all of my Perl script into the sub test_call, no?



it's quite easy. in the experimental.conf file you state
which routines you would like to be called and then when the PERL
script is run, it will call the relevant subroutine for the
method wanted. or, if it's an auth then the auth subroutine gets
called. if it's a post-auth, then the post-auth routine gets called.
no other routine gets called unless you specifically code the
routing in the code to call another routine (basic PERL here)


if all you want is to use PERL to do an authentication test (eg a DB call
rather than using the built-in DB support), then ensure the authentication
routine is enabled in experimental.conf, that experimental.conf is
pulled in by the FreeRADIUS config and that 'perl' is listed
in the authentication section of the FreeRADIUS config. (be that radiusd.conf
or sites-enabled/whatever-file)

it's quite easy to test/debug by uncommenting all the test/debug routines
in the example.pl  and maybe by even opening your own file, writing
junk to it...and then closing it.  tail that file as you test.

alan
  


Many thanks for your help Alan ;=)

I start a new test with:

in radiusd.conf:

modules {
   perl {
   #
   #  The Perl script to execute on authorize, authenticate,
   #  accounting, xlat, etc.  This is very similar to using
   #  Exec-Program-Wait = "/path/foo.pl", but it is persistent,
   #  and therefore faster.
   #
   module = "/etc/raddb/Test-Auth.pl"
   func_accounting = accounting
   func_authenticate = authenticate
   func_authorize = authorize
   func_preacct = preacct
   func_checksimul = checksimul
   func_xlat = xlat
   }
}

authorize {
}

authenticate {
   Auth-Type Perl {
   perl
   }
}

in users.conf:

DEFAULT Auth-Type = Perl
   Fall-Through = 1




If I understand, when it receives an authentication request from my Cisco, it starts the script (Test-Auth.pl is a copy of example.pl).

Is that correct?



Re: [HELP] FreeRadius and External Script

2009-01-05 Thread Phibee Network Operation Center

a.l.m.bu...@lboro.ac.uk wrote:

Hi,

  

When I start the script manually, we have:

./example.pl: line 26: use: command not found
./example.pl: line 29: syntax error near unexpected token `('
./example.pl: line 29: `use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);'



how are you running this script manually? looks like you're trying
to run it as a shell script

perl ./example.pl
  


OK, when I start with this command, no error.


  

What is the good process for creating a small script?



take the example.pl file and modify it to suit your needs...then
ensure that it is called (ensure that experimental.conf
is included in the config and that you call the perl
module where you want it - eg post-auth, auth or such).

alan

  


OK, now I think that this script is started but I don't understand it; it has a lot of subs but the subs are not launched.

If I understand, I put all of my Perl script into the sub test_call, no?

Bye
jerome




[HELP] FreeRadius and External Script

2009-01-05 Thread Phibee Network Operation Center

Hi

I request your help because I don't understand the process of FreeRadius and I am limited in time ;=) Many thanks to everyone who agrees to help me.

I have installed FreeRadius and my Cisco can talk with it without problems.

Now I want FreeRadius to start a Perl script to handle the authentication.
I have read a HOWTO and used example.pl but with no real success
because all requests are validated.

When I start the script manually, we have:

./example.pl: line 26: use: command not found
./example.pl: line 29: syntax error near unexpected token `('
./example.pl: line 29: `use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);'

I think that when FreeRadius starts the script, it has the same message and validates the connection, no?


What is the good process for create a small script ?

Thanks
jerome



