Re: Affect Static IP by Freeradius/ASA5510
Alan DeKok wrote:
> Phibee Network Operation Center wrote:
>> I see "Framed-IP-Address = 10.218.3.41" but at the end of the logs it has:
>>
>>     Sending Access-Accept of id 32 to 10.218.7.243 port 1025
>>             Framed-IP-Address = 255.255.255.254
>>
>> Why is it sending 255.255.255.254?
>
> Some part of the configuration *you* added does this. The default configuration as shipped with the server doesn't add a Framed-IP-Address of 255.255.255.254.
>
> Look at the debug output, and look at the "users" file entries it matches. You could also simply "grep" the configuration files for 255.255.255.254, and see where it comes from.
>
> Alan DeKok.

Hi, many thanks Alan!

I have added a "#" in "users":

    DEFAULT Service-Type == Framed-User
    #       Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes

And now the user has the correct IP address.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
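Alan's advice above is to find which "users" entry the debug output matched and which of those entries adds Framed-IP-Address. The following script is an added example (not part of the thread, not part of FreeRADIUS) that does that cross-check: it parses a "users" file, records the line each entry starts on (the number that appears in "users: Matched entry DEFAULT at line N"), and lists the entries whose reply items set Framed-IP-Address. The sample "users" text inside it is constructed for the example, in the shape of the DEFAULT entry that was commented out above; the "alice" entry and its password are invented. Run it as "perl audit-users.pl" (file name assumed), or replace the sample with "open my $fh, '<', '/etc/raddb/users'".

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of FreeRADIUS: list every entry in
# a FreeRADIUS "users" file with the line it starts on, and flag the entries
# whose reply items set Framed-IP-Address, so the "users: Matched entry
# DEFAULT at line N" lines of radiusd -X output can be checked against it.
use strict;
use warnings;

# Parse a users file: an entry starts in column 0 with a name and its check
# items; the indented lines that follow carry the reply items, comma-separated.
# Comments and blank lines are ignored. Returns a list of hashes with
# name, line, check and reply (an array of reply items).
sub parse_users {
    my ($fh) = @_;
    my (@entries, $cur);
    my $lineno = 0;
    while (my $line = <$fh>) {
        $lineno++;
        $line =~ s/#.*$//;          # strip comments: this is what the "#" fix relies on
        next if $line =~ /^\s*$/;
        if ($line =~ /^\S/) {       # column 0: a new entry begins here
            my ($name, $check) = $line =~ /^(\S+)\s*(.*?)\s*$/;
            $cur = { name => $name, line => $lineno, check => $check, reply => [] };
            push @entries, $cur;
        } elsif ($cur) {            # indented: reply item of the current entry
            (my $item = $line) =~ s/^\s+|\s*,?\s*$//g;
            push @{ $cur->{reply} }, $item if length $item;
        }
    }
    return @entries;
}

# Return only the entries whose reply items would put Framed-IP-Address
# into the Access-Accept.
sub framed_ip_entries {
    my @entries = @_;
    return grep { grep { /^Framed-IP-Address\s*=/ } @{ $_->{reply} } } @entries;
}

# Constructed sample in the shape of the thread's DEFAULT entry; the "alice"
# entry and its password are invented for this example.
my $sample = <<'END';
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

alice   Cleartext-Password := "example-only"
        Framed-IP-Address = 192.168.50.1
END

open my $fh, '<', \$sample or die "cannot open sample: $!";
my @entries = parse_users($fh);
close $fh;

# Expected output for the sample:
#   DEFAULT  (line 1) sets Framed-IP-Address = 255.255.255.254
#   alice    (line 7) sets Framed-IP-Address = 192.168.50.1
for my $e (framed_ip_entries(@entries)) {
    printf "%-8s (line %d) sets %s\n", $e->{name}, $e->{line},
        join ', ', grep { /^Framed-IP-Address/ } @{ $e->{reply} };
}
```

With the real file, an entry reported here at a line number that also shows up as "Matched entry ... at line N" in the debug output is the one putting the unwanted address into the reply.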
Affect Static IP by Freeradius/ASA5510
Hi,

Sorry to restart the same subject, but I am still searching and I don't see any solution...

I use:
- FreeRADIUS with a Perl script
- A Cisco ASA5510, IOS 8.0

In debug I have the following.

When a user doesn't have an IP, it uses the "Pool":

    rad_recv: Access-Request packet from host 10.218.7.243:1025, id=31, length=166
            User-Name = "vpn...@xx.fr"
            User-Password = "XXX"
            NAS-Port = 1658880
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Called-Station-Id = "62.XX.XX.XX"
            Calling-Station-Id = "88.XX.XX.XX"
            NAS-Port-Type = Virtual
            Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
            NAS-IP-Address = 10.218.7.243
            Cisco-AVPair = "ip:source-ip=88.XX.XX.XXy\223"
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module "preprocess" returns ok for request 0
      modcall[authorize]: module "chap" returns noop for request 0
      modcall[authorize]: module "mschap" returns noop for request 0
        rlm_realm: Looking up realm "xx.fr" for User-Name = "vpn...@xx.fr"
        rlm_realm: No such realm "xx.fr"
      modcall[authorize]: module "suffix" returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 0
        users: Matched entry DEFAULT at line 154
        users: Matched entry DEFAULT at line 173
        users: Matched entry DEFAULT at line 185
      modcall[authorize]: module "files" returns ok for request 0
    Using perl at 0x8149a00
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
    rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
    rlm_perl: Added pair Framed-MTU = 576
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Auth-Type = Perl
      modcall[authorize]: module "perl" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
      rad_check_password: Found Auth-Type Perl
    auth: type "Perl"
      Processing the authenticate section of radiusd.conf
    modcall: entering group Perl for request 0
    Using perl at 0x8149a00
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair h323-credit-amount = 100
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
    rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
    rlm_perl: Added pair Framed-MTU = 576
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Auth-Type = Perl
      modcall[authenticate]: module "perl" returns ok for request 0
    modcall: leaving group Perl (returns ok) for request 0
    Login OK: [vpn...@xx.fr/XXX] (from client 10.218.7.243 port 1658880 cli 88.XX.XX.XX)
    Sending Access-Accept of id 31 to 10.218.7.243 port 1025
            Framed-IP-Address = 255.255.255.254
            Framed-MTU = 576
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            h323-credit-amount = "100"
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 31 with timestamp 4989aa4d
    Nothing to do. Sleeping until we see a request.

No problems, the user connects and gets an IP from the Pool.

When I use a user with a static IP:

    rad_recv: Access-Request packet from host 10.218.7.243:1025, id=32, length=166
            User-Name = "vpn...@xx.fr"
            User-Password = "XXX"
            NAS-Port = 1662976
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Called-Station-Id = "62.23.17.71"
            Calling-Station-Id = "88.XX.XX.XX"
            NAS-Port-Type = Virtual
            Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
            NAS-IP-Address = 10.218.7.243
            Cisco-AVPair = "ip:source-ip=88.XX.XX.XXy\223"
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module "preprocess" returns ok for request 1
      modcall[authorize]: module "chap" returns noop for request 1
      modcall[authorize]: module "mschap" returns noop for request 1
        rlm_realm: Looking up realm "xx.fr" for User-Name = "vpn...@xx.fr"
        rlm_realm: No such realm "xx.fr"
      modcall[authorize]: module "suffix" returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 1
        users: Matched entry DEFAULT at line 154
        users: Matched entry DEFAULT at line 173
        users: Matched entry DEFAULT at line 185
      modcall[authorize]: module "files" returns ok for request 1
    Using perl at 0x8149a00
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-IP-Address = 10.218.3.41
    rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
    rlm_perl: Added pair Framed-MTU = 576
    rlm_pe
Re: Affect IP with script perl into freeradius
t...@kalik.net wrote:
> Your perl script changes this:
>
>     rlm_perl: Added pair Framed-IP-Address = 10.218.4.120
>
> into this (use IP pool on the NAS):
>
>     rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
>
> I don't see this:
>
>     $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
>
> at all. Fix your script.

Hi, sorry, I have changed my script for a test within the pool:

    $RAD_REPLY{'Framed-IP-Address'} = "10.218.4.120";
    $RAD_REPLY{'Framed-IP-Netmask'} = "255.255.255.0";
    return RLM_MODULE_OK;

I don't know why I have a "Framed-IP-Address = 255.255.255.254".

On the Cisco, I see:

    5|Jan 27 2009|17:01:00|713130|||Group = XXX, Username = usertest, IP = 88.XX.XX.xx, Received unsupported transaction mode attribute: 5
Re: Affect IP with script perl into freeradius
t...@kalik.net wrote:
>> Thanks for your reply. I have added:
>>
>>     $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
>>     return RLM_MODULE_OK;
>>
>> but no change, it uses the pool included in the Cisco ASA (10.218.4.5). An error of mine?
>
> Do a debug (radiusd -X) and see whether the attribute made it into the Access-Accept packet. If it is sent to Cisco - the problem is on ASA. Do debug aaa there and see why it is ignoring the static IP address.
>
> Ivan Kalik
> Kalik Informatika ISP

Ok, first this is the debug of FreeRADIUS:

    rad_recv: Access-Request packet from host 10.218.7.243:1025, id=50, length=165
            User-Name = "usertest"
            User-Password = "XXX"
            NAS-Port = 1011712
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Called-Station-Id = "62.XX.XX.XX"
            Calling-Station-Id = "88.XX.XX.XX"
            NAS-Port-Type = Virtual
            Tunnel-Client-Endpoint:0 = "88.XX.XX.XX"
            NAS-IP-Address = 10.218.7.243
            Cisco-AVPair = "ip:source-ip=88.166.47.158y\223"
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module "preprocess" returns ok for request 1
      modcall[authorize]: module "chap" returns noop for request 1
      modcall[authorize]: module "mschap" returns noop for request 1
        rlm_realm: No '@' in User-Name = "usertest", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "suffix" returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 1
        users: Matched entry DEFAULT at line 154
        users: Matched entry DEFAULT at line 173
        users: Matched entry DEFAULT at line 185
      modcall[authorize]: module "files" returns ok for request 1
    Using perl at 0x8146460
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-IP-Address = 10.218.4.120
    rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
    rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
    rlm_perl: Added pair Framed-MTU = 576
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Auth-Type = Perl
      modcall[authorize]: module "perl" returns ok for request 1
    modcall: leaving group authorize (returns ok) for request 1
      rad_check_password: Found Auth-Type Perl
    auth: type "Perl"
      Processing the authenticate section of radiusd.conf
    modcall: entering group Perl for request 1
    Using perl at 0x8146460
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair h323-credit-amount = 100
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
    rlm_perl: Added pair Framed-IP-Netmask = 255.255.255.0
    rlm_perl: Added pair Framed-Compression = Van-Jacobson-TCP-IP
    rlm_perl: Added pair Framed-MTU = 576
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Auth-Type = Perl
      modcall[authenticate]: module "perl" returns ok for request 1
    modcall: leaving group Perl (returns ok) for request 1
    Login OK: [usertest/XX] (from client 10.218.7.243 port 1011712 cli 88.xx.xx.xx)
    Sending Access-Accept of id 50 to 10.218.7.243 port 1025
            Framed-IP-Address = 255.255.255.254
            Framed-MTU = 576
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Netmask = 255.255.255.0
            h323-credit-amount = "100"
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 1 ID 50 with timestamp 497f20c3
    Nothing to do. Sleeping until we see a request.
Re: Affect IP with script perl into freeradius
t...@kalik.net wrote:
>> I use the perl example supplied with FreeRADIUS to authenticate my users.
>>
>>     modules {
>>             perl {
>>                     module = "/etc/raddb/Test-Auth.pl"
>>                     func_accounting = accounting
>>                     func_authenticate = authenticate
>>                     func_authorize = authorize
>>                     func_preacct = preacct
>>                     func_checksimul = checksimul
>>                     func_xlat = xlat
>>             }
>>
>> If I want to add an IP address for one specific user, what is the process?
>>
>> Sample:
>>     All users => use the pool of the NAS
>>     One specific user => use 192.168.50.1 (static IP)
>
> There is an example in example.pl for sending h323... attribute in the reply. You want to send Framed-IP-Address.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi, thanks for your reply.

I have added:

    $RAD_REPLY{'Framed-IP-Address'} = "10.218.6.1";
    return RLM_MODULE_OK;

but no change, it uses the pool included in the Cisco ASA (10.218.4.5). An error of mine?

Bye,
jerome
Affect IP with script perl into freeradius
Hi,

I use the perl example supplied with FreeRADIUS to authenticate my users.

    modules {
            perl {
                    module = "/etc/raddb/Test-Auth.pl"
                    func_accounting = accounting
                    func_authenticate = authenticate
                    func_authorize = authorize
                    func_preacct = preacct
                    func_checksimul = checksimul
                    func_xlat = xlat
            }

If I want to add an IP address for one specific user, what is the process?

Sample:
    All users => use the pool of the NAS
    One specific user => use 192.168.50.1 (static IP)

Thanks,
jerome
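The question above (one user on a static address, everyone else on the NAS pool) and Ivan's answer further up (set Framed-IP-Address in the reply from the perl script, the way example.pl sets the h323 attribute) can be put together in one rlm_perl script. The one below is an added example: it is not jerome's Test-Auth.pl and not the example.pl shipped with FreeRADIUS. It assumes the perl module block from this thread (func_authorize = authorize, func_authenticate = authenticate); the %static_ip and %password_sha256 tables, the login_name helper, the user "usertest", the 192.168.50.1/255.255.255.0 assignment and the password are all constructed for the example. It relies on two facts: rlm_perl hands the script %RAD_REQUEST, %RAD_REPLY and %RAD_CHECK and copies %RAD_REPLY and %RAD_CHECK back into the request, and RFC 2865 defines Framed-IP-Address 255.255.255.254 as "the NAS should select an address for the user", which is why leaving the attribute out for pool users is the right move and why sending 255.255.255.254 from any module is the thing to avoid.

```perl
#!/usr/bin/perl
# Added example, not the poster's Test-Auth.pl and not FreeRADIUS's example.pl:
# an rlm_perl script whose authorize hook returns a static Framed-IP-Address
# for the users listed in %static_ip and sends no address at all for anyone
# else, so the ASA keeps assigning those users from its own pool.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# rlm_perl fills these hashes before each call and reads them back afterwards.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in the example.pl shipped with rlm_perl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

# Assumed per-user static assignments (constructed for this example; the
# address is the one asked about in the thread). Unlisted users get the pool.
my %static_ip = (
    'usertest' => { address => '192.168.50.1', netmask => '255.255.255.0' },
);

# Assumed credential store: SHA-256 of each password, never the cleartext.
# Constructed for this example; a real deployment would query a backend.
my %password_sha256 = (
    'usertest' => sha256_hex('example-only-password'),
);

# Strip a realm suffix so "vpn@xx.fr" and "vpn" look up the same entry.
sub login_name {
    my ($user) = @_;
    $user = '' unless defined $user;
    $user =~ s/@.*$//;
    return $user;
}

sub authorize {
    my $login = login_name($RAD_REQUEST{'User-Name'});

    # Route authentication to the authenticate sub below; the thread does the
    # same from the users file with "DEFAULT Auth-Type = Perl".
    $RAD_CHECK{'Auth-Type'} = 'Perl';

    if (my $entry = $static_ip{$login}) {
        $RAD_REPLY{'Framed-IP-Address'} = $entry->{address};
        $RAD_REPLY{'Framed-IP-Netmask'} = $entry->{netmask};
        return RLM_MODULE_UPDATED;
    }

    # Deliberately no Framed-IP-Address for everyone else. 255.255.255.254 is
    # the RFC 2865 value for "NAS, pick the address yourself"; in the thread a
    # users-file DEFAULT entry added it, and that value is what reached the
    # Access-Accept until the entry was commented out.
    return RLM_MODULE_OK;
}

sub authenticate {
    my $login = login_name($RAD_REQUEST{'User-Name'});
    my $pw    = $RAD_REQUEST{'User-Password'};

    return RLM_MODULE_REJECT unless defined $pw && exists $password_sha256{$login};
    return RLM_MODULE_REJECT unless sha256_hex($pw) eq $password_sha256{$login};
    return RLM_MODULE_OK;
}

1;
```

Check the result the way Ivan suggests, with radiusd -X: for "usertest" the Access-Accept should carry Framed-IP-Address = 192.168.50.1, and for any other user it should carry no Framed-IP-Address at all. If 255.255.255.254 still shows up, it is coming from another module in the authorize section, not from this script.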
Freeradius and Cisco ASA => Accounting and IP Static
Hi,

I use FreeRADIUS to authenticate my IPSEC VPN users on a Cisco ASA. I would like to know if it's possible:

- to get accounting, to know: login connection start, login stop and time connected, and if possible the number of KB used;
- to use FreeRADIUS for the IP pool: currently it's the ASA that assigns the IP address from an IP pool. Do you know if it's possible for FreeRADIUS to send the IP address, so as to use a static IP based on the login?

I use a Perl script in auth.

Thanks,
jerome
Re: [HELP] FreeRadius and External Script
Hi all,

That works now, many thanks to Alan, Luciano and Ivan ;=)

Bye,
jerome
Re: [HELP] FreeRadius and External Script
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Ok, now I think that this script is started but I don't understand it: it has a lot of subs but the subs are not launched. If I understand, I put all of my perl script into the sub test_call, no?
>
> its quite easy. in the experimental.conf file you state which routines you would like to be called and then when the PERL script is run, it will call the relevant subroutine for the method wanted. or, if its an auth then the auth subroutine gets called. if its a post-auth, then the post-auth routine gets called. no other routine gets called unless you specifically code the routing in the code to call another routine (basic PERL here)
>
> if all you want is to use PERL to do an authentication test (eg a DB call rather than using the built-in DB support), then ensure the authentication routine is enabled in experimental.conf, that experimental.conf is pulled in by the FreeRADIUS config and that 'perl' is listed in the authentication section of the FreeRADIUS config. (be that radiusd.conf or sites-enabled/whatever-file)
>
> its quite easy to test/debug by uncommenting all the test/debug routines in the example.pl and maybe by even opening your own file, writing junk to it...and then closing it. tail that file as you test.
>
> alan

Many thanks for your help Alan ;=)

I start a new test with:

in radiusd.conf:

    modules {
            perl {
                    #
                    #  The Perl script to execute on authorize, authenticate,
                    #  accounting, xlat, etc.  This is very similar to using
                    #  Exec-Program-Wait = "/path/foo.pl", but it is persistent,
                    #  and therefore faster.
                    #
                    module = "/etc/raddb/Test-Auth.pl"
                    func_accounting = accounting
                    func_authenticate = authenticate
                    func_authorize = authorize
                    func_preacct = preacct
                    func_checksimul = checksimul
                    func_xlat = xlat
            }
    }

    authorize {
    }

    authenticate {
            Auth-Type Perl {
                    perl
            }
    }

in users.conf:

    DEFAULT Auth-Type = Perl
            Fall-Through = 1

If I understand, when it receives an authentication request from my Cisco, it starts the script (Test-Auth.pl is a copy of example.pl). Is that correct?
Re: [HELP] FreeRadius and External Script
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> When I start the script manually, we have:
>>
>>     ./example.pl: line 26: use: command not found
>>     ./example.pl: line 29: syntax error near unexpected token `('
>>     ./example.pl: line 29: `use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);'
>
> how are you running this script manually? looks like you're trying to run it as a shell script
>
>     perl ./example.pl

Ok, when I start it with this command, no error.

>> What is the right process to create a small script?
>
> take the example.pl file and modify it to suit your needs...then ensure that it is called (ensure that experimental.conf is included in the config and that you call the perl module where you want it - eg post-auth, auth or such.
>
> alan

Ok, now I think that this script is started but I don't understand it: it has a lot of subs but the subs are not launched. If I understand, I put all of my perl script into the sub test_call, no?

Bye,
jerome
[HELP] FreeRadius and External Script
Hi,

I request your help because I don't understand the process of FreeRADIUS and I am limited in time ;=) Many thanks to everyone who accepts to help me.

I have installed FreeRADIUS and my Cisco can talk with it without problems. Now I want FreeRADIUS to start a perl script to do the authentication. I have read a HOWTO and used example.pl, but with no real success because all requests are validated.

When I start the script manually, we have:

    ./example.pl: line 26: use: command not found
    ./example.pl: line 29: syntax error near unexpected token `('
    ./example.pl: line 29: `use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);'

I think that when FreeRADIUS starts the script, it gets the same message and validates the connection, no?

What is the right process to create a small script?

Thanks,
jerome