Re: Rule for not logging a specific user's sessions.
Hello Rafael,

It should be possible in FreeRADIUS 2 using the unlang language:

    if (User-Name != "test-user") {
        sql_log
    }

Regards,
Vincent M.

Rafael Medici <[EMAIL PROTECTED]> wrote:

> Hello,
>
> Is there a way to not log anything for a specific user, by creating a rule in sql_log? You will probably ask me why! Because I have a plugin running on Nagios that checks authentication with a specific user, e.g. "testuser", every 5 minutes, and at the end of the day my database grows with useless information. We are a global hotspot provider, so this check running on Nagios is performed in 10,000 hotspots to test authentication, so you can imagine that this "testuser" generates an endless number of records. I think putting some kind of trigger in place to do that will probably slow down my server performance, because we have a huge user database. I'm running FreeRADIUS (1.1.7) + PostgreSQL.
>
> Regards,
> Rafael Medici

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
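The same idea in context, as an added example that is not from the original post or from the FreeRADIUS project: an accounting section and a post-auth section in FreeRADIUS 2.x unlang that skip sql_log for the monitoring account while still recording everything else. The user name "testuser" comes from Rafael's message; 192.0.2.10 is a constructed placeholder for the Nagios host, matched through the internal Client-IP-Address attribute (the RADIUS client the packet came from). Matching on User-Name alone would let any client opt out of logging simply by presenting that name, so the rule also requires the packet to come from the monitoring host; if the probes arrive through many NASes instead, tie the rule to whatever does identify them (a dedicated client group or a Nagios-only realm) and make sure the test account never receives real service authorization.

```text
# FreeRADIUS 2.x, sites-enabled/default (added example; not from the original post).
# "testuser" is the monitoring account named in the thread; 192.0.2.10 is a
# constructed placeholder for the Nagios host that sends the probe requests.
accounting {
	detail

	# Suppress SQL accounting for the probe account only when the packet comes
	# from the monitoring host. Matching User-Name alone would let any client
	# opt out of accounting by claiming that user name.
	if ((User-Name == "testuser") && (Client-IP-Address == 192.0.2.10)) {
		ok
	}
	else {
		sql_log
	}
}

# The same guard in post-auth keeps the authentication probes out of the
# post-auth SQL log (rlm_sql_log's Post-Auth query) as well.
post-auth {
	if ((User-Name == "testuser") && (Client-IP-Address == 192.0.2.10)) {
		ok
	}
	else {
		sql_log
	}
}
```

The if/else form is used rather than an early return so that the section's other modules (detail, and anything added after sql_log) still run for the probe requests; only the SQL writes are skipped.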
Re: Filtering RADIUS request to only allow EAP-TTLS in a proxying-only server?
Hello Peter,

Have a look at the "attr_filter" section and configure it as you wish. In your radiusd.conf:

    attr_filter attr_filter.post-proxy {
        attrsfile = ${some path}/attrs.post-proxy
    }

This file may contain information similar to:

    DEFAULT
        User-Name =* ANY,
        Reply-Message =* ANY,
        State =* ANY,
        Class =* ANY,
        Message-Authenticator =* ANY,
        Calling-Station-ID =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY

State and EAP-Message are needed for EAP. User-Name is for proxying to the right destination. If you do not put "User-Password" in this file, you will have this argument removed. Some institutions will do PEAP instead of EAP-TTLS. It's most likely a bad idea to do processing on EAP-Message.

Regards,
Vincent

Peter Eriksson <[EMAIL PROTECTED]> wrote:

> One thing I'd like to achieve in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication. Anyone got something already configured that I could copy? I.e., I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext. (And also make sure it won't send out such requests itself.)
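A worked example for Peter's two requirements that complements Vincent's post-proxy filter, added here and not taken from the thread or from the FreeRADIUS distribution: the authorize section of the proxying server rejects any request that carries a cleartext or CHAP password without an EAP-Message, and an attr_filter.pre-proxy allow-list strips everything not listed before the request leaves for the home server. Paths and section names assume a FreeRADIUS 2.x layout (${confdir}, sites-enabled/default); the allow-list is Vincent's attrs.post-proxy set adapted to the request direction, plus the NAS attributes an EAP Access-Request normally carries. Telling EAP-TTLS apart from PEAP would mean inspecting the EAP-Message type byte, which Vincent advises against, so this example accepts any EAP method.

```text
# FreeRADIUS 2.x (added example; not from the original thread).
# Part 1: sites-enabled/default, authorize section of the proxying server.
# Refuse any request that arrives with a password outside an EAP exchange.
authorize {
	preprocess

	if (!EAP-Message && (User-Password || CHAP-Password)) {
		update reply {
			Reply-Message := "Only EAP authentication is accepted"
		}
		reject
	}

	suffix
	# ... rest of the authorize section (eap, files, ...) ...
}

# Part 2: modules/attr_filter, called from the pre-proxy section so the
# filter runs on the request before it is forwarded.
attr_filter attr_filter.pre-proxy {
	attrsfile = ${confdir}/attrs.pre-proxy
}

pre-proxy {
	attr_filter.pre-proxy
}

# Part 3: ${confdir}/attrs.pre-proxy. Only the listed attributes leave the
# server; User-Password and CHAP-Password are deliberately absent, so even a
# request that slipped past Part 1 cannot export a password.
DEFAULT
	User-Name =* ANY,
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Proxy-State =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	NAS-Port =* ANY,
	NAS-Port-Type =* ANY,
	Called-Station-Id =* ANY,
	Calling-Station-Id =* ANY,
	Framed-MTU =* ANY,
	Service-Type =* ANY
```

Part 1 stops cleartext requests from the outside with an explicit Access-Reject; Part 3 is the belt-and-braces counterpart for the outbound direction, in the same spirit as the post-proxy allow-list in Vincent's reply, which protects the opposite direction (attributes a home server sends back).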
inner/outer Tunnel attributes of TTLS/MS-CHAPv2
Hello All,

I've an issue with passing attributes from EAP-TTLS/MS-CHAPv2 to the outer request.

My /etc/raddb/users contains:

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := `%{User-Name}`,
        Fall-Through = yes

And my eap ttls module contains:

    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

The User-Name and Tunnel-* attributes are not rewritten/copied to the outer. This issue is only with MS-CHAP, not PAP.

Running version: freeradius-1.0.1-3.RHEL4.5

radius -X:

    rlm_mschap: adding MS-CHAPv2 MPPE keys
    modcall[authenticate]: module "mschap" returns ok for request 39
    modcall: group Auth-Type returns ok for request 39
    Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 39
    radius_xlat: '/var/log/radius/radacct/127.0.0.1/reply-detail-20080204'
    rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20080204
    modcall[post-auth]: module "reply_log" returns ok for request 39
    modcall: group post-auth returns ok for request 39
    TTLS: Got tunneled reply RADIUS code 2
            User-Name := "[EMAIL PROTECTED]"
            Tunnel-Type:0 = VLAN
            Tunnel-Private-Group-Id:0 = "16"
            Tunnel-Medium-Type:0 = IEEE-802
            MS-CHAP2-Success = 0x5b533d314643453436444634323935383843304336324346463046363836393836353236314637
            MS-MPPE-Recv-Key = 0xcf199064e5ce16501ad868646e8e7b3c
            MS-MPPE-Send-Key = 0x053e079625529879fe9f4f1cb9b7ad47
            MS-MPPE-Encryption-Policy = 0x0002
            MS-MPPE-Encryption-Types = 0x0004
    TTLS: Got tunneled Access-Accept
    rlm_eap: Freeing handler
    modcall[authenticate]: module "eap" returns ok for request 39
    modcall: group Auth-Type returns ok for request 39
    Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 39
    radius_xlat: '/var/log/radius/radacct/130.223.222.60/reply-detail-20080204'
    rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/130.223.222.60/reply-detail-20080204
    modcall[post-auth]: module "reply_log" returns ok for request 39
    modcall: group post-auth returns ok for request 39
    Sending Access-Accept of id 60 to 130.223.222.60:1645
            MS-MPPE-Recv-Key = 0xc9abc77f52aa954231989e3bc26c35b2b6f6578dec2fe6b1bf06e9fb1b75740f
            MS-MPPE-Send-Key = 0xe940dd6f47a1a7102d876dacf2f36385a5e717f96372d87256b5e6c1c3ba962b
            EAP-Message = 0x03060004
            Message-Authenticator = 0x
            User-Name = "anonymous"
    Finished request 39
Re: Re: inner/outer Tunnel attributes of TTLS/MS-CHAPv2
Hello Alan,

You are right, this version is too old and does not support this feature (I've checked src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c). This version is the one supplied with Red Hat Enterprise 4. I'll compile 1.1.7 from source.

Regards,
Vincent Magnin

Alan DeKok <[EMAIL PROTECTED]> wrote:

> Vincent Magnin wrote:
> > Running version: freeradius-1.0.1-3.RHEL4.5
>
> Why? I'm not sure if the functionality you need is even in 1.0.1. Why not try 2.0.1, or maybe 1.1.7?
>
> Alan DeKok.
FreeRADIUS 2 and proxying
In FreeRADIUS 1, if I need to proxy requests whose realms are remote, I put the following in proxy.conf:

    realm DEFAULT {
        type = radius
        authhost = remote.server1.com:1812
        accthost = remote.server1.com:1813
        secret =
        ldflag = round_robin
        nostrip
    }
    realm DEFAULT {
        type = radius
        authhost = remote.server2.com:1812
        accthost = remote.server2.com:1813
        secret =
        ldflag = round_robin
        nostrip
    }

I've tried to put the same lines in my FreeRADIUS 2 config file and it does not work as expected. radius -X output:

    rlm_realm: Looking up realm "extern.realm.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "extern.realm.com"

Then the request is handled locally. If I put this domain explicitly in my proxy.conf file, it works fine:

    realm extern.realm.com {
        type = radius
        authhost = remote.server2.com:1812
        accthost = remote.server2.com:1813
        secret =
        ldflag = round_robin
        nostrip
    }

radius -X output:

    rlm_realm: Looking up realm "extern.realm.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "extern.realm.com"
    rlm_realm: Proxying request from user anonymous to realm extern.realm.com
    rlm_realm: Adding Realm = "extern.realm.com"
    rlm_realm: Preparing to proxy accounting request to realm "extern.realm.com"

Regards,
Vincent Magnin
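The 2.x-native way to write the same two-server round-robin catch-all realm, as an added example that is not part of the thread or of the FreeRADIUS distribution: home_server and home_server_pool blocks replace the 1.x realm-with-authhost syntax, and a single realm DEFAULT points at the pool. Host names and ports are the ones from the post; the shared secrets are placeholders. Whether an unknown realm actually falls back to DEFAULT in 2.0.1 is exactly the realm-lookup question Vincent raises further down this thread, so this shows the intended configuration, not a fix for that lookup.

```text
# proxy.conf, FreeRADIUS 2.x syntax (added example; not from the original post).
# Host names and ports follow the 1.x configuration quoted above; the secrets
# are placeholders to be replaced with the per-server shared secrets.
home_server remote1 {
	type = auth+acct          # accounting is sent to port + 1, i.e. 1813
	ipaddr = remote.server1.com
	port = 1812
	secret = REPLACE_WITH_SECRET_1
	response_window = 20
	zombie_period = 40
	# Status-Server checks let the proxy mark a dead home server and fail
	# over instead of timing out every request sent to it.
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}

home_server remote2 {
	type = auth+acct
	ipaddr = remote.server2.com
	port = 1812
	secret = REPLACE_WITH_SECRET_2
	response_window = 20
	zombie_period = 40
	status_check = status-server
	check_interval = 30
	num_answers_to_alive = 3
}

# load-balance spreads requests across both servers, the counterpart of the
# 1.x "ldflag = round_robin" in the post.
home_server_pool remote_pool {
	type = load-balance
	home_server = remote1
	home_server = remote2
}

# Catch-all realm for any realm not listed elsewhere in proxy.conf. nostrip
# keeps the user@realm form in User-Name so the home server can route on it.
realm DEFAULT {
	auth_pool = remote_pool
	acct_pool = remote_pool
	nostrip
}
```

Only one realm DEFAULT block exists here, unlike the two duplicated blocks in the 1.x file: in 2.x the redundancy lives in the pool, which also gives the proxy a single place to track which home servers are alive.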
Re: EAP/TTLS on LDAP with freeradius 2.0.1
Hi Thierry,

In your /etc/raddb/users file, you can put the following to copy the inner identity to the outer identity (works with FreeRADIUS 1 and 2):

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := `%{User-Name}`,
        Fall-Through = yes

Thierry CHICH <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I know that my problem is so simple that I should be ashamed to ask for help, but I have to say that I can't find a good way to do what I want to do. With the previous release, FreeRADIUS 1.1.7, I could do the following things:
>
> - people with a correct outer identity and inner identity (login/password) could be authorized and authenticated on an LDAP server using an EAP-TTLS tunnel, and obtained a WPA key.
> - with the same RADIUS server, I could authenticate people with EAP-PEAP and MSCHAPv2 on an SQL database.
>
> It was nice, but I had a small problem: accounting was done using the outer identity. Since I was using LDAP to do the authorization, people who put another valid identity were not correctly accounted. Then, I decided to use FreeRADIUS 2.0.1. And now I don't see how to obtain a basic configuration that does my first point. I always end up with:
>
>     rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
>     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> If I put an Auth-Type := LDAP, it seems better at first, but it is worse:
>
>     rad_check_password: Found Auth-Type LDAP
>     auth: type "LDAP"
>     +- entering group LDAP
>     rlm_ldap: - authenticate
>     rlm_ldap: Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
>     ++[ldap] returns invalid
>     auth: Failed to validate the user.
>
> At this point, I don't understand what FreeRADIUS wants. I don't know how to say: authorize on what you want, I don't care, and authenticate on my LDAP server. Is there a good configuration sample I can find anywhere?
>
> Regards,
> --
> Thierry CHICH

--
------------
Vincent Magnin [EMAIL PROTECTED]
Network & Telecom Engineer
+41 21 692 22 48
UNIL, Centre Informatique, 1015 Lausanne
Switzerland
Re: FreeRADIUS 2 and proxying
Well, I've written a patch for realms.c and now I have a better behaviour:

    rlm_realm: Looking up realm "extern.realm.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Proxying request from user anonymous to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"

Does a better way to use the DEFAULT realm exist?

Regards,
Vincent Magnin

Vincent Magnin <[EMAIL PROTECTED]> wrote:

> In FreeRADIUS 1, if I need to proxy requests whose realms are remote, I put the following in proxy.conf:
>
>     realm DEFAULT {
>         type = radius
>         authhost = remote.server1.com:1812
>         accthost = remote.server1.com:1813
>         secret =
>         ldflag = round_robin
>         nostrip
>     }
>     realm DEFAULT {
>         type = radius
>         authhost = remote.server2.com:1812
>         accthost = remote.server2.com:1813
>         secret =
>         ldflag = round_robin
>         nostrip
>     }
>
> I've tried to put the same lines in my FreeRADIUS 2 config file and it does not work as expected. radius -X output:
>
>     rlm_realm: Looking up realm "extern.realm.com" for User-Name = "[EMAIL PROTECTED]"
>     rlm_realm: No such realm "extern.realm.com"
>
> Then the request is handled locally. If I put this domain explicitly in my proxy.conf file, it works fine:
>
>     realm extern.realm.com {
>         type = radius
>         authhost = remote.server2.com:1812
>         accthost = remote.server2.com:1813
>         secret =
>         ldflag = round_robin
>         nostrip
>     }
>
> radius -X output:
>
>     rlm_realm: Looking up realm "extern.realm.com" for User-Name = "[EMAIL PROTECTED]"
>     rlm_realm: Found realm "extern.realm.com"
>     rlm_realm: Proxying request from user anonymous to realm extern.realm.com
>     rlm_realm: Adding Realm = "extern.realm.com"
>     rlm_realm: Preparing to proxy accounting request to realm "extern.realm.com"
>
> Switzerland

--- freeradius-server-2.0.1/src/main/realms.c 2008-01-09 14:39:13.0 +0100
+++ freeradius-server-2.0.1-defaultrealm/src/main/realms.c 2008-02-07 14:14:26.0 +0100
@@ -1323,11 +1323,21 @@ REALM *realm_find(const char *name) { REALM myrealm; - + REALM *ret; + if (!name) name = "NULL"; myrealm.name = name; - return rbtree_finddata(realms_byname, &myrealm); + ret = rbtree_finddata(realms_byname, &myrealm); + + if (!ret) { + const char *defrealm = "DEFAULT"; + + myrealm.name = defrealm; + ret = rbtree_finddata(realms_byname, &myrealm); + } + + return ret; } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
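Review bot: the fallback changes the contract of realm_find() for every caller, not just the one that wants DEFAULT handling: after this hunk the function never returns NULL for an unknown name while a DEFAULT realm is configured, so any code that uses NULL to mean "no such realm" (duplicate detection when realms are loaded, or a module that wants an exact match) silently gets the DEFAULT realm instead. Keeping realm_find() as an exact by-name lookup and doing the retry at the call site in rlm_realm.c, where the ignore_default check already treats "DEFAULT" specially, or adding a separate realm_find_default() for callers that want the fallback, would keep that behaviour explicit. Minor: when name is already "DEFAULT" and the first rbtree_finddata() fails, the second lookup repeats the same search; a strcmp(name, "DEFAULT") guard around the retry avoids it.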
Re: Re: FreeRADIUS 2 and proxying
I did not receive any comment about my supplied patch. I will try to explain my issue better.

FreeRADIUS 2.0.1 (or latest CVS), src/modules/rlm_realm/rlm_realm.c:

    /*
     *	Allow DEFAULT realms unless told not to.
     */
    realm = realm_find(realmname);
    if (!realm) {
        DEBUG2("rlm_realm: No such realm \"%s\"",
               (realmname == NULL) ? "NULL" : realmname);
        return 0;
    }
    if (inst->ignore_default &&
        (strcmp(realm->name, "DEFAULT")) == 0) {
        DEBUG2("rlm_realm: Found DEFAULT, but skipping due to config.");
        return 0;
    }

realmname contains the realm (suffix/ntdomain authorize). If 'realmname' is not defined in proxy.conf and a DEFAULT realm is defined in proxy.conf, realm_find returns NULL. Thus, the correct debug message is shown:

    rlm_realm: No such realm "example.com"

But the DEFAULT realm is not handled (-> return 0). From my point of view, something is missing here to handle the DEFAULT realm.

Regards,
Vincent Magnin
Re: Re: FreeRADIUS 2 and proxying
Alan DeKok <[EMAIL PROTECTED]> wrote:

> > Does a better way to use the DEFAULT realm exist?
>
> Nope. I've added a patch with the same behavior.

Thank you,
Vincent Magnin
Re: Re: Logging EAP protocols
Hello,

Have you tried using %{Auth-Type}?

Regards,
Vincent Magnin

Richard Timsit <[EMAIL PROTECTED]> wrote:

> Alan DeKok wrote:
> > You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
>
> Ok, this works perfectly, thanks a lot! Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
>
> Regards.
> --
> Richard Timsit <[EMAIL PROTECTED]>
> EPFL DIT-TI
Re: Re: Re: Logging EAP protocols
Sorry for my previous email ;) I meant:

    %{control:Auth-Type}

In my configuration, I use two different Auth-Types, one for PAP, one for MS-CHAP.

Regards,
Vincent

Vincent Magnin <[EMAIL PROTECTED]> wrote:

> Hello,
>
> Have you tried using %{Auth-Type}?
>
> Regards,
> Vincent Magnin
>
> Richard Timsit <[EMAIL PROTECTED]> wrote:
>
> > Alan DeKok wrote:
> > > You can use %{EAP-Type} to log the EAP type. It would best be done as part of a post-auth section.
> >
> > Ok, this works perfectly, thanks a lot! Is it conceivable to retrieve more info for EAP-TTLS or for some other authentication methods, like PAP or CHAP for example?
> >
> > Regards.
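Putting the two expansions from this thread together, as an added example that is not part of the thread or of the FreeRADIUS distribution: a linelog instance writes one line per authentication result with the EAP type and the Auth-Type that was actually selected, and post-auth calls it for both accepts and rejects. It assumes FreeRADIUS 2.x with the linelog module and the ${logdir} variable; the `:-none` default covers non-EAP requests, where %{EAP-Type} expands to nothing. For EAP-TTLS and PEAP this logs the outer request, so User-Name is the outer (often anonymous) identity; the inner method shows up when the same instance is called from the inner-tunnel server's post-auth.

```text
# modules/linelog (added example; not from the original thread).
linelog auth_methods {
	filename = ${logdir}/auth-methods.log
	permissions = 0600
	# %t is the request timestamp. EAP-Type is set on the request by rlm_eap
	# for EAP requests; control:Auth-Type is the method chosen in authorize
	# (PAP, MS-CHAP, ...). Both default to "none" when absent.
	format = "%t %{Client-IP-Address} %{reply:Packet-Type} user=\"%{User-Name}\" eap=%{%{EAP-Type}:-none} auth=%{%{control:Auth-Type}:-none}"
}

# sites-enabled/default
post-auth {
	auth_methods

	# Access-Rejects run the REJECT sub-section instead of the main body, so
	# the module is listed there too; failed attempts and their method are
	# then visible alongside the successes.
	Post-Auth-Type REJECT {
		auth_methods
	}
}
```

Logging the reply Packet-Type next to the method gives the operator a per-method accept/reject ratio from one file, which is the practical reason to prefer this over a bare Auth-Type entry in an existing detail log.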